How zero-trust network access secures remote work environments
- By Gerry Gebel
- Sep 28, 2020
As zero-trust network access (ZTNA) modernizes IT infrastructure in the commercial sector, it is also gaining traction in government.
A 2019 report surveying more than 170 prequalified federal government and industry IT experts about zero-trust security capabilities found that agencies are tightening their defenses, adopting a ZTNA approach to manage access to their information resources.
Among the findings, 68% of federal agencies considered zero trust a high priority in meeting goals to improve citizen services. Seventy-four percent said zero trust is critical to cloud expansion, and 70% said zero trust is essential as more applications and devices access agency resources.
ZTNA enables federal agencies to secure information stored on-premises and in the cloud, across multiple applications and systems, by moving away from wide network access perimeters.
How zero trust eliminates wide network access perimeters
Historically, network security safeguarded only the perimeter. A user with valid network credentials could reach all information and internal resources on the network, including regulated and business-critical information.
Wide network perimeters worked well when employees accessed data in an office setting or when information was stored on-premises in a single location. However, with cloud data located outside network boundaries and a dramatic increase in remote users because of COVID-19, agencies are shifting toward ZTNA to protect individual groups of data resources.
Leveraging the zero-trust principles of least-privilege access, multifactor authentication and micro-segmentation, federal agencies can implement strict controls over individual users inside the network.
Under a zero-trust approach, no user or device is trusted simply for being inside the network: every request, whether it originates inside or outside, must be authenticated and authorized at each access point. ZTNA establishes explicit methods for permitting access, rather than relying on wide network perimeters.
Integrating context-aware technologies
As information networks grow, federal agencies can combine ZTNA systems with other context-based technologies such as attribute-based access control (ABAC), ensuring zero-trust controls don't cause access disruptions and harm the user experience.
For example, ABAC systems follow the principle of least privilege, evaluating context attributes such as risk score, device information and user location at the time of each request. As a result, only authorized users gain access, and only to the precise sets of data the policy allows.
With ABAC, agencies leverage data and user characteristics to develop strong, fine-grained policies to ensure the right access control is executed dynamically at run time.
Because policies are built on many distinct attributes, ABAC also lets agencies apply security policies at every level, from an individual workload up to data center applications, achieving micro-segmentation, another ZTNA principle. Policies reflect business requirements that spell out which users can access which resources.
Consequently, agencies can model both simple and complex data access policies that eliminate the "all or nothing" approach of wide network perimeters. Policies are managed independently and enforced consistently across on-premises and cloud-based resources.
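The following added example (not from the article, and not Axiomatics' or any other vendor's product code) shows what the preceding paragraphs describe in working form: a toy ABAC policy decision point that evaluates subject, resource and environment attributes (clearance, department, MFA, device posture, location, risk score) for every request, with a deny-overrides combining rule and a default of deny. Beside it is the perimeter model it replaces, which permits anything from an authenticated network user. The attribute names, thresholds, the "case file" resource and the three sample requests are all constructed assumptions for illustration.

```python
"""Toy attribute-based access control (ABAC) policy decision point.

Added example; attribute names, thresholds and sample requests are
constructed for illustration and are not from the article or any product.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Attributes = Dict[str, object]

# Assumed classification scale used to compare a subject's clearance with a
# resource's sensitivity (illustrative, not a real agency scheme).
LEVELS = {"public": 0, "internal": 1, "restricted": 2}


@dataclass(frozen=True)
class Request:
    subject: Attributes      # who: role, clearance, department, mfa
    resource: Attributes     # what: classification, owning department
    action: str              # "read" or "write"
    environment: Attributes  # context: device posture, location, risk score


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str              # "permit" or "deny"
    applies: Callable[[Request], bool]


@dataclass(frozen=True)
class Decision:
    effect: str
    reason: str


class PolicyDecisionPoint:
    """Deny-overrides combining with default deny: any matching deny rule
    wins; otherwise the first matching permit rule permits; otherwise deny."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def evaluate(self, req: Request) -> Decision:
        permit: Optional[Rule] = None
        for rule in self.rules:
            if not rule.applies(req):
                continue
            if rule.effect == "deny":
                return Decision("deny", rule.name)
            permit = permit or rule
        if permit is not None:
            return Decision("permit", permit.name)
        return Decision("deny", "no applicable permit rule (default deny)")


def is_restricted(req: Request) -> bool:
    return LEVELS[req.resource["classification"]] >= LEVELS["restricted"]


def build_pdp() -> PolicyDecisionPoint:
    """Policy for a hypothetical 'case files' application (constructed)."""
    return PolicyDecisionPoint([
        # Environment attribute: a high risk score blocks everything.
        Rule("deny-high-risk", "deny", lambda r: r.environment["risk_score"] > 70),
        # Restricted data only from managed devices, with MFA, from approved
        # locations (approved set assumed to be {"US"} for the example).
        Rule("deny-restricted-unmanaged-device", "deny",
             lambda r: is_restricted(r) and not r.environment["device_managed"]),
        Rule("deny-restricted-no-mfa", "deny",
             lambda r: is_restricted(r) and not r.subject["mfa"]),
        Rule("deny-restricted-location", "deny",
             lambda r: is_restricted(r) and r.environment["country"] not in {"US"}),
        # Permit: clearance covers classification, same department as the
        # resource owner, and read-only unless the subject is an editor.
        Rule("permit-department-read", "permit",
             lambda r: LEVELS[r.subject["clearance"]] >= LEVELS[r.resource["classification"]]
             and r.subject["department"] == r.resource["owner_department"]
             and (r.action == "read" or r.subject["role"] == "editor")),
    ])


def perimeter_decision(req: Request) -> Decision:
    """The 'all or nothing' model: any authenticated network user gets everything."""
    if req.subject.get("authenticated"):
        return Decision("permit", "valid network credentials")
    return Decision("deny", "not authenticated")


CASE_FILE = {"classification": "restricted", "owner_department": "benefits"}

# Constructed sample: an analyst teleworking from a managed laptop with MFA.
REMOTE_WORKER = Request(
    subject={"authenticated": True, "role": "analyst", "clearance": "restricted",
             "department": "benefits", "mfa": True},
    resource=CASE_FILE, action="read",
    environment={"device_managed": True, "country": "US", "risk_score": 12})

# Constructed sample: the same credentials replayed from an unmanaged device,
# without MFA, from a country outside the approved set ("XX" is a placeholder).
STOLEN_CREDENTIAL = Request(
    subject={"authenticated": True, "role": "analyst", "clearance": "restricted",
             "department": "benefits", "mfa": False},
    resource=CASE_FILE, action="read",
    environment={"device_managed": False, "country": "XX", "risk_score": 85})

# Constructed sample: a low-risk, MFA-authenticated user from another department.
OTHER_DEPARTMENT = Request(
    subject={"authenticated": True, "role": "analyst", "clearance": "restricted",
             "department": "procurement", "mfa": True},
    resource=CASE_FILE, action="read",
    environment={"device_managed": True, "country": "US", "risk_score": 5})

if __name__ == "__main__":
    pdp = build_pdp()
    for label, req in [("remote worker", REMOTE_WORKER),
                       ("stolen credential", STOLEN_CREDENTIAL),
                       ("other department", OTHER_DEPARTMENT)]:
        print(f"{label:18} ABAC={pdp.evaluate(req).effect:6} "
              f"perimeter={perimeter_decision(req).effect}")
```

Run stand-alone, the script shows the contrast the article draws: the perimeter model permits all three requests because each carries valid credentials, while the ABAC decision point permits only the remote worker and denies the replayed credential (risk score) and the other department's user (no applicable permit rule). Rule order matters only among deny rules for the reason string; the outcome is the same regardless of order because any deny overrides every permit.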
How federal agencies benefit from merging ZTNA and ABAC
Because ZTNA and ABAC rely on multiple, diverse factors to authorize each access request, agencies realize several other benefits.
- ZTNA and ABAC facilitate explicit, per-resource access from anywhere, at any time, on any device over the internet by using context-aware, flexible authentication and authorization. As a result, remote workers can safely access information.
- ZTNA and ABAC systems validate the user, device, location and any other relevant factors before allowing access to specific resources or data. Therefore, a compromised credential or an attacker who reaches the internal network does not automatically gain broad access to the enterprise's sensitive internal resources.
- ZTNA and ABAC technologies solve complicated access-control scenarios to ensure only authorized users have access to the right information under the appropriate circumstances.
As federal agencies continue to ingest data and expand their information systems across multiple cloud platforms, a single point of protection will fail to protect their resources. Instead, agencies require unified, context-aware technologies that protect each information resource individually.
Gerry Gebel is vice president of business development at Axiomatics.