SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Cloud-only ZTNA is no longer enough to secure organisations
Tue, 29th Nov 2022
FYI, this story is more than a year old

The dispersed workforce of today’s business operating environment has significantly increased organisations’ attack surfaces and moved these outside conventional perimeter defences, such as firewalls, built only to thwart cybercrimes within the office environment. Cybercriminals can now take advantage of the shift to remote and hybrid working environments, exploiting vulnerabilities through insufficiently secured home networks and end-user devices.

Securing today’s work-from-anywhere world has never been more important, yet many businesses continue to rely on outdated security tools that aren’t equipped to tackle increasing cyber risks that can cause operational disruptions as well as financial and reputational damage.

Shifting how organisations think about enterprise network security

To support the hybrid workplace, organisations are deploying software-defined wide-area networking (SD-WAN) and tools that support a zero trust network security model, particularly zero trust network access (ZTNA). ZTNA secures remote access to applications, data, and services and adheres to the principle of ‘least privilege’, granting access on a need-to-know basis. Rather than trusting user access based on credentials, ZTNA ensures that users only have access to the resources they need to perform their role.

The increasing sophistication of cybercrime and rise of nation-state cyber attacks against critical infrastructure means that ZTNA is an essential framework for businesses to implement within their cybersecurity strategies and is a pivotal component of digital transformation. However, cloud-only ZTNA implementation is limited to cloud-based applications and doesn’t work in dense office locations or for organisations with hybrid IT infrastructures.

What some don’t realise is that vendors have two approaches to implementing ZTNA:

  • Clientless ZTNA: the clientless or ‘service-initiated’ ZTNA approach is cloud-based and doesn’t require an agent on the device. It’s an attractive method for unmanaged devices; however, its most significant limitation is that it only supports cloud-based applications. It doesn’t offer the same level of control or visibility as an agent loaded on the device. It is also based on an application’s protocol on HTTP/HTTPS, limiting the solution to web applications.
     
  • Client-based ZTNA: the client-based or ‘endpoint-initiated’ ZTNA approach works whether an employee is accessing cloud-based or on-premises resources. An agent is installed on authorised end-user devices, which then transmits security-based information to a controller and prompts the device user for authentication. The biggest benefit of this approach is that ZTNA works within hybrid networks and offers better visibility and control of devices.

Rather than starting in the cloud with a clientless ZTNA, a better approach is to set up a client-based ZTNA that not only delivers enhanced visibility and control of devices but can also perform application firewalling within the agent. When the network identifies malicious activity or objects, it can automatically submit them to the sandbox environment for virtual analysis.

To adapt to the ever-changing workplace, organisations require consistent security with a zero trust approach available both on-premises and in the cloud. It also means businesses must upgrade their firewalls to support the growing number of users and applications and conform to a scalable zero trust framework. Next-generation firewalls (NGFW) provide more visibility into network activity than traditional firewalls do and can run ZTNA quickly and efficiently. Integrating client-based ZTNA with NGFW ensures flexibility, covering users whether employees are in the office, at home, or travelling for business.

ZTNA is poised to become the future of network security, and as cybersecurity threats continue to rise, it’s time for organisations to consider implementing client-based ZTNA sooner rather than later.