Amid hackers, crackers and a host of other cyber threats such as viruses, malware, ransomware and phishing, VPNs (Virtual Private Networks) have long been the sweethearts of IT departments at companies large, medium and small. They give remote users an encrypted tunnel into the corporate network, protecting the traffic in transit from eavesdropping and hiding the user's IP address (the identification number of a device connected to the Internet) from the services they reach, which see only the VPN gateway's address.
But if VPNs are so good at protecting the remote connection between a user and the company's own or outsourced server, why are corporate IT departments still so uneasy about them? The answer is simple. A VPN authenticates the connection, not what happens after it. If an ill-intentioned individual gets through that protection, for example by stealing someone's login and password, they typically land on the internal network with the same reach as a legitimate user, and in a flat network that means access to the entire organization. Depending on their skill and on what other defenses are in place, they can take services down or hijack the data and demand a ransom to release it.
VPNs have other weaknesses as well. Depending on how many people connect remotely, the VPN concentrator can become a bandwidth and latency bottleneck, since all traffic is hauled through it. Another major downside is that a traditional VPN verifies the user's credentials but says little about the device: an unmanaged or unpatched machine gets the same tunnel as a corporate laptop, leaving the IT team blind to the equipment at the other end. And finally, a VPN is not an intrusion detection system: it can log a failed login, but it was not designed to inspect or alert on what an authenticated session does once inside.
With that in mind, John Kindervag, then a vice president and principal analyst at Forrester Research, introduced the zero-trust model in 2010. In 2017, Gartner analysts developed a related concept called CARTA (Continuous Adaptive Risk and Trust Assessment). Finally, in 2019, Gartner analyst Steve Riley wrote a market report that built on CARTA and persuaded his colleagues that the acronym ZTNA ("Zero Trust Network Access") would be a more compelling name for the product category. He was right: the term "zero trust" is now used by virtually the entire cybersecurity market.
ZTNA, then, is an information security model that denies access to applications and data by default. It assumes that no one should be trusted automatically, whether they are inside or outside the network and whether or not they belong to the organization. Every access is granted with least privilege and placed under comprehensive security monitoring.
In this way, each access is verified and authenticated regardless of where it originates, through a combination of technologies: risk-based verification, multi-factor authentication, micro-segmentation, policy-based access control, encryption, security monitoring and device authentication.
A fundamental component of ZTNA is the trust broker (often implemented as an agent or gateway) that establishes the level of trust. It sits in front of the corporate applications, outside the network they live in, and isolates them from direct access by acting as a proxy: the applications are reachable only through it. For each request it checks the integrity and posture of the device, the user's geolocation and other contextual or behavioral signals, and derives a confidence score. If that score meets the requirement of the requested application, the user is granted access through the broker, and only to that application. A user who wants to reach a different application must be evaluated again for it, possibly against stricter requirements, which prevents lateral movement across the network.
ZTNA's weaknesses lie in two aspects. The first is the broker that establishes the level of trust: if it is compromised, it can assign a level of trust to someone who should not have it, and because every application sits behind it, that single failure exposes all of them. The second is the confidence score itself, which an attacker could manipulate, for example by feeding the broker false device-posture or location data, if the broker accepts those inputs without verifying them.
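The following toy broker is an added example to make the two preceding paragraphs concrete; it is not code from the page or from any ZTNA product. It computes a confidence score per request, decides each application separately (so approval for one grants nothing for another), and, to address the score-manipulation concern, only counts device-posture claims that carry a valid HMAC from the endpoint agent. The application names, score weights, thresholds, the shared posture-signing key and the sample requests are all constructed assumptions.

```python
# Toy ZTNA trust broker (policy decision point). Added illustration, not code
# from any product: names, weights and thresholds are assumptions.
import hashlib
import hmac
from dataclasses import dataclass

# Assumed shared secret between the endpoint agent and the broker, used to
# sign device-posture reports so the broker can verify them. Constructed value.
POSTURE_KEY = b"demo-posture-signing-key"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool       # set by the broker's own MFA step, never by the client
    device_id: str
    posture: dict            # claims reported by the device agent
    posture_sig: str         # HMAC-SHA256 over the canonical posture claims
    country: str             # geolocation derived from the source IP


@dataclass(frozen=True)
class AppPolicy:
    name: str
    min_score: int
    require_mfa: bool
    allowed_countries: frozenset


def canonical(posture: dict) -> bytes:
    """Deterministic encoding so agent and broker sign the same bytes."""
    return "|".join(f"{k}={posture[k]}" for k in sorted(posture)).encode()


def sign_posture(posture: dict, key: bytes = POSTURE_KEY) -> str:
    """What the endpoint agent attaches to its posture report."""
    return hmac.new(key, canonical(posture), hashlib.sha256).hexdigest()


def trust_score(req: AccessRequest) -> int:
    """Derive the confidence score only from signals the broker verified itself.
    A posture report whose signature does not check out contributes nothing:
    the client is never allowed to assert its own score."""
    if not hmac.compare_digest(sign_posture(req.posture), req.posture_sig):
        return 0
    score = 40 if req.mfa_verified else 0
    for claim in ("disk_encrypted", "os_patched", "edr_running"):
        if req.posture.get(claim) == "true":
            score += 20
    return score


def decide(req: AccessRequest, policy: AppPolicy) -> tuple[bool, str]:
    """Per-application decision. Default is deny; every gate must pass."""
    if policy.require_mfa and not req.mfa_verified:
        return False, f"{policy.name}: MFA required"
    if req.country not in policy.allowed_countries:
        return False, f"{policy.name}: country {req.country} not allowed"
    score = trust_score(req)
    if score < policy.min_score:
        return False, f"{policy.name}: score {score} below {policy.min_score}"
    return True, f"{policy.name}: score {score}, access granted to this app only"


def evaluate_all(req: AccessRequest, policies: list[AppPolicy]) -> dict[str, bool]:
    """Each application is decided independently; one approval grants nothing else."""
    return {p.name: decide(req, p)[0] for p in policies}


# Constructed sample policies and requests.
WIKI = AppPolicy("wiki", min_score=40, require_mfa=False,
                 allowed_countries=frozenset({"BR", "US", "DE"}))
PAYROLL = AppPolicy("payroll", min_score=90, require_mfa=True,
                    allowed_countries=frozenset({"BR"}))
POLICIES = [WIKI, PAYROLL]

HEALTHY = {"disk_encrypted": "true", "os_patched": "true", "edr_running": "true"}
WEAK = {"disk_encrypted": "false", "os_patched": "true", "edr_running": "true"}

ALICE = AccessRequest("alice", True, "lt-001", HEALTHY, sign_posture(HEALTHY), "BR")
CAROL = AccessRequest("carol", True, "lt-002", WEAK, sign_posture(WEAK), "BR")
# Attacker replays Carol's signed report but edits the claim to look healthy:
# the signature no longer matches, so the broker scores the device at 0.
FORGED = dict(WEAK, disk_encrypted="true")
MALLORY = AccessRequest("mallory", True, "lt-002", FORGED, sign_posture(WEAK), "BR")

if __name__ == "__main__":
    for req in (ALICE, CAROL, MALLORY):
        for policy in POLICIES:
            print(req.user, "->", decide(req, policy)[1])
```

Running it shows the three behaviours the text describes: Alice's healthy, MFA-verified session reaches both applications, Carol's unencrypted laptop reaches the wiki but not payroll, and the forged posture report is scored at zero and reaches nothing. The HMAC check is the broker's defence against the second weakness above; the first weakness (a compromised broker) is not something code inside the broker can solve, which is why the broker itself must be hardened and monitored.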
Although these two aspects concern even those who defend the concept, since attackers' creativity and inventiveness keep surprising cybersecurity experts, ZTNA is a considerably more secure access model than perimeter firewalls and VPNs on their own. And for corporate environments that rely increasingly on the cloud, ZTNA really does seem to be the most secure way for a company's digital assets to be available anywhere, anytime, on any device.