Minimize risks with advanced ZTNA features

Cloud security player Zscaler explains how

Giving employees and third parties secure access to applications from anywhere is not a new challenge in the business world. Security stays high on the priority list whatever the task at hand: setting up multicloud environments, hosting applications, digitizing production processes, or building hybrid work environments that give staff remote access to applications.

The real limits of traditional remote access solutions became apparent during the pandemic. VPN gateways were attractive targets for attackers and could not be scaled quickly enough to meet the increased demand without sacrificing performance. Users who remotely accessed applications hosted in data centers or private clouds saw a dramatic drop in the quality of their experience. At the same time, and partly driven by the pandemic, digitization accelerated rapidly, and every device and service newly exposed to the Internet became another entry point for attackers.

In this scenario, organizations face a whole new set of security challenges. Early in the pandemic, Zero Trust Network Access (ZTNA) showed that employees can have high-quality, secure access to the applications they need when permissions follow a least-privilege model. Under this model, access to one application no longer implies access to the entire network: a user reaches a given application only after being explicitly authorized for that specific application. Zscaler Zero Trust Exchange, with comprehensive ZTNA functionality, minimizes the Internet exposure of business applications and uses a highly integrated platform approach to reduce the risks to those applications.

Cloud-based Zero Trust network access gives organizations an advantage

All companies and organizations are responsible for their data and for the access rights they grant to third parties, and a risk assessment on this topic should always be part of their strategy. Businesses rely on the Internet to deliver access to their applications, but the applications themselves do not need to be reachable from the Internet: with ZTNA, applications cannot be opened, or even discovered, online by unauthorized users.

Third-party access, and remote access for maintenance in production environments, should be kept to an absolute minimum. In both scenarios, companies do not have to expose their entire network. Zero trust provides a tunnel that carries only the application access needed for the maintenance or supply chain management process, while the rest of the network remains invisible.

In a cloud-based security platform, a number of features help minimize application exposure:

User-to-app segmentation

Zero Trust Network Access (ZTNA) enables granular segmentation at the level of the individual application, which is the foundation of a stronger security posture. Authorized users can reach only specific applications, based on predefined access rights. Because no network access is granted, users cannot move laterally across the network. A cloud security platform acts as a broker and applies policies to decide whether a user may access an application, based on the user's identity and other context-based criteria.

App-to-app segmentation

When workloads move to the cloud, their communication has to be secured in a different way, and in today's multicloud environments this sits at the heart of the security debate. An application's workload and its data must be available to the IT department and to employees, communicate with other applications over the Internet, and connect back to the data center. If the corresponding access rights are set incorrectly, the attack surface grows and the infrastructure is exposed to greater risk. In such scenarios, explicitly defined access rights that permit only the intended communication between cloud workloads improve security.
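To make the two segmentation models above concrete, here is an added example of a deny-by-default access broker that decides one application at a time. It is illustration written for this page, not Zscaler code and not a description of how the Zero Trust Exchange is implemented; the applications, groups, identities and policy rules are hypothetical. It shows that a user cleared for one application gets nothing else, that an application with no policy is simply unreachable, that context such as device state can veto an otherwise authorized identity, and that the same rule shape restricts which workload may call another workload. A flat VPN-style check is included only for contrast.

```python
"""Deny-by-default application access broker.

Added illustration of user-to-app and app-to-app segmentation; not Zscaler code.
All applications, groups, identities and rules are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    principal: str                    # user identity ("alice") or workload identity ("svc:orders-api")
    application: str                  # exactly one application is requested, never a network
    groups: frozenset = frozenset()   # group memberships asserted by the identity provider
    device_managed: bool = False      # device-posture signal for user devices
    mfa: bool = False                 # was MFA satisfied for this session?
    source_env: Optional[str] = None  # for workload callers: the environment they run in


@dataclass(frozen=True)
class Rule:
    application: str
    allow_principals: frozenset = frozenset()
    allow_groups: frozenset = frozenset()
    require_managed_device: bool = False
    require_mfa: bool = False
    allowed_source_envs: frozenset = frozenset()  # empty means "no environment constraint"


# Hypothetical policy. Anything not named here is unreachable and undiscoverable.
POLICY: List[Rule] = [
    Rule("hr-portal", allow_groups=frozenset({"hr"}),
         require_managed_device=True, require_mfa=True),
    Rule("jenkins", allow_groups=frozenset({"engineering"}), require_mfa=True),
    # app-to-app: only the orders API, and only from production, may reach the orders DB
    Rule("orders-db", allow_principals=frozenset({"svc:orders-api"}),
         allowed_source_envs=frozenset({"prod"})),
]


def decide(req: Request, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one request to one application."""
    matching = [r for r in policy if r.application == req.application]
    if not matching:
        return "deny", "no policy for application"  # the app is not exposed at all
    reason = "identity not authorized for application"
    for rule in matching:
        if req.principal not in rule.allow_principals and not (req.groups & rule.allow_groups):
            continue
        # Identity matches this rule; now every context condition the rule demands must hold.
        if rule.require_managed_device and not req.device_managed:
            reason = "unmanaged device"
            continue
        if rule.require_mfa and not req.mfa:
            reason = "mfa required"
            continue
        if rule.allowed_source_envs and req.source_env not in rule.allowed_source_envs:
            reason = "source environment not permitted"
            continue
        return "allow", f"rule for {rule.application} satisfied"
    return "deny", reason


def vpn_style_decide(req: Request) -> Tuple[str, str]:
    """Contrast only: a flat VPN grants any authenticated identity reach to every host."""
    return "allow", "authenticated, full network reach"


def demo() -> dict:
    """Constructed requests showing per-application decisions."""
    alice = dict(principal="alice", groups=frozenset({"hr"}), device_managed=True, mfa=True)
    byod = {**alice, "device_managed": False}
    return {
        "alice_hr_portal": decide(Request(application="hr-portal", **alice))[0],
        "alice_jenkins": decide(Request(application="jenkins", **alice))[0],
        "alice_unknown_host": decide(Request(application="legacy-fileshare", **alice))[0],
        "alice_byod_hr_portal": decide(Request(application="hr-portal", **byod))[0],
        "orders_api_prod": decide(Request("svc:orders-api", "orders-db", source_env="prod"))[0],
        "orders_api_dev": decide(Request("svc:orders-api", "orders-db", source_env="dev"))[0],
        "vpn_alice_jenkins": vpn_style_decide(Request(application="jenkins", **alice))[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

The broker never returns a route or a subnet; every decision names one application, so an identity that is allowed into hr-portal learns nothing about jenkins or orders-db, and a hostname with no rule does not exist as far as the caller can tell.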

Isolation via browser-based access

Browser-based access adds a further level of risk reduction. Even though the user holds the relevant access rights, the system does not establish a direct connection between the client and the application. The user connects through a Remote Desktop Protocol (RDP) or SSH session that is rendered in the browser, so the client receives only a rendered view of the actual application rather than a full connection to it. This protects the application from potentially harmful content originating from the user or their device, such as an attempt to infect an internal app with malicious code. It does not protect against what an authorized user deliberately does inside the session, so it complements the access policy rather than replacing it.

Higher security in OT environments through privileged remote access

As production environments digitize, companies must also decide who may access their machine control systems for maintenance purposes. The previously separate worlds of IT and OT have to be brought together so that only authorized people can reach those systems. The challenge so far has been how to grant access rights to a third party whose device is not managed by the company. Where an RDP or SSH client cannot be configured on that device, a web portal can broker the privileged access instead.

Use of honeypots as a defense mechanism

Finally, companies choosing ZTNA should also consider the risk of compromised users or devices. Attackers can use stolen identities to reach exactly the applications the legitimate employee is allowed to use, so a correct access decision alone will not reveal them. If an attacker operating with a stolen identity is lured into a deliberately placed honeypot, however, the attack is detected the moment the decoy is touched, because a legitimate user has no reason to go there, and critical data can be protected.
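The deception point above amounts to a simple detection rule: any touch of a decoy is an alert, regardless of whether the access was allowed. Here is an added example, written for this page and not Zscaler code, that runs that rule over constructed access-broker log lines. The decoy application names, the honeytoken account and the log entries are all made up for the illustration. Beyond raising the alert, it scopes what else the same identity reached, which is what a responder needs in order to protect the real data.

```python
"""Decoy-touch detection over access-broker logs.

Added example of the deception idea; not Zscaler code. Log lines, decoy names
and the honeytoken account are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List

# Decoy applications published alongside real ones, and a honeytoken account that
# exists only to be stolen. No legitimate user or job ever uses either of them.
DECOY_APPS = {"decoy-payroll-archive", "decoy-backup-console"}
HONEYTOKEN_ACCOUNTS = {"svc_backup_legacy"}

# Constructed broker log: "<timestamp> <principal> <device> <application> <decision>"
SAMPLE_LOG = """\
2024-05-02T09:01:12Z alice laptop-17 hr-portal allow
2024-05-02T09:03:40Z alice laptop-17 decoy-payroll-archive allow
2024-05-02T09:04:05Z alice laptop-17 finance-reports allow
2024-05-02T09:10:00Z bob laptop-22 jenkins allow
2024-05-02T09:12:30Z svc_backup_legacy build-node-3 jenkins deny
"""


def parse(log: str) -> List[dict]:
    """Split the whitespace-delimited constructed log into event dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, principal, device, app, decision = line.split()
        events.append(dict(ts=ts, principal=principal, device=device, app=app, decision=decision))
    return events


def detect(events: List[dict]) -> List[dict]:
    """Flag every decoy touch, even a denied one, and scope what the same identity also reached.

    A decoy hit is a high-fidelity signal: nothing legitimate depends on the decoy,
    so the identity and device are treated as compromised from that moment on.
    """
    by_principal: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)

    alerts = []
    for e in events:
        if e["app"] in DECOY_APPS:
            kind = "decoy_app_access"
        elif e["principal"] in HONEYTOKEN_ACCOUNTS:
            kind = "honeytoken_credential_use"
        else:
            continue
        # Real applications this identity was actually let into: the scope to review and revoke.
        also = sorted({x["app"] for x in by_principal[e["principal"]]
                       if x["app"] not in DECOY_APPS and x["decision"] == "allow"})
        alerts.append(dict(kind=kind, principal=e["principal"], device=e["device"],
                           ts=e["ts"], also_accessed=also))
    return alerts


def run(log: str = SAMPLE_LOG) -> List[dict]:
    return detect(parse(log))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample log this yields two alerts: alice's session touched a decoy application, with hr-portal and finance-reports as the real applications to review, and the honeytoken account was presented to jenkins even though the broker denied it. In practice each alert would feed session revocation for that principal and device; the detector stays silent for bob, who only used applications he is entitled to.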

The comprehensive functionality of the Zscaler Zero Trust Exchange lets companies build additional layers into their defense strategy through segmentation, isolation and deception, matched to their own risk appetite. With the new ZTNA features, companies can implement the protection that so many modern use cases require, including remote access for employees, third parties and machine maintenance, at a significantly finer level of granularity.

By Nathan Howe, Vice President of Emerging Technology at Zscaler