Five Steps to Zero Trust Network Access: Identifying Your Applications
Implementing a zero trust cybersecurity framework is a considerable undertaking — yet so many organizations and government agencies are on a zero trust journey in 2023 that Gartner says the term is moving past marketing hype into reality. Furthermore, Gartner suggests that ZTNA (zero trust network access) and network micro-segmentation are two areas in which organizations of any size could begin ZTNA adoption.
And helping you move forward in your zero trust journey is the purpose of this blog.
Steps to Zero Trust Implementation
In Part 1 of this BlackBerry® blog series, I discussed how to identify practical ZTNA use cases for your organization, then in Part 2, described how organizations can employ ZTNA user personas. Here in Part 3, I’ll define the different types of applications that could be brought under a ZTNA architecture.
Zero Trust Network Access: Identifying Applications
Identifying, inventorying, and gradually bringing one or more applications and services under the ZTNA umbrella can help manage the pace of any zero trust deployment. While this article focuses on a few general application types, their selection and prioritization should in practice be determined by your organization’s unique use cases, user experiences, and security objectives. The choice of applications also determines how quickly you see quick wins and return on investment, and how clearly a ZTNA roadmap takes shape.
One popular use case for ZTNA is conditional access to SaaS (software-as-a-service) applications — such as Google Workspace™ and Salesforce®, in tandem with identity providers like Okta® and Ping® — without the need for either a VPN (virtual private network) solution, or for backhauling of SaaS traffic via on-premises network and security appliances.
To deploy conditional access, first determine whether SaaS traffic will egress from a shared or a dedicated IP address: a dedicated IP address, a defined IP address range, or the option of a custom IP address can significantly bolster cyber resiliency, because the SaaS application or identity provider can then restrict sign-ins to that known egress. Additionally, a one-click configuration to manage SaaS application access, combined with the ability to configure and control private access, can further streamline the roll-out of a zero trust project.
Enterprise Applications: Data Center
Establishing segmented access control for remote and secure private access to on-premises applications allows your users to communicate with content and application servers behind your firewall, when using a zero trust solution such as CylanceEDGE™ from BlackBerry, rather than a traditional VPN. In addition to providing network visibility, secure private access can prevent intruders and malicious insiders from accessing unauthorized information. Furthermore, secure on-prem data center access can stop bots and other forms of malware from reaching command and control servers.
Enterprise Applications: Private Cloud
As enterprises migrate their workloads from on-prem to private cloud systems such as Amazon Web Services and Microsoft Azure®, secure access to private apps hosted at hyperscaler data centers becomes vital for successful zero trust transformation. A ZTNA solution that can simultaneously and seamlessly support secure access to enterprise, SaaS, and private applications, can reduce friction, increase protection, and enhance productivity.
Enterprise Applications: Mobile Devices
Private and secure access to applications from mobile devices within a ZTNA environment can also greatly enhance the user experience. Private access from mobile devices can be accommodated by establishing a secure tunnel across the whole of the device, and/or by configuring a per-app tunnel to allow secure access from specific applications. Repurposing traditional VPN solutions on mobile has so far proven ineffective to support the rapid adoption of SaaS apps and migration of workloads to hyperscaler providers. A ZTNA solution that can provide a choice of tunnel (full, split, or per-app) is ideal for supporting secure access while maintaining consistent access control across all endpoints.
Browser access to private, public, and SaaS apps is yet another application access type that could be implemented within a zero trust framework. Enterprise policies may require limiting access from certain browsers such as Safari® or Chrome™, and devices can be configured to enforce this through a per-app tunnel. ZTNA solutions that achieve similar outcomes on Windows® desktops and macOS® endpoints can subsequently eliminate the need for a standalone browser-based solution.
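The ideas above (a deny-by-default application inventory, conditional access to SaaS gated on a dedicated egress IP range, per-app tunnel choice, and browser restrictions) can be sketched as one small policy check. This is an added example, not BlackBerry or CylanceEDGE code; the application names, egress prefixes and client names are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
import ipaddress

class AppType(Enum):
    SAAS = "saas"                    # e.g. Google Workspace, Salesforce
    DATA_CENTER = "data_center"      # on-prem, behind the firewall
    PRIVATE_CLOUD = "private_cloud"  # hosted at a hyperscaler

class Tunnel(Enum):
    FULL = "full"
    SPLIT = "split"
    PER_APP = "per_app"

@dataclass(frozen=True)
class App:
    name: str
    app_type: AppType
    tunnel: Tunnel                 # tunnel mode assigned to this app
    # SaaS only: dedicated egress prefixes the IdP is told to trust
    # (constructed documentation-range values, not real infrastructure)
    dedicated_egress: tuple = ()
    allowed_clients: tuple = ()    # empty tuple means any client

def decide(inventory: dict, app_name: str, egress_ip: str,
           client: str) -> tuple[bool, str]:
    """Return (allow, reason). Anything not inventoried is denied."""
    app = inventory.get(app_name)
    if app is None:
        return False, "deny: application not in ZTNA inventory"
    if app.allowed_clients and client not in app.allowed_clients:
        return False, f"deny: client '{client}' not permitted"
    if app.app_type is AppType.SAAS:
        ip = ipaddress.ip_address(egress_ip)
        if not any(ip in ipaddress.ip_network(p) for p in app.dedicated_egress):
            return False, "deny: egress outside dedicated IP range"
    return True, f"allow via {app.tunnel.value} tunnel"

# Constructed inventory covering the application types discussed in the post.
INVENTORY = {a.name: a for a in (
    App("salesforce", AppType.SAAS, Tunnel.SPLIT, ("203.0.113.0/28",), ("chrome",)),
    App("hr-portal", AppType.DATA_CENTER, Tunnel.FULL),
    App("billing-api", AppType.PRIVATE_CLOUD, Tunnel.PER_APP),
)}

if __name__ == "__main__":
    for args in (("salesforce", "203.0.113.5", "chrome"),
                 ("salesforce", "198.51.100.7", "chrome"),
                 ("salesforce", "203.0.113.5", "safari"),
                 ("legacy-ftp", "203.0.113.5", "native")):
        print(args[0], decide(INVENTORY, *args))
```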
In the upcoming Part 4 of this blog series, I will discuss access control list policy for user-application micro-segmentation, which can bolster network security while transforming and modernizing the network architecture.