ZTNA strengthens security controls for remote workers

News Desk -

Zero Trust Network Access boosts remote access security while reducing the network attack surface.

Remote access has been a component of the network since the days of acoustic, dial-up modems and the blazing fast speeds of 56 kbps. Well, perhaps not blazing fast. These modems eventually gave way to faster and more secure technologies, with virtual private networks (VPNs) hitting the market in the early 2000s. In today’s pandemic-dominated, work-from-home (WFH) environment, VPNs simply cannot cut it anymore, falling victim to security vulnerabilities, speed limitations and lack of scaling. Replacing VPNs for secure, high-performance remote access is Zero Trust Network Access (ZTNA).

By requiring that every component of the transaction of accessing a network, its resources and applications, and its data are authenticated and authorized, ZTNA goes well beyond the Russian proverb: Trust but verify. Zero trust environments, which significantly reduce risk by constantly authenticating every user, device, application and transaction, are based on the mantra: Never trust; always verify.  

Essence of zero trust

ZTNA is a fundamental component of the Secure Access Service Edge (SASE) security framework. It ensures that users and devices are who and what they claim to be and can be instrumental in protecting a network from ransomware attacks.

While this article focuses on Sophos ZTNA for enhancing remote access beyond the popular VPN, a detailed explanation of how Sophos ZTNA can be used to fight ransomware can be found here.  

“Zero trust is a way of thinking, not a specific technology or architecture,” wrote Gartner Distinguished VP Analyst Neil MacDonald in the research firm’s article New to Zero Trust Security? Start here. “It’s really about zero implicit trust, as that’s what we want to get rid of.”

A better option for remote access  

The pandemic enticed cyber criminals to target remote workers, forcing organizations to rethink how they implement their zero-trust strategy. As more employees work from home, the corporate imperative for cybersecurity changes. Where once a handful of employees worked remotely, today entire companies are becoming virtual.  

Transitioning to a remote workforce changes the risk profile for the corporate network and endpoints, further stressing network security resources that might be underpowered for the massive relocation of staffers, and creates a larger attack surface. To address this fluid network security challenge, many companies with traditional, on-premises organizations and standard perimeter defenses from the early 2000s are turning to a zero-trust model to reduce the attack surface while concurrently ensuring that every user and device that logs in is fully authenticated. They are doing this, in part, by retiring their VPNs and substituting ZTNA.

The differences between how VPNs and ZTNA approaches address security, scaling and bandwidth are noteworthy. VPNs provide basic network access. If a user has the proper credentials — often just a username and password — they get access to the entire corporate network and all that is attached to it, just as they would if they were sitting in the office at a network-attached workstation within the firewalls.

ZTNA delivers strong defenses against potential bad actors by eliminating the implicit trust and lateral movement of VPNs. Additionally, VPNs tend to be slow and were not designed to operate in environments where most workers were off-site, away from the strong fortifications of network firewalls and the rest of the network security infrastructure. ZTNA offers a better alternative for remote access by providing superior security and threat protection, a more scalable management experience and a more transparent, frictionless experience for end-users.  

As workers move out of the friendly confines of the corporate network and work from home, they create millions of new, vulnerable endpoints, often outside the control of the corporate IT staff. These endpoints are ripe targets for attackers, since a large percentage of the endpoints might not have corporate-class security protections.  

Additionally, the large number of newly minted external users placed a huge load on already overburdened corporate VPNs. While VPNs have fixed bandwidth limits, ZTNA is flexible, scaling up to meet the greater network load from WFH employees.

Connecting via ZTNA gives a user access to a specific application on the corporate network, not universal access. The applications, users and devices are micro-segmented to limit the ability of the user to move through the network, a common ploy of cyberattackers and malware. With the integration of device health checks, which automatically prevent compromised devices from accessing business resources, Sophos ZTNA takes full advantage of its unique integration with the full Sophos ecosystem, especially Sophos Intercept X endpoints.
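As an added illustration (example code, not Sophos ZTNA's own), the toy policy decision point below contrasts the VPN model described above (valid credentials grant the whole network) with a ZTNA-style decision that re-checks identity, device health and a per-application policy on every request. The users, applications and posture states are constructed for the example.

```python
"""Toy ZTNA-style policy decision point (constructed example, not Sophos code).

Shows why per-application, per-request decisions block the lateral movement
and stale-trust problems that a network-wide VPN grant leaves open.
"""
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    health: str  # constructed posture states: "good", "suspicious", "compromised"


@dataclass
class Session:
    user: str
    device: Device
    credentials_ok: bool


# Constructed per-application policy (micro-segmentation): app -> users allowed.
APP_POLICY = {
    "crm-web": {"alice", "bob"},
    "finance-rdp": {"alice"},
}


def vpn_decision(session: Session, resource: str) -> bool:
    """Legacy VPN model: valid credentials grant access to every resource,
    regardless of which application is requested or how healthy the device is."""
    return session.credentials_ok


def ztna_decision(session: Session, app: str) -> bool:
    """ZTNA model: identity, device health and the app-specific policy are all
    checked for this request; nothing is inherited from an earlier grant."""
    if not session.credentials_ok:
        return False
    if session.device.health != "good":  # device health integration
        return False
    return session.user in APP_POLICY.get(app, set())  # per-app access only


def evaluate_requests(session: Session, requests, decide):
    """Run a sequence of (app, device_health_at_time) requests through a decision
    function. Health is re-read for each request to model continuous verification,
    so a device that becomes compromised mid-session loses access immediately."""
    results = []
    for app, health_now in requests:
        session.device.health = health_now
        results.append((app, decide(session, app)))
    return results
```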

The Sophos ZTNA difference

Sophos ZTNA is a much more secure and easy-to-manage remote access approach that delivers a transparent, frictionless experience for end-users. Moving to a zero-trust model significantly reduces risk while protecting the network from potential attackers, including those who plan to deposit malware on a system or leave breadcrumbs for employees to find, leading them to compromised websites. Among its key capabilities are:

  • It removes the need for VPN clients, reducing the attack surface and making it harder for adversaries to get on your network
  • Ransomware actors commonly exploit weaknesses in VPN clients (vulnerabilities, misconfigurations) to get into their victims’ networks, but ZTNA removes that avenue by eliminating VPNs
  • ZTNA constantly checks user and device security, delivering continuous, high-level controls and preventing attackers from exploiting a previously authenticated user’s access
  • It makes it easy to apply granular access controls, enabling companies to easily restrict access to resources just to those who need it, further reducing the attack surface
  • It is managed from the same Sophos Central console that customers use to manage their other Sophos products, and uses the same agent as the Sophos endpoint protection, reducing device overhead  
  • With the average cost of ransomware remediation now $1.85 million, investing in secure remote access via a ZTNA approach is a cost-effective decision for small- and mid-sized organizations, with a discernible return on investment

Sophos ZTNA delivers transparent, clientless access for web-based applications. Among the applications a ZTNA client protects are Remote Desktop Protocol (RDP), Secure Shell (SSH), Virtual Network Computing (VNC, a remote-control application) and other TCP/UDP-heavy applications. In fact, RDP is one of the problematic applications often used by malware to give attackers access to infected networks. As such, many cyber insurance companies recommend that RDP access be removed entirely from corporate networks as a condition of obtaining cyber insurance.