A holistic approach to security: Zero Trust Network Access (ZTNA)

Zero Trust Network Access, part of Jamf Connect, protects your entire fleet of macOS, iOS/iPadOS, Android and Windows endpoints against the modern threat landscape. It extends secure remote access and “Zero Trust” technology to organizational resources and data, granting access only to endpoints and users that meet your requirements – all others are denied by default.

Jamf endpoint security and mobile threat defense solutions offer detection, prevention and remediation capabilities that extend protections across your entire desktop and mobile fleet, protecting devices and empowering users while keeping data secure and maintaining privacy.

November 10 2022 by Jesus Vigo


Endpoint security, much like life, shares an interesting quality: “Everyone wants to walk through a door marked private.” – XXXX, Layer Cake. In the case of the latter, people around the world often queue up to enter clubs, concerts and other social events to access the exclusive sections cordoned off for VIPs.

As it relates to endpoint security, the same applies when requesting access to sensitive data, business apps and securing remote network connections – the aim is to let the right requests through (authorized users and devices) while restricting access to all others (unauthorized users and unknown/compromised devices).

Those other solutions only begin to scratch the surface of the modern threat landscape challenges Zero Trust Network Access (ZTNA) was designed to address. In redesigning the approach to remote connection security, ZTNA expands on the protection introduced by legacy VPN so many decades ago by integrating:

  • Identity-centric authentication
  • Context-aware access policies
  • Network segmentation
  • Device health attestation
  • Always-on, low resource usage
  • Uniform policy enforcement
  • Real-time risk assessment data

Many more features were developed with modern data security needs at the forefront, to holistically address the concerns facing organizations trying to keep their devices, users and data safe from modern threats. ZTNA does this while adapting to the evolving work environment brought on by the migration to remote and hybrid environments, the growth of mobile device adoption in the enterprise and the various ownership models in use, such as corporate-owned/personally enabled (COPE) and employee choice models like bring your own device (BYOD) and choose your own device (CYOD).

The result is that – regardless of what device you’re using, where you’re working from, which network you’re connected to or the time of day – users can remain productive while corporate resources remain secured across the entire infrastructure. This flexibility ensures security is maintained and user privacy is upheld – without compromising either to achieve it.

Never trust – always verify

The above phrase is the driving force behind ZTNA. In a nutshell, it removes the concept of trust completely from the security equation because, well, it simply cannot be trusted implicitly.

“Trust” as a concept implies that the endpoint (usually managed and company-owned) has been vetted by the organization at one point in time, so it stands to reason that it is free from malicious code and suspicious network connections, is up to date and therefore should be granted access to any resources the user requests. Here’s the rub: perhaps the device was indeed free from malware at the time it was checked. However, that doesn’t mean that it will be free from internal or external threats at any point in the future.

The waters get even murkier when considering how the modern computing landscape has changed with the adoption of mobile devices and varying ownership models. In other words, if it’s difficult to ascertain the security of a managed endpoint, stop to consider how much more of a challenge it is to determine the security level of an unmanaged one.

Is it wise to grant access to organizational resources or work with sensitive, perhaps even confidential data to a personally owned device that the organization’s IT or Security teams do not have administrative access to or even visibility into?

In case you were wondering, no, implicitly granting access like that does not align with best practices. That said, these types of scenarios are the crux of what ZTNA was developed for: providing organizations with adaptable, scalable endpoint security that spans your entire fleet to protect access to resources, apps and data from bad actors and compromised devices, through constant attestation that dynamically adjusts access based on the risks identified.

If risks are identified, access is denied and context-aware policies automatically execute in real-time to mitigate risk through several remediation tasks, such as deploying updated patches or cleaning malware threats on supported, modern operating systems. After mitigation tasks have been performed, endpoint health is verified again to ensure devices and user accounts are free from threats prior to re-instating access for the user, mitigating threats that could otherwise lead to a compromise or data breach.

Secure access without the legacy pain points

While we mentioned VPN before when discussing securing remote connections, we didn’t go into detail as to what makes ZTNA the more advanced and better solution to protect users and devices working with data away from the company office.

Let’s begin by highlighting some of the ways ZTNA resolves the security challenges that plague legacy VPNs:

  • Microtunnels: Each request to access a resource, app or data source is made through its own dedicated microtunnel. This ensures not only that communications are secured through encryption but also that, if a resource were to be compromised, only the affected resource needs to be disabled until resolved. This limits disruptions to only affected resources, permitting users to remain productive while the issue is remediated by IT.
  • Network segmentation: By design, legacy VPN grants users access to the entire network. This opens the door to lateral attacks if the account becomes compromised. By default, ZTNA is designed to prevent lateral movement attacks since each resource request is contained within a unique microtunnel. This permits network segmentation between each request, preventing a compromised device or credential from being reused laterally to further compromise the organization.
  • Context-aware access policies: Device attestation coupled with access policies provides visibility into endpoint health in real time, which allows policies to determine whether endpoints meet the requirements for access, such as having up-to-date patches and not being rooted/jailbroken or otherwise compromised. Armed with this data, policies can be granularly configured to automatically execute upon resource request to determine if access is granted or denied. If denied, workflows can be configured to automate remediation tasks to bring the affected endpoints into compliance before access is granted.

Proper credentials + authorization = Access. No exceptions.

As you are no doubt aware by now, ZTNA requires both authentication and permission components to approve a request before access is granted. If one or both fail – regardless of the device’s ownership level or user’s job role – access will be denied. Simple as that!

To enable this added layer of security, ZTNA leverages its integration with cloud-based identity providers (IdP) to not only map permissions to roles or groups but to also keep those permissions updated and in sync across your infrastructure (but more about that a bit later).

For now, ZTNA achieves parity with multiple security paradigms by combining the following:

  • Centralized authentication: Gone are the days of separate VPN accounts, adding more administrative overhead to already overburdened IT and Security teams and yet another password for users to remember and keep safe. Through IdP integration, users need to only worry about one password to request access to resources through a portal. The former keeps permissions up-to-date while the latter works in conjunction with ZTNA’s security features to limit access to only what users are assigned.
  • App-specific access controls: Not all apps are created equal, just like some data may be more critical than others. App-specific controls can be customized to add greater flexibility to security controls, by requiring multifactor authentication (MFA) or specifying a particular device configuration to be enabled to further enhance the security of the resource. By keeping data independent from devices or authentication credentials, access to organizational information is always protected — regardless of the endpoint’s status.
  • Enforce least privilege: By centralizing authentication around IdP, the permissions associated with a user account, role or group are implicitly stated, meaning users only have access and are limited to the specific resources they are granted access to. All other organizational resources are effectively blocked and hidden from the user’s view. In other words, they can access up to and including what’s necessary for them to be productive and cannot see anything else.
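
The access decision described in the context-aware policy and least-privilege items above can be sketched as a deny-by-default check. This is an added example, not Jamf's code or API: the class names, app names, policy layout and reason strings are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    os_patched: bool
    jailbroken: bool
    malware_detected: bool

@dataclass(frozen=True)
class Request:
    authenticated: bool      # IdP sign-in succeeded
    mfa_passed: bool
    groups: frozenset        # group membership reported by the IdP
    device: Device
    app: str

# Constructed per-app policy (hypothetical names, not a vendor schema).
APP_POLICY = {
    "payroll": {"groups": frozenset({"finance"}), "require_mfa": True},
    "wiki": {"groups": frozenset({"finance", "engineering"}), "require_mfa": False},
}

def posture_findings(device):
    """Map failed device-health checks to the remediation each one needs."""
    checks = [
        (device.os_patched, "remediate:install_os_updates"),
        (not device.jailbroken, "remediate:restore_os_integrity"),
        (not device.malware_detected, "remediate:remove_malware"),
    ]
    return [action for ok, action in checks if not ok]

def decide(req):
    """Return (allowed, reasons); anything not explicitly allowed is denied."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, ["deny:unknown_app"]
    reasons = []
    if not req.authenticated:
        reasons.append("deny:not_authenticated")
    if not (req.groups & policy["groups"]):
        reasons.append("deny:not_authorized")
    if policy["require_mfa"] and not req.mfa_passed:
        reasons.append("deny:mfa_required")
    reasons += posture_findings(req.device)
    return not reasons, reasons

def visible_apps(groups):
    """Least privilege: list only the apps the user's groups are entitled to."""
    return sorted(a for a, p in APP_POLICY.items() if groups & p["groups"])
```

Calling `decide` again after the listed remediation has run models the re-verification step: the same request is allowed only once the findings list is empty.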

Manage risk, not infrastructure

Modern computing requires a lot of flexibility from all stakeholders – from the types of devices used, to optimizing the software for maximum efficiency, to being able to scale quickly to meet the demands of your fleet.

Below are a few of the benefits of modernizing the protection of your endpoints with ZTNA:

  • Cloud-based: No hardware to maintain means ZTNA can be implemented quickly and easily. Plus, scaling to meet your needs requires nothing more than a few taps of your screen to adjust the software-defined perimeter (SDP) – no costly equipment to manage, expensive service contracts, increased utility charges or additional support personnel.
  • No complex configurations: Unlike legacy VPNs which could require complex configurations and added administrative overhead to management processes, ZTNA isn’t dependent upon maintaining hardware in an office. Nor does it require coordinating with multiple vendors across multiple service calls to get integrations operating properly.
  • Extends across entire fleet and infrastructure: By leveraging modern security protocols, ZTNA is designed to work seamlessly with on-premises, public and private clouds and SaaS, both extending security across your entire infrastructure and standardizing security policies, aligning them with organizational policies for endpoint compliance from end to end.

Purpose-built for Apple

Not all VPNs (or ZTNAs for that matter) are created equal. That said, many secure remote access solutions don’t work well on mobile devices. Sometimes they lack the robust features of their desktop counterparts, other times, they simply lack the optimization for the technologies present in mobile operating systems. Either way, it results in a poor user experience that often leads to users simply not enabling the security features just to avoid the headache.

In our ZTNA – an included component of Jamf Connect – the issues listed above are addressed as Jamf developed ZTNA with the following in mind:

  • Align with Apple frameworks: Apple’s native frameworks governing security and privacy serve as foundational support for the endpoint protections included. As a result, users and administrators alike can expect same-day support for all of Apple’s operating systems, which takes advantage of the latest protections against vulnerabilities and keeps your Apple fleet safe and secure without compromising user privacy.
  • Designed and optimized for mobile: Ensure protections extend to all mobile device features, such as securing Wi-Fi and Cellular networks, optimizing for battery life by utilizing minimal device resources and designing ZTNA solutions for mobile endpoints to maximize performance.
  • Uphold the user experience: What’s the benefit of deploying legacy VPN if users are frustrated or merely forget to enable it? Neither bodes well, and both will certainly put data at risk. That’s why ZTNA distinguishes between business and personal apps, relying on split-tunneling technology to intelligently protect business app traffic while routing personal app traffic directly to the internet, balancing performance, security and privacy. Furthermore, ZTNA just works, connecting automatically when business apps are launched and reconnecting as needed – user intervention is not required.

Key takeaways:

  • No implicit trust – access is granted only with proper credentials and authorization.
  • Identity-centric integration ensures IdP credentials and permissions are centrally managed and in sync.
  • Device health is constantly monitored, attested and verified before each unique access request is granted.
  • Data is secured and protected independently from devices or authentication requests across your entire fleet while standardizing these protections across your infrastructure.
  • Secure remote access encrypts all work traffic while segmenting network traffic, by default.
  • Microtunnels for each unique request protect resources while upholding the principle of least privilege.
  • Context-aware policies deny access to devices that do not meet granular requirements, such as devices with missing patches, or to devices or user credentials that have become compromised.
  • Automated remediation workflows execute when access requests are denied, bringing endpoints back into compliance.
  • Designed and optimized for mobile devices to ensure minimal resource utilization while maximizing performance.
  • Cloud-based infrastructure integrates seamlessly with your existing on-premises, public/private clouds and SaaS apps without needing to manage hardware or software configurations.

***

This post is one of a series on a holistic approach to security.