Zero trust isn’t just a buzzword; it’s a security imperative. Learn how ZTNA can protect your organization from modern threats and ensure seamless remote access.

Zero-trust network access (ZTNA) is a security model that follows the principle of “never trust, always verify.” Instead of relying on traditional network perimeter security, ZTNA mandates that every access request, regardless of its origin, is strictly validated before permission is granted. Every user, device and application must be continuously authenticated and authorized, so that only those with legitimate credentials can reach network resources.

The term “zero trust” gained widespread recognition in the industry thanks to a Forrester Research analyst over a decade ago. Shortly after, commercial zero-trust security solutions began to emerge, and their adoption rates have steadily climbed across industries worldwide.

The increasing popularity of ZTNA in recent years, particularly following the global pandemic, can be attributed to the shift away from traditional office environments. Today, employees often access corporate networks, applications and data remotely, from diverse locations and using a variety of devices. This trend, coupled with the growing demand for cloud-based services and digital transformation, has rendered traditional perimeter-based security models ineffective.

For example, many of our bank customers haven’t visited a physical branch in years. Why? Because the features and convenience of internet and mobile banking make the physical branch irrelevant for most people. The backend technology behind those services is built on the capacity that cloud computing and open banking have given us. The old static security approach, which blindly trusts entities inside the network while distrusting those outside, can no longer adequately protect modern organizations.
To address this challenge, a new framework is needed: one that focuses on user identity, device, application, data and network-centric security, providing continuous, dynamic and secure access. This is where ZTNA comes into play.

ZTNA is not a standalone solution

Zero trust is part of a comprehensive framework that addresses user identity as well as device, application, data and network security. As CISOs, we must assess our current state in each of these areas, understand our existing access control mechanisms and determine how verification is performed, both initially and on an ongoing basis. Prioritizing critical assets for ZTNA implementation is essential, as is creating a user-friendly and customer-centric security experience.

So, how does ZTNA allow us to meet the demands of supporting remote work and digital transformation initiatives? While digital transformation often involves technological advancements, it begins with a cultural shift and encompasses changes in infrastructure, governance, business operations, client engagement and more. ZTNA is a key component of this transformative journey. Indeed, it’s the engine that enables the entire journey!

It’s important to view ZTNA beyond the context of remote work alone. Before the pandemic, the world was already increasingly interconnected, and ZTNA provided the foundational philosophy for this global village. Since the pandemic, its significance has grown exponentially as a larger portion of the population has adopted remote work. ZTNA enhances security across all aspects of the digital landscape, from user identities and devices to applications, data and networks. By continuously evolving and adapting, ZTNA offers a dynamic and robust approach to access control.

Let us look at some real ZTNA implementation cases in the industry.

Use case: ZTNA for multi-cloud access control

Organizations are increasingly adopting multi-cloud strategies to leverage the benefits of multiple cloud environments.
Securely accessing resources across these environments has become a critical requirement. ZTNA addresses this by enforcing least-privilege access controls and taking contextual factors such as user identity, device posture and location into account, so that users can reach only the resources they are authorized to use on the respective cloud.

As Symantec’s paper, “ZTNA to Multiple Data Centers,” highlights, a London-based international fintech company specializing in software-as-a-service and distributed ledger technology for financial institutions has successfully implemented a ZTNA solution to secure access to its multi-cloud environment. The company’s complex regulatory landscape demands strict control over access to sensitive customer data across its operations in the UK, the US and other locations. By replacing traditional VPNs with a ZTNA solution, the company has achieved identity-based access control and seamless integration with its existing identity and access management (IAM) solution. This deployment has streamlined access to web portals, APIs and various servers without the need for endpoint agents, enhancing security, governance and operational flexibility across its global infrastructure.

Use case: ZTNA for BYOD support

The pandemic accelerated the adoption of so-called bring your own device (BYOD) policies, enabling employees to connect to the corporate network from anywhere, at any time, using any device. ZTNA provides secure, agentless access to enterprise applications from personal devices, supporting BYOD initiatives. As SentryBay’s whitepaper, “Prioritize Security to Successfully Deliver BYOD in a Zero Trust Framework,” highlights, a North American insurance company faced significant costs and compliance challenges with tens of thousands of remote agents using corporate laptops. To reduce expenses, the company adopted a BYOD strategy and deployed a virtual desktop infrastructure (VDI) system.
However, this introduced new endpoint compliance risks. A ZTNA solution was implemented to secure the VDI client, ensuring compliance with PCI DSS requirements. The product was installed using single sign-on (SSO) and certificate-based device validation, turning unmanaged devices into secure endpoints. This approach reduced capital expenditures, simplified device management, ensured compliance and safeguarded customer data.

Use case: ZTNA for meeting regulatory and compliance requirements

Organizations, especially those in regulated sectors, must satisfy a range of compliance and regulatory requirements, including stringent access controls, detailed audit logs and security analytics. Traditional security solutions often lack the granularity and documentation needed to meet these requirements. ZTNA addresses these challenges with granular access control, detailed logging and real-time security analytics.

As highlighted in the same SentryBay whitepaper cited in the section above, a global investment bank struggled to meet financial compliance regulations with its existing security solution for thousands of remote workers accessing the corporate network. To address these issues, the bank replaced the previous solution with a ZTNA solution, which provided a highly customized security profile for an initial 7,000 endpoints, since expanded to 20,000. The solution ensured full compliance with global financial authorities while reducing support calls and eliminating the need for new corporate laptops. The seamless deployment protected remote employees globally, with patented kernel-level protection against keylogging and screen capture, effectively safeguarding sensitive financial data.
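To make the mechanics behind these three use cases concrete, here is an added example, written for this article rather than taken from it or from any of the vendors it cites, of a minimal policy decision point in Python. It evaluates each request against user identity, certificate-based device validation, device posture, location and SSO session age; applies per-resource least privilege with default deny; and writes one JSON audit line per decision that a simple analytics function can query, which is the kind of granular record the compliance use case calls for. Every user, role, resource name, certificate fingerprint and policy rule in it is a constructed assumption.

```python
# Added example: a toy zero-trust policy decision point (PDP).
# Every identifier, policy rule and sample value below is constructed for
# illustration; none comes from the article or the vendors it cites.
import json
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Device:
    device_id: str
    cert_fingerprint: str   # fingerprint of the client certificate presented (e.g. via mTLS)
    os_patched: bool        # posture signals reported by the endpoint
    disk_encrypted: bool

@dataclass(frozen=True)
class AccessRequest:
    user: str
    session_age_min: int    # minutes since the SSO session was last verified
    device: Device
    country: str            # derived from network location
    resource: str           # e.g. "aws:payments-api", "azure:hr-portal"
    action: str

@dataclass(frozen=True)
class Rule:
    roles: frozenset          # roles allowed to touch the resource
    actions: frozenset        # actions permitted on it (least privilege)
    countries: frozenset      # locations from which access is allowed
    require_trusted_device: bool
    max_session_age_min: int  # force re-verification after this many minutes

# Constructed identity directory, device inventory and policy (assumptions, not real data).
ROLES = {"alice": frozenset({"payments-dev"}), "bob": frozenset({"ops"})}
TRUSTED_DEVICE_CERTS = {"sha256:constructed-fp-laptop-01": "laptop-01"}
POLICY = {
    "aws:payments-api": Rule(
        roles=frozenset({"payments-dev"}), actions=frozenset({"read", "deploy"}),
        countries=frozenset({"GB", "US"}), require_trusted_device=True,
        max_session_age_min=60),
    "azure:hr-portal": Rule(
        roles=frozenset({"hr"}), actions=frozenset({"read"}),
        countries=frozenset({"GB"}), require_trusted_device=False,
        max_session_age_min=15),
}

def decide(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Default deny; every failing check is recorded
    so the audit trail explains the decision rather than just stating it."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, ["unknown resource (default deny)"]
    reasons = []
    if not (ROLES.get(req.user, frozenset()) & rule.roles):
        reasons.append("no matching role")
    if req.action not in rule.actions:
        reasons.append(f"action {req.action!r} not permitted")
    if req.country not in rule.countries:
        reasons.append(f"location {req.country} not allowed")
    if req.session_age_min > rule.max_session_age_min:
        reasons.append("session too old, re-authentication required")
    if rule.require_trusted_device and req.device.cert_fingerprint not in TRUSTED_DEVICE_CERTS:
        reasons.append("device certificate not trusted")
    if not (req.device.os_patched and req.device.disk_encrypted):
        reasons.append("device posture check failed")
    return not reasons, reasons

def audit_line(req: AccessRequest, allowed: bool, reasons: list[str]) -> str:
    """One JSON line per decision: the granular record compliance reviews ask for."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "device": req.device.device_id,
        "resource": req.resource, "action": req.action, "country": req.country,
        "decision": "allow" if allowed else "deny", "reasons": reasons,
    })

def denials_per_user(lines: list[str]) -> dict[str, int]:
    """Tiny analytics over the audit log: who is being denied, and how often."""
    counts: dict[str, int] = {}
    for line in lines:
        rec = json.loads(line)
        if rec["decision"] == "deny":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts

def run_samples() -> tuple[list[str], dict[str, int]]:
    """Evaluate a few constructed requests; return the audit log and a denial summary."""
    managed = Device("laptop-01", "sha256:constructed-fp-laptop-01", True, True)
    byod = Device("phone-77", "sha256:constructed-fp-unknown", True, True)
    requests = [
        AccessRequest("alice", 10, managed, "GB", "aws:payments-api", "read"),   # allow
        AccessRequest("alice", 10, byod, "GB", "aws:payments-api", "read"),      # deny: device
        AccessRequest("alice", 120, managed, "GB", "aws:payments-api", "deploy"),# deny: stale session
        AccessRequest("bob", 5, managed, "US", "aws:payments-api", "read"),      # deny: role
    ]
    log = [audit_line(r, *decide(r)) for r in requests]
    return log, denials_per_user(log)
```

Calling `run_samples()` returns the four audit lines and the summary `{"alice": 2, "bob": 1}`. Two design choices carry the zero-trust idea: there is no implicit allow for anything, since an unlisted resource or a missing role is denied before any other attribute is consulted, and the session-age check is what turns a one-off login into continuous verification, forcing re-authentication against the SSO provider once the session exceeds the resource's limit, regardless of where the request originates.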
Measuring the success of our ZTNA journey involves evaluating its alignment with global cybersecurity strategies

Zero trust has gained significant recognition worldwide, with countries such as the United States and Singapore incorporating it into their national cybersecurity plans. Singapore’s 2021 Cyber Security Strategy highlights the importance of a zero-trust approach for safeguarding government agencies’ systems and data. In the United States, the release of the CISA Zero Trust Maturity Model version 2.0 in April 2023 further demonstrates the growing popularity and adoption of ZTNA. This global trend indicates a successful increase in awareness and implementation of ZTNA principles.

ZTNA adoption varies significantly across organizations: some are in the early stages, others are more advanced and still others have well-defined and implemented controls. The success of a ZTNA journey cannot be measured by a single standard, as it should be tailored to the specific nature, size and operations of each organization.

So, to recap, here are some practical tips for those considering ZTNA:

1. Assess your current security posture and ZTNA maturity level.
2. Identify critical assets (systems, data, personnel, business processes, etc.) and prioritize ZTNA implementation based on your organization’s unique characteristics.
3. Remember that ZTNA is a continuous process. Prioritize ongoing monitoring, adjustments, innovation, automation and improvements in user and customer experience.

In today’s world, security isn’t a luxury; it’s a necessity. Every organization, from startups to global corporations, must commit to safeguarding its employees, clients and reputation. As AI continues to revolutionize technology and business, zero-trust network access becomes even more critical. Consider this: AI’s potential to drive growth is undeniable. But your organization’s future also hinges on its ability to withstand threats like data breaches, ransomware, phishing and deepfakes.
A robust ZTNA solution is the foundation for resilience in the face of these challenges.

Frankie Shuai is a CISO with two decades of experience in the financial and IT industries. He has been featured on the Nasdaq Tower in New York’s Times Square as the 2024 Global CISO 100 award winner and featured on the cover of Enterprise Security magazine (2022 APAC special edition). He has received awards including CSO 30 and CIO 100 ASEAN from IDG/Foundry, Global Top 100 Leaders in InfoSec and World CIO 200. He is also an innovation catalyst with a patent on next-generation wireless networking filed at the US Patent Office as the sole inventor. The patent has been cited by both Intel and Ericsson.