ZTNA: a look back at the Zero Trust concept

In its Market Guide for Zero Trust Network Access (ZTNA), Gartner estimates that by 2022, 80% of new business applications open to a partner ecosystem will be accessible via a ZTNA solution. According to Gartner, by 2023, 60% of companies will have replaced their remote VPN access with ZTNA remote access. Zero Trust is therefore emerging as one of the key issues for CIOs and CISOs in the coming years.

ZTNA / Zero Trust: what are the origins?

The concept of Zero Trust is relatively new and, although the subject is being addressed by more and more organizations, the model is not yet as popular as the VPN. It was John Kindervag, at that time Vice President and Senior Analyst in Forrester's Security and Risk team, who created, or at least formalized, the Zero Trust concept in 2010. Today, the U.S. House of Representatives recommends that all government agencies adopt the Zero Trust model. This recommendation follows the massive data theft suffered in 2014 by the Office of Personnel Management (OPM), the principal human resources management agency and personnel policy manager of the United States federal government. This data breach is considered the worst in the history of the U.S. government, affecting the personal data of 21.5 million current and former employees of the U.S. government. In this data theft, the attackers probably obtained access authorizations via social engineering, a practice that consists of manipulating people by gaining their trust in order to extract information. Had the Zero Trust concept been put into practice, this massive data breach could probably have been prevented, or its impact largely minimized.

The Zero Trust concept

Zero Trust is a model that aims to protect the information system (IS) and data of organizations on the premise that no one can be trusted by default. It is therefore a question of verifying both the identities of the people accessing the IS and the devices used to access it, whether they are located outside or inside the organization's network. This was not the case in older approaches to IS security, which assumed that users and devices located within an organization's network were trustworthy because they had already passed the organization's perimeter defenses. This trust previously granted to a user inside an organization's IS is a source of vulnerability: once an attacker has penetrated an organization's network, he or she can potentially gain access to the organization's sensitive resources and data.

Several principles allow organizations to implement Zero Trust security, including the following:

Principle of least privilege: give users only those privileges that are essential to perform their tasks. This is also a key principle of the ANSSI (the National Cybersecurity Agency of France) in its recommendations for the implementation of system partitioning, a practice that restricts the impact area in the event of malicious activity (document PG-040): "Prohibiting by default any action and proceeding with the exclusive authorization of what is essential for the tasks is the most effective strategy for implementing the principle of least privilege."

Control of devices accessing the IS: it is not sufficient to control the users accessing the IS. Even if a user is authorized to access the IS, the device through which he accesses it must also be checked. A well-meaning user can indeed unknowingly have a malicious program installed on his device and thus contaminate the IS he is accessing.

Multi-factor authentication: another important element of the Zero Trust model is multi-factor authentication (MFA), which makes malicious access more complex by requiring multiple proofs of identity from the user wishing to access the information system. Currently, simple authentication is often done using a login/password pair, an authentication element that can easily be usurped, particularly via social engineering, the practice that enabled the data theft from the Office of Personnel Management in 2014. With MFA, the user authenticates with at least two of three types of authentication factors: something he knows, such as the login/password pair; something he has, for example a code received on his smartphone; and something he "is", for example his fingerprint or retinal print.

Deploying Zero Trust within your organization

Several solutions allow organizations to comply with the key principles of Zero Trust. Implementing an access control solution using strong authentication, such as Systancia Access, will enable organizations to make multi-factor authentication mandatory for all employees. A ZTNA solution such as Systancia Gate will enable highly secure access to selected IS resources for all types of users (mobile employees, teleworkers, outsourcers, etc.) via a single access point, with no incoming flows and no network port opening, which limits the risk of IS contamination. The devices used by an organization's employees can also be checked to ensure that they are compliant: in concrete terms, rules can be implemented to validate, for example, the presence of an antivirus, a firewall or up-to-date patches. Zero Trust can thus be adapted to many use cases, particularly teleworking or BYOD (Bring Your Own Device), a practice that IT departments do not consider very secure.

Glossary

ZTNA (Zero Trust Network Access): ZTNA is a name describing products that apply a "Zero Trust", or least privilege, policy to external access. The objective is to give an external user strictly the access that is indispensable for carrying out the tasks required by his work, without granting him superfluous rights or access that could endanger the security of the information system. Access policies are defined according to the identity of the user, possibly reinforced by two-factor authentication mechanisms, and the user's connection conditions, such as the connection location or the health of the terminal used for the connection. ZTNA makes it possible to grant very fine-grained access to the information system, differentiated according to the user, whether an internal teleworker or a service provider. This approach strongly limits the risk of intrusion into or infection of the information system. ...

VPN (Virtual Private Network): VPN is a technology that simulates a local area network between two trusted networks. In practice this allows two elements (workstations, servers, printers, etc.) to communicate with each other even though they are not physically located in the same computer network. Since in most cases the communication between the two networks passes through a public network, VPNs incorporate security mechanisms to ensure that it cannot be intercepted by a third party, thus ensuring confidentiality. This technology is very practical for companies spread over several sites that need to share computer resources, such as file shares. For ease of use, the technology has also been adopted by IT departments for teleworking, by treating the remote user's workstation as an extension of the company's network even though that workstation is not part of a trusted network. ...

ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information): the National Cybersecurity Agency of France is a French government organisation reporting to the Secretary General for Defence and National Security (SGDSN), who is responsible for advising the Prime Minister in the exercise of his functions in the field of defence and national security. ANSSI is responsible for cybersecurity issues in France. It provides its expertise and technical skills to organisations (administrations or companies), with a reinforced mission towards operators of vital importance (OIV) active in areas that are sensitive for the very integrity of the country and the population (health, sovereign, economic and technological fields). The scope of the Agency's action covers the computing community as a whole. In particular, it intervenes in the following areas: monitoring and reacting to any cybersecurity incident; developing products for civil society; acting as an information and advisory body; acting as a training organisation; acting as the reference organisation for the labelling of trusted products and service providers. ...

Primary or secondary authentication: authentication allows a user to guarantee his or her identity before accessing a resource or service. Primary authentication gives the user access to the workstation (Windows login). Several authentication modes can be made available to users: login and password, smart or contactless cards, biometrics, mobile, etc. To classify an authentication mode, it is enough to rely on the three factors: "What do I have?", "What do I know?", "Who am I?". The answers to these questions make it possible to say whether a given authentication method is "single" or "double" factor. Secondary authentication is a user's access to an application from an open session on a workstation. The application can be of any type: web, client-server, local to the workstation or external. ...
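The access decision this article describes, as an added example that is not Systancia code: a policy evaluator that denies by default and grants a resource only when MFA is verified, the connection location is allowed, the device passes the antivirus, firewall and update checks, and the user's role is entitled to that resource. The roles, resources, allowed locations and the 30-day update threshold are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Device:
    antivirus_running: bool
    firewall_enabled: bool
    days_since_update: int      # age of the last security update on the endpoint

@dataclass
class AccessRequest:
    user: str
    role: str                   # assumed roles: "teleworker", "outsourcer"
    mfa_verified: bool          # second factor already validated by the authentication service
    device: Device
    location: str               # country code of the connection (assumed format)
    resource: str               # IS resource the user asks for

# Least privilege: each role is granted only what its tasks need (assumed table).
ROLE_RESOURCES = {
    "teleworker": {"mail", "file-share"},
    "outsourcer": {"ticketing"},
}
ALLOWED_LOCATIONS = {"FR"}      # assumed connection-condition rule
MAX_UPDATE_AGE_DAYS = 30        # assumed posture threshold

def posture_failures(dev: Device) -> List[str]:
    """Device checks named in the article: antivirus, firewall, updates."""
    failures = []
    if not dev.antivirus_running:
        failures.append("antivirus missing")
    if not dev.firewall_enabled:
        failures.append("firewall disabled")
    if dev.days_since_update > MAX_UPDATE_AGE_DAYS:
        failures.append("updates older than %d days" % MAX_UPDATE_AGE_DAYS)
    return failures

def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Deny by default: access is granted only when every check passes."""
    if not req.mfa_verified:
        return False, "MFA required"
    if req.location not in ALLOWED_LOCATIONS:
        return False, "connection location %s not allowed" % req.location
    failures = posture_failures(req.device)
    if failures:
        return False, "device not compliant: " + ", ".join(failures)
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, "resource %s not granted to role %s" % (req.resource, req.role)
    return True, "allowed"
```

An unknown role maps to an empty entitlement set, so it is refused by the same default-deny path rather than by a special case.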