Thoughts on ZTNA?

Since the world is moving towards ZTNA solutions
I’m curious what is the best way to adopt zero trust architecture.
I have been looking into a few ZTNA solutions however I’m trying to understand how you guys have implemented zero trust at your organization.

That is pretty open ended. For a start it relies heavily on your budget and the amount of support for zero trust adoption by senior leadership. It isn’t an overnight change no matter what zscaler/palo alto tell you. It is far more to do with a root and branch review of information and asset classification and access controls. Technology can automate a lot of things, but unless you have clean policies on who/what should be able to access what, that technology will never work exactly as you want it to and will require a lot of maintenance.

Cloudflare published a ZTNA roadmap that is (surprisingly) vendor-agnostic and gives the best overview I’ve read of all of the components that go into implementing zero trust.

ZTNA and Zero Trust Architecture are not synonymous. It’s a technology that accomplishes some capabilities of ZT, but it isn’t something that once it is implemented means you have achieved ZT.

It’s fantastic. However, in my opinion, you really only have half of the pie unless you have micro-segmentation as well. The value of micro-segmentation depends heavily on your infrastructure stack.

It’s not a solution. It is a framework and it is a long journey. Start small based on priorities.

Microsoft has the most comprehensive zero trust adoption framework I’ve seen. The company I work for is a new startup and has had ZTNA since day one. My tip is to start with your identity and access management, with as much automation as possible. Your identity (and the logging that comes with it) should be spot on, otherwise zero trust falls apart.

It’s pretty good in terms of security. It is pretty expensive in terms of budget.

Zero Trust = The new buzzword for defense-in-depth, often encompassing the principle of least privilege, just-in-time access and network microsegmentation. Was coined somewhere in the early 2010s. The term has never made sense.

ZTA = The framework minted by NIST for use across the US Gov. This is the stuff that “Zero Trust” vendors now cling to and claim to fully encompass (they never do). The doc is only 60 pages; if you’re interested, there is no better option than to go read it.

ZTNA = Overlay networks. Seriously, every “ZTNA” vendor does either microsegmentation or overlay networks via NAT piercing or both.

Step one: recognize zero trust is a buzz word concept that is rarely truly implemented.

I work for a company that developed an open source ZTNA called OpenZiti - https://github.com/openziti. How does that compare to other ZTNA, I wrote a blog using Harry Potter analogies - https://netfoundry.io/demystifying-the-magic-of-zero-trust-with-my-daughter-and-opensource/.

We implement and use the technology ourselves, a few examples:

There are now fully fledged ZTNA replacements for VPN using POPs in the cloud to provide greater speed and security. Cloudbrink are a good example of a startup looking to help replace the “legacy” VPN with a Zero Trust + SD-WAN designed solution.

Also zero trust is a heavily abused and misunderstood term. I actually hate it because zero trust goes hand in hand with effective PKI which is entirely about developing a chain of trust. “Defense in depth” was the original term, but isn’t as sexy to sell.

Specifically about ZTNA (which is a subset of zero trust), your job is to separate privileged network traffic by identity and role as opposed to the traditional method, which is by network location. From a technology standpoint this can be achieved two different ways:

  • Developing a network overlay that abstracts the physical network and requires a higher standard of authentication. SD-Access, NAC, and some SaaS VPNs (tailscale, zerotier) are effective at this.
  • Setting up an east/west proxy and shoving as much traffic through that proxy as you can. This is the zscaler/SASE approach, and IMO is the less effective/less flexible approach.

Regardless of the method chosen, any sort of fine grained network segmentation is manually intensive, exhausting, and requires the commitment to redesign your network architecture. Most people never get that far. They just buy a ZTNA product and end up with a worse VPN solution than what they started with.

https://www.cloudflare.com/static/23d12fa1934d27eddb0dbace49cff5f3/Zero-Trust-Roadmap-WP.pdf

I’ve been reading through CISA Zero Trust Maturity Model

I don’t know how you don’t have more upvotes.

How exactly would you implement zero trust without micro segmentation? That’s like swimming without water - you can do it but you look like an idiot.

Someone knows what they’re doing! OP should listen to this poster’s advice!

It doesn’t have to be ‘free’ and open source ZTNA solutions exist.

I would contest ‘every’. Some do it properly, incl. microsegmentation, outbound-only connection (not NAT hole punching), least privilege, authenticate (using strong cryptographic identity) before connect, posture checks, and more.

Actually ZT is not a rebrand of Defense in depth. DiD was focused on having multiple security controls, but those controls did not verify, it just trusts. Example: a compromised system could still VPN, then access a website and get challenged for multi-factor.

In ZT, policies are the core, so you still have DiD, but each layer is checked. Same example as above: the device must be compliant and healthy before the VPN allows the connection, the user must be compliant before accessing the website, meaning low risk and MFA challenge and the device is low risk, and the user must be at an approved location and on an approved OS and browser. So you can bundle and enforce and confirm that all the security controls must be working.
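A constructed policy-decision sketch of the contrast the last two posts draw between DiD (one MFA check at the website, nothing verified at the VPN) and ZT (every layer re-checked). This is an added example, not code from any poster or vendor; the approved location/OS/browser sets and the risk levels are assumed values.

```python
from dataclasses import dataclass

# Constructed reference data for this example (assumed, not from the thread).
APPROVED_LOCATIONS = {"HQ", "EU-Branch"}
APPROVED_OS = {"Windows 11", "macOS 14"}
APPROVED_BROWSERS = {"Edge", "Chrome"}


@dataclass
class Device:
    compliant: bool   # meets the MDM baseline (encrypted, patched, ...)
    healthy: bool     # no EDR alert, i.e. not flagged as compromised
    os: str
    risk: str         # "low" | "medium" | "high"


@dataclass
class User:
    compliant: bool   # account in good standing
    risk: str         # identity-provider risk level
    mfa_passed: bool
    location: str
    browser: str


def did_decision(device: Device, user: User) -> bool:
    """DiD as described above: the VPN trusts credentials alone and only the
    website challenges for MFA, so a compromised device still gets through."""
    vpn_ok = True                 # no posture check at the VPN layer
    website_ok = user.mfa_passed  # the single verification point
    return vpn_ok and website_ok


def zt_vpn_decision(device: Device) -> tuple[bool, list[str]]:
    """ZT layer 1: device must be compliant and healthy before the VPN allows it."""
    reasons = []
    if not device.compliant:
        reasons.append("device not compliant")
    if not device.healthy:
        reasons.append("device not healthy")
    return (not reasons, reasons)


def zt_web_decision(device: Device, user: User) -> tuple[bool, list[str]]:
    """ZT layer 2: the website re-checks device posture plus every user control."""
    _, reasons = zt_vpn_decision(device)  # nothing is inherited from the VPN layer
    checks = [
        (user.compliant, "user not compliant"),
        (user.risk == "low", f"user risk {user.risk}"),
        (user.mfa_passed, "MFA challenge not satisfied"),
        (device.risk == "low", f"device risk {device.risk}"),
        (user.location in APPROVED_LOCATIONS, f"location {user.location} not approved"),
        (device.os in APPROVED_OS, f"OS {device.os} not approved"),
        (user.browser in APPROVED_BROWSERS, f"browser {user.browser} not approved"),
    ]
    reasons += [msg for ok, msg in checks if not ok]
    return (not reasons, reasons)
```

The returned reason list is what a policy engine would log for each denial, which is the identity/logging point raised earlier in the thread.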