From Medieval to Modern – a Zero Trust Story
In medieval times, kings protected themselves and their assets by locking them away in castles built with walls that were meant to be impenetrable. A moat and a drawbridge provided the single route into and out of the castle. Until not long ago, corporate networks were designed the same way: a clearly defined network perimeter, with security concentrated at the gateway.
Traditional VPN solutions operate much like the castle, moat, and drawbridge: a single guarded route that the owner uses to restrict who gets inside. Both approaches share the same flaws:
An attacker masquerading as someone legitimate can be let in and cause havoc (think: the Trojan Horse).
Once an attacker is inside the perimeter walls, they can roam around unimpeded.
Digital transformation has forced technology to move rapidly. The single, clearly defined network edge has been replaced by many diverse edges, with applications and data distributed across many locations, including the headquarters and private and public clouds. With these distributed networks comes the need for a new, modern way of thinking about remote access that addresses the following concerns:
Users are no longer always in the office. Today, users can be located anywhere in the world, connecting on multiple types of devices. Yet, they still need to be able to do their job.
Data and applications can be in many different locations. The corporate network is no longer the only place to access all your data and applications. With the growth of SaaS and the cloud, it is critical that all locations can be accessed securely and consistently.
While users need to be able to access these applications, access should be highly controlled according to risk to prevent unauthorized data leakage and the propagation of malware around networks.
Out with the Old and In with the New
To achieve the requirements of organizations to provide secure and flexible connectivity to their hybrid workforce, regardless of where the user is connecting from, it is important to move away from the legacy idea of “implicit trust”—the assumption that if a user is already inside the network, they can be trusted to access all applications and move around in an uncontrolled manner.
Zero trust network access (ZTNA) augments traditional VPN technologies for application access by removing the excessive trust that legacy VPN requires to allow employees or partners to connect and collaborate. To achieve this, zero trust network access solutions adhere to the following principles based on explicit trust:
Never trust, always verify: Every user, device and application session is untrusted until fully validated.
Identify users, validate devices: Before any access is granted, the identity of the user, the context of the access request, and the posture of the device are all checked.
Secure just enough access: Users are given the minimal access required to do their job, to specific applications rather than the broad network access that legacy VPN grants.
Continuous posture re-evaluation: The posture of the user and device is re-evaluated throughout the session, so that if it changes, access changes with it.
Location independent: Regardless of where the user connects from or where the application is located, ZTNA operates identically.
How Fortinet ZTNA Addresses Customer Use Cases
Change can be difficult for both organizations and their users. The rapid pace of change due to digital transformation, the move to the cloud, and the shift to work from anywhere have created security risks for organizations and added complexity for users. Fortinet ZTNA can help resolve these issues by adding strong context-aware security delivered in a way that is simple and intuitive for the user.
Simplicity: The user no longer needs to know which VPN to connect to or where resources are located. Instead, users can access applications using the same methods they would if they were in the office.
Complete transparency to the user: ZTNA uses existing authentication methods such as AD / SAML SSO and native application access methods, resulting in a completely transparent user experience.
The biggest benefit for the organization is that the ZTNA proxy needed to enforce this security policy is built into FortiOS version 7.0, so it can be leveraged with a simple upgrade. And because this is a technology many of our customers already have in place, they don’t need to adopt this across their whole infrastructure overnight. Instead, they can deploy it to specific user groups or applications in a controlled way to avoid potential disruption to the organization.
Reduce the organizational attack surface: Ports, workloads, and applications are not exposed to a client until that client has been authenticated and authorized to access them.
Conditional access: Access permissions are conditional and based on user contexts, such as role, date, time, location, and device posture.
Dynamic context awareness: As the context surrounding an identity changes in real-time, so do the user’s entitlements.
Prevent lateral movement: Micro-segmentation removes both visibility of and access to resources the user is not authorized for, so a compromised session cannot be used to reach the rest of the network.
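The ZTNA principles listed earlier (never trust, always verify; identify users and validate devices; just enough access; continuous posture re-evaluation) and the conditional-access and dynamic-context points in this list all describe one policy decision, which is easier to see in code than in prose. The following is an added example written for this page, not Fortinet or FortiOS code, and it does not mirror how FortiOS implements its ZTNA proxy. The identity, posture and context attributes, the application catalogue and the sample users are assumptions constructed to show the decision flow, and the legacy VPN function is included only for contrast.

```python
"""Illustrative ZTNA-style policy decision point (added example, not Fortinet/FortiOS code).

Legacy VPN: one login at the gateway, then the client holds a routable address and can
reach any internal host or port (implicit trust). ZTNA: every request to a named
application is checked against identity, device posture and request context, and the
check is re-run whenever any of those inputs change. All field names, the application
catalogue and the sample dates below are assumptions constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset      # in practice taken from an AD / SAML assertion
    mfa_satisfied: bool


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    os_patched: bool
    edr_running: bool


@dataclass(frozen=True)
class Context:
    country: str
    when: datetime


@dataclass(frozen=True)
class AppPolicy:
    required_group: str
    require_mfa: bool
    require_managed: bool
    allowed_countries: frozenset
    business_hours_only: bool


# Constructed catalogue. Applications not listed are simply not reachable: the proxy
# exposes nothing until a request has been authenticated and authorized.
CATALOGUE: dict[str, AppPolicy] = {
    "wiki":          AppPolicy("staff", False, False, frozenset({"US", "CA", "GB", "DE"}), False),
    "hr-portal":     AppPolicy("hr",    True,  True,  frozenset({"US", "CA"}),             True),
    "prod-db-admin": AppPolicy("dba",   True,  True,  frozenset({"US"}),                   False),
}

# Constructed sample timestamps (2024-03-12 is a Tuesday).
TUESDAY_10 = datetime(2024, 3, 12, 10, 0, tzinfo=timezone.utc)
TUESDAY_20 = datetime(2024, 3, 12, 20, 0, tzinfo=timezone.utc)


def legacy_vpn_decide(tunnel_authenticated: bool, destination: str) -> bool:
    """Implicit trust: a single successful login reaches every internal destination."""
    return tunnel_authenticated


def decide(app: str, ident: Identity, posture: DevicePosture, ctx: Context) -> tuple[bool, str]:
    """Explicit trust, evaluated per application on every request. Default deny."""
    pol = CATALOGUE.get(app)
    # Same answer for "no such app" and "wrong group", so an authenticated but
    # unauthorized client cannot enumerate the catalogue.
    if pol is None or pol.required_group not in ident.groups:
        return False, "not found or not authorized"
    if pol.require_mfa and not ident.mfa_satisfied:
        return False, "mfa required"
    if pol.require_managed and not (posture.managed and posture.os_patched and posture.edr_running):
        return False, "device posture failed"
    if ctx.country not in pol.allowed_countries:
        return False, "location not permitted"
    if pol.business_hours_only and not (ctx.when.weekday() < 5 and 8 <= ctx.when.hour < 18):
        return False, "outside business hours"
    return True, "allowed"


def entitlements(ident: Identity, posture: DevicePosture, ctx: Context) -> set[str]:
    """'Just enough access': only the applications this user/device/context may reach now."""
    return {app for app in CATALOGUE if decide(app, ident, posture, ctx)[0]}


class Session:
    """An application session whose access is re-derived from current inputs, not remembered."""

    def __init__(self, app: str, ident: Identity, posture: DevicePosture, ctx: Context):
        self.app, self.ident, self.posture, self.ctx = app, ident, posture, ctx
        self.active, self.reason = decide(app, ident, posture, ctx)

    def reevaluate(self, posture: DevicePosture | None = None, ctx: Context | None = None) -> bool:
        """Continuous re-evaluation: a changed posture or context re-runs the whole decision,
        and a session that passed at login is cut off if it would not pass now."""
        self.posture = posture if posture is not None else self.posture
        self.ctx = ctx if ctx is not None else self.ctx
        self.active, self.reason = decide(self.app, self.ident, self.posture, self.ctx)
        return self.active


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"staff", "hr"}), mfa_satisfied=True)
    healthy = DevicePosture(managed=True, os_patched=True, edr_running=True)
    print(sorted(entitlements(alice, healthy, Context("US", TUESDAY_10))))
    s = Session("hr-portal", alice, healthy, Context("US", TUESDAY_10))
    s.reevaluate(posture=DevicePosture(True, True, edr_running=False))  # EDR stopped mid-session
    print(s.active, s.reason)
```

Two design points worth noting: the "not found or not authorized" response is deliberately identical for an application that does not exist and one the user lacks a group for, which is what makes the catalogue invisible to an authenticated but unauthorized client; and the session stores no grant, only its inputs, so revocation on a posture change is the same code path as the original decision rather than a separate cleanup routine.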