Zero Trust Network Access: What is it?
by Serena Raymond on Apr 26, 2021 12:00:00 AM
Zero Trust Network Access (ZTNA) is an approach to IT where trust is never implicit. Trust needs to be earned, repeatedly, to ensure that everything inside your network (and of course outside) is a verified, trusted resource.
“Trust but verify” is not an adage that modern cybersecurity teams should be repeating. We all need to update our mantra to be: “Never trust. Always verify.”
We see the need for this mentality in everything from phishing emails to questionable changes made within company IT infrastructure. We can’t trust that the person claiming to be our CEO in a strange email is our CEO and “verify later”. We need to question that immediately.
Verify first, and skip the trust unless it’s earned. And that trust is only temporary.
Where did Zero Trust come from?
While we can thank Stephen Paul Marsh’s doctoral thesis on computation security for the term “Zero Trust”, the modern concept was reintroduced to the world by Forrester analyst John Kindervag. And like seemingly everything in our digital lives, once Google tested it in 2009 with BeyondCorp, it started to take off.
In the wake of the OPM data breach, the U.S. government began to take (and promote) a Zero Trust approach. In an article, Representative Jason Chaffetz points out that, had it been implemented at the time of the OPM attack, “Zero trust would have profoundly limited the attacker’s ability to move within OPM’s network and access such sensitive data.” This endorsement of Zero Trust from the federal government put the approach center stage.
Defining ZTNA in 2021
It was a lot easier to trust things inside your network when your network was inside an office along with all of your employees. But that’s not the case anymore. Employees are spread far and wide, and often your company network includes employees who are working from home and relying on home routers.
Your network is a distributed workforce of home offices, WeWork spaces, cafes, IoT devices, mobile tablets, and various other infrastructure.
This change in the last year has really cemented the need for complete adoption of Zero Trust Network Access. Susan Gosselin on CIO Insight called 2021 the “year for Zero Trust security.” Attacks occurring from within company infrastructure by outside attackers made that clear. So the need for repeated authentication is a huge must-have for cybersecurity professionals (and companies as a whole) going forward.
In reality, you don’t know who’s behind that desk.
Walking the Zero Trust walk
Despite how often the term gets thrown around, ZTNA isn’t as widely adopted as you think it is.
One of the biggest issues with the concept of “Zero Trust” is that it’s a model, not a tool you can deploy. And so, a lot of companies think they’re employing Zero Trust when really they’re leaving it to their employees to apply a Zero Trust mindset ad hoc. And then there are companies that have a Zero Trust model in one department, but it’s not company-wide. And then there are the companies that think implementing ZTNA means an overhaul of their entire security framework.
But moving to Zero Trust doesn’t mean re-architecting everything. It means applying that model to everything you’re doing currently and then adopting the tools you need to fill in the gaps.
What you really need are the right tools in place to support a Zero Trust framework. This way, there is less pressure on individuals to “take a Zero Trust approach” since everything is put in place so that their only choice is to take a Zero Trust action inside a Zero Trust model.
So what does this look like?
It means putting “trust” barriers between people and the actions they take. When you implement our DNS security, that means that no website any of your users want to go to is inherently trusted. You put that website under a microscope to find out what category it falls into and whether or not it’s malicious.
And this protects you as sites inevitably change. Formerly malicious sites are taken down, purchased by new owners, and turn into small business websites. Alternatively, previously “trustworthy” websites can be hacked. Our AI looks for markers that indicate a site is now deceptive, and will categorize that site as a threat.
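As an added illustration (not code from this article or from any product it describes), here is a minimal sketch of a DNS policy check where no domain is trusted by default and every verdict expires, so a site that changes hands or gets compromised is re-evaluated. The class name, category labels, TTL value and sample domains are all assumptions made for the example.

```python
from dataclasses import dataclass

BLOCKED_CATEGORIES = {"malware", "phishing"}  # assumed policy, not a vendor list
VERDICT_TTL = 3600  # assumed: seconds before a verdict must be re-earned


@dataclass
class Verdict:
    category: str
    checked_at: float


class ZeroTrustDnsPolicy:
    """Hypothetical policy engine: default deny, time-limited trust."""

    def __init__(self, classify, ttl=VERDICT_TTL):
        self.classify = classify  # callable: domain -> category, or None if unknown
        self.ttl = ttl
        self.cache = {}

    def decide(self, domain, now):
        domain = domain.rstrip(".").lower()  # normalise FQDN form and case
        verdict = self.cache.get(domain)
        if verdict is None or now - verdict.checked_at >= self.ttl:
            category = self.classify(domain)  # verify again, trust has lapsed
            if category is None:
                self.cache.pop(domain, None)  # unknown is never cached as trusted
                return ("block", "uncategorized")
            verdict = self.cache[domain] = Verdict(category, now)
        if verdict.category in BLOCKED_CATEGORIES:
            return ("block", verdict.category)
        return ("allow", verdict.category)


def demo():
    feed = {"shop.example": "business"}  # constructed categorisation feed
    policy = ZeroTrustDnsPolicy(feed.get, ttl=3600)
    results = [policy.decide("shop.example", now=0)]
    feed["shop.example"] = "phishing"  # constructed event: the site is compromised
    results.append(policy.decide("Shop.Example.", now=1800))  # verdict still valid
    results.append(policy.decide("shop.example", now=3600))   # expired, re-checked
    results.append(policy.decide("new.example", now=3600))    # never seen before
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The second lookup is still allowed because the earlier verdict has not yet expired, which shows that the TTL is the exposure window: the shorter it is, the sooner a changed site is caught.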
Additionally, we see our features such as Multi-factor Authentication as an important part of a Zero Trust architecture, enabling our users to prevent threat actors, or employees lacking the right permissions, from logging in and changing your company’s DNS security policies.
When you work in the cloud, DNS is the road that your entire infrastructure is built on. It’s important that you implement a Zero Trust model when it comes to how your employees use it.

