Hybrid Cloud 2022: Expanding Zero Trust

By John Jacobs | October 28, 2022

Often-Overlooked Aspects of Deploying ZTNA in a Hybrid-Cloud Environment

Ransomware is, without question, a leading topic on the minds of CISOs for 2022. Through a combination of social-engineering tricks, phishing emails, and gaps in security systems and design, criminals demand money from victim organizations in exchange for unlocking systems or promising not to release or destroy stolen data. The latest FortiGuard Labs Threat Landscape Report shows that Ransomware as a Service (RaaS) is enabling a continuous spread of ransomware and that variants are increasing. But the threat landscape is not the only challenge facing CISOs. At the Fortinet Championship Security Summit, the ever-expanding digital attack surface was a topic of constant discussion in terms of how to grapple with securing emerging security gaps and new technologies. In particular, securing work-from-anywhere (WFA) came up often, in addition to the management complexity of securing new edges.

The Rise of the Hybrid Cloud in a Hybrid IT World

In mid-2021, a survey revealed that 73% of enterprises were using two public clouds, with 26% using three or more. Many of these companies were mixing those public clouds with private clouds, on-premises assets, and edge compute clouds. Many companies continue to test, develop, and deploy cloud resources.

Cloud providers offer rapid rollout of new solutions and immense scalability. At the same time, however, some cloud migrations have proven costly and risk-prone. For example, cloud migrations motivated by a desire to update legacy systems may end up moving only critical and updated data, resulting in insufficient information for historical analyses within the cloud hosting service. Anyone who has moved homes and left behind one of those last-minute boxes marked “miscellaneous” will know, as soon as they need to find a marker or the TV remote, how important it is to have all pieces moved together.

As in every technology movement, the transition to the cloud moves in cycles. The result of this cycle is that the age of hybrid cloud is here. In the second half of 2022, I expect most organizations to find themselves on the middle ground, with some resources on-premises and others in Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and/or Platform-as-a-Service (PaaS) configurations.

The Associated Risks

This shift to a hybrid cloud strategy is a boon to end users, as it dramatically increases the number of systems and applications available to them. CISOs, of course, see the other side of that coin. The corporate attack surface is expanding as rapidly as the landscape of available solutions that end users are accessing. Just think of how many apps are installed on your smartphone today, versus just a few years ago. Companies’ attack surfaces have grown at a similar rate, as has their cybersecurity risk.

The nature of the cloud means that a hybrid network’s perimeter, or edge, is almost impossible to pin down. In many organizations, the number of physical sites that house intelligent devices is growing in parallel with the ballooning number of cloud-based services, edges, and infrastructure that corporate end users are leveraging.

Legacy security concepts and procedures are being forced to adapt to this evolution in corporate networks. One of the most compelling practices that many organizations are now considering implementing is known as a zero-trust architecture (ZTA). Some are also going as far as to implement zero-trust network access (ZTNA).

What Is Zero Trust?

The first thing to note about zero trust access is that it is not a single specific point product or service to be purchased. It is an overarching philosophy for managing a company’s security infrastructure which mandates that users have only the required level of service access, from the approved devices, at all the right times.

What is Zero Trust Network Access?

Further, Gartner defines ZTNA as a solution “that creates an identity- and context-based, logical access boundary around an application or set of applications.” The goal of ZTNA is simple in concept but far more complex and difficult in practice: to reduce the number of threat vectors and, as a result, to reduce ransomware. Thus, ZTNA has become a key initiative in improving the resiliency of both deployed infrastructure and the myriad services that are built on bare-metal infrastructure, run on general compute or code-only services, or are purchased as a cloud-based software bundle or subscription.

According to NIST, seven tenets guide the implementation of a zero-trust architecture. These are:

  1. All data sources and computing services are considered resources.
  2. All communication is secured, regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets. No asset is inherently trusted.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually re-evaluating trust.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications, and it uses this information to improve its security posture.

Key Components of a ZTNA Architecture

One key challenge often lies in developing and then maintaining a complete inventory of all systems and services both running within the business and running in the cloud but connected to the business. It is not possible to secure resources that you do not know about. Cloud providers are offering increasingly capable inventory systems, but most of these have glaring gaps when it comes to the non-cloud infrastructure that an organization may already have deployed or may be planning in the near future.

Having an operations platform—ideally, a security information and event management (SIEM) system with a full configuration management database (CMDB) for application and inventory visibility—is paramount to success with a ZTA deployment. In a hybrid environment, the most successful implementations leverage the speed, agility, and capacity of cloud computing and storage, using a hosted best-of-breed SIEM solution to achieve the best of both worlds.

In parallel with knowing what resources are available, a ZTNA solution needs to know who is requesting access to those resources. Evolving from the always-on approach of virtual private networks (VPNs) of the past, which granted users access to an entire infrastructure once their username and password were validated, ZTNA’s per-session granting of access mandates a complete identity database and associated multifactor authentication (MFA) solution. This improves oversight of not just how each user is identified, but also what resources they can access and when they can access them. By definition, ZTNA requires users to be granted least-privileged access, which can be accomplished only through a rich and comprehensive database of users, their group memberships, and detailed job functions.

Thus, a company rolling out ZTNA requires a policy-enforcement point solution to coordinate the detailed user information needed to grant and revoke access to resources. This device or system may be a predetermined gateway, such as a next-generation firewall (NGFW) or web application firewall (WAF). Alternatively, however, it may consist of access controls on the end system itself.

For most companies, the infrastructure to gate access to on-premises resources has been in place for years, but cloud services add a layer of complexity that requires them to expand consistent enforcement across every part of the infrastructure. A central principle of ZTNA is that access to each resource—whether on-premises or in the cloud—must be revoked after the session is complete, closing the security opening to that resource that was created to allow the user access. Many security-client and endpoint detection and response (EDR) solutions take aim at this challenge. However, security may vary significantly among a company’s different cloud applications, depending on whether services are purchased directly (SaaS) or built (IaaS or PaaS).
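To make the per-session model concrete, here is an added example (not code from this post, from Fortinet, or from NIST) of a minimal policy decision point that applies the checks described in the NIST tenets and in the paragraphs above: identity and group membership for least privilege, device posture, MFA where the resource demands it, and a short-lived session that an enforcement point re-checks and that is closed on expiry or revocation. The user directory, device-posture feed, resource policy, and session TTL are constructed assumptions.

```python
import uuid
from dataclasses import dataclass

# Constructed identity directory: group memberships drive least privilege (tenet 4).
USERS = {"alice": {"finance"}, "bob": {"eng"}}
# Constructed resource policy: entitled groups and whether MFA is required.
RESOURCES = {
    "payroll-saas": {"groups": {"finance"}, "mfa": True},
    "build-server": {"groups": {"eng"}, "mfa": False},
}
# Constructed device-posture feed (tenet 5): no device is trusted by default.
DEVICES = {"laptop-1": {"managed": True, "edr_healthy": True},
           "byod-7": {"managed": False, "edr_healthy": False}}
SESSION_TTL = 300  # seconds: access is granted per session, never indefinitely (tenet 3)


@dataclass
class Session:
    user: str
    resource: str
    expires: float
    revoked: bool = False


class PolicyDecisionPoint:
    """Evaluates every request from scratch and issues short-lived sessions (assumed design)."""

    def __init__(self):
        self.sessions: dict[str, Session] = {}

    def evaluate(self, user, device, resource, mfa_passed, now):
        """Return (session_id or None, reason). Every check must pass (tenet 6)."""
        policy = RESOURCES.get(resource)
        posture = DEVICES.get(device)
        if policy is None or user not in USERS:
            return None, "unknown resource or user"
        if posture is None or not (posture["managed"] and posture["edr_healthy"]):
            return None, "device posture failed"
        if not USERS[user] & policy["groups"]:
            return None, "least privilege: group not entitled"
        if policy["mfa"] and not mfa_passed:
            return None, "mfa required"
        sid = uuid.uuid4().hex
        self.sessions[sid] = Session(user, resource, now + SESSION_TTL)
        return sid, "granted"

    def is_active(self, sid, now):
        """The enforcement point asks this on each request; expiry or revocation closes access."""
        s = self.sessions.get(sid)
        return s is not None and not s.revoked and now < s.expires

    def revoke(self, sid):
        """Called when the session ends, closing the opening that was created for it."""
        if sid in self.sessions:
            self.sessions[sid].revoked = True
```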

Here is a checklist of key actions CISOs can take to ensure they are not overlooking gaps in the modern overlay of application delivery:

The Measured Approach for ZTNA Success

It is important to find one vendor that can provide a ZTNA solution that will cover all hybrid-cloud deployments. This will ensure that applications can move to the cloud, between clouds, and back to the campus without impacting the user experience and still be secure. This approach allows for a reduction in the number of point products or niche vendors in the ZTNA architecture, which helps reduce the chance of security gaps and the operational overhead involved in communications among vendors.

Having a comprehensive security strategy—that is communicated throughout the organization and supported by the board of directors—is the best starting strategy for any implementation. A CISO who deploys modern technologies with appropriate diligence can leverage ZTNA to secure the business, even as its attack surface perpetually expands to take advantage of the profound impact of cloud services.

Learn about how Fortinet ZTNA improves secure access to applications anywhere, for remote users.