Reinventing Security for Corporate Networks with Universal ZTNA
Zero Trust is a security model developed by former Forrester analyst John Kindervag in 2010. Since then, the “zero trust” model has become the most popular concept in the field of cybersecurity. Recent massive data breaches only confirm the need for companies to pay strict attention to cybersecurity, and the Zero Trust model may be the right approach.
Zero Trust refers to the lack of implicit trust in anyone — even users inside the network perimeter — attempting to gain access to digital resources. The model implies that each user or device must validate its credentials every time it requests access to networked resources.
In enterprise campus and branch environments, organizations often invest in network access control (NAC) products and deploy enhanced security capabilities. Specific examples include FortiNAC, Cisco SDA/ISE, Aruba ClearPass, and ExtremeControl. Configuration of technologies including DHCP snooping, IP, Source Guard, MACsec, 802.1X, private VLANs, and dynamic ARP inspection, is another popular approach
For remote workers, companies primarily invest in VPN or, more recently, Zero Trust Network Access (ZTNA) technologies. But as organizations shifted to hybrid work, the use of multiple products — for campus assets and remote users — becomes inefficient.
Therefore, the Universal ZTNA methodology is introduced and recommended by Gartner for modern hybrid enterprises.
Enterprises use several tools to secure users on- and off-premises, including software integrated with switching/WLAN solutions, ZTNA, and NAC. NAC is underserved within wired enterprise deployments, largely due to complexity, since less than 25% of enterprises utilize NAC enforcement of strict access on wired campus networks.
The Convergence of Security and Access Control: ACLs, NAC, MPLS, SDWAN, and Microsegmentation
Access control list (ACL) rules, also called access control rules, determine which data users can access and how they can get to it. ACL rules require users to pass a set of requirements to reach particular data. Each ACL rule specifies both the object/device and operation being secured and the permissions required to access the object
NAC enables several features:
- It authenticates devices for network access.
- It provides support for passive authentication on agentless devices.
- It enables agentless device fingerprinting to determine the probable type.
- It allows for agentless devices to be segmented.
The Remote Access multiprotocol label switching (MPLS) VPNs feature allows the service provider to offer a scalable end-to-end VPN service to remote users and integrate the MPLS-enabled backbone with broadband access capabilities. This allows the service provider to give remote users and offices seamless access to their corporate networks and align their broadband access networks with the MPLS-enabled backbone.
SD-WAN gives organizations and service providers a platform to deliver rich services over any WAN link, including broadband. Unlike MPLS solutions, SD-WAN can be deployed within a few days and is transport agnostic, pulling existing configurations from the cloud to onboard new sites. This gives organizations faster response time and the nimbleness to open new locations or pop-up offices quickly. Security is essential for SD-WAN. Most traditional SD-WAN solutions include little to no security. But now organizations don’t just use SD-WAN to support traditional branch offices, they also use it to drive each employee’s remote-work location as the new “branch of one.”
For non-security vendors, combining security with SD-WAN can be difficult. Hence, only a few SD-WAN vendors offer a solution that includes a full suite of enterprise-grade security and sophisticated routing/VPN capabilities.
Microsegmentation is a security method for managing network access between workloads. With micro-segmentation, administrators can implement security policies that limit traffic based on the principle of least privilege and Zero Trust. Organizations use micro-segmentation to reduce the attack surface, improve breach containment, and strengthen regulatory compliance.
Microsegmentation delivers the ability to perform two critical functions:
- Identification of network traffic based on L2–4 (transport) information
- Reducing the attack surface via enforcing lateral network traffic control policies
The biggest application for this technology is in controlling east/west traffic that does not traverse a firewall or a router. However, traditional micro-segmentation solutions lack the ability to authenticate lateral traffic, and hence, once the network is breached, there is still a possibility of lateral threat movement.
What we need is a converged solution that improves operating efficiency by offering a unified stack for the hybrid workforce. This can be achieved by eliminating the need for duplicate tools e.g. NAC and remote access VPN, disjointed security for remote users and on-premise users, etc. In addition, we need a solution that offers a comprehensive solution to protect the corporate network, the private applications, as well as SaaS assets. Finally, an integrated threat response could ensure that the organizations can improve their security posture with a comprehensive solution.
We agree with Gartner’s forecast of nearly $3 billion per year to be spent on enterprise campus network security software and NAC from 2021 to 2023. Employees are returning back to the offices, the supply chain is impacted due to the pandemic and the geopolitical climate is a cause for concern. Therefore, this may be the perfect time for us to refine the corporate infrastructure strategy with a software-only solution that complements the existing install base while offering the necessary benefits.
We believe that Gartner’s recommendation for “Universal ZTNA” is aligned with our thought process. Universal ZTNA promises to disrupt existing campus switching and the NAC market.
- ZTNA for hybrid workers — The Airgap solution extends the ZTNA management plane and security policy to workers located in physical corporate campuses or branch locations (wired or WLAN)
- Lightweight and easy to use Cloud NAC — The platform supports local traffic handling rather than requiring hair pinning to centralized Internet-based points of presence (POPs) for all traffic types
- Headless device support on the corporate network — Industrial control systems, healthcare MRI scanning instruments, or OT/IoT sensors can be micro-segmented and can be a part of a broader and unified Universal ZTNA strategy
- Simple and straightforward pricing — The Airgap software is licensed per user and covers users and devices, regardless of their physical location
Airgap’s Universal ZTNA is delivered via a single software architecture that shares a common data intelligence, zero-trust security policy engine, and management plane with fully published RESTful APIs to enable autonomous controls for the hybrid workforce and on-premise corporate assets across offices, factories, healthcare facilities and much more. For more information or a demo of Airgap’s patented technology, please visit https://airgap.io
Reference: Campus Network Security and NAC Are Ripe for Market Disruption Published 7 March 2022 — ID G00764413