What Is Zero Trust Network Access (ZTNA)?

The zero trust model describes the security principle of “never trust, always verify”. Zero Trust Network Access (ZTNA) is a way of implementing this security model across an enterprise’s access points. In practice, this is based on the Principle of Least Privilege (PoLP), which says that users should only be able to access the resources they require for their day-to-day work.



How Does ZTNA Work?

Zero trust aims to eliminate implicit trust in a way that doesn’t harm user experience or productivity.

It does that by allowing users to access only the resources their role demands, and every access request is strictly and repeatedly verified. The Principle of Least Privilege (PoLP) is core to ZTNA: user access and permissions are granted only for what you need to do your job.

For instance, remote users in the sales department may be granted read-only permissions to customer data within Salesforce, but are locked out of interacting with the codebase on GitHub.

Universal PoLP would demand the opposite setup for DevOps staff.

Streamlining this across an organization demands a thorough understanding of what each account requires. This principle also applies to non-human resources, such as:

  • Systems
  • Applications
  • Devices
  • Processes

By assigning these resources only the permissions required for their authorized activities, access rights are effectively minimized and controlled. It’s also the difference between ZTNA and VPN:

  • A VPN simply establishes an encrypted tunnel between the enterprise’s VPN server and the on-device client, regardless of the underlying account’s behavior.
  • ZTNA takes the device’s security status into account before issuing access to the individual resource.

The scope of access differs as well: rather than granting access to the entirety of a connected network, ZTNA provides isolated access to only the requested resource.

제로 트러스트 네트워크 액세스를 구현하는 방법

From a CISO’s perspective, it’s vital to balance strong verification with maintaining the customer and user experience. The end goal of ZTNA security is to have each access request carefully evaluated against established access policies; this evaluation should check factors like:

  • The current status of the user’s credentials
  • Whether the device posture meets the company’s security standards
  • The specific application or service being requested
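The policy check described above, written out as an added example (not code from this page or from Harmony SASE): a deny-by-default decision that re-checks credential status, device posture and the specific resource on every request, with the sales / DevOps split from earlier as the constructed role policy, beside a VPN-style decision for contrast. All role, resource and user names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample policy: each role is granted only the per-resource
# permissions its day-to-day work requires (the sales / DevOps split above).
# Hypothetical names; not a real Harmony SASE policy format.
ROLE_POLICY = {
    "sales": {"salesforce:customer-data": {"read"}},
    "devops": {"github:codebase": {"read", "write"}},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    credentials_valid: bool  # current status of the user's credentials
    device_compliant: bool   # device posture meets company security standards
    resource: str            # the specific application or service requested
    action: str


def vpn_style_decision(req: AccessRequest) -> bool:
    """Traditional VPN: once the tunnel is authenticated, the whole
    network is reachable, regardless of device posture or resource."""
    return req.credentials_valid


def ztna_decision(req: AccessRequest) -> tuple[bool, str]:
    """ZTNA: deny by default, re-check every factor on every request,
    and grant access to the single requested resource only."""
    if not req.credentials_valid:
        return False, "credentials revoked or expired"
    if not req.device_compliant:
        return False, "device posture does not meet policy"
    allowed = ROLE_POLICY.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, f"role {req.role!r} has no {req.action!r} on {req.resource!r}"
    return True, f"granted {req.action!r} on {req.resource!r} only"


if __name__ == "__main__":
    # Constructed requests: a sales user on a compliant laptop, the same
    # user trying the codebase, then a DevOps user on a non-compliant host.
    sales_ok = AccessRequest("alice", "sales", True, True, "salesforce:customer-data", "read")
    sales_git = AccessRequest("alice", "sales", True, True, "github:codebase", "read")
    devops_bad = AccessRequest("bob", "devops", True, False, "github:codebase", "write")
    for req in (sales_ok, sales_git, devops_bad):
        print(req.user, "VPN:", vpn_style_decision(req), "ZTNA:", ztna_decision(req))
```

Note that the VPN-style check lets the non-compliant DevOps host through because the tunnel only ever asked whether the credentials were valid.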

Step 1: Understand Who’s Who

Zero trust requires you to know who is accessing what. The first step of any zero trust implementation is focused on establishing a clear picture of the users, devices, and workloads that make up your corporate network.

To achieve this, many organizations opt for a corporate identity provider.

This allows all employees, customers, and contractors to be pulled into the security ecosystem and individually accounted for. It also sets the foundation for a consistent method of enforcing authentication. While this provides granular visibility for users, it doesn’t provide an inventory of all services that communicate over the network.

That inventory can be built through network scanning, either in-house or via a third-party asset management tool. With this level of granularity, it becomes possible to identify your attack surface. Throughout the following steps, ensure you prioritize the most valuable digital assets.

The DAAS approach below breaks it down nicely into four steps:

  1. Data: What needs to be protected?
  2. Applications: Which applications handle sensitive information?
  3. Assets: What are your most critical assets?
  4. Services: Which services could a malicious actor target to disrupt normal IT operations?

Step 2: Leverage Secure Network Controls

A zero trust framework only provides users access according to the PoLP. All other users are essentially cut off from the vast swathes of the entire network that they have no business accessing.

So, how do you cut off all unnecessary inbound access?

Harmony SASE achieves this by establishing a secure gateway: all access requests are filtered via this gateway, which first establishes the role of the user and the associated resources they have access to. All unauthorized devices are automatically prevented from gaining access, and the individual nature of each connection means that no device has visibility into other ongoing connections.

Implementing this secure connection protocol looks a little different depending on the application being secured. There are two major application types:

  • Self-hosted. The SASE gateway’s zero trust tunnel can be established between the application and the firewall’s policy layer.
  • SaaS. SaaS access can be regulated with IP address whitelisting: this means that your SaaS solution can only accept requests that originate from the verified SASE gateway.

Step 3: Implement NGFW Protection

With a secure form of access established, it’s time to establish who is able to access what.

Whether self-hosted or SaaS-based, all network requests are routed via a Next-Gen Firewall (NGFW). The NGFW can employ HTTPS inspection and TLS decryption to examine each packet of data. Alongside this, stateful inspection allows the behavior of a user and their device to be examined before access is granted.

With these tools in hand, ZTNA can be achieved!

From there, it’s important to continuously iterate: keeping a close eye on firewall logs helps to determine whether access policies are well-balanced. An outward-facing threat intelligence lens can further refine it, but this is becoming an increasingly demanding to-do list.

This is why a Secure Access Service Edge (SASE) solution may offer the most efficient way to implement ZTNA and innovate upon it within your organization.

Benefits of ZTNA

ZTNA enables organizations to implement a zero trust security model within their network ecosystem. This can be applied to a variety of use cases and improves the organization’s security posture.

  • Secure remote access

In the wake of COVID-19, most organizations shifted to a mostly or fully remote workforce. Many companies use virtual private networks (VPNs) to support this. However, VPNs have a number of limitations, including a lack of scalability and integrated security.

One of the biggest problems with VPNs is that they grant an authenticated user full access to the network, exposing the company to cyber threats. ZTNA, implemented as part of a software-defined WAN (SD-WAN) or Secure Access Service Edge (SASE) solution, makes it possible to integrate ZTNA into a remote access solution, reducing a remote worker’s network access to only what their job requires.

  • Secure cloud access

Most organizations are embracing cloud computing, and many companies have multiple cloud platforms. To reduce the attack surface, organizations need to restrict access to these cloud-based resources.

ZTNA enables organizations to restrict access to cloud environments and applications based on business needs. Each user and application can be assigned a role within the ZTNA solution with the appropriate permissions and privileges for the organization’s cloud-based infrastructure.

  • Minimizing the risk of account takeover

Account compromise is a common goal for cybercriminals. An attacker attempts to steal or guess a user’s account credentials and use them to authenticate to the organization’s systems as that user. This gives the attacker the same level of access as the legitimate user.

Implementing ZTNA helps minimize this level of access and the damage an attacker can cause using a compromised account. An attacker’s ability to move laterally through the organization’s ecosystem is limited by the privileges and permissions assigned to the compromised user account.

Choose Full-Enterprise Zero Trust with Harmony SASE

Your network isn’t the only surface that needs to adhere to zero trust principles.

Communication channels and endpoints all require continuous, ongoing protection – and the principle of zero trust can be applied to all.

Check Point’s Harmony SASE goes one step further with a full-mesh network architecture that provides zero trust protection across every access point, for every user. Identity-centric security policies combine the actual resource requirements of every team with continuous verification to identify and stop suspicious behavior.

Discover how Harmony SASE grants zero-trust protection, in-depth reporting, and high performance with a demo today.