The critical gap in zero trust [Q&A]
As network boundaries can no longer be relied on to define the limits of cybersecurity, zero trust has become the overarching framework that now guides enterprise security strategies.
However, Zero Trust Network Access (ZTNA) has its limitations, especially in application security, and this can open up risk for organizations heavily reliant on SaaS systems.
We spoke to Brian Soby, CTO and co-founder of AppOmni, to discuss ZTNA's limits and how organizations can best apply zero trust principles to their apps and data.
BN: Why shouldn't enterprises rely on ZTNA alone to secure their zero trust architecture?
BS: The problem here is with the word 'alone'. ZTNA solutions primarily focus on device posture and getting users to applications or private network enclaves. For clarity, I'm using ZTNA to describe both of these use cases, including access to public applications such as SaaS that are intended by a company to have restricted access.
Many ZTNA implementations are part of Secure Service Edge (SSE) or Secure Access Service Edge (SASE) and also incorporate proxies such as Secure Web Gateways (SWGs) and Cloud Access Security Brokers (CASBs).
However, once a user is transported to an application through the ZTNA or ZTNA+SSE stack, most of these solutions lose visibility into what the user can do or is actively doing within the application. This means that authorization policies with ZTNA are typically coarse-grained as they can only make authorization decisions in the form of whether or not a user should be provided transport to an application. It gets even more complicated when we see how many SaaS applications have multiple generations of technologies, integrations of acquired products, or other layered interfaces working in parallel. While a proxy or CASB vendor may be able to reverse engineer limited portions of a few selected SaaS apps, this approach will always be unsupported and at odds with the application, generally leaving large gaps.
Now consider the NIST reference architecture on Zero Trust (800-207) and other authorities on what a Zero Trust Architecture (ZTA) needs to achieve:
- Continuously assess and verify both posture and behaviors of all resources
- Access control enforcement should be as granular as possible
- All access to data and resources should be on a least privilege basis
- Zero trust must be implemented end-to-end.
With ZTNA, we can continuously assess device posture but not the applications themselves. Also, SaaS applications are independent systems available over the Internet. ZTNA protections don't mean much when they can be completely bypassed by attackers because the application security posture doesn't enforce mandatory SSO or require that users access the application only through the ZTNA.
User activities and behavior are somewhat monitored but on a crude basis. As the proxy layer watching user behaviors doesn't really understand the internals of the application and what the user is doing while interacting with those applications, it's highly limited in what it can observe and behaviors it can track.
There is also no concept of least privilege or monitoring with respect to external users and cloud to cloud applications. ZTNA and inline proxy solutions were never intended to provide coverage or protections within these SaaS applications to any entities beyond corporate users. As large and flexible platforms, SaaS applications are very often collaboration points between companies and their customers, partners, and prospects. These apps can have dozens of cloud to cloud integrations and thousands, even millions, of external users accessing data and other resources directly within the SaaS platform. All of those integrations and external users are invisible to the ZTNA and proxy implementations.
Having zero trust enforced end-to-end is definitely not possible as it really stops at access to the applications. This eliminates the feedback loop that should allow for dynamic policies and continuous adjustment of security controls, another goal of zero trust.
Does ZTNA, especially as part of SSE or SASE, add security value for organizations? Absolutely. Does it alone achieve what NIST, the NSA, and others have defined as the goals for zero trust? It does not.
BN: How can applications be secured while still maintaining a zero trust posture?
BS: The goal is not to replace or even diminish zero trust principles but instead to extend and enforce them through the applications that are necessarily a part of a ZTA. This leads to a more comprehensive embrace of zero trust and stronger security throughout the infrastructure.
There are now options available to complement ZTNA and ensure that security principles are not only applied to all resources and access, but are also intricately woven within the fabric of the applications themselves. These enhancements create an end-to-end ZTA and allow organizations to fully achieve the zero trust principles. By ensuring that applications are configured and used in a manner that aligns with zero trust principles, organizations effectively bridge the SaaS security gap.
These new capabilities:
- Prevent unauthorized ZTNA bypass: With comprehensive monitoring and continuous configuration assessment, organizations gain visibility around mandatory single sign-on (SSO), multi-factor authentication (MFA), IP restrictions, and proper access controls to identify bypasses, side-loaded accounts, and other backdoors that can compromise the security posture.
- Ensure secure configuration posture and compliance: The new approaches play a crucial role in continuously monitoring and assessing the configuration of SaaS applications to ensure that they comply with zero trust principles. This helps detect misconfigurations such as data exposures, misconfigured security controls, and unwanted user access entitlements.
- Offer dynamic policy enforcement and adaptability: The new options leverage real-time analysis and create a continuous feedback loop to other components of the zero trust architecture to enable continuous authorization decisions and dynamic enforcement of security policies.
- Adapt to changes in user behavior, application usage, and the evolving threat landscape, ensuring that security measures are always aligned with the risk context.
- Extend zero trust to third-party integrations and external users: It is now possible for zero trust architectures to achieve an unprecedented level of end-to-end security. This approach extends zero trust principles into the very fabric of applications and SaaS environments.
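As an added illustration of the ZTNA bypass conditions described above (non-mandatory SSO, side-loaded local accounts, missing or overly wide IP restrictions), here is a posture check over a constructed SaaS tenant configuration. This is example code, not the interview's or AppOmni's; the `TenantConfig` and `Account` structures, their field names and the egress range are all hypothetical.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed example: the ZTNA egress range the SaaS tenant should be
# restricted to (TEST-NET-3 documentation range, not a real deployment).
ZTNA_EGRESS = [ip_network("203.0.113.0/24")]


@dataclass
class Account:
    username: str
    auth_method: str          # "sso" or "local_password" (hypothetical values)
    mfa_enrolled: bool
    is_admin: bool = False


@dataclass
class TenantConfig:
    name: str
    sso_required: bool        # does the app reject logins that skip the IdP?
    ip_allowlist: list[str] = field(default_factory=list)
    accounts: list[Account] = field(default_factory=list)


def assess_ztna_bypass(cfg: TenantConfig) -> list[str]:
    """Return findings describing ways the app can be reached without ZTNA.

    An empty list means every login must pass through SSO and originate
    from the ZTNA egress range, so the ZTNA policy cannot be side-stepped.
    """
    findings = []
    if not cfg.sso_required:
        findings.append("SSO_NOT_MANDATORY")
    # Side-loaded local accounts authenticate directly against the app and
    # never touch the identity provider or the ZTNA device-posture check.
    for acct in cfg.accounts:
        if acct.auth_method != "sso":
            tag = "LOCAL_ADMIN" if acct.is_admin else "LOCAL_ACCOUNT"
            findings.append(f"{tag}:{acct.username}")
            if not acct.mfa_enrolled:
                findings.append(f"NO_MFA:{acct.username}")
    # Without an IP restriction the app is reachable from anywhere on the
    # Internet; an allowlist wider than the ZTNA egress is also a bypass.
    allowed = [ip_network(c) for c in cfg.ip_allowlist]
    if not allowed:
        findings.append("NO_IP_RESTRICTION")
    for net in allowed:
        if not any(net.subnet_of(egress) for egress in ZTNA_EGRESS):
            findings.append(f"ALLOWLIST_OUTSIDE_ZTNA:{net}")
    return findings
```

Feeding the real tenant settings into a check like this on a schedule is the continuous configuration assessment the answer refers to; each finding maps to one way the application could be reached without passing through the ZTNA stack.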
BN: How does ZTNA tie in with privileged access management?
BS: PAM and other changes in user access within applications are naturally a part of continuous assessment and authorization. As a user's access changes, a ZTA should recognize these changes and dynamically adjust policies as appropriate. These behaviors should be automatic and integrated into a ZTA, incorporating the principles of fine-grained authorization decisions and an end-to-end scope.
Beyond PAM, it's also possible that a user’s permissions and entitlements don’t change but the applications themselves change. For example, new data or business processes could be added to an application that is now available to users without any change to the user accounts or their permissions. These and other manifestations of context changes must all be handled within a ZTA.
BN: Can zero trust help businesses meet compliance standards as well as securing access?
BS: In the complex world of compliance, and even more so for security, no single approach can meet every need. However, as the number of compliance mandates continues to grow in volume and complexity -- encompassing perhaps every function in every industry -- there's no question that zero trust principles can indeed help ensure compliance while strengthening security protocols.
By now the notion of zero trust is three decades old, and it has largely held firm while just about every corner of the technology market that it originally encompassed has been drastically transformed. In order for zero trust to retain its vitality, it is crucial for those principles to be extended past the network layer and into core applications.
A more comprehensive approach that ensures 'never trust, always verify' guardrails by, for example, enabling continuous monitoring of broad-scale access to widely used SaaS applications can go a long way toward not only boosting security but also enduring compliance.
BN: Does zero trust need to become part of the design process for new apps?
BS: The 'Secure by Design' concept has gained popularity precisely because it offers a clear path forward: when security is an afterthought, as it is in so many consumer creations, for example, it is often inadequate.
However, product development is not a singular field. A consumer-friendly mobile app and a piece of network hardware should both be designed with security as a priority, but the process for each is very different.
There are likely many fields in which zero trust can play a critical role in product development. However, legislating the inclusion of this notion into every field is likely unrealistic.