Extending Zero Trust to any Remote Wi-Fi Connection
Zero Trust Network Access (ZTNA) products are built on the premise that access to corporate applications and services should be earned at every request, based on the identity of the user, the device, and the context. This is in contrast to the implicit trust that the traditional perimeter-based security model assumes, automatically granting access to any device connected.
The ability to segment, isolate, and control the network is essential to ZTNA as there should never be a reason to put the user onto the network where they can explore/route to your application servers and data centers.
This post will explore the last mile security problem: exposed devices on untrusted dirty networks and how Byos complements ZTNA solutions through endpoint micro-segmentation.
Determining Trustworthiness: the User, the Device, and the Context
The ZTNA Trust Broker bases every access decision on three main inputs: the user, the device, and the context.
User - To continuously monitor and validate user trustworthiness, ZTNA products use signals from Identity and Access Management (IAM) and Multi-Factor Authentication (MFA).
Device - To determine device trustworthiness, the device’s security posture is validated during every request with signals collected from various sources:
Unified Endpoint Management (UEM)
Mobile Device Management (MDM)
Endpoint Protection (EPP) suites or Endpoint Detection and Response (EDR) tools
User and Entity Behaviour Analytics (UEBA) platforms and/or Security Information and Event Management (SIEM) solutions.
Context - The context is the network that the endpoint connects from. ZTNA treats every user network connection as a public network, like those in hotels, coffee shops, or home Wi-Fi.
Based on these three input signals, ZTNA allows administrators to:
control privileged network access
manage internal and external data flows
prevent lateral movement in the network
gain the visibility to make dynamic policy and trust decisions on network and data traffic
However, there is a missing piece to the whole equation: What is happening on the local network the device is connected to? Yes, the device is assumed to be connected to an uncontrolled public Wi-Fi network, but are there malware-laden devices potentially infecting corporate devices? Are there malicious actors waiting for the corporate devices to leak DNS information or SMB requests?
Needing More Context for the Local Network Environment
Even with strong user and device signals, the network context alone isn’t enough; security teams need assurance that the local network connection is segmented, isolated, and controlled.
ZTNA solutions don’t protect or isolate devices from the local network, leaving them exposed. Despite using a ZTNA solution, devices remain vulnerable to a number of attacks including:
Scanning, Enumerating, and Fingerprinting
Remote Access Exploits
Lateral Network Infections
Read more here: The Half Dozen Risks of Using Dirty Public Wi-Fi Networks
While it’s true that administrators using ZTNA solutions will have full visibility over the devices requesting access, they won’t have full visibility over that remote network that the device is connected from.
How does Byos complement ZTNA?
The Byos µGateway solves the last mile security problem through endpoint micro-segmentation. The µGateway adds another layer of security by providing the endpoint with its own protected micro-segment of one within the local network. In addition, the presence of a known µGateway can act as an authorization signal to the ZTNA trust broker that the local network connection is secure. By enabling granular policy enforcement at the endpoint, the µGateway also gives the administrator assurance that the endpoint is shielded from all other local network security threats.
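To make the access decision concrete, here is an added, illustrative trust-broker policy written for this post; it is not Byos or any ZTNA vendor's code. It combines the three inputs described above (user signals from IAM/MFA, device posture from UEM/MDM/EDR, and network context), treats every network as untrusted by default, and accepts a hypothetical `local_segment_isolated` signal that stands in for the kind of endpoint-isolation attestation just described. The signal names, the sensitivity tiers and the MFA age limits are constructed for the example.

```python
"""Illustrative ZTNA trust-broker access decision (added example, not vendor code).

Every request is evaluated against user, device and context signals.
All networks are treated as untrusted public networks; the hypothetical
`local_segment_isolated` flag represents an attestation that the endpoint
sits in its own isolated micro-segment on the local network.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"   # allow only after a fresh MFA challenge


@dataclass(frozen=True)
class UserSignals:
    identity_verified: bool   # IAM confirmed the session belongs to a known user
    mfa_passed: bool          # an MFA factor was satisfied for this session
    mfa_age_seconds: int      # time since the last successful MFA challenge


@dataclass(frozen=True)
class DeviceSignals:
    managed: bool             # enrolled in UEM/MDM
    edr_healthy: bool         # EDR agent running and reporting
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class ContextSignals:
    network_type: str             # e.g. "public", "home", "hotel"; all untrusted
    local_segment_isolated: bool  # hypothetical: endpoint is in a micro-segment of one


# Maximum acceptable MFA age (seconds) per (resource sensitivity, isolated?).
# Constructed values: an isolated endpoint earns a longer re-authentication window.
MFA_MAX_AGE = {
    ("low", False): 8 * 3600,
    ("low", True): 8 * 3600,
    ("high", False): 15 * 60,
    ("high", True): 4 * 3600,
}


def evaluate(user, device, ctx, sensitivity="low"):
    """Return (Decision, reasons). Default-deny: a request is allowed only
    when no user, device or context rule objects."""
    reasons = []

    # 1. User: identity must be established and MFA satisfied.
    if not user.identity_verified:
        return Decision.DENY, ["user identity not verified"]
    if not user.mfa_passed:
        return Decision.STEP_UP, ["MFA not satisfied for this session"]

    # 2. Device posture: unmanaged or EDR-blind devices never get in.
    if not device.managed:
        reasons.append("device not enrolled in UEM/MDM")
    if not device.edr_healthy:
        reasons.append("EDR agent unhealthy or missing")
    if sensitivity == "high" and not (device.disk_encrypted and device.os_patched):
        reasons.append("device posture insufficient for high-sensitivity resource")
    if reasons:
        return Decision.DENY, reasons

    # 3. Context: the network is untrusted whatever its type, so context only
    #    changes how fresh the MFA must be. Unknown tiers are denied outright.
    key = (sensitivity, bool(ctx.local_segment_isolated))
    if key not in MFA_MAX_AGE:
        return Decision.DENY, [f"unknown resource sensitivity {sensitivity!r}"]
    max_age = MFA_MAX_AGE[key]
    if user.mfa_age_seconds > max_age:
        isolation = "isolated" if ctx.local_segment_isolated else "unisolated"
        return Decision.STEP_UP, [
            f"MFA is {user.mfa_age_seconds}s old; limit on an {isolation} "
            f"{ctx.network_type} network is {max_age}s"
        ]

    return Decision.ALLOW, ["user, device and context checks passed"]


if __name__ == "__main__":
    # Constructed sample request: healthy user and device on hotel Wi-Fi,
    # MFA an hour old, asking for a high-sensitivity application.
    user = UserSignals(True, True, 3600)
    device = DeviceSignals(True, True, True, True)
    for isolated in (False, True):
        ctx = ContextSignals("hotel", isolated)
        print(isolated, evaluate(user, device, ctx, "high"))
```

Run as a script, the same hour-old MFA session yields STEP_UP on an unisolated hotel network but ALLOW when the isolation signal is present; an unmanaged device is denied before the context is even consulted, which is the ordering a default-deny broker should keep.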
While the perimeter-based model of security may be flawed for the new world of decentralized work, understanding the user, the device’s security posture, and the security of the network is fundamental to achieving a Zero Trust environment. Pairing the Byos µGateway with a ZTNA solution will enhance control and reduce the risk of devices connecting to dirty networks, extending ZTNA efforts to allow connectivity from any Wi-Fi network.