Zero-trust networking

11 May 2021

Darren Fields, regional vice president, cloud networking, EMEA at Citrix

Imagine you are in a foreign city for the first time and need to take a taxi cab to reach your destination. When hailing a taxi, the only thing you can go by is a quick inspection: if it looks like a taxi, carries the typical “taxi” sign, a taxi registration number, and the name of a taxi company written on its doors, you get on board – unless the car, again at first glance, is in terrible shape. 

As soon as you have taken your seat in the cab, you need to trust the driver: you need to assume that they will take you to your destination smoothly, won’t endanger your safety by speeding or drunk driving, and will avoid unnecessary detours. This is always a somewhat uneasy feeling – but we cope with it. 

From the bird’s eye view of an IT team tasked with securing the company network, all user accounts look like little taxi cabs: the “vehicles” employees use to navigate the company’s data highways are their endpoint devices, their “taxi license” is their user profile and the associated access password – and, just like real-world taxi cabs, they can have accidents or even be hijacked by threat actors. So, while companies used to be content with an initial showing of papers, today’s IT and network security teams cannot simply assume that these taxis will drive safely and responsibly – they have to make sure.

There are two main drivers (no pun intended) for this change: first, in today’s business world, practically all business processes depend on a reliable, secure IT infrastructure. So the IT security team is required to have a close look at who is using this infrastructure in what way. Second, today’s user base is far more heterogeneous than it used to be. While twenty – or even only ten – years ago, most users would probably access company resources by using company devices from within the company network, the current situation is vastly different – and much more complex. 

Even before the current crisis with its lockdowns and the boom in home-office and remote work scenarios, employees used to work ever more flexibly: they increasingly accessed apps and data from anywhere – from home, from a hotel on business travels, from a train or plane, or from their favourite café. They had long started the “bring your own device” (BYOD) trend of using privately-owned devices instead of just company equipment. Also, more and more of the apps and data they accessed would not reside only in the company data centre anymore, but in the cloud – usually in a variety of public clouds. Today’s digital work is shaped by increasing mobility and flexibility, and recent Citrix surveys suggest that even after the current crisis, this trend towards more flexible remote work will continue.

So the challenge is to guarantee the required level of security in an increasingly complex environment. To achieve this, the zero-trust approach replaces the initial “at a glance” security control, instead following the rule, “never trust, always verify”: in a ZTNA, security software based on AI algorithms continuously monitors user (more specifically: user account) and endpoint device behaviour, checking for deviations from defined rules and historical behaviour patterns. 

For this, the first step is to continually verify the user’s identity, ideally by applying multi-factor authentication via hardware tokens or soft-token apps. The second step is endpoint device monitoring, from the devices’ ownership status (company-owned, privately owned) to their patch level. This non-stop vigilance allows the ZTNA infrastructure to react immediately to suspicious activities, for example if a log-in request comes from London, but one minute later the next request comes from, say, Singapore – a clear sign of a user account takeover. In this case, the ZTNA software can alert the security team or even, if permitted to do so, automatically block user access. In other cases which are not quite as clear, the software might ask users to provide additional proof of their identity, e.g. by using a second authentication factor. For information security, users’ access to resources can be limited to what they actually need to access in their respective roles. This is complemented by customisable rules that restrict user access based on their current context: user X may be allowed to access any kind of app or data from anywhere with any device, but user Y may only use e-mail and the web remotely, while user Z may only access sensitive business intelligence data using two-factor authentication and a corporate device. 
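To make the two mechanisms in the paragraph above concrete, here is a small added example (written for this page, not code from Citrix or any ZTNA product) that evaluates a log-in request against the previous log-in of the same account and against the context rules for users X, Y and Z. The “impossible travel” check compares the great-circle distance between two log-ins with the time elapsed between them; the 1000 km/h ceiling, the city coordinates, the resource names and the sample events are all constructed assumptions for illustration.

```python
"""
Added illustration of zero-trust access decisions: an impossible-travel check
between consecutive log-ins plus per-user context rules. Not vendor code;
all thresholds, names and sample events are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import math


@dataclass(frozen=True)
class LoginEvent:
    user: str
    time: datetime
    lat: float
    lon: float
    remote: bool        # True when the request does not come from the corporate network
    device: str         # "corporate" or "byod"
    mfa: bool           # a second factor was already presented with this request
    resource: str       # e.g. "email", "web", "crm", "bi-data"


EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: no legitimate user moves faster than an airliner


def great_circle_km(lat1, lon1, lat2, lon2):
    """Haversine distance between two WGS84 points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    """True when the account would have had to move faster than max_kmh."""
    dist_km = great_circle_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.time - prev.time).total_seconds() / 3600.0
    if hours <= 0:                      # out-of-order or same-second events
        return dist_km > 1.0
    return dist_km / hours > max_kmh


# Context rules mirroring the three users described in the article.
REMOTE_ALLOWED_FOR_Y = {"email", "web"}
SENSITIVE = {"bi-data"}


def rule_x(ev):
    return "allow"                      # any app, anywhere, any device


def rule_y(ev):
    if ev.remote and ev.resource not in REMOTE_ALLOWED_FOR_Y:
        return "block"                  # only e-mail and web when off the corporate network
    return "allow"


def rule_z(ev):
    if ev.resource in SENSITIVE:
        if ev.device != "corporate":
            return "block"              # sensitive data only from a corporate device
        if not ev.mfa:
            return "step-up"            # ask for the second factor before allowing
    return "allow"


POLICY = {"X": rule_x, "Y": rule_y, "Z": rule_z}


def evaluate(ev, history):
    """Return (decision, reason) for ev given earlier events of all accounts."""
    same_user = [e for e in history if e.user == ev.user]
    if same_user:
        prev = max(same_user, key=lambda e: e.time)
        if impossible_travel(prev, ev):
            return "block", "impossible travel since previous log-in"
    rule = POLICY.get(ev.user)
    if rule is None:
        return "block", "no policy for account"   # default deny
    return rule(ev), "context rule"


# Constructed sample data.
T0 = datetime(2021, 5, 11, 9, 0, tzinfo=timezone.utc)
LONDON = (51.5074, -0.1278)
SINGAPORE = (1.3521, 103.8198)
MANCHESTER = (53.4808, -2.2426)


def demo():
    """Run a few scenarios and return the decision for each."""
    first = LoginEvent("X", T0, *LONDON, remote=True, device="corporate", mfa=True, resource="crm")
    hijack = LoginEvent("X", T0 + timedelta(minutes=1), *SINGAPORE,
                        remote=True, device="byod", mfa=False, resource="crm")
    commute = LoginEvent("X", T0 + timedelta(hours=2), *MANCHESTER,
                         remote=True, device="corporate", mfa=True, resource="crm")
    y_crm = LoginEvent("Y", T0, *LONDON, remote=True, device="byod", mfa=False, resource="crm")
    y_mail = LoginEvent("Y", T0, *LONDON, remote=True, device="byod", mfa=False, resource="email")
    z_nomfa = LoginEvent("Z", T0, *LONDON, remote=False, device="corporate", mfa=False, resource="bi-data")
    z_byod = LoginEvent("Z", T0, *LONDON, remote=False, device="byod", mfa=True, resource="bi-data")
    return {
        "hijack": evaluate(hijack, [first])[0],
        "commute": evaluate(commute, [first])[0],
        "y_crm": evaluate(y_crm, [])[0],
        "y_mail": evaluate(y_mail, [])[0],
        "z_nomfa": evaluate(z_nomfa, [])[0],
        "z_byod": evaluate(z_byod, [])[0],
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

Two design points worth noting. The evaluator is default-deny: an account with no policy entry is blocked rather than allowed, which is the zero-trust posture the article argues for. And the speed ceiling deliberately triggers “block” rather than “step-up” because the London-to-Singapore-in-a-minute case is, as the article says, unambiguous; the ambiguous cases (missing second factor on a corporate device) get a step-up prompt instead.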

It is important to note that when implementing ZTNA, the focus needs to be on the employee experience: access policies should be designed to give the users all the flexibility they need in their usual business day. Once this set of policies is established, the beauty of ZTNA is that the software will use AI to automatically determine a baseline of regular behaviour, and will only intervene if there is a reason to be suspicious. This means that most of the time, users won’t notice the AI algorithms working in the background at all. This makes zero-trust networking much more employee-friendly than traditional IT security solutions: ZTNA strikes a perfect balance between resilient security and hassle-free usability, so employees can work without distractions or interruptions, but with the comforting knowledge that their digital workspace is secure. 

In other words, a zero-trust network architecture – either as an integrated component of a digital workspace environment or as a stand-alone ZTNA solution – will always have a close eye on the taxi driver – not only upon entering the cab, but throughout the whole trip. This way, ZTNA gives employees a safe journey through today’s complex hybrid multi-cloud world. Zero-trust – in spite of its name – continuously establishes the trust needed for an efficient, secure work environment with a great employee experience.