Zero Trust Segmentation

Why ZTNA Leaves Security Gaps — And How ZTS Fills Them

As much as many Zero Trust vendors would like you to believe, Zero Trust is not a single product or technology, but instead an overall strategy for the entire IT environment.

Zero Trust, as the name suggests, is a model that denies access to an enterprise's digital resources by default and grants permissions only on an as-needed basis, based on identity and resource type.

To protect an organization's critical workloads the three critical Zero Trust must-haves are:

  • Identity Governance
  • Zero Trust Segmentation (ZTS)
  • Zero Trust Network Access (ZTNA)

While most organizations have already adopted Identity Governance, the latter 2 components of Zero Trust go hand in hand and play a major role in securing an organization's infrastructure.

What is ZTNA, and why is it important?

ZTNA has seen widespread adoption over the past couple of years, to secure an organization's perimeter and the north-south traffic. ZTNA provides a simple but robust mechanism for users to access applications in the cloud or data center by authenticating users based on their identities and roles.

Moreover, when the users are granted access, unlike a traditional VPN, the users are provided access only to the application the user needs and denied access to the corporate network itself. This reduces the network attack surface exposed at the perimeter.

The top 3 areas where ZTNA falls down

Although ZTNA has proven to have many advantages, it's not a bulletproof solution for your network.

In reality, breaches still happen.

As the complexity of attacks increases, it becomes imminent to adopt an "assume breach" mindset where the goal of the organization should be to reduce the internal attack surface and contain breaches to as few resources as possible.

ZTNA does a great job securing external access to applications from remote users, but there are multiple scenarios where ZTNA cannot provide benefits. That is why a defense-in-depth approach is essential.

There are 3 major areas where ZTNA offers no protection:

  • Lateral movement between endpoints: ZTNA solutions provide resource access from remote users to applications. However, when a user is in the office, it doesn't prevent or regulate access from various end-user devices. An infected endpoint inside the corporate environment can laterally move across many endpoints and servers, gaining access to sensitive user data and at the same time is prone to large-scale ransomware attacks.
  • Lateral movement between servers: ZTNA doesn't have the ability to protect against attack vectors that originate inside the data center. A great example would be the SolarWinds supply chain attack of 2020 in which attackers gained access to the networks and systems where SolarWinds was deployed.
  • Failure of Identity Service Providers: ZTNA solutions place their trust to authenticate users into their environment on Identity Service Providers (IDPs). Attackers have taken advantage of this by spoofing IDPs and bypassing MFAs. Once inside, attackers are free to wreak havoc, exfiltrate data, and infect an organization's critical assets.

How does ZTS help when ZTNA falls down?

ZTS and ZTNA are fundamental building blocks in any Zero Trust journey. It's clear that an organization cannot solely rely on ZTNA to protect against malicious actors.

ZTS fills the gap by securing the east-west traffic that's left wide open by ZTNA and provides much needed visibility into network traffic to continue your Zero Trust journey.

It's common knowledge that you can only secure what you can see. In addition to securing the east-west traffic, ZTS provides end-to-end visibility from endpoints (remote and the office) all the way to the applications in the data center or the cloud. Organizations can leverage this visibility when implementing other Zero Trust solutions.

With ZTS, an "assume breach" approach is enforced throughout the environment so that nodes cannot communicate with one another unless explicitly allowed. This ensures breaches are contained and cannot spread to the entire network.

The shift from a breach prevention mindset to a breach containment mindset has been validated by the White House's Executive Order 14028 issued in 2021. The EO calls on federal agencies - and all organizations - to move towards a Zero Trust security strategy which specifically highlights Zero Trust Segmentation (also called microsegmentation) as one of its major pillars.

Learn more about the highlights from Executive Order 14028 in this article.

ZTS addresses the 3 major shortcomings posed by ZTNA

Endpoints that are allowed to communicate with other endpoints are a gift to any attacker to spread quickly. Therefore, endpoints inside or outside the corporate network need to be secured using ZTS. When ports are left open, endpoints become an appealing attack vector and a major source of ransomware propagation within the network. Once endpoints are infected, attackers may move to critical assets within the data center.

With the visibility gained from ZTS, you can simply create segmentation rules where granular policies can be applied on application servers, allowing only certain servers to communicate with one another over specific protocols. For example, we may want to allow communication between a web server and a database server on port 3306 (MySQL) but want to restrict the database from accessing the web server.

ZTS proves to be a valuable failsafe in case attackers bypass the IDP's authentication mechanism. Even if an attacker gets in, they will be unable to move laterally throughout the environment, thereby reducing the blast radius of an attack.

A vast majority of cyberattacks depend on network discovery and lateral movement. Without ZTS in addition to ZTNA, an organization is vulnerable to these tactics being repeatedly exploited.

Illumio + Appgate: Attain cyber nirvana by implementing both ZTS and ZTNA

ZTS and ZTNA play a major role in securing a modern infrastructure. Combining them is how you make your networks great again and attain cyber nirvana!

Illumio and Appgate are leading the way in helping organizations implement effective and efficient Zero Trust security protection. Illumio and Appgate were ranked as Leaders in the Forrester Wave‚Ñ¢: Zero Trust eXtended Ecosystem Platform Providers.

With Illumio and Appgate, you can quickly build Zero Trust security to protect both perimeter and interior traffic across your hybrid computing environments.

Learn more about Illumio + Appgate in this article. And get the three-step, best practice approach to implementing Zero Trust security with Illumio and Appgate in the solution guide.

Related topics

Related articles

Container Security – A New Frontier (Part 2)
Zero Trust Segmentation

Container Security – A New Frontier (Part 2)

Container security, Kubernetes guidance: challenges, threats, and considerations. A two-part blog series on how to keep your container use secure.

What Makes Illumio's Agent More Reliable Than Inline Agents
Zero Trust Segmentation

What Makes Illumio's Agent More Reliable Than Inline Agents

Focusing on risk reduction goals and taking a hands-off approach to packets, Illumio lets you think about security without worrying about a reliable agent.

5 Reasons DevOps Will Love Micro-Segmentation
Zero Trust Segmentation

5 Reasons DevOps Will Love Micro-Segmentation

When segmentation runs off the same metadata sources as the application automation, it is easy for DevOps teams to build segmentation into automated workflows.

No items found.

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?