ZTNA
What Your Firm Needs to Know About Zero Trust
For the full article visit lawyermonthly.com
January 2022
Zero trust
Sounds ominous, doesn’t it? After all, shouldn’t we be able to have even the slightest smattering of trust in anything? Sadly, when it comes to your firm’s cybersecurity, a zero trust approach is becoming a de facto standard. In essence, zero trust is the mantra that you don’t automatically trust anything inside or outside of your network perimeters – rather, you must verify anything and everything that attempts to connect to your IT systems before access is approved. Why has it become necessary to adopt such seemingly draconian security measures? In a word, breaches.
Let’s face it, your firm (and all the others) handles a great deal of sensitive information – it’s in the nature of the beast. We are talking about things like corporate intellectual property, personal client information and even financial data. And it’s also likely that a significant proportion of this information is accessible to your people via their smart devices or laptops. If you factor in the massive increase in remote working that COVID forced on all firms, then the demand for accessing your firm’s networks from outside the ‘normal’ perimeters will probably have sky-rocketed. Your firm’s IT team needs to grapple with an entirely different IT landscape, one which operates largely outside of the traditional centralised network. And with these challenges come the opportunities for cybercriminals to get their hands on all of that valuable information – the attack surface is now much larger, and potential entry points are more numerous. And so a zero trust approach to your security really does begin to make sense as you look to lock down your defences.
But what should you take into account before fully committing to an investment in Zero Trust Network Architecture (ZTNA)? Let’s look at some key factors.
Ease of deployment – An important facet of your initial considerations should be the ease of deployment and scale – i.e. will any investment support the firm’s needs and allow for appropriate growth and expansion? Any successful implementation relies on simple and straightforward onboarding processes for users. Similarly, stick with technology that is easy to manage and that doesn’t require a particularly specialised skill set. Also bear in mind which deployment model suits your needs best – on premises, SaaS hosted or perhaps a private cloud?
The Challenge of Legacy apps – Such apps are part of the network and could be things like the mainframe or HR systems, for example, yet they are too commonly left out of the ZTNA. With the proliferation in working from home (WFH), the use of remote desktop protocol (RDP) has gone through the roof, so check with your intended solutions provider how support for RDP will be achieved. Historically, many legacy apps throw up the challenge of being too expensive to re-architect the systems in which they exist. If, in that case, such legacy apps are ignored in the ZTNA approach, they can become the weakest link.
Conditional access – We have already touched on the impact that COVID has had on remote working. Truth is, this shift was already starting to happen with firms planning on the cultural and technical changes that needed to be made. Whilst it remains unclear for most firms precisely how their people will be working moving forwards, it is clear that some kind of flexible working arrangements will exist. So whether it is remote, WFH or hybrid, your people will still need secure access to any applications. To make things easier, your firm can protect access to apps by employing a management process known as conditional access. In this way, a single policy per user can provide access to an application, whether that person is working from home or at the firm’s HQ. Conditional access policies provide access only to authorised users and only to the apps that they specifically need.
Agent or Agentless monitoring? – Essentially, when we refer to ‘agentless’ we are describing an operating environment where no service / process needs to run in the background on the machine. The use of an ‘agent’ typically ends up complicating the overall deployment – and it can also interfere with any VPN service or any other agents in use. At the end of the day, both agent-based and agentless monitoring are able to meet the needs of different users – it ultimately boils down to monitoring requirements. But agentless monitoring offers less complexity and works seamlessly with networks and storage devices.
The demand for accessing your firm’s networks from outside the ‘normal’ perimeters is going up. Your firm’s IT landscape has shifted – it now operates largely outside of the traditional centralised network. Cyber thieves now have a much larger attack surface to play with, so adopting a zero trust approach to your security offers up a truly robust defence.