BuzzWord Bingo - Zero Trust Network Access (ZTNA)



Our social media feeds, TV ads and billboards are full of them: buzzwords. Many of these terms have long, carefully researched and well-cited articles written about them; here we will stick to a quick, brief description that applies to today's business scene and that everyday people can understand.

Zero Trust Network Access

Much used, not well understood. Basically it refers to a more secure way for users, accounts and services to connect to apps, data and resources, one that considers a number of factors beyond a username and password. No single product provides Zero Trust, by the way.

Also, Zero Trust is a bit of a misnomer: if there were no trust at all there would be no access. So it is really Variable Trust, or as I prefer to call it, Risk Based Trust and Access.

Many people have opinions on this, and once again, I am not going to weigh in on the finer details here.

Figure: Broad overview diagram of Zero Trust Network Access (ZTNA)

But basically it is this: when you go to connect to a company application to get at data (view, download, input, print and so on), there are a number of steps in the process that you don't see, and a number of factors that can be used to decide whether you can be trusted to do that.

Firstly, are you who you say you are? There are many John and Joan Smiths in the world; are you the one that is expected? This is why we had usernames and passwords, with your password being something only YOU KNEW.

But then we progressed. Something YOU KNEW was not enough, because people shared passwords, people guessed passwords and people stole passwords. We moved to something YOU HAVE as well as something YOU KNEW. Something YOU HAVE may be a physical token, a phone with an authenticator app, or a code sent by SMS to the phone that YOU HAVE. This was called Two Factor Authentication.

But then attackers learned to defeat SMS: codes can be intercepted or redirected by taking over the victim's phone number (SIM swapping), and a one-time code of any kind can be phished from the user and relayed to the real site while it is still valid. People shared tokens, people lost tokens.

Now we have Multi-Factor: two or more of something YOU KNOW, something YOU HAVE and something YOU ARE. Something YOU ARE is your fingerprint or your unique face. It is far harder to steal or share than a password, although biometric sensors have been fooled with copies, so it is not an absolute guarantee (yet? or is it?).

So to log in you may now have to present something YOU KNOW (username and password), something YOU HAVE (a token or similar) and something YOU ARE (your face or fingerprint).

But that is just you. What about your device? Is it a company device? Is it your personal device? Is it some random person on the other side of the world pretending to be you? So now we also need to know which device is connecting and whether it is expected. If it is your personal device, we might not let you access the really sensitive material; we reserve that for company-owned and managed devices. Why? Because on a company device we can generally see whether it is patched and whether it has been compromised, and we have protection in place for that; not so on your personal device.

What about your location? Which Wi-Fi or network is allowed or not allowed? Are you on the office network, at home, or on a free unsecured one in a public place (cafe, airport, shopping centre)? This matters, especially if the connection appears to come from overseas when you are not overseas, or from two places too far apart to have travelled between them in the time available.

So OK, you have proved you are you, your device is good, we know the location, and we know what you are allowed to access. But what if your computer, device or phone now gets hacked, or has an app that steals or siphons data or has more access than it should? What if you move from your home wireless network to the free unsecured one at the cafe? Things have changed. You have become suspicious, risky. The RISK has changed. Maybe you shouldn't be allowed to access that sensitive data anymore; maybe you shouldn't be able to access anything anymore.

And this is what Zero Trust Network Access is: using many data points, such as the above and more, to determine what you can and can't access, and doing this constantly, re-assessing the data points and the risk for every request rather than once at login, and adjusting access accordingly. It also means making sure that data is encrypted, protected and encapsulated in transit, but that is for another day :)

This is why no one product can provide Zero Trust Network Access. You need the identity and authentication/authorisation data (Microsoft Entra ID (M365), Google Workspace, AWS IAM, Duo Security and so on), constantly; you need the network connection data from the firewall or proxy, such as source and destination IP addresses; you need the endpoint data (computer, laptop, mobile device) such as type, manufacturer, device fingerprint and operating system (is it up to date?), and to know whether it is compromised or not. You need the access data to know which app is being accessed, and of course you need to know which apps are allowed based on all of this. Identity, firewall, endpoint data, access data, time of day, location . . . no one product can do it all.
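To make the continuous, risk-based decision described in the last two paragraphs concrete, here is an added example of a small policy engine. It is an illustration written for this article, not code from the original page and not Cisco's or any other vendor's product. It combines the signals listed above (login factors, device state, endpoint health, network type, location, time of day and app sensitivity) into a score and returns one of allow, step-up verification or deny, with the reasons. The field names, point values, thresholds, app tiers and the 900 km/h travel limit are all assumptions chosen for the illustration, and the sessions it evaluates are constructed sample data.

```python
"""Added example: a toy risk-based access policy over the signals the article
lists.  Every field name, point value and threshold is an assumption made for
illustration, not any vendor's policy engine."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Factors accepted as a strong second factor; SMS is deliberately left out.
STRONG_FACTORS = {"totp", "hardware_token", "fingerprint", "face"}

# Assumed sensitivity tiers for the apps in this example (1 = low, 3 = sensitive).
APP_SENSITIVITY = {"wiki": 1, "email": 2, "payroll": 3}

# Constructed sample coordinates and timestamp used by the scenarios below.
SYDNEY = (-33.87, 151.21)
LONDON = (51.51, -0.13)
NOW = datetime(2024, 5, 6, 10, tzinfo=timezone.utc)


@dataclass
class Context:
    """One access request, assembled from identity, endpoint and network sources."""
    user: str
    factors: set                          # factors presented at login, e.g. {"password", "totp"}
    device_managed: bool                  # company-owned and enrolled in device management
    os_patched: bool                      # operating system up to date
    edr_clean: bool                       # endpoint agent reports no active compromise
    network: str                          # "office", "home" or "public"
    location: tuple                       # (lat, lon) of the current connection
    time_utc: datetime
    app: str
    prev_session: Optional[tuple] = None  # (lat, lon, time_utc) of the previous session


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(ctx, max_kmh=900):
    """True if the user would have had to move faster than an airliner since the
    previous session ("connecting from overseas when you are not overseas")."""
    if ctx.prev_session is None:
        return False
    lat, lon, when = ctx.prev_session
    hours = max((ctx.time_utc - when).total_seconds() / 3600, 1 / 60)  # floor at one minute
    return haversine_km((lat, lon), ctx.location) / hours > max_kmh


def risk_score(ctx):
    """Add up risk from each signal; returns (score, list of reasons)."""
    score, reasons = 0, []

    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    if not (ctx.factors & STRONG_FACTORS):
        hit(3, "no strong second factor")
    if not ctx.device_managed:
        hit(2, "unmanaged (personal) device")
    if not ctx.os_patched:
        hit(1, "operating system out of date")
    if not ctx.edr_clean:
        hit(7, "endpoint reports compromise")  # disqualifying on its own
    if ctx.network == "public":
        hit(2, "public network")
    if impossible_travel(ctx):
        hit(4, "impossible travel since previous session")
    if not 6 <= ctx.time_utc.hour < 20:
        hit(1, "outside business hours")
    return score, reasons


def decide(ctx):
    """Map risk and app sensitivity to "allow", "step_up" or "deny", plus the reasons."""
    score, reasons = risk_score(ctx)
    sensitivity = APP_SENSITIVITY.get(ctx.app, 3)  # unknown apps are treated as sensitive
    if score >= 7:
        return "deny", reasons
    if sensitivity == 3 and not ctx.device_managed:
        return "deny", reasons + ["sensitive app requires a managed device"]
    if score >= 3 or (sensitivity == 3 and score > 0):
        return "step_up", reasons  # ask the user to re-verify before continuing
    return "allow", reasons


def sample_context(**overrides):
    """Constructed baseline: managed, patched laptop on the office network with
    password + TOTP, opening the wiki at 10:00 UTC.  Overriding one signal at a
    time is how the scenarios below re-evaluate the same session as things change."""
    base = dict(user="jsmith", factors={"password", "totp"}, device_managed=True,
                os_patched=True, edr_clean=True, network="office", location=SYDNEY,
                time_utc=NOW, app="wiki", prev_session=None)
    base.update(overrides)
    return Context(**base)


def previous_session(place, hours_ago):
    """Constructed record of an earlier session at `place`, `hours_ago` before NOW."""
    return (*place, NOW - timedelta(hours=hours_ago))


if __name__ == "__main__":
    scenarios = {
        "office, managed laptop, strong MFA, wiki": sample_context(),
        "same user moves to cafe wifi, opens payroll": sample_context(network="public", app="payroll"),
        "EDR reports compromise mid-session": sample_context(edr_clean=False),
        "Sydney an hour ago, now London": sample_context(location=LONDON, prev_session=previous_session(SYDNEY, 1)),
    }
    for name, ctx in scenarios.items():
        print(name, "->", *decide(ctx))
```

The point of the structure is that nothing is decided once: the same session is scored again each time a signal changes, so a user who was allowed in on the office network can be asked to re-verify the moment they open payroll from a cafe, and can be cut off entirely when the endpoint agent reports a compromise, exactly the "RISK has changed" case above. A real deployment would pull each of these fields from the identity provider, device management, EDR and network layers listed in the paragraph, which is why several products have to feed the one decision.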

We, Small Robot, partner with Cisco to bring you the solutions and the expertise to make this all work. The way we see it, only they have the technology stack to do true Zero Trust Network Access.

Oh, and how does it look for a user when you have Small Robot implement this? You log in once and do your job. You get access to everything you need off the back of that one login: no more logins, no more token prompts, no more password prompts, unless something changes and you become a risky user, in which case we ask you to verify briefly and, if all is good, away you go again. If not, access is reduced or revoked.

Simple and secure. Easy for users, hard for hackers.