Network Access Control for a Zero Trust Age
Previously, we’ve written about the zero trust network security framework and separately, about network access control (NAC).
But how do zero trust and NAC fit together? Is it like a belt and suspenders? Hammer and nails? Chocolate and peanut butter?
Before we dig into that, let’s start with a quick recap.
Zero trust is a security framework anchored by the principle that no user or application should be trusted by default. It’s built upon the following assumptions:
- There is no traditional network edge. Networks can be local, in the cloud, or hybrid with resources and users in any location.
- The network is hostile; external and internal threats are ever-present.
- Trust cannot be established or perpetuated based on network locality.
- Authentication and authorization are necessary for every device, every user, and every network flow.
- Security policies must be dynamic and derived from multiple sources of credible data.
Network access control, or NAC, refers to a set of technologies designed to strongly authenticate devices before they gain access to sensitive networks. As we shared previously, NAC technology is not new; in fact, it has been around for nearly two decades. However, the ever-growing attack surface and the added complexity of the remote work revolution demand a new generation of information security solutions aimed at protecting the myriad users, devices, and resources of the widely dispersed modern workplace. Now, more than ever, it’s critical to have visibility into devices connecting both internally and externally, along with the ability to respond automatically if a compromise occurs.
If you’ve read our previous posts on zero trust and NAC, hopefully that all sounds familiar; if not, the links in the first paragraph will take you to those posts for more details. But the question for today is: how does NAC fit within a zero trust network security policy?
To answer this question, let’s start with two very important points:
- NAC is a fundamental, enabling technology for zero trust networks. But…
- NAC is only a part of a modern, effective network security solution, and woefully insufficient on its own. The NAC that got you here, won’t get you there.
Enter ZTNAC
ZTNAC (not to be confused with ZANTAC — although still effective at preventing heartburn) stands for zero trust network access control. It represents the evolution of traditional NAC methodologies into a solution for today’s Enterprise of Things, remote work, and zero trust world.
Like a virtual private network (VPN), ZTNAC provides secure, remote access to applications and services through an encrypted tunnel. That said, the similarities end there. Quite unlike a VPN, ZTNAC is based on a dynamic matrix of defined access control policies that follow zero trust principles: access is denied by default and provided only when explicitly granted, on a transactional basis, to specific users, for specific applications, and under specific circumstances.
Once ZTNAC secure access is established, users see only the applications and services they have been granted conditional permission to access, and they are continuously verified and validated throughout the session, in real time, based on identity, time, and device posture assessments. By incorporating location- and device-specific access control policies, organizations dramatically reduce the possibility of compromised devices accessing their services. Additionally, ZTNAC protocols are designed to prevent lateral attacker movement — a weakness cyber criminals commonly leverage to scan and pivot to other services.
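To make the decision logic above concrete, here is an added illustration (not code from this post or from any ZTNAC product) of a default-deny policy evaluator that checks identity, a time window, and device posture per user and per application, hides applications without a currently valid grant, and re-verifies an established session when fresh signals arrive. The class and field names, the posture score scale, and the sample policies are all assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One explicit grant: user -> app, within a time window, at a posture threshold."""
    user: str
    app: str
    start_hour: int   # window start on a 24h clock, inclusive
    end_hour: int     # window end, exclusive
    min_posture: int  # minimum device posture score (assumed 0-100 scale)

@dataclass
class AccessRequest:
    user: str
    app: str
    hour: int
    posture: int
    authenticated: bool

class ZtnacPolicyEngine:
    """Default-deny evaluator: every access needs a matching explicit grant."""

    def __init__(self, policies):
        self.policies = list(policies)

    def decide(self, req):
        """Return (allowed, reason). Identity, time and posture are all checked."""
        if not req.authenticated:
            return False, "identity not verified"
        for p in self.policies:
            if p.user != req.user or p.app != req.app:
                continue
            if not (p.start_hour <= req.hour < p.end_hour):
                return False, "outside permitted time window"
            if req.posture < p.min_posture:
                return False, "device posture below threshold"
            return True, "explicit grant matched"
        return False, "no matching policy (default deny)"

    def visible_apps(self, user, hour, posture):
        """Apps the user can see right now: only those with a currently valid grant."""
        apps = {p.app for p in self.policies if p.user == user}
        return sorted(a for a in apps
                      if self.decide(AccessRequest(user, a, hour, posture, True))[0])

    def reverify(self, session_req, new_hour, new_posture):
        """Continuous verification: re-run the decision mid-session with fresh signals."""
        updated = AccessRequest(session_req.user, session_req.app,
                                new_hour, new_posture, session_req.authenticated)
        return self.decide(updated)

# Constructed sample policy set, not taken from any real deployment.
SAMPLE_POLICIES = [Policy("alice", "payroll", 8, 18, 70), Policy("alice", "wiki", 0, 24, 40)]
```

A user with no matching policy, or a device whose posture score drops mid-session, is denied on the next evaluation rather than keeping access it was granted earlier.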
There are numerous other benefits to ZTNAC. For example, as a primarily cloud-native solution, ZTNAC doesn’t require backhauling all traffic to an on-premises data center security stack for inspection, which improves the user experience. It provides software-defined perimeters, allowing network microsegmentation. ZTNAC also eliminates reliance on legacy remote access hardware and appliances, and capacity can be scaled quickly and efficiently.
ACP CreativIT would love to help your organization leverage all the benefits this next generation of zero trust network access control solutions offer. Talk to one of our experts today.