8 questions to ask vendors about zero trust network access (ZTNA)

The increased deployment of core business applications in the cloud and the shift to remote work brought on by the pandemic have obliterated any notion of the traditional “corporate moat” style of security.

Today’s hybrid workplace, where employees are on the road, working from home and maybe visiting the office once or twice a week, has forced network and security teams to adopt a more flexible approach to managing the network, identities, and authentication.

Zero trust network access (ZTNA) has emerged as the preferred approach to address today’s security challenges. The concept is relatively simple: Instead of building a layered perimeter defense of firewalls, IDS/IPSes and anti-virus software, zero trust assumes that every user or device is untrusted until it becomes sufficiently verified.

Implementation, however, can be complex. Most enterprises understand that despite the hype from vendors coming at zero trust from every vantage point, IT execs can’t buy zero trust off-the-shelf and deploy it over the summer.

Zero trust is not a product, it’s a framework, an architecture, a philosophy, that can take many forms and requires quite a bit of time and effort to successfully implement. Here’s a list of questions to ask vendors about how they can help your company embrace zero trust principles.

1. How can I leverage my existing security and networking infrastructure as part of a transition to ZTNA?

Enterprises have invested significant amounts of money over the years on security and networking hardware and software. One key challenge is making the transition to ZTNA while leveraging existing technology as much as possible.

Most companies already have pieces of the ZTNA puzzle in place, whether that’s identity management, access control, two-factor-authentication, network segmentation, or policy management. But few have mastered all aspects of zero trust in a comprehensive, integrated, scalable, policy-driven manner.

“Companies need to look for a vendor that can help them identify what elements are the easiest to protect with minimal overhaul of the company’s existing infrastructure,” says Tim Silverline, vice president of security at Gluware, a network automation vendor.

2. What are the business goals the enterprise wants to achieve with zero trust and how can the vendor help make that happen?

Look for vendors who don’t launch discussions about zero trust by talking about technology, but who start out by asking you to define the business challenges you face and the benefits that you are seeking.

David Berliner, director of security strategy at SimSpace, a cyber-risk management company, say goals can include secure remote access for work-at-home employees, protecting sensitive data on premises and in the cloud, or boosting API security for software developers.

Companies need to identify how the vendor will tailor their solution to the business needs of their organization.

3. What’s the plan for managing identity and applying it to security controls across the enterprise network?

ZTNA vendors should level with customers and acknowledge that applying identity controls across an enterprise network is easier said than done, says Silverline. For example, many companies neglect to apply granular identity management in scenarios such as employee access to web applications.

He says, “There are too many gaps right now and too many point solutions (such as web application firewalls) that try to fill in those gaps, but don’t integrate well enough to be a single solution for all identity use cases.”

On the plus side, Silverline says more mature security organizations are leveraging Security Orchestration, Automation and Response (SOAR) tools or Extended Detection and Response (XDR) to try and smooth over integration complexities as much as possible.

4. How will the vendor help us prioritize what’s important so we can create an initial victory with Zero Trust and gain the confidence of staff and top management?

Den Jones, chief security officer at Banyan Security (not to be confused with the now-defunct Banyan Systems) advises enterprises to look for vendors that make the user experience a priority. Companies need to make Zero Trust as frictionless as possible, or else workers will find a way to get around any new security controls.

One approach is to deploy authentication based on digital certificates and phase out those annoying user names and passwords. When users are accessing their productivity apps via the cloud or other internet-facing apps and doing so in a way that’s passwordless and backed up by two-factor authentication, they will be more accepting of other steps in the Zero Trust process that may impact their lives.

In addition, Jones points out that upper management will take notice of this early success and will be more receptive to funding more complex Zero Trust projects, such as automating the continuous monitoring of user activity on the network.

Jones recommends that when an IT exec is explaining Zero Trust to top management, it’s best to keep it simple. He boils it down to three simple outcomes: People want to hear that Zero Trust will cost less, be easier for users, and improve overall security.

5. How will the vendor help us prioritize what data needs to be protected and help us continuously manage data across the enterprise from a Zero Trust perspective?

Dan Weiss, senior vice president of application and network security services at pen testing company GRIMM, says the industry has gone from “defining the network” in the old perimeter-centric world to “defining the data” as companies run today’s remote and hybrid networks.

Weiss says companies must start by performing asset discovery to find out what data the company has on the network, where it is stored and how it gets tracked. Then, identify which specific data assets are most sensitive, set up data classification policies, and automate the management and tracking of the assets.

6. How can we set up granular access controls for each end user?

In order to implement ZTNA, companies need to understand their end users. Who should log in and what should each user be allowed to do? For example, an accounts receivable person should only have access to certain folders once a month when bills get paid.

“The whole point of Zero Trust is for companies not to trust until the user is sufficiently verified,” Weiss says. “They have to be confident that this is the person they think it is, doing what they should be doing.” Setting up and enforcing access control throughout the user session is where many companies fall down, he adds.

7. How will the vendor help us set up microsegments so we can shrink the attack surface and reduce gaps in the network?

Network segmentation has been around a long time, but Zero Trust takes the concept a step further to an extremely granular approach called microsegmentation.

In a Zero Trust network, companies can create a segment around a single endpoint or a single server with very restricted access. For example, traditionally, the HR department may have been on its own network segment, but now the director of HR might have their own segment with very defined firewall rules as to what they can and cannot do.

Under a microsegmentation approach, a payroll person could be allowed to access the payroll app, but not salary data. “It’s a lot more demanding on network configuration and network control,” Weiss says.

8. What is the vendor’s breach notification policy and do they have a back-up plan if our main identity management platform goes down?

Enterprise execs might not have asked this question of vendors 10 years ago, but Berliner says that in the wake of the recent Okta breach in which a major identity vendor was infiltrated, companies really do have to push back and ask the vendor what will happen in the event of a breach.

Enterprise customers need to consider not just the point failure, but think about the broader ramifications. Companies need to ask the following questions: What systems and users were exposed? What data was accessible? Was there lateral movement from a bad actor that could have bypassed our layers of defense? What’s my remediation strategy.

“In some cases, it’s a rip-and-replace depending on the severity,” Berliner said. “In others, it might be a limited breach that takes a single terminal or employee offline by revoking further access privileges.”

Berliner says ideally, enterprises have teams that consistently practice dealing with the compromise of an identity solution – or a similar system in their Zero Trust architecture – so that they have the muscle memory for how to respond.

It’s really important for companies to have teams set up for when the “big one” hits, whether it’s a breach of the identity system, a nation-state attack or common breaches caused by employee user errors.