Zero Trust Network Access – The journey continues!

For the next part of my ZTNA (Zero Trust Network Access) series, our journey continues around all things ZTNA space today. There are probably many questions, and some are probably unsure what all this Zero Trust stuff is and how it relates to networks or remote access. I’m going to start with what is, to me, the simplest and most well thought out architecture when it comes to combining dead-simple, easy to use, access to applications whether they are public or private. Don’t worry though, I will get to the variety of architectures that have formed all the way back in 2009/2010.

First, some history. Even before the pandemic, a shift has been happening. People with certain roles and responsibilities have been able to work from home at least part-time for many years now. In fact, I had a 3-year stint as a full-time WFH employee in my AT&T days probably 10 years ago. When we all worked in the office and only a few worked from home or did so part-time perimeter security probably made more sense. Today, a lot more people are home. Not only that, depending on your enterprise you’re either full cloud-based, partially, or thinking about it. Now the enterprise perimeter is stretched to more places requiring bigger and bigger security stacks.

Beyond Corp – The most talked about and well-researched security architecture of our time (in my opinion).

For anyone that hasn’t taken the time I invite you to read the research for the Beyond Corp model. It is enlightening and eye-opening. Probably my favorite part is the user education an experience story located here -> <- From new hire through the entire life cycle of employee experience. You’ll notice that people swear they need VPN (Virtual Private Networks). They try to explain through a variety of ways that what they’re doing requires connectivity to the corporate network. It is an amazing tale of determination and education on the part of Google to wrest unnecessary VPN connections from their employees. If you don’t read anything I highly recommend you start there. It’s like one of those stories where you wonder why everyone always runs towards the danger when they hear something on the other side of the door. You want to scream DON’T OPEN THE DOOR.

In or around 2009 after an attack Beyond Corp declared that they were going to move all of their applications to their internet. I have no doubt that this strikes anxiety and/or push back in many in the networking and security space. “But Hank”, you say, I can’t and/or don’t want to move my applications to the internet. That’s Google, and we’re not Google. I hear you! Though, at the same time, I know if we dig deep into what we’re securing and why we will come to the reasonable conclusion that we have stacked security tech up to the Nth degree and still, once a threat is inside it can be hard to stop. Google formed their Zero trust network infrastructure the way it worked best for them. In the last couple of years, other companies have taken what has been done with Beyond corp and made it their own. One of the key points with the Beyond Corp mode is that devices are managed devices. Those managed devices are secured and monitored and so in this model, the IT administrators can restrict access via a variety of authentication methods to private applications that reside on the open internet. If you like you can read more about the attack in their research documents.

The model is so simple it could be confusing to some or hard to wrap your head around it. I once heard the phrase “It’s so easy, it’s hard” used and I have long adopted that and applied it to so many other things. I think the problem here is that we’re looking at all that we’re taking away and focusing on that. We may not be considering what we’re gaining instead. The model of a safe internal corporate infrastructure is dead or dying. This has been proven time and again through a variety of attacks and breaches which, once breached, the attacker potentially has the run of the internal network. This is not unlike any movie based on most wars we have ever seen. Large powerful walls protect the citizens. Once breached everything is on fire. I’m thinking Troy or Kingdom of Heaven apply here.

I bet you’re wondering – Do I have to change everything at once? Nope! Phased-migrations are possible! The elegant attribute around the Beyond Corp model is that you can run it alongside your existing infrastructure and migrate over as needed in phases. Though as we take our journey together we’re going to find that this is largely true for any of the ZTNA architectures we have today.

If you take anything away from all of this is that It shouldn’t matter where your applications are. The user experience should be largely the same. Security doesn’t have to be nearly as complicated as it seems to be. Sometimes it almost seems like we stack the deck higher and pile on more because we think that’s how we win. In my next post, I will begin to dig deeper into the variety of other architectures that exist, and maybe after that, we can dig into the use cases that have come out of all of this. I’m also going to answer the question – “What is the difference between ZT, ZTN, and ZTNA?” If you want more information on the BeyondCorp research and architecture please go here -> <-.

Published by Hank Yeomans

Principal Engineer in Cloud Security OCTO @ Cisco Systems - Enabler of business, network architectures. I'm into long walks on the beach, zero trust, networking infrastructures, and bacon.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: