Zero Trust Network Access (ZTNA) is being adopted as the best way to ensure the Fleast privileged access to sensitive environments for outsourced teams.
The pandemic. A growing gig economy. Rounds of layoffs across industries. It’s no wonder the workforce looks nothing as it did just three years ago. According to Layoffs.FYI, technology companies alone have cut 24,151 jobs in just the first 15 days of 2023—and that’s on top of another 154,256 workers laid off in 2022.
Some of these workers will join the gig economy, working in temporary or freelance roles. Others will join companies providing outsourced and shared services to organizations around the world that seek specialized talent to fulfil a wide variety of business, technical, and creative needs.
Market research firm Mordor Intelligence LLP says that the global IT outsourcing market alone was valued at $526.6 billion in 2021 and is expected to reach $682.3 billion by 2027.
No matter which side of the table you’re on—contractor or hiring organization—the one thing that has to be in place for both parties to succeed is secure remote access. In the past, traditional VPN access was sufficient for the small percentage of employees who occasionally worked remotely. Now, however, organizations are relying on BYOD workers and third parties to operate, and with that comes a new set of security challenges.
Who Can You Trust?
With talent (especially engineering and DevOps talent) at a premium, organizations must enable access to internal company data and assets. This can mean enabling access to the cloud, on-premises systems, or SaaS solutions from anywhere in the world. However, from a security standpoint:
- Contracted teams are not employees, yet they need remote access to sensitive corporate cloud environments, servers, and data.
- Third-party devices are not managed by the company’s IT team, so they can’t be completely trusted.
- Regulatory compliance requires tight control over which data is accessed, how it is accessed, and the purposes for which it is accessed.
- Multiple third-party users and devices coming into and leaving projects at various phases must be onboarded and de-provisioned quickly and securely.
As organizations increase their use of external resources, all of these demands are converging to require a new approach to secure remote access. Here are two examples of the complex challenges that organizations face in enabling secure remote access.
- Securing Remote Access in a Critical Infrastructure Environment: A European power plant serving more than two million customers had routinely outsourced projects to a third-party engineering firm. In the past, standard security measures were sufficient. Now, however, new nation-state threats and cyberbullies have become significant threats. At the same time, new energy industry regulations demanded a hyper-granular approach to securing power generation and distribution systems. The power plant needed the ability to control and restrict all activities of third-party users with BYOD access.
- A Financial Organization Goes Global for DevOps Talent: A mobile wallet company relies on a global base of developers who connect to cloud-based production and development environments. Because its products perform financial transactions, transfer money, and require the use of PII, the company is highly regulated. Developer activities must be strictly controlled.
Securing Access with Zero Trust
Zero Trust Network Access (ZTNA) is being adopted as the best way to ensure the Fleast privileged access to sensitive environments for outsourced teams. By “never trusting and always verifying,” ZTNA enables SMB and corporate IT and security teams to tailor secure access exactly as needed for protecting assets and systems while supporting a range of development, engineering, and other business goals.
ZTNA limits access on an application-by-application basis. It authenticates every user, no matter where they’re located. It simplifies security by enabling remote access to complex environments, and it provides a way to record and audit all activities by contracted teams.
Six Practices for a Successful ZTNA Implementation
- Know project requirements: Begin by understanding exactly what contracted teams need to do their jobs. Which applications? Which resources? Which protocols and permissions? Understanding requirements enables you to create usage “silos” and apply precise permissions to specific groups.
- Reduce the attack surface: ZTNA can help reduce the attack surface by allowing Layer 7 access through reverse proxies to limit exposure to sensitive assets and applications. This ensures that users will only be able to see the resources that they are allowed to access and will have no visibility into other internal resources. Layer 7 access helps “darken the data centre” to limit visibility into the organization’s networks, applications and assets, which deters attackers and DDoS attacks.
- Simplify provisioning: Outsourced teams need quick, secure access to resources, regardless of where they are hosted and which device is used. Clientless connections that don’t require you to install a security client on a freelancer’s devices simplify the rollout of zero trust access while letting you maintain regulatory compliance. You might also want to manage external users’ identities separately from employee user directories using a cloud-based directory.
- Go granular: Implement authorization down to the most granular levels. Control each asset by restricting policies for each user or user group. Apply granular permissions to apps themselves and also within apps—controlling access and usage of specific commands and queries.
- Use PAM-as-a-service: This simplifies access management for multi-cloud and private servers, allowing authorized users to easily access privileged production and administrative environments. Automated features like single sign-on, key management, and credential vaulting save time while ensuring best practices are followed.
- Maintain visibility: Monitoring, real-time policy enforcement, video session recording, and full audit capabilities deliver full visibility and forensics to accelerate investigation and response in the event of a cyber incident. And of course, they’re key to addressing industry regulations.
How Did They Do It?
Both organizations mentioned earlier chose a clientless ZTNA solution to address their challenges:
Securing Energy Supplies with Zero Trust
Using clientless zero trust access, the power plant implemented a secure remote access architecture. Third-party users have agentless access to terminals, remote servers and applications. This significantly reduces the power plant’s attack surface by eliminating direct network connections.
Sanctioned applications, including Jenkins, ACT, Solar Putty, and RDP, are published through Layer 7 reverse proxies. They are further protected by granular access controls—such as permitting or blocking commands. Role-based controls make it easy for system administrators to grant and revoke access to—and within—applications without complex workflows. Video session recording delivers complete visibility alongside full activity audit trails.
Protecting e-wallet customer PII
The fintech company also opted for a ZTNA architecture to ensure the least privileged access and audit all activities. Clientless access eliminated the need to install agents on developers’ BYOD devices. Databases containing customer details and financial assets are published through Layer 7 reverse proxies.
The cloud ZTNA service enabled the fintech company to precisely create policies that control access to specific databases and allowable queries. The service enabled access to PostgreSQL and Jenkins in an Azure cloud, as well as MySQL and Jenkins in AWS. All sessions are video recorded and documented by full audit trails.
A clientless ZTNA architecture delivers a breezy SaaS-like user experience from any device. At the same time, it enforces granular app-level and in-app controls for any internal resource—on-premises or in the cloud—without requiring an agent. Role-based controls allow administrators to easily provision and de-provision access to (and within) internal applications—as well as limit access in scope.
Moreover, administrators receive full activity logs that provide visibility on all third-party activity. Security teams no longer have to waste valuable time trying to set up and manage complex workflows.
Ready to get started with clientless zero-trust access? Learn about ZTNA from Check Point Harmony Connect SASE or watch a demo on TheDemoForum.com.