Broadcom Software knows that when the pandemic hit, many IT security leaders were caught flat-footed. Not Josh Dye.
Dye, who is senior vice-president for information security at Jefferies, an investment bank, was in the midst of a transition to support hybrid work with next-generation zero trust network access (ZTNA) security when COVID-19 struck.
“The bankers needed to shift quickly to work from home with the pandemic. But we had previously started our journey to the next ZTNA. We bought hundreds of laptops and preconfigured them so bankers could work from home,” said Dye, speaking at RSA Conference 2022 during the session “Why Zero Trust Network Access is Broken, and How to Fix It.” For Dye and Jefferies, the timing worked out. Others were not so lucky: many organizations remain mired in outdated ZTNA 1.0 implementations that were built for a pre-pandemic world.
ZTNA is built on the Zero Trust security model, whose starting point is that organizations should not automatically trust anything inside or outside their perimeter. Every user, device and application attempting to reach corporate resources must have its identity and trustworthiness verified, and access is granted only on the basis of that verification.
Over the last couple of years, more companies have sought help updating their ZTNA deployments so that users are granted access only to the specific resources they need, with Zero Trust principles enforced throughout and all other resources kept cloaked, that is, invisible to the user.
An Investment Bank’s Journey
Dye found out about the deficiencies of ZTNA 1.0 the hard way. Pre-pandemic, Jefferies had a legacy cybersecurity environment with a VPN, a cloud-based proxy server, and an on-premises solution. “There were a lot of conflicts,” said Dye. “It was hard to unify and manage policies. The SecOps team had to make changes in three different places.” He added, “It caused a ton of user complaints, so we re-thought our entire mobile and remote access strategy.”
Dye’s re-evaluation criteria focused on two elements. First, devices needed to be managed under unified policies regardless of device type or location. For example, laptop users who also used VDI clients needed a single, consistent experience, which could only be delivered by centralizing policy management. Second, Dye wanted more complete protection. His previous cloud proxy agent inspected traffic only on certain ports; he wanted traffic on all ports inspected, and inspected at the application layer (layer seven) rather than only at the network layer.
Implementing ZTNA 2.0 technology now enables Jefferies to protect branch offices and mobile devices through the same workflow. “As of today, we’re hybrid. Bankers still have to have the capacity, flexibility, and security of working in a home office. But I can feel good about it. I don’t have to worry as much because I know what’s on the devices and I can do inspection,” said Dye.
From ZTNA 1.0 to ZTNA 2.0
Companies with ZTNA 1.0 implementations are likely suffering from several issues. Even where least-privilege access has been implemented, access is typically granted below layer seven, to a host and port rather than to a specific application function, so far more is exposed than the user actually needs. Once access has been granted, everything that follows over that connection is trusted, which contradicts a basic Zero Trust principle. In addition, application traffic is seldom inspected on an ongoing basis, security technology such as DLP is too complex to apply consistently, and cloud-native and SaaS applications, particularly Zoom, Teams and other collaboration apps, are not secured.
ZTNA 2.0 addresses these shortcomings through five underlying principles:
- Applying least-privilege access, including at layer seven
- Performing continuous trust verification of devices, users, and apps
- Performing continuous security inspection, even for allowed connections
- Protecting all data across all apps, including SaaS, with a single DLP policy
- Securing cloud-native, legacy, and SaaS apps
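The difference between the two models is easiest to see in a policy decision point. The following toy example is added here for illustration; it is not code from Broadcom Software or Jefferies, and every application name, role, device-posture attribute, path and DLP pattern in it is constructed for the demo. It contrasts a ZTNA 1.0 style check (one decision at connect time against a host/port allow list, after which the tunnel is trusted) with a ZTNA 2.0 style check that re-evaluates device posture and authentication freshness on every request, applies least privilege at layer seven (HTTP method and path per application), and keeps inspecting content with one DLP policy even after a request is allowed.

```python
"""Toy policy decision point contrasting ZTNA 1.0 and ZTNA 2.0 style checks.

Added illustrative example, not code from Broadcom Software or Jefferies.
Every app name, role, posture attribute, path and DLP pattern is constructed
for the demo.
"""
import re
from dataclasses import dataclass


@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    edr_running: bool


@dataclass
class Session:
    user: str
    role: str
    device: Device
    mfa_age_s: int  # seconds since the user last completed MFA


@dataclass
class Request:
    app: str
    method: str
    path: str
    dst_port: int
    body: str = ""


# ZTNA 1.0 style: per-role allow list of (host, port), evaluated once at connect.
NET_POLICY = {
    "banker": {("crm.internal", 443), ("fileshare.internal", 445)},
    "secops": {("crm.internal", 443), ("siem.internal", 443)},
}

# ZTNA 2.0 style: per-app, per-role allow list of (method, path prefix),
# i.e. least privilege expressed at layer seven.
APP_POLICY = {
    "crm.internal": {"banker": {("GET", "/deals/")}, "secops": {("GET", "/audit/")}},
    "fileshare.internal": {"banker": {("GET", "/shares/banking/")}},
    "siem.internal": {"secops": {("GET", "/"), ("POST", "/search")}},
}

MAX_MFA_AGE_S = 8 * 3600

# One DLP policy applied to every app, internal or SaaS (constructed pattern).
DLP_PATTERNS = [re.compile(r"\bACCT-\d{8}\b")]


def ztna1_connect(session: Session, app: str, port: int) -> dict:
    """One-time decision at connect; the returned tunnel is trusted afterwards."""
    return {"tunnel_open": (app, port) in NET_POLICY.get(session.role, set())}


def ztna1_request(tunnel: dict, req: Request) -> bool:
    """ZTNA 1.0 never re-evaluates: anything over an open tunnel is allowed."""
    return tunnel["tunnel_open"]


def posture_ok(dev: Device) -> bool:
    return dev.managed and dev.disk_encrypted and dev.edr_running


def ztna2_request(session: Session, req: Request) -> tuple:
    """Evaluate every request: posture, auth freshness, L7 rule, then content."""
    if not posture_ok(session.device):
        return False, "device posture failed"
    if session.mfa_age_s > MAX_MFA_AGE_S:
        return False, "re-authentication required"
    rules = APP_POLICY.get(req.app, {}).get(session.role, set())
    if not any(req.method == m and req.path.startswith(p) for m, p in rules):
        return False, f"no L7 rule for {req.method} {req.path} on {req.app}"
    # Inspection continues even for an allowed connection.
    for pat in DLP_PATTERNS:
        if pat.search(req.body):
            return False, "DLP: sensitive content blocked"
    return True, "allowed"


if __name__ == "__main__":
    dev = Device(managed=True, disk_encrypted=True, edr_running=True)
    alice = Session("alice", "banker", dev, mfa_age_s=600)
    tunnel = ztna1_connect(alice, "crm.internal", 443)
    rogue = Request("crm.internal", "DELETE", "/admin/users", 443)
    print("1.0:", ztna1_request(tunnel, rogue), "2.0:", ztna2_request(alice, rogue))
    dev.edr_running = False  # EDR stops mid-session
    benign = Request("crm.internal", "GET", "/deals/42", 443)
    print("1.0:", ztna1_request(tunnel, benign), "2.0:", ztna2_request(alice, benign))
```

Two things stand out when this runs. The 1.0 tunnel happily carries a `DELETE /admin/users` to the CRM because the only question ever asked was whether a banker may reach port 443 on that host, and it keeps carrying traffic after the endpoint's EDR stops, because nothing re-checks posture after connect. The 2.0 path denies the first on the layer-seven rule and the second on posture, and would also block an otherwise-allowed POST to the SIEM whose body matched the shared DLP pattern.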
Lessons Learned – and Advice Given
Based on his experience, Dye recommended performing due diligence to vet vendors’ technology claims. “Understand the true foundational functions of the technology and whether it’s what you need today and tomorrow,” he advised. Most important, he recommended getting started, but taking things slowly.
“Do something, whatever it is. Try to implement a product somewhere to some level in a phased approach,” he recommended, explaining that a proof of concept (POC) goes a long way toward gaining executive buy-in. “It’s hard to get executive teams to see that change is needed. Do a POC. Then you can explain it to them, and they will understand,” said Dye.
And, he said, “Don’t bite off more than you can chew.” In his own implementation, he focused on a subset of laptops for a subset of the organization, implementing iteratively and turning on restrictions gradually. Finally, Dye highlighted the importance of users. “Give some candy to the end user. Tell them they no longer have to worry about having a different experience in different locations – and it’s going to be faster.”
To learn more on how Broadcom Software can help you modernize, optimize and protect your enterprise, contact us here.