Work-from-home (WFH) and work-from-anywhere (WFA) initiatives were already trending before the pandemic, as CISOs worldwide looked to enable greater workforce agility and workplace flexibility. When the pandemic hit, WFH and WFA became the number one priority for enterprises everywhere as employees battened down the hatches and began working from unsecured home networks. Security and networking teams were suddenly required to onboard remote workers quickly while still protecting against malware and ransomware. Security needs and connectivity needs began to merge, as did security operations and business operations. This is problematic because SecOps and BizOps often pull in opposite directions, one restricting access and the other opening it up, so the different access requirements have to be carefully delineated.
Even as the world emerges from the pandemic, CISOs are tasked with enabling secure access from multiple locations: on-campus networks, branch offices, employee homes, and even public mobile networks. To meet these access challenges, we are expanding our edge solutions suite to include zero-trust network access (ZTNA).
Zero-trust is a security model built on two principles: never trust, always verify; and least privilege. In a zero-trust model, users and systems are granted only the minimal access needed to perform their tasks, and every request is verified regardless of whether it originates inside or outside the traditional network perimeter. Zero-trust is sometimes described as perimeter-less security, but it is more accurately described as a software-defined perimeter: access boundaries are drawn around individual resources by policy rather than by network location.
By focusing on identity and context, ZTNA allows fine-grained access control to enterprise resources and adapts well to a WFH and WFA world. ZTNA also works where businesses need to connect and collaborate with non-employee users such as partners.
ZTNA takes the identity of a user, their role in the enterprise, the location they are connecting from, and the state of their device into consideration when granting access to enterprise resources. ZTNA implementations can protect resources anywhere: in branches, in enterprise data centers, or in the cloud. They can grant different levels of access privilege based on a combination of these attributes. For example, a company can limit an employee to read-only rather than write access when that employee is connecting from untrusted public Wi-Fi at an airport. This approach reduces the enterprise attack surface without impeding employee productivity.
Hillstone combines the capabilities of the Hillstone Security Management (HSM) platform with our NGFW product line to offer our clients ZTNA features. Hillstone ZTNA supports a wide range of authentication schemes, popular enterprise devices, and operating systems, and HSM enables deployment and management at scale. With ongoing investment in research and development, our ZTNA implementation will be delivered at broader scale, with more advanced intelligence and more deployment options, in the near future.
With our superior security foundation, Hillstone's ZTNA solution serves many use cases and industries effectively. The use cases discussed here are not exhaustive, but they illustrate the benefits of the solution and should suggest how it can help in your own environment, whatever your industry.
Hillstone ZTNA provides the flexibility to accommodate this WFH and WFA world while keeping the attack surface contained. Our ZTNA solution can ensure that only corporate-registered devices are used to access the corporate network, that antivirus software is running, and that operating systems are up to date. This helps avoid situations where an attacker exploits a known vulnerability on an unpatched endpoint and then uses that endpoint's remote VPN connection as a jump-off point into corporate systems. Device posture is worth checking not only at connection time but periodically during a session, since a device that was compliant at login (antivirus running, patches current) can stop being compliant while it is still connected.
Hillstone ZTNA can ensure that employees obtain the access their work processes require while write access to sensitive data is limited. For example, a corporate finance employee who is traveling might be able to read email but not connect to the finance or accounting systems while on the road and reaching corporate services from public locations. Once that user arrives at a branch office and is confirmed to be on a secured site network, access to the finance systems is granted. This context-based, least-privilege approach manages risk while balancing security against productivity. ZTNA gives CISOs the tools to implement their policies surgically, as opposed to the blunt hammer of all-access or no-access.
Hillstone ZTNA can provide a necessary additional layer of protection for government entities and for enterprises with stricter compliance requirements, both of which are categories of organizations at higher risk of compromise from malware and ransomware. ZTNA aligns with the philosophy of many of these agencies and industries, which themselves advocate a need-to-know, need-to-access mindset. For example, ZTNA policies can mandate that traveling government employees use multi-factor authentication and trusted devices for remote access; Hillstone can be configured to block access otherwise, or to allow only limited access to commonly targeted systems such as email.
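The access decisions described in the preceding paragraphs (identity and role, the trust of the connecting location, device posture, and multi-factor authentication, combined into a read-only versus write versus deny outcome) can be written down as a small deny-by-default policy evaluator. The Python below is an added illustration and not Hillstone's code or policy syntax; the resource names, role names, location tiers, posture fields and the rules in `POLICY` are hypothetical and chosen to mirror the examples in the text (email versus finance systems, public Wi-Fi versus a branch office, a corporate device with antivirus and patches). It also shows why a decision has to be re-checked during a session rather than only at login.

```python
"""Context-aware, deny-by-default access evaluation in the style of a ZTNA policy.

Added example, not Hillstone's implementation. All names and rules are hypothetical.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet


class Access(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2


# Hypothetical trust tier of the network the user connects from.
# Unknown locations fall through to 0, i.e. lower than public Wi-Fi.
LOCATION_TRUST: Dict[str, int] = {"campus": 3, "branch": 3, "home": 2, "public": 1}


@dataclass(frozen=True)
class Device:
    corporate_registered: bool   # enrolled in the corporate device inventory
    av_running: bool             # endpoint antivirus reports healthy
    os_patched: bool             # OS at the required patch level

    def compliant(self) -> bool:
        # Every posture signal must hold; one failure denies all resources.
        return self.corporate_registered and self.av_running and self.os_patched


@dataclass(frozen=True)
class Context:
    user: str
    roles: FrozenSet[str]
    device: Device
    location: str
    mfa_verified: bool


@dataclass(frozen=True)
class Rule:
    roles: FrozenSet[str]   # roles allowed to reach the resource at all
    read_min_trust: int     # lowest location tier that receives read access
    write_min_trust: int    # lowest location tier that receives write access
    require_mfa: bool


@dataclass(frozen=True)
class Decision:
    access: Access
    reason: str


# Hypothetical policy: email is reachable from anywhere but read-only from
# public networks; finance systems are reachable only from a trusted site.
POLICY: Dict[str, Rule] = {
    "email":   Rule(frozenset({"employee"}), read_min_trust=1, write_min_trust=2, require_mfa=True),
    "finance": Rule(frozenset({"finance"}),  read_min_trust=3, write_min_trust=3, require_mfa=True),
}


def evaluate(policy: Dict[str, Rule], ctx: Context, resource: str) -> Decision:
    """Deny by default: each failed check short-circuits to NONE with a reason."""
    rule = policy.get(resource)
    if rule is None:
        return Decision(Access.NONE, "no rule for resource")
    if not ctx.device.compliant():
        return Decision(Access.NONE, "device posture failed")
    if not (ctx.roles & rule.roles):
        return Decision(Access.NONE, "role not permitted")
    if rule.require_mfa and not ctx.mfa_verified:
        return Decision(Access.NONE, "mfa required")
    trust = LOCATION_TRUST.get(ctx.location, 0)
    if trust >= rule.write_min_trust:
        return Decision(Access.WRITE, "trusted location")
    if trust >= rule.read_min_trust:
        return Decision(Access.READ, "untrusted location, read-only")
    return Decision(Access.NONE, "location trust too low")


def still_permitted(policy: Dict[str, Rule], granted: Access, ctx: Context, resource: str) -> bool:
    """Mid-session re-check: the grant survives only if the current context
    still yields at least the same access level (e.g. AV stopped or the user
    moved from the branch network to public Wi-Fi would revoke WRITE)."""
    return evaluate(policy, ctx, resource).access >= granted


if __name__ == "__main__":
    # Constructed sample contexts, not real users or devices.
    good = Device(corporate_registered=True, av_running=True, os_patched=True)
    roles = frozenset({"employee", "finance"})
    for loc in ("public", "home", "branch"):
        ctx = Context("finance.user", roles, good, loc, mfa_verified=True)
        for res in ("email", "finance"):
            d = evaluate(POLICY, ctx, res)
            print(f"{loc:7} {res:8} -> {d.access.name:5} ({d.reason})")
```

Design notes: the checks run in an order that fails fast on the cheapest, most decisive signals (posture, then role, then MFA) before the location-dependent grading; the reason string is what should land in the access log so that a denied user and the SOC see the same explanation; and `still_permitted` is the hook a session broker would call on a timer or on a posture event, which is the difference between verifying once at login and actually enforcing the policy for the life of the connection.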
Service providers looking to help their customers secure company IT resources in the face of WFH and WFA will find added value in Hillstone's ZTNA solution. Many small and medium enterprises (SMEs) are under threat from ransomware but have little or no in-house IT expertise, so they expect reliable connectivity together with dependable security for their digital assets. By layering ZTNA on top of Hillstone's NGFW solutions, service providers can offer these SMEs a managed solution that significantly improves their security posture. ZTNA can easily be provided as a service, allowing SMEs to benefit from advanced policies while trusting the service provider to manage those policies on their behalf.
In summary, ZTNA lets enterprises see clearly which assets and interactions exist on their network, understand what access is needed where and by whom, and fulfill network needs quickly while maintaining security despite today's complex access requirements.