Sophos Zero Trust Network Access: An alternative to VPN
Sophos recently released the public beta for its new Sophos Zero Trust Network Access product. Anyone can now register for the ZTNA Early Access Program. Let’s take a look at what the Zero Trust security model is, and what makes it one of the most secure cybersecurity frameworks in the world.
What is the Zero Trust Model?
The Zero Trust model states that an organization must not implicitly trust any attempt to access its data; every attempt must be verified before access is granted. To explain it in three words: Don’t trust anyone. Don’t grant access of any kind unless you are 100% sure who is trying to gain it.
But why should you use this over-the-top and borderline paranoid security model? Well, consider this: Cybersecurity Ventures predicted that cybercrime will cost $6 trillion in losses around the world by 2021. This is the expected loss despite the extravagant investment in cybersecurity by some of the biggest companies in the world. No one is safe from cyberattacks, SQL injections, and illegal access to their devices.
The Zero Trust model proposes to change the approach in which organizations focus on outside threats while assuming that everything already inside is harmless and does not require any authorization. Most security breaches occur because, once access has been granted, it is easy for hackers to gain access to more information within the system. Before putting all your faith in the Zero Trust model, you should know the pros and cons of this framework.
Pros of the Zero Trust model:
- The company is much less vulnerable to cyber threats.
- Authentication procedures are very strict.
- Improved protection of the company’s data.
- Very sophisticated security structure.
Cons of the Zero Trust model:
- Requires a lot of time to set up.
- More effort to manage many users, as all access requests need to be authenticated.
- Harder to secure data: because data is stored in multiple locations, more protection is needed at multiple sites.
What is ZTNA?
ZTNA is the newest Sophos Central product, and it is delivered and managed completely in the cloud. Its purpose is to provide secure application access to remote users. What is ZTNA about? It is based on the Zero Trust framework, which means verifying the user in every way possible to minimize the chance of compromise. This includes user authentication (commonly two-factor authentication, to make sure stolen credentials don’t lead to a breach), device health validation, and a check of the device’s compliance state before deciding whether to grant access.
How does ZTNA compare with VPN?
While VPN has been a good option for us, ZTNA provides a better solution when we stack them up against each other. How does ZTNA outperform VPN?
- Better Security: The security of the networked application will improve drastically because, unlike VPN, ZTNA will verify the device’s health and status as well. An unhealthy device can seriously harm other devices.
- Transparent: ZTNA offers “just works” transparency to users with frictionless connection management. VPN can be difficult to use and is prone to generating support calls.
- Granular Control: ZTNA offers more segmented access to the application’s data, unlike VPN, which allows the user to access all the data once verification goes through. Attackers love this: once inside, they have unlimited time to move from device to device. A single successful authentication could mean access to thousands of devices.
As VPN is a technology that was developed over 20 years ago, it is a little outdated. It was created with the goal of expanding trusted networks to connect corporate officers into a unified network. But now, cloud-based applications have a wide range of users that are connecting to them through several devices, which makes VPN a vulnerable and unsafe choice. And hackers are using these weaknesses all the time. VPN flaws pose a serious threat to businesses.
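The difference between the two access models described above can be sketched in a few lines. This is an added example, not Sophos code and not part of the original article; the policy table, group names, field names and sample requests are all constructed for illustration.

```python
from dataclasses import dataclass, replace

# Constructed application inventory and policy (illustrative names only).
POLICY = {  # application -> groups entitled to reach it
    "wiki": {"staff", "engineering"},
    "jira": {"engineering"},
    "git": {"engineering"},
    "payroll": {"finance"},
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    password_ok: bool
    mfa_ok: bool
    device_healthy: bool
    device_compliant: bool
    app: str = "wiki"

def vpn_reachable(req):
    """VPN-style: one credential check, then every application is reachable."""
    return set(POLICY) if req.password_ok else set()

def ztna_decide(req):
    """Per-request decision; default deny, first failed check is the reason."""
    checks = [
        (req.password_ok, "authentication failed"),
        (req.mfa_ok, "second factor missing"),
        (req.device_healthy, "device unhealthy"),
        (req.device_compliant, "device not compliant"),
        (bool(req.groups & POLICY.get(req.app, set())), "not entitled to application"),
    ]
    for passed, reason in checks:
        if not passed:
            return False, reason
    return True, "allowed"

def ztna_reachable(req):
    """Applications this user and device would be granted, asked one by one."""
    return {app for app in POLICY if ztna_decide(replace(req, app=app))[0]}

# Constructed sample requests.
ENGINEER = Request("alice", frozenset({"engineering"}), True, True, True, True, "jira")
STOLEN_PASSWORD = replace(ENGINEER, mfa_ok=False)  # only the password is known
INFECTED_LAPTOP = replace(ENGINEER, device_healthy=False)

if __name__ == "__main__":
    for name, req in [("engineer", ENGINEER), ("stolen password", STOLEN_PASSWORD),
                      ("infected laptop", INFECTED_LAPTOP)]:
        print(f"{name:16} ztna={ztna_decide(req)} vpn_apps={sorted(vpn_reachable(req))}")
```

For the same stolen password, the VPN-style check exposes all four applications, while the per-request check denies access and records which condition failed.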
What applications can ZTNA protect?
ZTNA will protect all the networked applications hosted on the company’s on-premise networks or available on the public cloud. This includes applications like Wiki or Jira, or any other sort of repository or ticketing app. ZTNA will not protect applications that are not owned by the customer, that is, internet-facing applications used by many customers, like Microsoft Office. But these systems already have a very sophisticated two-factor authentication procedure in place.
Components of ZTNA
There are three components of the Sophos ZTNA:
- Sophos Central: provides a cloud management platform for all Sophos products, including the cloud-enabled Sophos ZTNA, for easy deployment, policy management, and reporting.
- Sophos ZTNA Gateway: a virtual appliance for the protection of on-premise or public cloud networked applications. It has initial support for AWS and VMware ESXi, and will support Azure, Hyper-V and Nutanix very soon.
- Sophos ZTNA Client: provides seamless connectivity to applications based on the end user’s identity and device health. It is straightforward to deploy and will obtain device health status from Windows Security Center. It will only support Windows in the beginning, shortly followed by support for macOS, Linux, and the mobile operating systems iOS and Android.
When can we expect to get our hands on ZTNA?
Sophos is proud to announce that they are starting with the Early Access Program for Sophos Zero Trust Network Access (ZTNA). The first phase will provide clientless access to browser applications such as CRM and Ticketing applications (JIRA). The next phase will contain further advancements such as Windows client support with integrated deployment alongside Intercept X, Synchronized Security for device health, additional Identity providers, and a gateway for AWS.
Licensing and Pricing
As we already know from other Central products, ZTNA is licensed per user and not per device. So a user with multiple devices needs only one license. There will be a free trial at launch as well, so the users can take a look under the hood before deciding to buy the license.