In the ever-evolving landscape of cybersecurity, the concept of Zero Trust has emerged as a critical framework for safeguarding organizational assets, Interlink's webinar provided a deep dive into the principles of Zero Trust and how that impacts the way we should think about network security.
First, what is Zero Trust?
Zero Trust is a security model that operates on the principle of "never trust, always verify." It's a shift from traditional security measures that relied on a defined perimeter. Zero Trust assumes that threats can exist both outside and within the network, thus requiring continuous verification of all users and devices.
Why Choose Zero Trust?
Zero Trust principles focus on authenticating and authorizing connections with as much information as possible. Access is limited to the minimum necessary, and communications are encrypted to prevent prying eyes from listening in.
This principle works particularly well with cloud services, where providers only allow specific access. Tools such as Entra ID Single Sign-on/Conditional Access and Intune for device compliance may be integrated for added security. However, many companies still maintain on-premises infrastructure based on legacy Active Directory, and this is where many organizations struggle to implement Zero Trust principles. Once a device is on the internal network, it typically has access to servers and other locations, leaving it vulnerable to attack.
From an attacker's perspective, this is a gold mine for lateral movement. They have free reign to do reconnaissance, find an exploit to elevate their privilege, and launch an attack. The most impactful ransomware and data exfiltration incidents have occurred because of this weakness.
How Organizations Fail at Securing their Internal Network
The answer is simple: firewalling servers from users is really difficult! For instance, anyone who has tried to place a domain-joined PC in a DMZ knows the number of ports that need to be opened between a PC and a domain controller - it's a lot. Locking down servers via firewall is also a complex process, especially when working with IP addresses instead of users, their devices, and the applications they need to access.
This is where Security Service Edge (SSE) tools like Entra Private Access come in. SSE allows organizations to grant access to applications and resources based on users and devices. Some of the initial vendors in this space were network providers like Palo Alto and Cisco. While these solutions may be a great option if their network gear is already in use, they still rely on other identity providers such as Entra ID.
With Microsoft, one is not locked into specific hardware, and they are likely already using Entra ID for conditional access, multifactor authentication, and single sign-on, giving Entra Private Access a compelling advantage.
How Zero Trust Network Access Works- Deploy a connector agent to one or more servers on a network segment that opens an outbound tunnel to Microsoft that allows us to connect to applications on that network.
- Add the applications to publish to end users as an Enterprise Application in Entra ID and pick the IP address/fully qualified domain name and port(s) we use for that app.
- Grant access to the application to users and update our conditional access rules.
- Deploy the Global Secure Access client to our PCs.
- When the user launches the app, the Global Secure Access client automatically proxies the connection through Entra ID in the cloud and back to the on-premises connector.
- The user experience to access the application is seamless if they have an internet connection. The best part is that the user PC doesn’t have to be joined to legacy Active Directory to have single sign-on. A fully Entra ID joined PC can still access legacy resources through Entra Private Access.
FAQ's
Does this only work with web applications? No! We can publish apps such as RDP (Remote Desktop Protocol), Citrix, or even file servers.
Can this replace my VPN? Yes! Anything published through Entra Private Access can be accessed from anywhere the user has an Internet connection and authentication is secured with the same Entra ID Conditional Access that’s likely already in use for multifactor authentication.
If I’m in the same building with my servers, will the data still have to be proxied through the cloud? Unfortunately, yes, but that probably matters less than expected. Many organizations already use third party data centers, so this potentially allows replacement of more expensive WAN (Wide Area Network) links with cheaper internet connections. Also, most high-bandwidth and latency sensitive apps are already published via remote desktop.
So how much does it cost? Entra Private Access is available for customers as part of the Entra Suite. This also includes Entra Internet Access (secure internet connectivity) and Entra ID Governance and lists for $12/user/month which compares favorably against other SSE products in the market from Palo Alto, Zix, and Cisco.
Applying Zero Trust Network with Interlink
Interlink is dedicated to helping others navigate the challenges of cybersecurity, providing expert evaluations and strategies to smoothly transition to a Zero Trust architecture. Our recent session highlights the transition to Zero Trust security, outlining Microsoft’s Entra Private Access and cloud-first identity architecture as key to securing infrastructure without traditional VPNs or firewall changes.
For those who missed it or want to review the webinar, access this, and other recent resources, on our site. Looking for more information or guidance on strengthening their cybersecurity? Reach out to work with one of our experts.
