December 12, 2024


ZTNA and Microsegmentation: A Powerful Duo to Mitigate the Risk of Breaches

Last year, organizations all around the world collectively suffered more than 10,000 data breaches. These attacks may have exposed more than 360 million people to potential cyber threats, from identity theft to ransomware. As remote employment, cloud computing, and mobile devices become more common in the workplace, threat actors have more methods than ever to compromise legitimate accounts and steal sensitive data. Organizations can leverage a powerful tool to help thwart these attackers: ZTNA with microsegmentation.

Zero trust network access (ZTNA) solutions require users to rigorously and continuously validate their identities before accessing private applications and data. Microsegmentation, a key component of ZTNA, breaks networks up into smaller, semi-independent systems. In practice, these two approaches complement each other. The authentication aspect of ZTNA reduces the risk of infiltration, while microsegmentation limits the amount of damage a threat actor could do. By implementing ZTNA and microsegmentation techniques, organizations can mitigate a variety of cybersecurity risks and potentially prevent destructive data breaches.

How ZTNA and microsegmentation work together

ZTNA and microsegmentation both operate on zero trust principles. These stand in contrast to the “perimeter-based” approach to cybersecurity that organizations used to employ.

In perimeter-based setups, administrators used firewalls, VPNs, and even physical access controls to prevent threat actors from breaching a network. The “wall” surrounding the network was essentially inaccessible, so legitimate users within the network were free to navigate around at will.

A zero trust system like ZTNA, on the other hand, starts with the assumption that any login could be from a compromised account. ZTNA may require users to supplement their username and password with multi-factor authentication (MFA). They may have to log in multiple times per day and log out after every single session. A network could deny access to users with unfamiliar IP addresses, locations, or devices.

Microsegmentation eschews the traditional “north-south” flow of network traffic between a data center and a client. Instead, traffic flows “east-west” between various servers or data centers within a network. Successfully logging into one server does not guarantee access to the whole system. Additionally, no single data center has access to the entirety of an organization’s resources.

Together, ZTNA and microsegmentation offer multiple, complementary ways to mitigate a potential data breach. Consider the following scenario: A threat actor has obtained a username and password via social engineering or credential stuffing. The authentication features of a ZTNA system would still deny them access without a proper MFA code, device ID, or IP address.

However, a sufficiently savvy cyber attacker could phish an MFA code and spoof a location. At this point, microsegmentation would limit the attacker to a small subsection of the overall network. This could give an IT administrator time to identify and oust the intruder, as well as prevent a minor data breach from ballooning into a disastrous one.
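The containment effect described above can be measured before a breach happens. The following is an added example, not part of the original article: it computes the "blast radius" of a compromised workload on a flat network versus a microsegmented one. The workload names, segments, and allow rules are constructed for illustration, and traffic within a segment is assumed to be permitted.

```python
from collections import deque

# Constructed inventory: workload -> segment. Names are illustrative only.
SEGMENT_OF = {
    "vpn-gw": "edge",
    "web-1": "web", "web-2": "web",
    "app-1": "app",
    "hr-db": "hr-data",
    "fin-db": "fin-data",
    "backup": "mgmt",
}

# Constructed east-west allow-list: (source segment, destination segment).
# Any pair not listed is denied (default deny between segments).
ALLOWED_FLOWS = {
    ("edge", "web"),
    ("web", "app"),
    ("app", "fin-data"),
    ("mgmt", "hr-data"),
    ("mgmt", "fin-data"),
}


def can_connect(src, dst, segmented):
    """Return True if workload src may open a connection to workload dst."""
    if not segmented:
        return True  # flat, perimeter-style network: everything inside is reachable
    s, d = SEGMENT_OF[src], SEGMENT_OF[dst]
    # Assumption: traffic inside one segment is allowed.
    return s == d or (s, d) in ALLOWED_FLOWS


def blast_radius(foothold, segmented=True):
    """Workloads reachable, directly or by hopping, from a compromised foothold."""
    seen, queue = {foothold}, deque([foothold])
    while queue:
        current = queue.popleft()
        for nxt in SEGMENT_OF:
            if nxt not in seen and can_connect(current, nxt, segmented):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {foothold}


if __name__ == "__main__":
    for host in ("web-1", "hr-db", "backup"):
        flat = blast_radius(host, segmented=False)
        seg = blast_radius(host, segmented=True)
        print(f"{host}: flat={len(flat)} segmented={sorted(seg)}")
```

Note that the web foothold still reaches `fin-db` by chaining the web-to-app and app-to-finance rules, which is why allow rules need to be reviewed as paths rather than one at a time.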

Implementing ZTNA and microsegmentation

As you consider implementing ZTNA and microsegmentation at your organization, you’ll have to consider a number of factors, including:

  • where you store your data;
  • the number of staff you employ;
  • whether workers use personal or company-issued mobile devices;
  • your remote and hybrid work policies;
  • who can access sensitive files;
  • how many data centers you use;
  • and the lowest level of privilege each employee needs to do their job.

Suppose you run a small organization with in-office workers and on-premises data servers. A ZTNA solution that rigorously checks locations and IP addresses would make a potential intruder obvious. On the other hand, imagine a fully remote organization, completely reliant on cloud computing to run apps and store data. Prioritizing MFA and restricting access on personal devices might be a wiser use of resources.

Making broad recommendations for implementing microsegmentation is difficult, as your approach will depend almost entirely on your organization’s software, hardware, and personnel hierarchy. Still, you may want to start with a complete audit of your current network structure. Figure out how much data you store, where you store it, and who can access it. Evaluate each employee’s access privileges and decide whether they need more — or fewer — restrictions in place. Determine which of your apps and files are interdependent and which you could store in a completely separate system.

ZTNA and microsegmentation’s challenges and limitations

While ZTNA and microsegmentation can be indispensable cybersecurity solutions, they require some time, effort, and money to implement. Employees may also find accessing and sharing data to be less convenient overall.

Without ZTNA, an employee logging into a remote network may need only a username and password. With ZTNA, they might need to provide an MFA code and get logged out every few hours — potentially losing focus on their work in the process. Even with the proper credentials, their ability to modify and copy files will probably be limited. If they log in from an unfamiliar device or location, they may not be able to get into the network at all. 

Educating employees and having a procedure in place can alleviate some of these issues. There’s no denying that ZTNA requires more complex, frequent logins. However, if your staff understands how common data breaches are and how much ZTNA does to mitigate them, they should understand why the tradeoff is worthwhile. Similarly, if they know how to contact an IT administrator for quick assistance, an occasional, accidental lockout shouldn’t impede their workflows too much.

Microsegmentation in particular is a complex technology with hundreds of different variables and dependencies. Just taking full stock of your network traffic is a difficult, time-consuming process. Network microsegmentation might require new hardware, and almost definitely requires new software, all of which have learning curves. Routing traffic across multiple zones may require more processing power, potentially slowing down vital applications. The only way to solve these issues is to implement solutions gradually and gauge each step’s impact along the way.

Enforce zero trust to safeguard your data

While cloud computing and mobile devices have made data storage more convenient, they’ve also introduced a whole host of cyber risks. Zero trust tools like ZTNA and microsegmentation can significantly enhance your organization’s data security in this new landscape. For a more complete picture, read the Lookout e-book The Data Protection Playbook: How to Enforce Zero Trust to Your Private Apps. In it, you’ll find a step-by-step guide to identifying and remediating potential holes in your cybersecurity framework. By using zero trust principles, you can mitigate the risk of a costly data breach.

The Data Protection Playbook: How to Enforce Zero Trust to Your Private Apps

Unlock our e-book to learn why ZTNA is your modern security solution. Plus, get three key steps to upgrade your security now!
