Beyond VPN replacement: Four ways to extend ZTNA’s power with Cloudflare

e92plus
October 2023

by Hannah Long

Organisations exploring Zero Trust adoption often begin by enhancing and eventually replacing VPNs with more secure Zero Trust Network Access (ZTNA). Unlike VPNs that grant logged-in users access to an entire corporate network, ZTNA serves as an aggregation layer, enabling secure one-to-one access between any user and app, on any device, from any location, which is particularly crucial for hybrid work security.

But reducing VPN reliance is just one aspect of how ZTNA enhances organisational agility and adaptability. Below, we delve into four key "super powers" that ZTNA unlocks for customers:
- Mitigating risks associated with third-party access
- Implementing phishing-resistant multi-factor authentication (MFA)
- Ensuring business continuity during cloud migrations
- Streamlining IT integration during mergers and acquisitions

1. Reducing risks from third-party access

Providing application access to outside collaborators — whether they’re contract workers, agencies, or other third-party vendors — is both a logistical headache and a security risk. In one example, London’s Metropolitan Police Force suffered a data breach exposing the information of 47,000 personnel after cyber criminals attacked one of their supplier’s IT systems.

Traditionally, organisations solve the challenge of third-party access with a cumbersome onboarding process that requires multiple steps to give contractors passwords to new accounts. However, ZTNA accelerates this process for giving trusted third-party users access to internal apps and resources. 

Here are some ways that e92plus partners with Cloudflare Zero Trust to help customers achieve fast, safe access for outside collaborators:
- With Cloudflare’s ZTNA service (Cloudflare Access), there is more flexibility to use multiple sources of identity (e.g., a single sign-on service, LinkedIn, Google, or others) to grant different groups of users access only to the apps they need.
- An organisation’s guest users can authenticate with time-based, one-time passwords based on their existing email address.
- Organisations have the ability to search and audit real-time access logs in the Cloudflare dashboard, to gain full visibility across contractor activity.

2. Rolling out phishing-resistant MFA

According to the UK government’s 2023 Cyber Security Breaches Survey, phishing is the most common type of attack that UK businesses and charities experience. Login credentials are common targets; by gaining unauthorized access, cyber attackers can move laterally to compromise accounts and inflict other damage.

One of the most effective ways to reduce credential theft is to deploy multi-factor authentication (MFA) using hardware security ‘keys’ that are FIDO2-compliant. Users logging in to corporate resources are required to present a physical FIDO2-compliant device — in addition to their username and password — to authenticate their identity upon each login.

Using Zero Trust Network Access simplifies the rollout of phishing-resistant MFA to more types of apps, including legacy apps that do not natively support FIDO2 authentication. With Cloudflare Access acting as an aggregation layer around all resources, organisations can implement FIDO2-compliant MFA in more places. (Read more about the cryptographic protocols that help make FIDO2 phishing-resistant here).

3. Ensuring continuity during cloud migrations

Most organisations today have a mix of corporate applications — some that are SaaS, some hosted on-premise, and some that are hosted in the cloud, such as on Microsoft Azure. 

However, as more workloads migrate to the cloud, new IT challenges will arise. Gartner predicts, for example, that by 2025, 99% of cloud breaches will be traced back to preventable misconfigurations or end-user mistakes. 

Business continuity is another challenge: an organisation must ensure that its current systems remain available during times of IT transformation, like migrating apps or identity directories to the cloud. Yet, when employees need to access disparate systems using different methods, productivity can suffer. 

Zero Trust Network Access helps solve those challenges. It makes all applications feel like SaaS apps, allowing employees to access them with a simple, consistent flow. Importantly, it also makes sure every request is authenticated, authorized, and encrypted — regardless of where those apps live. 

For example, customers using Cloudflare and Microsoft Azure Active Directory can deploy Zero Trust security without changing one line of code. They can define specific rules, such as which users can access specific applications (based on factors like user risk level, device platform, location), and enforce access across both Azure AD and Cloudflare. 
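As an added example (not Cloudflare’s or e92plus’s code), the following Python sketch shows the per-application decision described in the third-party access section and in the rules above: each app carries its own allow-list of identity sources, groups, guest email domains, device platforms and countries, an app with no policy is denied rather than falling back to network-level access, and every decision produces a searchable audit line. All users, apps and policies are constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Request:  # one access attempt as seen at the ZTNA aggregation layer (constructed)
    user: str
    idp: str           # which identity source vouched for the user (sso, google, otp-email)
    groups: frozenset  # group claims supplied by that identity source
    platform: str      # device platform reported at login
    country: str       # geolocation of the request
    app: str           # the single application being requested
@dataclass(frozen=True)
class AppPolicy:  # per-app rule; each field is an allow-list, an empty one means "any"
    idps: frozenset = frozenset()
    groups: frozenset = frozenset()
    email_domains: frozenset = frozenset()
    platforms: frozenset = frozenset()
    countries: frozenset = frozenset()

# Constructed policies: staff reach both apps via SSO; an agency uses a one-time PIN to its own email and reaches only the review portal.
POLICIES = {
    "wiki.internal": AppPolicy(idps=frozenset({"sso"}), groups=frozenset({"staff"}),
                               platforms=frozenset({"windows", "macos"})),
    "review.internal": AppPolicy(idps=frozenset({"sso", "otp-email"}),
                                 email_domains=frozenset({"corp.example", "agency.example"}),
                                 countries=frozenset({"GB"})),
}

def evaluate(req: Request, policies=POLICIES) -> tuple[bool, str]:
    """Return (allowed, reason). Apps without a policy are denied: no network-level fallback."""
    pol = policies.get(req.app)
    if pol is None:
        return False, "no policy for app"
    domain = req.user.rsplit("@", 1)[-1]
    checks = [  # (allow-list, observed value, denial reason)
        (pol.idps, req.idp, "identity source not accepted"),
        (pol.email_domains, domain, "email domain not allowed"),
        (pol.platforms, req.platform, "device platform not allowed"),
        (pol.countries, req.country, "country not allowed"),
    ]
    for allowed, value, reason in checks:
        if allowed and value not in allowed:
            return False, reason
    if pol.groups and not (pol.groups & req.groups):
        return False, "not in an allowed group"
    return True, "matched policy"

def audit_line(req: Request) -> str:
    """One searchable log line per decision, for allows and denies alike."""
    ok, reason = evaluate(req)
    return (f"app={req.app} user={req.user} idp={req.idp} platform={req.platform} "
            f"country={req.country} decision={'allow' if ok else 'deny'} reason='{reason}'")
```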

4. Simplifying IT integration during M&As

Despite economic headwinds, the recent EY CEO Outlook Pulse survey found that the majority (63%) of UK CEOs expect to pursue an M&A, and 69% are looking to enter strategic alliances or joint ventures in the next 12 months.

One corporate network can be complex enough, let alone the potential trouble encountered from combining multiple networks during an M&A. Integration teams wrestle with:
- Very manual due diligence processes and implementation steps
- Network incompatibility and scalability issues
- Risk of new vulnerabilities, especially if the companies’ security postures are not identical

Because ZTNA decouples the access mechanism from the corporate network(s) entirely, it can provide a faster path to IT integration during M&A. 

A ZTNA approach can bring together both organizations’ existing identity providers, maximize simplicity for end users of web apps and Secure Shell (SSH) connections, and alleviate concerns with overlapping IPs across multiple networks. 

These and other ZTNA capabilities: 
- Make it simpler to provide access to the new swath of users and devices accessing both companies’ resources and data
- Maintain employee productivity and connectivity by offering less intrusive security checks, simplified authentication workflows, and faster employee onboarding/offboarding
- Reduce the effort required to provision and secure new infrastructure (or fix vulnerabilities in legacy systems)

Empower businesses with modernised access

In today's distributed work environment, traditional security perimeters have vanished, and outdated remote access solutions can't meet modern security or performance standards.

ZTNA simplifies and secures access for any user to any app, on any device, from any location, eliminating the trade-off between security and user experience.

Together, e92plus and Cloudflare help customers boost their own “super powers” using ZTNA:
- Enhance user experience: Boost team productivity with modernized security, providing on-premises apps with the same performance as SaaS apps, eliminating slow VPNs and employee complaints.
- Limit lateral movement: Reduce cyber risks and minimize the attack surface by granting context-based, least-privilege access per resource, rather than network-level access.
- Seamlessly scale Zero Trust: Enhance technological efficiency by safeguarding critical apps or high-risk user groups, then extend Internet-native ZTNA to protect the entire organization.