What is Zero Trust Network Access? A Q&A with Grig Milis, CTO at RFA

What is Zero Trust Network Access (ZTNA) and how does it differ from VPNs?

ZTNA is a framework of controls designed to establish additional parameters required to access network resources beyond authentication. The concept of zero trust relates to that fact that a network always assumes that any user or device is not authorized for access, and as such, every request to access a part of the network must be authenticated each time. This is compared with a VPN, which works by assigning credentialed users/devices a system-approved IP address and subsequent access to the entire network.

What are some common misconceptions around zero trust?

There are two common misconceptions which are useful for managers to understand. The first is that ZTNA is complicated and expensive to implement and maintain. Every manager, regardless of size or the network infrastructure it has in place, can implement ZTNA with the help of a specialist who can assess which tactics to employ and which vendors to utilize. Another common misconception is that by implementing ZTNA senior management is saying that it does not trust their employees. Rather, the goal with ZTNA is simply to prevent unauthorized access to your network and data breaches by malicious actors, which could result in large fines, which ultimately negatively affects a business and its employees.

Why have security experts shifted towards this framework?

VPNs typically are not designed to enforce resource segregation and zero trust policies as they provide insufficient controls on data access and usage policies. It is also difficult to monitor activity inside encrypted VPN tunnels. Essentially once you are inside a network that is using a VPN you can get access to everything, and malicious actors have shown many times its possible to infiltrate networks supposedly protected by VPNs.

What is unique about the security considerations, and vulnerabilities, of alternative asset managers? Hedge funds specifically? Private equity specifically?

Alternative asset managers are a particularly attractive target for malicious actors because of the immense sums of capital that they deal with as businesses. Take for instance the middle office of a hedge fund, charged with collateral management and posting margin. This part of a hedge fund’s business is a gold mine for malicious actors who can pose as a fund’s CFO or prime broker and request payments in the hopes of being wired millions of dollars by mistake (it has happened more than a few times). Similarly, private equity firms usually have some form of connectivity with their portfolio companies, which themselves could have access to confidential customer information. Therefore, a cybersecurity breach at the manager level, could theoretically lead to the leak of personal information being held by a portfolio company. This is why a ZTNA framework is vital for the protection of assets, communications and intellectual property in the alternative investment space.

How can a firm successfully deploy ZTNA?

Given a large majority of managers do not have significant in-house IT teams, it is advisable to work with a specialist third party that understands the business of running an alternative investment manager and can therefore tailor ZTNA design and implementation to your firm’s specific requirements. A general lack of knowledge/awareness is a major contributing factor in slowing down the adoption of ZTNA. Today the majority of the public cloud /SaaS ecosystems (such as those run by Microsoft, Amazon and Google), which increasing numbers of managers are utilizing, provide many ZTNA capabilities integrated directly into their platforms. A specialist third-party can help you identify which vendors to use create a wider-reaching solution for your business, notable examples include Zscaler, Palo Alto Networks and Axis Security.

What should organizations consider before implementing ZTNA?

It is absolutely vital for every organization to be aware of what their critical data is and where it is stored. For most managers, this is where the value is within their businesses and what the hackers are looking for access to when they attempt to breach their systems. Once you have this information, the next step is to review who has access to that data, how it is accessed and whether each user needs the access they have. Auditing your user access is best practice cyber hygiene and should be included in your day-to-day operational practices anyway. A suitable place to start is to build out a data privacy impact assessment (DPIA) alongside a robust risk management process for your technology stack.

Next, review your supply chain relationships and communications governance. Supply chain access passwords are often the biggest offender in terms of cyber breaches. It is absolutely imperative that your team are fully trained and understand the consequences of any communications or shared information they may have used to ease other processes. Clear and concise guidelines within supplier agreements will help deliver the correct level of governance. Alongside the security perspective, this is also essential knowledge for any firm to be able to share with regulators and to fulfil any operational due diligence requirements from investors too.

How has the industry adopted it? At what rate? 

The alternative investment industry specifically is rapidly moving to a SaaS consumption model for data and application delivery. This significantly diminishes the need for VPNs, and we fully expect them to become obsolete in our industry within in the next three to five years. We would estimate that at least half of alternative investment funds we interact with have adopted ZTNA in some form, with another 30-40% being in a strategy mode. ZNTA is definitely an accelerating trend, and we expect it to be the norm across the industry in the next 12 months.