How zero trust architecture is ideal for 5G and LTE Wireless WAN at the network edge
Despite years of perimeter-based network security through Virtual Private Networks (VPN), data breaches happen often enough to keep any IT team on its toes. From 2020-2021, there were more than 5,000 confirmed data breaches across dozens of industries, including healthcare, financial services, and manufacturing (2022 Verizon Data Breach Investigations Report), leaving security teams wondering: what is ZTNA and is it the best solution to keep networks safe?
With complex networks, cloud-based applications replacing data centers, and a shift toward more remote workforces, protecting critical information is an increasingly difficult task for enterprises. Vast quantities of data are stored on computers and other connected devices through a wide-area network (WAN), and these ever-expanding attack surfaces pose harmful risks to an organization’s security.
Since VPN end-to-end tunneling protocol entered the networking scene in the 1990s, it’s been the standard to mitigate these risks and securely connect sites, vehicles, IoT, and remote workers. But even traditional VPN architecture, which relies heavily on perimeter-based security, isn’t foolproof and must evolve to become more secure, simple, and scalable. To sufficiently protect a WAN, that evolution should include the adoption of 5G zero trust strategies to ensure data is available only to those with direct access.
What is ZTNA and how does it increase end-to-end security?
Zero Trust Network Access (ZTNA) is becoming the standard security practice for hybrid WANs for good reason. With a zero trust architecture, administrators can build granular policies, eliminate risky default access, and allow isolated user-to-resource access.
Compared to legacy WAN edge security technologies, which require complex access control lists or individual firewall policies to manually block access to resources, ZTNA policies simplify managing isolated user-to-application access, thereby reducing the potential attack surface.
What are the primary WAN edge security challenges that enterprises face?
Visible IP addresses
Publicly exposed Internet Protocol (IP) addresses are an easy way for an enterprise to lose valuable data and resources to hackers. These IP addresses, which allow devices to communicate within a network’s perimeter, are unique to each device and can be identified through network scanning techniques to discover the network topology and move laterally through the network.
Traditional VPN architectures aim to provide secure, encrypted connections over public networks to protect IP addresses. But following a zero-trust approach, which masks public IP addresses to prevent network topology discovery, is much more secure and can be very effective in preventing lateral movement.
Network complexity and lack of IT resources
Configuring a network with wired and wireless connections can be tricky — especially when it comes to traditional VPNs. Due to their complex infrastructure, VPNs are difficult to adjust once established, their firewall security practices are less reliable when it comes to protecting large enterprise networks, and any troubleshooting takes a substantial amount of time, which most IT teams don’t have.
Nearly 55% of senior IT professionals rank lack of automation as the no. 1 challenge in security operations and management, reflecting their inability to manually investigate and respond to notifications across increasingly complex networks (Insight Enterprises Inc., 2021).
As businesses expand across many distributed sites using cellular and wired broadband connections, IT teams are spread thin trying to establish secure connections and monitor activity. Putting in place a zero trust solution that enables automation and intuitive orchestration allows end-to-end secure communications between users and IoT devices and their applications in the data center and cloud.
What benefits does Zero Trust Network Access provide compared to traditional VPNs?
In a growing network, simplicity and security are key. Rather than building encrypted tunnels — an extremely time-intensive and complex process — automatic VPN functionalities like built-in tunnel orchestration and simplified network configuration help streamline the process and reduce the chance of human error. With Cradlepoint NetCloud Exchange (NCX) Secure Connect, secure tunnels can be built in just a few simple steps, saving time and resources.
During configuration, the deployment and management of IP addresses can be a tedious task. Each device on a network must be assigned an IP address, which is then tracked and managed by IT teams through either an IP address management platform or an extensive spreadsheet. With many IP addresses to monitor, allowing address overlap can be helpful, because the same IP address can then be assigned to more than one device on the network.
Using private NAT techniques, NCX Secure Connect allows network administrators to overlap IP addresses and enables name-based routing to simplify configuration. With name-based routing, administrators can use a logical name to describe networks and sites (e.g., “Idaho branch”) so they are easier to locate and track. Secure Connect makes IP addresses undiscoverable through the NCX Service Gateway, denying external access and significantly reducing the attack surface.
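The following is an added example of what name-based routing over overlapping address space involves; it is illustrative code and not Cradlepoint's NCX Secure Connect implementation. It assumes a single gateway that gives each logical site name its own block carved from an overlay supernet (the 10.100.0.0/16 range and the site names are constructed for the example) and translates (site name, local address) to a unique overlay address and back, so two sites can both keep 192.168.1.0/24 internally while still being routed to unambiguously.

```python
"""Name-based routing over overlapping site subnets (added example)."""
import ipaddress


class NameBasedGateway:
    """One-to-one NAT between per-site local subnets and a shared overlay.

    Sites are addressed by logical name ("Idaho branch"), not by IP, so their
    local subnets are allowed to overlap; the gateway keeps them apart by
    assigning each name its own overlay block.
    """

    def __init__(self, overlay_supernet="10.100.0.0/16", block_prefixlen=24):
        # Constructed overlay range: each registered site takes the next block.
        self._free_blocks = ipaddress.ip_network(overlay_supernet).subnets(
            new_prefix=block_prefixlen)
        self._subnet_of = {}      # site name -> local IPv4Network
        self._block_of = {}       # site name -> overlay IPv4Network
        self._site_of_block = {}  # overlay IPv4Network -> site name

    def register(self, name, local_subnet):
        """Attach a site by logical name; returns the overlay block it received."""
        if name in self._subnet_of:
            raise ValueError(f"site name {name!r} already in use")
        subnet = ipaddress.ip_network(local_subnet)
        block = next(self._free_blocks)  # StopIteration once supernet is exhausted
        if subnet.num_addresses > block.num_addresses:
            raise ValueError(f"{name!r}: local subnet larger than overlay block")
        self._subnet_of[name] = subnet
        self._block_of[name] = block
        self._site_of_block[block] = name
        return block

    def to_overlay(self, name, local_ip):
        """Translate a site-local address into its unique overlay address."""
        subnet = self._subnet_of[name]
        local_ip = ipaddress.ip_address(local_ip)
        if local_ip not in subnet:
            raise ValueError(f"{local_ip} is not inside site {name!r}")
        offset = int(local_ip) - int(subnet.network_address)
        return self._block_of[name].network_address + offset

    def from_overlay(self, overlay_ip):
        """Reverse translation: overlay address -> (site name, local address)."""
        overlay_ip = ipaddress.ip_address(overlay_ip)
        for block, name in self._site_of_block.items():
            if overlay_ip in block:
                offset = int(overlay_ip) - int(block.network_address)
                return name, self._subnet_of[name].network_address + offset
        raise LookupError(f"{overlay_ip} is not assigned to any site")


if __name__ == "__main__":
    gw = NameBasedGateway()
    # Two sites that both use 192.168.1.0/24 locally (constructed sample data).
    gw.register("Idaho branch", "192.168.1.0/24")
    gw.register("Samantha's house", "192.168.1.0/24")
    for site in ("Idaho branch", "Samantha's house"):
        print(site, "192.168.1.10 ->", gw.to_overlay(site, "192.168.1.10"))
    print(gw.from_overlay("10.100.1.10"))
```

The point a practitioner should take from this is that the logical name, not the address, is the routing key: the same 192.168.1.10 at two sites becomes two distinct overlay addresses, and only the gateway ever needs to know the mapping, so the local addresses are never exposed beyond it.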
Secure Connect sets the foundation for ZTNA, allowing IT teams to build policies for connecting users to specific resources instead of to broad network segments. These policies can be as granular as needed to make it easier to identify, assign, and manage isolated user-to-resource access. For example, in a retail scenario, a security team might need access to various applications, including video surveillance, badge readers, alarms, and more. In this case, they would be given access to those applications and nothing else. These attribute-based policies provide different levels of access based on the user and make the rest of the network undiscoverable, thus preventing hackers from infiltrating the network.
Exploring use cases for a zero trust solution
Remote work access
Remote work isn’t going anywhere — by 2025, the number of remote workers is expected to be nearly double what it was pre-pandemic (Future Workforce Report, 2021). In the age of wireless and hybrid WAN connectivity and remote workforces, secure connectivity should be a top priority for IT teams.
A work-from-anywhere model means employees request access to sensitive information from locations with unique IP addresses to get their jobs done. Using NCX's Secure Connect solution, enterprises can replace these IP addresses with descriptive names like "Samantha's house" to simplify configuration and management. Overlaying NCX's ZTNA service on Secure Connect allows for user-based access policies to ensure that the remote worker only has access to the resources that are required to perform their job effectively.
Widely distributed kiosks
Companies in nearly every industry use kiosks to make their services easier to access. As enterprises scale and manage thousands of kiosks nationwide, network security is increasingly at risk. For example, a kiosk operating on a large, shared network segment might be monitored by a third-party consultant who has the same access as an internal employee on that segment. If the consultant brings a compromised host to the kiosk network, all other network segments the internal employee has access to are now at risk. With NetCloud Exchange, there is no such thing as a shared segment — only completely isolated connections between the consultant and the kiosk and between the internal employee and the kiosk. The consultant and the employee are never on the same shared segment and are entirely blind to one another, preventing the consultant's compromised host from ever impacting the internal employee.
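As an added example covering both the retail security-team scenario described under Secure Connect and the kiosk scenario above, here is a small attribute-based, default-deny policy engine. It is illustrative code, not NetCloud Exchange's policy implementation; the policy names, roles, organisation attribute, resource names ("kiosk-42", "inventory-db") and the legacy "kiosk-lan" segment are all constructed for the example. It assumes a request is judged by the requester's attributes (as asserted by an identity provider) against a list of policies, and that a resource is reachable only when some policy grants it, so a compromised host inherits nothing beyond the grants of the identity using it.

```python
"""Attribute-based, default-deny user-to-resource access (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    required: tuple        # ((attribute, value), ...) that must ALL match
    resources: frozenset   # resources this policy grants, nothing more


@dataclass(frozen=True)
class Identity:
    user: str
    attrs: tuple           # ((attribute, value), ...) from the identity provider

    def attr(self, key):
        return dict(self.attrs).get(key)


class ZtnaPolicyEngine:
    """Evaluates attribute-based policies; anything not granted is denied."""

    def __init__(self, policies):
        self.policies = tuple(policies)

    def matches(self, policy, identity):
        # Every required attribute must match exactly; a partial match grants nothing.
        return all(identity.attr(k) == v for k, v in policy.required)

    def allowed_resources(self, identity):
        granted = set()
        for policy in self.policies:
            if self.matches(policy, identity):
                granted |= policy.resources
        return granted

    def decide(self, identity, resource):
        """Default deny: True only if a matching policy grants the resource."""
        return resource in self.allowed_resources(identity)

    def undiscoverable(self, identity, all_resources):
        """Resources that stay invisible to this identity (never routed to it)."""
        return set(all_resources) - self.allowed_resources(identity)


def segment_reachable(segments, host_segment):
    """Legacy contrast: any host placed on a shared segment reaches every
    resource on that segment, regardless of who brought the host."""
    return set(segments[host_segment])


# Constructed sample policies for the retail security team and the kiosk case.
RETAIL_POLICIES = (
    Policy("retail-security-team",
           (("role", "security"), ("org", "internal")),
           frozenset({"video-surveillance", "badge-readers", "alarms"})),
    Policy("kiosk-consultant",
           (("role", "kiosk-consultant"), ("org", "third-party")),
           frozenset({"kiosk-42"})),
    Policy("kiosk-operator",
           (("role", "kiosk-operator"), ("org", "internal")),
           frozenset({"kiosk-42", "inventory-db"})),
)
ALL_RESOURCES = frozenset({"video-surveillance", "badge-readers", "alarms",
                           "kiosk-42", "inventory-db"})
# Constructed legacy layout: kiosk and back-office database share one segment.
SHARED_SEGMENTS = {"kiosk-lan": {"kiosk-42", "inventory-db"}}


if __name__ == "__main__":
    engine = ZtnaPolicyEngine(RETAIL_POLICIES)
    consultant = Identity("carl", (("role", "kiosk-consultant"), ("org", "third-party")))
    print("consultant reaches:", sorted(engine.allowed_resources(consultant)))
    print("hidden from consultant:", sorted(engine.undiscoverable(consultant, ALL_RESOURCES)))
    print("legacy shared segment exposes:", sorted(segment_reachable(SHARED_SEGMENTS, "kiosk-lan")))
```

Two design points matter here. First, the engine starts from an empty grant set and only adds what policies explicitly allow, so a new resource is unreachable by everyone until a policy names it; that is the "eliminate risky default access" property. Second, `matches` requires every attribute to agree, so a third-party identity claiming the "security" role is denied rather than partially trusted, and the consultant's host, compromised or not, never receives a route to "inventory-db" in the first place, which is the difference from the shared-segment model that `segment_reachable` shows.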