When analysts ask me what is next for zero trust network access (ZTNA) the answer is clear: user-based risk scoring. This may sound oddly specific, but as threats grow more sophisticated, it’s critical for ZTNA solutions to verify not only user identity and device security but also user behavior.
One of the main tenets of ZTNA is checking a device’s status continuously instead of assuming trust after one round of verification when it connects to the network. This means verifying the device’s security posture before connecting to applications or data centers and throughout the session. Different ZTNA solutions manage these continuous checks in different ways. For example, some may recheck a device after a set time or at a specific trigger, like a change in security status or a request to visit a suspicious website.
Unfortunately, many ZTNA offerings on the market say they are running continuous checks but aren’t following through. What’s more, many solutions don’t break an active session even if they identify something suspicious. This undermines one of the main benefits of ZTNA – the ability to stop potential bad actors before they can wreak havoc on the network.
And even if a ZTNA solution is working properly by checking devices continuously and ending suspicious sessions, it can only offer so much protection. Attackers are becoming more adept at bypassing network security checks and posing as legitimate users.
At Fortinet, we’re implementing user-based risk scoring into our ZTNA solution to offer an additional layer of security. Fortinet ZTNA does this by leveraging information from our Endpoint Detection and Response (FortiEDR) and security information and event management (FortiSIEM) offerings to understand the user’s activities throughout their session.
Here are some examples of how user-based risk scoring improves security:
- It can identify if the same user is logged into both the New York City office and the San Jose office and break those sessions to reauthenticate.
- It can flag if a user plugs in a USB device when that’s not something they normally do. USB flash drives allow users to store data that can then be transferred between devices and are a significant concern if they contain sensitive data and are then lost.
- It can warn IT teams if a user is downloading an extremely large volume of files, even if they should have access to this data. (In a ZTNA scenario that only authenticated a user and checked a device’s security posture, this suspicious behavior would be allowed to continue.)
- It can flag if a user starts moving large amounts data across the network, between applications or simply to different locations
- It understands if a user accessing a SaaS application has an abnormal experience, including a crash, data loss, or failure to respond. All of these anomalous application behaviors can indicate something malicious is happening, which means the session should be broken for further investigation.
While some behaviors are obvious issues, others might simply raise the level of concern such that if it happens multiple times, the risk score exceeds the threshold and active sessions can be suspended.
And despite the granular verifications that ZTNA user-based risk scoring allows, end users will still have a streamlined, efficient experience. These checks, which happen in the background, can be highly customized to specific environments and risk areas, so only behaviors that are truly atypical are stopped for a deeper review.
In the example listed above, where a user is downloading a large number of files (suspicious behavior), an organization could make a rule that this would only be flagged if the user is logging in from an odd location. This flexibility makes user-based risk scoring a powerful way to enhance ZTNA.
A zero-trust mindset means assuming that a breach will happen and taking steps to minimize how long it lasts and the breadth of data compromised. With user-based risk scoring, ZTNA drills deeper into suspicious behavior to make detection and mitigation even faster. As bad actors find new and nefarious ways to infiltrate devices and steal credentials, user-based risk scoring will only grow in importance.
Fortinet’s Zero Trust Network Access (ZTNA) solution provides industry-leading secure application access, protecting users and devices during every session. Fortinet delivers ZTNA capabilities as part of our FortiGate Next-Generation Firewall (NGFW), covering users while remote or in the office. Learn more about Fortinet’s ZTNA offering here.
