
Zero Trust Network or Not, DDoS Protection Remains Essential

With the rise in remote work, a significant number of workers are logging in from various devices and VPNs, which can increase cybersecurity vulnerabilities. As a result, many networking professionals are interested in the potential benefits of zero trust networking (ZTN) and zero trust access (ZTA), which control access to resources or applications based on verification of the user or device. An opinion article in CSO magazine states that Zero Trust Network Access (ZTNA) “…isn’t the most obvious naming convention, because although it’s called zero trust network access, it’s really all about brokered access for users to applications. So, it might have been clearer to call it zero trust application access, but for better or worse, it’s ZTNA.”

The CSO article also states, “Unlike a VPN, ZTNA extends the zero-trust model beyond the network and reduces the attack surface by hiding applications from the internet.” Hmmm… reducing the attack surface is a good thing, is it not? Fewer points of entry that are possible to exploit must therefore reduce the risk of Distributed Denial of Service (DDoS) attacks, right? Wrong. Implementing ZTNA may give networking professionals a false sense of security that their networks will be protected from DDoS attacks. Unfortunately, whether one has a traditional or Zero Trust approach, there is still a risk of being hit with a DDoS attack.

Why is that? To put it in simple terms, a DDoS threat actor doesn’t need role-based permission to access a network in order to send malicious traffic to public network addresses. Regardless of the network’s architecture, DDoS cybercriminals can come up with schemes to disrupt or take an application offline by sending junk packets of traffic from an army of reflection-amplification or botnet devices.

The IT analyst firm Gartner began recommending zero trust frameworks back in 2020, to secure applications and data rather than just a network. Regarding DDoS protection, Gartner suggests that the most successful way to protect applications and services is with a hybrid DDoS mitigation solution that has multiple layers: internal (such as anti-DDoS appliances and web application firewalls), at the edge (outside the firewall, with an appliance) and external (such as cloud scrubbing centers, Internet Service Providers, and Content Delivery Networks).

Regardless of an organization’s network framework, DDoS planning and protection should be a key element of any organization’s cybersecurity defense posture. It is important to have a DDoS protection solution that provides unparalleled visibility into the traffic entering the network, with “single pane of glass” management and analysis of both detected and mitigated attacks, and that is always-on and automatic, functioning 24/7 to detect and block both short, sub-saturating DDoS attacks and volumetric DDoS attacks.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments.