The branch office of one
Prior to the pandemic, there was already a shift in networking underway, with an increasing percentage of the workforce beginning to work from home – at least part-time. This trend has dramatically accelerated over the last year, with the vast majority of organizations either mandating their employees work from home, or strongly encouraging it.
This has transformed many organizations almost overnight into a highly-distributed model with hundreds, if not thousands, of one-person branch offices. The “branch office of one” has become the new normal for many organizations.
This massive shift has created a similarly massive challenge for many IT organizations, who have been scrambling to implement VPN access for their remote workers. As just one example, utilization of our Sophos Connect VPN client with XG Firewall has shot up over 10x to more than 1.4 million active clients in recent months.
And while VPN technology has been a savior and has served us well, it was never really designed for this new world. VPN can be difficult to deploy and to enroll new staff into, it can be challenging for end users and creates unnecessary friction, and it does not provide the kind of granular security that most organizations require.
Gartner’s recent report, Solving the Challenges of Modern Remote Access, also highlights the challenges with VPN: licensing, efficiency, relevancy, and suitability for the task.
Protecting your data
If it wasn’t enough that IT organizations are grappling with this massive shift in remote working, the whole industry has come under siege by bad actors and hackers attempting to take advantage of the current situation with increasing attacks on corporate systems and data. The latest Sophos 2021 Threat Report provides an excellent look at how cybercriminals have upped their game.
With a massive collection of branch offices of one and an ever-increasing need for tighter security that is transparent and frictionless, what are the options?
We’re actively working to get Sophos ZTNA, or zero trust network access, into your hands as fast as possible. To help overcome some of the challenges you’re facing with remote workers, it provides a simpler, better, more secure solution to connect your users to important applications and data.
Zero trust network access
ZTNA is founded on the principle of zero trust and is all about verifying the user. It typically leverages multi-factor authentication to prevent stolen credentials from being a source of compromise, then validates the health and compliance of the device to ensure it’s enrolled, up to date, and properly protected. ZTNA then uses that information to make policy-based decisions to determine access and privilege to important networked applications.
Benefits of ZTNA compared to remote access VPN
While remote access VPN continues to serve us well, ZTNA offers a number of added benefits that make it a much more compelling solution:
- More granular control: ZTNA allows more granular control over who can access certain applications and data, minimizing lateral movement and removing implied trust. VPN is all-or-nothing: once on the network, VPN generally offers access to everything.
- Better security: ZTNA includes device and health status in access policies to further enhance security. VPN does not consider device status, which can put application data at risk to a compromised or non-compliant device.
- Easier to enroll staff: ZTNA is much easier to roll out and is better when it comes to enrolling new employees. VPN involves more challenging and difficult setup and deployment.
- Transparent to users: ZTNA offers “just works” transparency to users with frictionless connection management. VPN can be difficult and prone to initiating support calls.
Overall, ZTNA offers a welcome solution to connecting the branch office of one.
Sophos ZTNA
Sophos ZTNA is a brand new cloud-delivered, cloud-managed product to easily and transparently secure your important business applications with granular controls.
Sophos ZTNA consists of three components:
- Sophos Central provides the ultimate cloud management and reporting solution for all your Sophos products, including Sophos ZTNA. Sophos ZTNA is fully cloud-enabled, with Sophos Central providing easy deployment, granular policy management, and insightful reporting from the cloud.
- Sophos ZTNA Gateway will be available as a virtual appliance for a variety of platforms to secure networked applications on-premise or in the public cloud. AWS and VMware ESXi support will be available initially, closely followed by support for Azure, Hyper-V, Nutanix, and others.
- Sophos ZTNA Client provides transparent and frictionless connectivity to controlled applications for end users based on identity and device health. It is super easy to deploy from Sophos Central, with an option to deploy alongside Intercept X with just one click or instead work standalone with any desktop AV client. It will initially support macOS and Windows, and later Linux and mobile device platforms as well.
Coming soon
The early access program (EAP) for the initial version of our ZTNA solution will kick off in the next couple of weeks, so stay tuned for additional news. I hope you will all join us in test-driving Sophos ZTNA to make it the best product it can be for launch!
Sophos Zero Trust Network Access (ZTNA) is a new product category that will soon have a presence on the Sophos Partner Portal and later on Sophos.com as well. Continue reading to learn more about what’s coming, access a collection of frequently asked questions and revisit the recent SophSkills recording in case you missed it.
What is ZTNA All About?
If you missed the recent SophSkills session, this video presentation covers everything you need to know about why ZTNA is so important and what Sophos ZTNA will look like. You can also grab the PowerPoint file here.
ZTNA is founded on the principle of zero trust. ZTNA is all about verifying the user, typically with multi-factor authentication to prevent stolen credentials from being a source of compromise, then validating the health and compliance of the device: is it enrolled, is it up to date, is it properly protected? And then using that information to make decisions based on policies to control access and privilege to important networked applications.
What are the Benefits of ZTNA (compared to remote access VPN)?
While remote access VPN continues to serve us well, ZTNA offers a number of added benefits that make it a much more attractive solution:
- More Granular Control: ZTNA allows more granular control over who can access applications and data, minimizing lateral movement and improving segmentation. VPN is all-or-nothing: once on the network, VPN generally offers access to everything.
- Better Security: ZTNA removes implicit trust and incorporates device status and health in access policies, which further enhances security. VPN does not consider device status, which can put application data at risk from a compromised or non-compliant device.
- Easier to Enroll Staff: ZTNA is much easier to roll out and use to enroll new employees, especially if they are working remotely. VPN is more challenging and difficult to set up and deploy.
- Transparent to Users: ZTNA offers “just works” transparency to users with frictionless connection management. VPN can be difficult and prone to initiating support calls.
Overall, ZTNA offers a welcome and much better solution to connecting remote workers or the branch office of one.
What is Sophos ZTNA?
Sophos ZTNA is a brand new cloud-delivered, cloud-managed product to easily and transparently secure important networked applications with granular controls. It’s scheduled to enter early access in February.
Sophos ZTNA consists of three components:
- Sophos Central – provides the ultimate cloud management and reporting solution for all Sophos products, including Sophos ZTNA. Sophos ZTNA is fully cloud-enabled, with Sophos Central providing easy deployment, granular policy management, and insightful reporting from the cloud.
- Sophos ZTNA Gateway – will come as a virtual appliance for a variety of platforms to secure networked applications on-premise or in the public cloud, with AWS and VMware ESXi support initially, closely followed by Azure, Hyper-V, Nutanix, and others.
- Sophos ZTNA Client – provides transparent and frictionless connectivity to controlled applications for end-users based on identity and device health. It will integrate with Synchronized Security for Heartbeat and device health. It is super easy to deploy from Sophos Central, with an option to easily deploy alongside Intercept X with just one click, or it can work stand-alone with any desktop AV client (obtaining health status from Windows Security Center). It will initially support Windows, followed by macOS and later Linux and mobile device platforms as well.
Here’s a basic block diagram of Sophos ZTNA at work:
Frequently Asked Questions about Sophos ZTNA:
What are the key dates?
The Early Access Program (EAP) will get underway in February. Launch is expected to be around mid-year 2021.
What applications can be protected?
Sophos ZTNA can provide protection for any networked application hosted on the company’s on-premise network, in the public cloud, or at any other hosting site. Everything from RDP access to network file shares to applications like Jira, wikis, source code repositories, support and ticketing apps, etc.
ZTNA cannot protect SaaS applications like Salesforce.com or Office 365 because customers don’t own these applications, which are public-internet-facing applications servicing many clients by design. Controlling access to these applications is already done effectively through multi-factor authentication, and if customers need more granular controls, then CASB is the technology that can help with access control to these types of applications. Sophos is also working on a SASE strategy that will include CASB as well in the future.
What client, gateway and identity platforms will be supported?
Client platforms will initially include a clientless option across all client platforms (EAP1), Native Windows and Mac support (EAP2) and then Linux and mobile device platforms (iOS and Android) following launch.
Gateway platforms will initially include AWS (public cloud) and VMware ESXi (virtual appliance) for EAP. This will be expanded to include other platforms like Azure, Hyper-V, Nutanix, K8S, and GCP following launch.
For identity, Sophos ZTNA will initially support Azure Active Directory (AD) for EAP 1 and Okta in EAP2. Supported directory services include Azure and on-premise AD. Customers can take advantage of Azure’s MFA options right away with support for third-party MFA solutions coming in a future release.
Is the Sophos ZTNA gateway hardware, virtual or cloud?
The Sophos ZTNA gateway is a virtual appliance only. There is no hardware version and it is not a hosted service. Customers can deploy as many Sophos ZTNA gateways as they need (for free) on any of the platforms mentioned above to protect their applications in the cloud (AWS, Azure, Nutanix, etc) or hosted in their data center or on-premise (using a virtual appliance).
Is ZTNA a stand-alone product or does it require another Sophos product?
Sophos ZTNA is a stand-alone product and does not require any other Sophos products. It is managed by Sophos Central, which is free, and obviously offers a ton of benefits when customers have other Sophos products. It can easily deploy alongside Intercept X, but Intercept X is not a requirement. Sophos ZTNA can work alongside any vendor’s desktop AV or firewall.
How will Sophos ZTNA client deployment work?
Sophos ZTNA will be an option to deploy alongside Intercept X and device encryption when protecting devices from Sophos Central. It will be added to this list…
Will ZTNA integrate with Sophos XG Firewall and Intercept X?
Sophos ZTNA is fully compatible with XG Firewall and Sophos Intercept X. In fact, it takes advantage of Security Heartbeat to assess device health which can be used in ZTNA policies. As mentioned above, deployment of the ZTNA client can easily happen as part of a CIX roll-out – it’s as simple as checking a box. Of course Sophos ZTNA can also work perfectly with other vendor desktop AV or firewall products, but it will work better together with other Sophos products such as XG Firewall and Intercept X.
There are plans to ultimately include ZTNA gateway functionality in the firewall, but for now, the biggest opportunity for ZTNA is providing it as a stand-alone solution that can work with any firewall.
How will licensing and pricing work?
Sophos ZTNA will be licensed on a user basis like our Endpoint products. And it is not per user-device, just per user, so if a user has 3 devices, they only require one license.
Customers can deploy as many ZTNA gateways as they need to protect all their apps. There is no charge for the gateway or for Central Management.
There will be a free trial at launch.
More of Your Frequently Asked Questions:
How does ZTNA compare to…
- Duo is an identity technology provider focused on multi-factor authentication (MFA) to help users verify their identity. Identity and MFA, and thus Duo, are a part of a ZTNA solution. ZTNA also verifies device health. Sophos ZTNA will initially support Azure MFA and ultimately support Duo and other MFA solutions as well.
- NAC and ZTNA technologies may sound similar as they are both about providing access, but that’s where the similarities end. Network Access Control (NAC) is concerned about controlling physical access to a local on-premise network. ZTNA is concerned about controlling access to data and specific network applications regardless of what network they are on.
- While remote-access VPN has served us well, ZTNA has a number of benefits when compared to VPN, as outlined above. Of course there will be some situations where VPN continues to be a good solution, such as where a relatively small number of people (e.g. the IT department) need broad access to network applications and services to manage them. And of course, VPN will still be instrumental for site-to-site connectivity. But for most organizations’ users, ZTNA can replace remote-access VPN to provide a better, more granular security solution while being more transparent and easier for users.
- ZTNA is complementary to a Firewall, just like VPN is complementary to a Firewall. Of course, the Firewall still plays a critically important role in protecting corporate network and data center assets from attacks, threats and unauthorized access. ZTNA bolsters a Firewall by adding granular controls and security for networked applications in the cloud or on-premise.
- ZTNA and Synchronized Security are both conceptually similar in that they both can use device health to determine network access privileges. In fact, Sophos ZTNA will use Security Heartbeat as a key component in assessing device health. If a user has a device with a Red Heartbeat, their application access can be limited through policy, just as their network access can be limited on the firewall. However, ZTNA goes further than Synchronized Security by also integrating user identity verification. ZTNA is also more about controlling privilege and access to applications while Synchronized Security is more about automated response to threats and preventing threats from moving or stealing data.
- SASE (pronounced “sassy”) or Secure Access Service Edge, is about the cloud delivery of networking and security and includes many components such as Firewalls, SD-WAN, Secure Web Gateways, CASB, and ZTNA designed to secure any user, on any network, anywhere through the cloud. So as you can see, ZTNA is a component of SASE and will be our initial offering into this segment and an essential part of our overall SASE strategy.
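The access chain described in the "What is ZTNA All About?" section (verify the user with MFA, check that the device is enrolled, up to date and protected, then apply a per-application policy) and the Red Heartbeat rule in the Synchronized Security bullet above can be written down as a small decision engine. The following is an added illustration, not Sophos ZTNA code; the class names, fields, group names, applications and heartbeat thresholds are all assumptions made for the example. It also includes an all-or-nothing `vpn_style_access` function so the contrast with remote-access VPN drawn earlier on the page is visible in the output.

```python
"""ZTNA-style per-application access decisions (added example, not Sophos code).

Every name, field and threshold below is an assumption for illustration:
the post describes the principle (identity + MFA, then device health, then
per-app policy), not a concrete data model.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Heartbeat(Enum):
    """Constructed stand-in for a Security Heartbeat colour; higher is healthier."""
    GREEN = 2
    YELLOW = 1
    RED = 0


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset            # directory group membership (assumed source of identity)
    mfa_verified: bool           # True only after a second factor succeeded


@dataclass(frozen=True)
class Device:
    enrolled: bool               # device is known to management
    up_to_date: bool             # patch/agent level acceptable
    protected: bool              # desktop AV present and running
    heartbeat: Heartbeat         # current health colour


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: frozenset
    min_heartbeat: Heartbeat = Heartbeat.GREEN   # worst colour still permitted


def evaluate(policy: AppPolicy, user: User, device: Device) -> tuple[bool, str]:
    """Return (allowed, reason) for one user/device pair against one app policy."""
    # Identity first: a user outside the policy's groups never reaches the app.
    if not (user.groups & policy.allowed_groups):
        return False, f"{user.name} is not in an allowed group for {policy.app}"
    # MFA: a stolen password alone does not satisfy the policy.
    if not user.mfa_verified:
        return False, "multi-factor authentication not completed"
    # Device compliance: enrolment, patch level and protection status.
    if not device.enrolled:
        return False, "device is not enrolled"
    if not device.up_to_date:
        return False, "device is not up to date"
    if not device.protected:
        return False, "device has no active endpoint protection"
    # Device health: each app can set its own tolerance; Red is limited by policy.
    if device.heartbeat.value < policy.min_heartbeat.value:
        return False, (f"device heartbeat is {device.heartbeat.name}, "
                       f"policy for {policy.app} needs {policy.min_heartbeat.name} or better")
    return True, "allowed"


def ztna_access(policies, user: User, device: Device) -> dict[str, tuple[bool, str]]:
    """Per-application decisions: every app is judged independently."""
    return {p.app: evaluate(p, user, device) for p in policies}


def vpn_style_access(policies, user: User, device: Device) -> dict[str, tuple[bool, str]]:
    """All-or-nothing contrast: once the tunnel is up, every app is reachable.
    Device state is deliberately ignored, which is the gap the post describes."""
    tunnel_up = user.mfa_verified
    reason = "tunnel up" if tunnel_up else "tunnel down"
    return {p.app: (tunnel_up, reason) for p in policies}


# Constructed sample policies and principals (not from the page).
POLICIES = (
    AppPolicy("jira", frozenset({"engineering", "support"}), min_heartbeat=Heartbeat.YELLOW),
    AppPolicy("git", frozenset({"engineering"})),
    AppPolicy("rdp-admin", frozenset({"it"})),
)
ALICE = User("alice", frozenset({"engineering"}), mfa_verified=True)
HEALTHY = Device(enrolled=True, up_to_date=True, protected=True, heartbeat=Heartbeat.GREEN)
DEGRADED = Device(enrolled=True, up_to_date=True, protected=True, heartbeat=Heartbeat.YELLOW)
COMPROMISED = Device(enrolled=True, up_to_date=True, protected=True, heartbeat=Heartbeat.RED)

if __name__ == "__main__":
    for label, dev in (("healthy", HEALTHY), ("yellow", DEGRADED), ("red", COMPROMISED)):
        print(f"ZTNA, {label} device:", ztna_access(POLICIES, ALICE, dev))
    print("VPN, red device:", vpn_style_access(POLICIES, ALICE, COMPROMISED))
```

Running the script shows the same user gaining Jira but not Git on a Yellow device, losing both on a Red device, and never reaching the IT-only RDP application at all, while the VPN-style function hands out every application as soon as the tunnel is authenticated. The per-app `min_heartbeat` field is where the "limited through policy" behaviour from the Synchronized Security bullet lives.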
Competitors:
We know questions about competitors are always top of mind. We will be developing comprehensive competitive analysis as we get underway with the EAP and share that information soon.