Zero trust network access (ZTNA) is a network security solution, made up of various tools and technologies, for providing remote users with secure access to resources. It is often used interchangeably with the term ‘software defined perimeter’ (SDP).
The foundation of zero trust network access (ZTNA) is the zero trust security model. With zero trust, access is given only to authorized users, and only to the specific resources they require – this is known as least privilege access. When zero trust solutions are implemented properly, unauthorized users cannot gain access to corporate resources under any circumstances.
ZTNA enables secure and seamless connectivity, regardless of the user’s device or user location.
Zero trust network access (ZTNA) is often integrated as part of a secure access service edge (SASE) solution, providing context aware access to internal resources. In an era where a distributed workforce has become the norm, implementing a network security solution like this has become an incredibly important aspect of an organization’s security posture.
A SASE solution is a cloud native platform that combines SD-WAN capabilities with various network security services. As well as ZTNA, SASE solutions often include other services like CASB, SWG, FWaaS, and RBI.
ZTNA works by confirming user identity and device identity before allowing direct access to resources on a corporate network. This is done through defined access control policies, based on zero trust.
Here are some of the core principles of a ZTNA service:
In order to implement zero trust principles, ZTNA provides direct application access separately from network access.
ZTNA only uses outbound connections, through an encrypted tunnel. This ensures that unauthorized users are unable to see the network or application infrastructure, and shields IP addresses for added protection.
Any user traffic to an organization’s resources must pass through the ZTNA solution. Access privileges are given only after the user’s identity is confirmed, through multi-factor authentication. This process is done per application, ensuring secure access to all private applications.
Zero trust network access (ZTNA) is seen as a more modern, comprehensive, and secure approach to remote access than oft-used traditional security solutions, like virtual private networks (VPNs).
VPNs were originally designed to provide secure access to an on-premises data center. Now, many organizations are finding themselves with a far more complex setup, whereby remote workers require secure connections to a variety of different resources, such as cloud and web applications, and from many end user devices. Doing this through a VPN often requires the user to carry out inefficient, overly complicated processes.
In addition, VPNs provide a user with full access to a network once connected, which allows for lateral movement in the event of a security breach. In contrast, a ZTNA service provides granular access control for remote users, through software defined perimeters at the resource level.
Another drawback is that VPNs don’t always play nicely with other IT, business, and security systems used by an organization.
Since a VPN is hardware based, it can’t scale as easily as ZTNA, limiting its use for larger organizations with an increasingly remote workforce. It also requires installation on user devices, which leaves unmanaged devices unable to connect to the network.
Apart from being an attractive alternative to a VPN, there are a few other reasons an organization might adopt ZTNA:
ZTNA solutions can be used to reduce 3rd-party risk, as they allow secure connectivity to specific resources from outside the network, without granting access to the rest of the resources on the network. This keeps business critical applications isolated and protected from unauthorized access.
Many organizations implement ZTNA to improve their security posture when they are adopting SaaS offerings and cloud applications. At this point, they may find that their existing network security infrastructure, possibly originally designed for data center access, is no longer sufficient.
ZTNA provides organizations with many advantages.
Due to the cloud-based nature of ZTNA, it is extremely easy to scale the solution to support a growing network of applications, users, and devices. Security policies and user authorizations can be added, changed, and removed as the need arises.
Organizations can use ZTNA to split their network into many individual segments at the application level, which, aside from the obvious security advantages, also allows for increased network visibility and easier management.
In the event that compromised devices or stolen user credentials allow an unauthorized user to gain access to the network, the attack surface is greatly reduced – with access limited to the private applications available to the compromised user. This granular access, based on zero trust architecture, prevents lateral movement through the network.
ZTNA allows organizations to create policies based on user location, device posture, and more. This ensures reduced risk of exposure to cyber threats when compared to a VPN, where on-premises workers and BYOD users with mobile devices connect with the same level of network access.
According to Gartner, there are two main categories of ZTNA solutions – agent initiated ZTNA, and service initiated ZTNA.
With this type of ZTNA, there is an agent installed on each end-user device. The agent transmits data about the device to a controller – this data may include location, date, time, and more. The controller then requests user authentication to confirm user identity. Once the user and device are successfully authenticated, and the user is granted access, the controller provisions the connection through a gateway. This prevents the application from being accessed by the Internet or unauthorized users.
As an agent must be installed on every device, this type of ZTNA does not support unmanaged devices.
Service initiated ZTNA is agentless – a connector uses outbound connections from the application’s network to the service provider’s cloud. When user access is required, a service in the cloud authenticates the user and carries out a validation process, such as single sign-on (SSO). All traffic to and from the application must pass through the provider’s cloud, preventing unauthorized access.
As no agent installation is required, this form of ZTNA can also provide application access to remote users with unmanaged devices.
Here are some questions you should ask the vendor when choosing your ZTNA solution: