ZTNA definition

ZTNA is a security concept that requires all users, even those inside the organization's enterprise network, to be authenticated, authorized, and continuously validated. Their security configuration and posture must be checked before access to applications and data is granted, and again for that access to be kept. This approach assumes that no user or system should be trusted by default, whether it is inside or outside the organization's perimeter.

Key takeaways:

  • ZTNA is a security concept that assumes no user or system should be trusted by default, requiring constant validation and authorization.

  • It offers increased visibility, better data protection, and efficient automation, making it suited for modern business environments.

  • ZTNA ensures that remote employees connecting from unsupervised networks are continually verified and authenticated, reducing the risk to the enterprise.

  • It's particularly beneficial for businesses that have transitioned to multi-cloud environments.

  • ZTNA is part of Secure Access Service Edge (SASE), a unified framework that includes various cloud-native cybersecurity solutions.

How does ZTNA work?

Scheme of how ZTNA works

Zero Trust Network Access applies the Zero Trust security model to secure remote access to a company's resources. Built on that model, it aims to protect the network from internal and external threats by enforcing strict verification before each access session.

ZTNA has an edge in terms of security compared to other remote access solutions like VPNs. VPN implementation usually entails full user access to a specific network, while ZTNA restricts it to a limited range of applications or services. This approach is less risk-prone and is more suited for modern business environments.

At its core, ZTNA combines user validation with network invisibility. With ZTNA, connected devices aren’t aware of what other network resources are connected, nor do they have any means of accessing them. The second part of the formula ensures that users are validated and authenticated before access is granted. Here’s how this framework could be broken down:

1. Separation between network access and application access

While VPN has no distinction between the two, ZTNA separates network from application access. This introduces additional obstacles for bad actors infiltrating the network, reducing overall risks.

2. Outbound-only connections

ZTNA allows only outbound connections, making application infrastructure and network invisible to unauthorized users — they’re locked out. In turn, IP addresses aren’t exposed to the public internet, making the network impossible to pinpoint.

3. Limited application access

ZTNA uses native app segmentation to ensure users only access specific applications rather than the whole network. This mitigates the risks that could arise from overly permissive network user access.

4. User-to-application approach

Instead of focusing on network security, this approach focuses more on application security. End-to-end network components that directly participate in application access are in focus. This also means discarding highly secure MPLS lines in favor of encrypted tunnels.

ZTNA is both more secure and better adapted to today’s cybersecurity challenges. With users working from anywhere, ZTNA helps businesses to manage the online risks they’re facing. It’s a cloud-based approach accepting connections from managed and unmanaged devices, with much greater flexibility than traditional network setups.

Benefits of ZTNA

ZTNA lets the network grow while keeping the associated risks in check. It is especially appealing to businesses that have moved to multi-cloud environments: with resources scattered across multiple locations, ZTNA provides far better-controlled access to them, whereas perimeter-based solutions like VPNs are slowly being phased out.


1. Better network visibility

Because the number of allowed connections is greatly reduced, the network overview becomes cleaner. Every allowed connection has to satisfy a strict set of parameters, and those same parameters, such as timestamps, application log-ins, access requests, and user actions, can be used for tracking. This improves network visibility and makes flagging abnormal behavior for real-time analysis and investigation much easier.

2. Increased data protection

Isolated access to an organization's network also leaves less room to threaten it. Even when a weak link is exploited, ZTNA puts strict limits on what can be done with it. Privilege escalation is hampered by the authentication requirements, while the rest of the network stays inaccessible. These built-in constraints make damage mitigation much easier.

This protects not only the network but also the organization's most sensitive data. A ZTNA implementation can make the key difference between being breached and pulling through with the company's reputation intact.

3. Mitigates remote employee risks

Remote employees connect from unsupervised networks on unmanaged devices, increasing the total attack surface. This is one of the major challenges for an enterprise's IT staff, as most workplaces have adopted a hybrid work approach.

ZTNA largely solves this problem by enforcing a requirement to verify and authenticate at every access level. The user is allowed inside if the device meets security requirements and there are no other red flags.

4. Time-efficient automation

Continuous monitoring is the foundation of ZTNA. It is a highly autonomous approach to network security management: once specific parameters are preconfigured, the system can be left to run on its own. Automation decides on access requests based on the configured rules and analyzes the context of each situation.

The gathered data can also be reused for in-depth analysis, so the system works like an additional team member whose use extends to further areas. IT teams implementing ZTNA are freed to focus on other tasks, leaving mundane administrative checks to the software.

Top ZTNA use cases


1. Limiting remote access

If you’re looking into how to strike a balance between work-from-home and business network security, ZTNA might be a godsend. ZTNA provides access to specific applications without giving too much freedom to roam the internal network.

It’s a much more efficient solution that doesn’t clog up internal bandwidth. Users are connecting directly to where the resources are hosted, improving performance. Not to mention that application access is denied by default unless the user has passed authentication.

2. Better alternative to VPNs and MPLS

There aren’t many technologies that allow closed-off networking viable in a business setting. For instance, multiprotocol label switching (MPLS) requires additional hardware like routers and switches interconnected via leased lines or other links. It is one of the most expensive setups you could deploy, and it is above the budget of many small to medium businesses.

VPNs are a much cheaper alternative using public internet and encrypted tunnels, but if your user base relies on cloud services, this isn’t a viable option either. ZTNA solves the drawbacks of both former connectivity technologies. It reduces network complexity and provides direct access to the cloud, improving connection performance.

3. Internal network isolation

Most remote work tools expose more of an enterprise’s internal resources than employees need for their job functions, usually because of the limited network segmentation options available. This significantly adds to the risks an enterprise faces.

ZTNA implements a least-privilege access model to limit the damage from potential data breaches. Users are granted only the minimal rights needed to perform their job role, so a breach would limit the data that attackers could expose.

How to implement ZTNA?

ZTNA can be implemented in two ways: using special software on each client device, or as a cloud service. Depending on the connection method and the location of the ‘agent’ (the special software application), ZTNA setups come in two types:

Agent-based (or endpoint-initiated) — requires installing special software on the device which will be used to connect to specific applications.

Service-based (or service-initiated) — is added directly to the network between the user’s device and the accessed application. The special connector often comes with a ZTNA cloud service but can also be deployed on-premises.

This brings us to the two delivery modes in which ZTNA could be deployed:

Standalone — all ZTNA elements in their entirety are deployed and managed by the organization that is using the service. This gives a much broader control over the ZTNA network and makes an organization responsible for cloud maintenance.

As-a-service — an organization is bringing ZTNA access from a ZTNA provider. The service maintenance falls on the provider’s shoulders, while the enterprise can use the already established infrastructure. This simplified approach is optimal for most organizations that don’t want to create everything from scratch.

ZTNA user flow

While the user’s flow can vary depending on the setup model, here’s an approximate ZTNA process chain:

  1. The user initiates an application access request over an established secure channel.
  2. The Zero Trust controller processes the request, received from the user’s endpoint (in an endpoint-initiated setup) or from the network connector (in a service-initiated model), and authenticates the user.
  3. If authentication passes, the user is let through; otherwise, access is denied.
  4. At this stage the Zero Trust controller may apply additional authentication steps such as MFA, device attribute checks, and other data.
  5. If no defense mechanism is triggered, the user is granted access to the specific application.

The process could be repeated for each application or customized in other ways.
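The process chain above, written out as a deny-by-default policy evaluator; this is an added example and not code from the original page or any ZTNA product, and the application policy, device attributes and sample requests are all constructed and hypothetical:

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Constructed per-application policy (hypothetical): entitled roles, step-up MFA, optional location rule.
APP_POLICY = {
    "payroll": {"roles": {"finance"}, "mfa": True, "countries": {"DE", "NL"}},
    "wiki": {"roles": {"finance", "engineering"}, "mfa": False, "countries": None},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    authenticated: bool   # identity verified by the controller (flow step 2)
    managed_device: bool  # device attributes checked in flow step 4
    disk_encrypted: bool
    os_patched: bool
    mfa_passed: bool
    country: str
    app: str

def evaluate(req: AccessRequest) -> tuple[str, str]:
    """Deny by default: every check must pass to reach a per-application 'allow'."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny", "unknown application"           # unpublished apps stay invisible
    if not req.authenticated:
        return "deny", "authentication failed"         # flow step 3
    if req.role not in policy["roles"]:
        return "deny", f"role {req.role} not entitled"
    if not (req.managed_device and req.disk_encrypted and req.os_patched):
        return "deny", "device posture check failed"   # flow step 4
    if policy["mfa"] and not req.mfa_passed:
        return "deny", "MFA required"                  # flow step 4, step-up
    if policy["countries"] and req.country not in policy["countries"]:
        return "deny", f"location {req.country} not allowed"
    return "allow", f"{req.app} only"                  # flow step 5: one app, not the network
# Constructed sample requests: one clean request, then single-factor variations of it.
BASE = AccessRequest("alice", "finance", True, True, True, True, True, "DE", "payroll")
SAMPLES = {
    "clean": BASE,
    "no_mfa": replace(BASE, mfa_passed=False),
    "unpatched": replace(BASE, os_patched=False),
    "abroad": replace(BASE, country="US"),
    "wrong_role": replace(BASE, role="engineering"),
    "wiki_no_mfa": replace(BASE, app="wiki", mfa_passed=False),
}

def run_samples() -> dict[str, str]:
    return {name: evaluate(req)[0] for name, req in SAMPLES.items()}
```

Each application is evaluated separately, so the same user is admitted to the wiki without MFA but refused the payroll application until the step-up check passes.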

ZTNA and VPN

Both ZTNA and VPN are technologies that are used to provide remote access to private networks. The difference is how they operate, and they're also suited to different scenarios.

ZTNA requires both the user and the device to be authenticated. Only then does it grant access, based on specific policies such as the user's role, the device's security posture, location, and other context-aware factors. It also creates individual secure tunnels for specific applications.

Meanwhile, a VPN provides a secure tunnel between a user's device and the internal network. Once connected, a VPN grants access to the entire network, not just specific applications. This also makes it challenging to apply fine-grained controls over individual applications.

All in all, organizations seeking a more modern and robust security posture should turn to ZTNA. Smaller organizations with less complexity and traditional on-premises environments, on the other hand, should turn to VPNs.

ZTNA and SASE

Secure Access Service Edge is a collection of frameworks unifying many cloud-native cybersecurity solutions into a single concept. ZTNA is one-fifth of SASE, while the other four components focus on different areas.

In SASE setups, the ZTNA controller’s function is handed to points of presence (PoPs) located as close as possible to the dispersed user base. Devices connect to PoPs directly and, after being validated, are allowed to request application access. Because the SASE PoPs take over the controller’s role, a separate connector agent isn’t needed.

SASE attempts to create a holistic cybersecurity framework that addresses a much wider scope of online threats. It still has to be deployed, with a plan for how it will be introduced into the existing network that accounts for the hardware in use and legacy device support.

Using a SASE solution de facto means using ZTNA together with the other components SASE entails: SD-WAN, SWG, CASB, and FWaaS.