Zero Trust Network Access (ZTNA) is an IT security solution that provides secure remote access to an organization’s applications, data, and services based on clearly defined access control policies. ZTNA differs from virtual private networks (VPNs) in that it grants access only to specific services or applications, whereas a VPN grants access to an entire network. As an increasing number of users access resources from home or elsewhere, ZTNA solutions can help eliminate gaps in other secure remote access technologies and methods.
When ZTNA is in use, access to specific applications or resources is granted only after the user has been authenticated to the ZTNA service. Once authenticated, the ZTNA service then grants the user access to the specific application over a secure, encrypted tunnel, which offers an extra layer of protection by shielding applications and services from IP addresses that would otherwise be visible.
In this manner, ZTNAs act very much like software-defined perimeters (SDPs), relying on the same ‘dark cloud’ idea to prevent users from having visibility into any applications and services they are not permitted to access. This also offers protection against lateral movement, since even if an attacker gained access, they would not be able to scan the network to locate other services.
Authentication and Access – The primary use for ZTNA is to provide a highly granular access mechanism based on a user’s identity. Where IP-based VPN access offers broad access to a network once authorized, ZTNA offers limited, granular access to specific applications and resources. ZTNA can provide more levels of security with location- or device-specific access control policies, which can keep unwanted or compromised devices from accessing the organization’s resources.
This access can be contrasted with some VPNs that offer employee-owned devices the same access privileges that on-premises admins are granted.
Holistic control and visibility – Since ZTNA does not inspect user traffic after authentication, there could be an issue if a malicious employee uses their access for nefarious purposes, or if a user’s credentials are lost or stolen. By incorporating ZTNA into a secure access service edge (SASE) solution, an organization can benefit from the security, scalability, and network capabilities needed for secure remote access, as well as post-connection monitoring to prevent data loss, malicious action, or compromised user credentials.
ZTNA offers a way to connect users, applications, and data even when they do not reside on the organization’s network, a scenario increasingly common in today’s multi-cloud environments, where microservices-based applications can reside on multiple clouds as well as on-premises. Modern organizations need to have their digital assets available anywhere, anytime, from any device, to a distributed user base.
ZTNA fills this need by offering the granular, context-aware access for business-critical applications, without having to expose other services to possible attackers.
The ZTNA model was coined by Gartner to help eliminate the granting of excessive trust to employees, contractors, and other users who only need very limited access. The model expresses the concept that nothing is to be trusted until proven trustworthy and, more importantly, that trust must be re-established through reauthentication whenever anything about the connection (location, context, IP address, etc.) changes.
There are several differences between VPNs and ZTNA. Primarily, VPNs are designed to offer network-wide access, where ZTNAs grant access to specific resources and require reauthentication frequently.
Some shortcomings of VPNs when compared to ZTNAs are:
Resource utilization – As the number of remote users grows, the load on the VPN can lead to unexpectedly high latency and can demand new resources be added to the VPN to meet growing demand or peak usage times. This can also strain manpower for the IT organization.
Flexibility and Agility – VPNs do not offer the granularity of ZTNA. Additionally, it can be challenging to install and configure VPN software on all the end user devices that need to be connected to enterprise resources. Conversely, with ZTNA it is much easier to add or remove security policies and user authorizations based on users’ immediate business needs. ABAC (attribute-based access control) and RBAC (role-based access control) in ZTNAs simplify this task.
Granularity – Once within a VPN perimeter, a user gains access to the entire system. ZTNAs take the opposite approach, granting no access at all, unless an asset – application, data, or service – is specifically authorized for that user.
In contrast to VPNs, ZTNAs provide continuous identity verification. Each user and each device is verified and authenticated before being granted access to specific applications, systems, or other assets.
VPNs and ZTNAs can be used in combination with each other, for example to strengthen security on a particularly sensitive network segment, providing an extra security layer should the VPN be compromised.
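The default-deny, per-application, context-aware policy model described in the points above, as an added illustration that is not part of the original article: a small ABAC/RBAC-style authorization check, an application catalogue that shows a user only the assets they are authorized for (the ‘dark cloud’ idea), and a session object that demands re-verification when location, device posture or IP address changes. All application names, roles and attribute values are constructed for the example.

```python
from dataclasses import dataclass
from hashlib import sha256

# Constructed policy: for each application, the roles permitted (RBAC) and the
# device/location attributes required (ABAC). Apps not listed are never reachable.
APP_POLICY = {
    "payroll": {"roles": {"finance"}, "managed_device": True, "countries": {"US"}},
    "wiki":    {"roles": {"finance", "engineering"}, "managed_device": False, "countries": None},
    "git":     {"roles": {"engineering"}, "managed_device": True, "countries": None},
}

@dataclass(frozen=True)
class Context:
    user: str
    roles: frozenset
    managed_device: bool   # device posture: corporate-managed vs BYOD
    country: str           # derived location
    ip: str

    def fingerprint(self) -> str:
        """Hash of the attributes whose change must force reauthentication."""
        raw = f"{self.user}|{self.managed_device}|{self.country}|{self.ip}"
        return sha256(raw.encode()).hexdigest()

def authorize(ctx: Context, app: str) -> bool:
    """Default deny: grant only when an explicit rule for this app is fully satisfied."""
    rule = APP_POLICY.get(app)
    if rule is None:
        return False
    if not (ctx.roles & rule["roles"]):
        return False
    if rule["managed_device"] and not ctx.managed_device:
        return False
    if rule["countries"] is not None and ctx.country not in rule["countries"]:
        return False
    return True

def visible_apps(ctx: Context) -> list:
    """The user is shown only the apps they may reach; everything else stays dark."""
    return sorted(app for app in APP_POLICY if authorize(ctx, app))

class Session:
    """A granted tunnel to exactly one app, bound to the context it was issued under."""
    def __init__(self, ctx: Context, app: str):
        if not authorize(ctx, app):
            raise PermissionError(f"{ctx.user} is not authorized for {app}")
        self.app = app
        self.fingerprint = ctx.fingerprint()

    def still_valid(self, current: Context) -> bool:
        """Any change in location, device posture or IP invalidates the session."""
        return current.fingerprint() == self.fingerprint and authorize(current, self.app)
```

A real ZTNA controller would source the roles and device posture from an identity provider and an endpoint agent rather than from literals, but the decision logic is the same.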
There are two approaches to ZTNA implementation: endpoint-initiated and service-initiated.
As the name implies, in an endpoint-initiated zero trust network architecture the user initiates access to an application from an endpoint connected device, similarly to an SDP. An agent installed on the device communicates with the ZTNA controller, which provides authentication and connects to the desired service.
Conversely, in a service-initiated ZTNA, the connection is initiated by a broker between application and user. This requires a lightweight ZTNA connector to sit in front of the business applications, which may be located either on-premises or at cloud providers. Once the outbound connection from the requested application authenticates the user or other application, traffic flows through the ZTNA service provider, isolating applications from direct access via a proxy. The advantage here is that no agent is required on end user devices, making it more attractive for unmanaged or BYOD devices used for consultant or partner access.
There are also two delivery models for zero trust network access: Stand-alone ZTNA or ZTNA as a service. Here are the major differences:
Stand-alone ZTNA requires the organization to deploy and manage all elements of the ZTNA, which sits at the edge of the environment (cloud or data center) brokering secure connections. Although this fits in well with organizations that are cloud-averse, deployment, management, and maintenance become added burdens.
With ZTNA as a cloud-hosted service, organizations can take advantage of the cloud provider’s infrastructure for everything from deployment to policy enforcement. In this case the organization simply acquires user licenses, deploys connectors in front of secured applications, and lets the cloud provider/ZTNA vendor deliver the connectivity, capacity, and infrastructure. This simplifies management and deployment, and cloud-delivered ZTNA can ensure that the optimal traffic path is selected for the lowest latency for all users.
Gartner estimates that over 90 percent of organizations are implementing ZTNA as a service.