Zero Trust Network Access (ZTNA) is a category of technologies that provides secure remote access to applications and services based on defined access control policies. Unlike VPNs, which grant complete access to a LAN, ZTNA solutions default to deny, providing only the access to services the user has been explicitly granted. It is important to understand the security gaps and benefits ZTNA solutions can provide organizations as more remote users join the network.
With ZTNA, access is established after the user has been authenticated to the ZTNA service. The ZTNA service then provisions access to the application on the user’s behalf through a secure, encrypted tunnel. This provides an added layer of protection for corporate applications and services by shielding otherwise publicly visible IP addresses.
Like software-defined perimeters (SDP), ZTNA leverages the concept of a dark cloud, preventing users from seeing any applications and services that they don’t have permission to access. This introduces protection against lateral attacker movement, where a compromised endpoint or credentials would otherwise permit scanning and pivoting to other services.
VPNs were designed to grant complete access to a LAN, offering a private, encrypted tunnel for remote employees to connect to the corporate network. While this may seem like a practical solution, VPN unfortunately lacks the flexibility and granularity to control and see exactly what users can do and which apps they can access. Once a user is granted access, they can access anything on the network, leading to security gaps and policy enforcement problems.
ZTNA, on the other hand, provides secure remote access to applications based on granular access control policies. It offers continuous checks on users as they connect to their apps, instead of the “once verified you are in” approach that VPNs take. Thus, ZTNA provides a “never trust, always verify” least-privilege approach, constantly vetting user, device and app behavior throughout a user’s session.
A key area of focus for many organizations today is replacing outdated VPN technologies that deliver network access to their remote and hybrid workforces with a more modern ZTNA solution that overcomes performance bottlenecks and simplifies management. Typically these VPN replacement initiatives are driven by a number of factors:
VPN solutions were not designed for the rapid scale, high-performance and consistent delivery of advanced security services now required to securely connect hybrid users to the plethora of applications they now require to get their jobs done. Thus, organizations have started replacing outdated VPN deployments with ZTNA solutions.
Identity-based authentication and access control found in ZTNA services provide an alternative to the IP-based access control typically used with most VPN configurations, which helps reduce an organization’s attack surface. ZTNA also allows organizations to implement location- or device-specific access control policies to prevent unpatched or vulnerable devices from connecting to corporate services. This alleviates common VPN-related challenges where BYOD remote users are granted the same level of access as users at a corporate office, despite the fact that they often have fewer security controls in place. Some agent-based ZTNA solutions provide a pre-authentication trust assessment of the connecting user and device, including device posture, authentication status and user location. However, the rapid shift to remote and hybrid work, coupled with the rapid rise in cloud adoption, has exposed significant gaps in initial, or 1.0, iterations of ZTNA.
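The access model described in the preceding paragraphs (default deny, the “dark cloud” catalogue, identity- and device-posture-based rules rather than IP-based rules, and continuous re-verification during a session instead of a one-time VPN check) can be made concrete with a small policy broker. The following Python is an added illustration, not code from the original page or from any vendor’s product; the apps, groups, posture fields and thresholds in it are constructed for the example.

```python
"""Toy ZTNA policy broker (constructed example, not any vendor's product).

Demonstrates:
  * default deny: an app with no rule is never reachable or even listed;
  * identity + device posture + location rules instead of IP-based access;
  * continuous verification: each request is re-evaluated against the
    current context, so a posture change mid-session revokes access.
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DevicePosture:
    managed: bool          # enrolled in the organisation's device management
    patch_age_days: int    # days since the last OS patch was applied
    disk_encrypted: bool


@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset      # identity-provider group memberships
    mfa_verified: bool
    country: str
    device: DevicePosture


@dataclass(frozen=True)
class Rule:
    app: str
    allowed_groups: frozenset
    max_patch_age_days: int = 30
    require_managed: bool = True
    allowed_countries: Optional[frozenset] = None   # None = no geo restriction


# Constructed policy: only these apps can ever be reached through the broker.
POLICY = (
    Rule("payroll", frozenset({"finance"}), max_patch_age_days=14,
         allowed_countries=frozenset({"US", "CA"})),
    Rule("wiki", frozenset({"staff", "contractors"}), require_managed=False),
    Rule("git", frozenset({"engineering"})),
)


def _rule_for(app: str) -> Optional[Rule]:
    return next((r for r in POLICY if r.app == app), None)


def evaluate(app: str, ctx: Context) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything unknown is denied."""
    rule = _rule_for(app)
    if rule is None:
        return False, "no rule for app (default deny)"
    if not ctx.mfa_verified:
        return False, "MFA not verified"
    if not (ctx.groups & rule.allowed_groups):
        return False, "user not in an allowed group"
    if rule.require_managed and not ctx.device.managed:
        return False, "unmanaged device"
    if ctx.device.patch_age_days > rule.max_patch_age_days:
        return False, f"device unpatched for {ctx.device.patch_age_days}d"
    if not ctx.device.disk_encrypted:
        return False, "disk not encrypted"
    if rule.allowed_countries and ctx.country not in rule.allowed_countries:
        return False, f"location {ctx.country} not permitted"
    return True, "all checks passed"


def visible_apps(ctx: Context) -> Set[str]:
    """'Dark cloud': the catalogue lists only apps the user can reach right now."""
    return {r.app for r in POLICY if evaluate(r.app, ctx)[0]}


def vpn_style_access(ctx: Context, lan_hosts: Set[str]) -> Set[str]:
    """Contrast: a VPN verifies identity once and then exposes the whole LAN."""
    return set(lan_hosts) if ctx.mfa_verified else set()


def session(ctx: Context, requests: Iterable[Tuple[str, Optional[dict]]]) -> List[Tuple[str, bool, str]]:
    """Continuous verification: every request is judged on the context as it is now.

    `requests` yields (app, context_update) pairs; a non-empty update mimics a
    fresh posture report arriving mid-session. Returns an audit log of decisions.
    """
    log = []
    for app, update in requests:
        ctx = replace(ctx, **update) if update else ctx
        allowed, reason = evaluate(app, ctx)
        log.append((app, allowed, reason))
    return log


if __name__ == "__main__":
    healthy = DevicePosture(managed=True, patch_age_days=3, disk_encrypted=True)
    alice = Context("alice", frozenset({"staff", "finance"}), True, "US", healthy)
    print("visible to alice:", sorted(visible_apps(alice)))
    stale = replace(healthy, patch_age_days=40)
    for entry in session(alice, [("payroll", None),
                                 ("payroll", {"device": stale}),
                                 ("hr-db", None)]):
        print(entry)
    print("a VPN would expose:", sorted(vpn_style_access(alice, {"payroll", "wiki", "git", "hr-db"})))
```

Two design points matter for detection and response: the broker returns a reason with every denial, so the audit log records why a mid-session request was refused (here, a posture report showing an unpatched device), and `visible_apps` is derived from the same `evaluate` function, so the catalogue can never advertise something the policy would reject.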
Zero Trust Network Access 2.0 overcomes the limitations of legacy ZTNA solutions, providing secure connections to deliver better security outcomes for businesses with hybrid workforces. ZTNA 2.0 delivers:
The biggest shift seen in networking and security over the past 24 months has been that work is no longer a place we go to but rather an activity we perform. Hybrid work is our new normal, which means our apps and users are now everywhere and anywhere, dramatically increasing our attack surface. In parallel, we’ve also seen an increase in the sophistication and volume of cyberattacks attempting to take advantage of this massively increased attack surface.
Current ZTNA 1.0 solutions only solve some of the problems associated with direct-to-app access. In particular, ZTNA 1.0 solutions:
Like SDP, however, ZTNA does not provide inline inspection of user traffic from the application after the user establishes a connection. This can lead to potential security issues when a user’s device or credentials become compromised or in the case of a malicious insider who uses their access to a resource to disrupt the application or host.
Secure access service edge (SASE) is the convergence of wide area networking, or WAN, and security services in a cloud-delivered services “edge” designed to help organizations modernize their networking and security infrastructures to accommodate the needs of hybrid environments and hybrid workforces. SASE solutions consolidate multiple point products, including ZTNA, Cloud SWG, CASB, FWaaS, and SD-WAN, into a single integrated service, reducing network and security complexity while increasing organizational agility.
There are many ways to start the SASE journey, and ZTNA is one of them. Secure access service edge (SASE) solutions that incorporate ZTNA 2.0 identity-based authentication and granular access control capabilities provide a more complete, holistic approach.
ZTNA differs from traditional Virtual Private Networks (VPNs) in several ways:
The key components of a ZTNA solution include:
The benefits of implementing ZTNA include:
Organizations can transition to a Zero Trust Network Access model by following these steps: