What is Zero Trust Network Access (ZTNA)?

Zero trust network access (ZTNA), also known as the software-defined perimeter (SDP), is a set of technologies and functions that give remote users secure access to internal applications. It uses an adaptive trust model: trust is never implicit, and access is granted on a need-to-know, least-privileged basis defined by granular policies. ZTNA gives remote users seamless, secure access to private applications from anywhere without placing those users on the network or exposing the applications to the internet.

“Zero trust security” is a widely used term these days. Zero trust network access (ZTNA) is the strategy behind a successful zero trust model, and many organizations now place zero trust at the top of their priorities.

Zero trust as a philosophy is hard to translate into a roadmap, so ZTNA gives businesses a clear, defined path to follow. ZTNA is one component of the secure access service edge (SASE) security model, which also brings together next-generation firewall (NGFW), SD-WAN, and other services in a cloud-native platform.

How does it work?

While securing a remote workforce has become vital, network-centric solutions such as virtual private networks (VPNs) and firewalls expose an attack surface. ZTNA takes a fundamentally different approach to securing remote access to internal applications, based on four key principles:

  1. It entirely decouples application provisioning from network provisioning. This isolation mitigates network threats, such as infection by compromised devices, by granting access only to users who have been authenticated and authorized for specific applications.
  2. It establishes outbound-only connections, effectively concealing the network and application infrastructure from unauthorized users. IP addresses are never revealed to the internet, creating a “darknet” in which the network cannot be discovered.
  3. Its native application segmentation ensures that access is granted one application at a time once a user is authorized. Authorized users reach only a subset of the network’s applications, never the entire network. Segmentation mitigates the danger of malware and other threats spreading via lateral movement.
  4. It takes a user-to-application approach rather than a network-centric approach to security. The network is deemphasized and the internet becomes the new corporate network, using end-to-end secured TLS micro-tunnels rather than MPLS.

ZTNA is fundamentally distinct from network-centric solutions in terms of architecture. ZTNA is frequently 100 percent software-defined, removing the administrative burden associated with controlling appliances. Additionally, ZTNA enables enterprises to streamline their inbound stacks by eliminating the need for VPNs and VPN concentrators, DDoS protection, global load balancing, and firewall appliances.
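The four principles above describe a trust broker that decides per user, per device and per application, and never hands out network reach. The following Python sketch is an added illustration of such a default-deny decision (it is not code from the original page or from any ZTNA vendor); the policy table, the group names, the device-posture fields and the application names are all constructed for the example, and the posture signals stand in for what an endpoint agent or UEM integration would report in a real deployment.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """Posture signals an endpoint agent or UEM integration would report (constructed fields)."""
    managed: bool
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset[str]
    authenticated: bool      # outcome of the identity provider step, assumed to include MFA
    device: DevicePosture
    application: str         # the request names an application, never a subnet or host


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset[str]
    require_managed_device: bool = True


# Constructed policy table. Each key is one application; there is no entry that grants
# "the network", which is the segmentation property principle 3 describes.
POLICIES: dict[str, AppPolicy] = {
    "hr-portal": AppPolicy(frozenset({"hr", "it-admins"})),
    "finance-db": AppPolicy(frozenset({"finance"})),
    "wiki": AppPolicy(frozenset({"employees", "contractors"}), require_managed_device=False),
}


def evaluate(req: AccessRequest, policies: dict[str, AppPolicy] = POLICIES) -> tuple[bool, str]:
    """Default-deny decision for one user/device/application triple: any missing condition denies."""
    if not req.authenticated:
        return False, "identity not verified"
    policy = policies.get(req.application)
    if policy is None:
        # An unknown application stays dark: the broker has nothing to connect to,
        # and there is no fallback to network-level access.
        return False, f"no policy for application {req.application!r}"
    if not (req.groups & policy.allowed_groups):
        return False, "user not authorized for this application"
    if policy.require_managed_device and not req.device.managed:
        return False, "unmanaged device not permitted for this application"
    if not (req.device.disk_encrypted and req.device.os_patched):
        return False, "device posture check failed"
    return True, "brokered session to application"


def reachable_applications(user: str, groups: frozenset[str], device: DevicePosture,
                           authenticated: bool = True,
                           policies: dict[str, AppPolicy] = POLICIES) -> list[str]:
    """Applications this user could be brokered to; a VPN would have exposed the whole network."""
    return sorted(app for app in policies
                  if evaluate(AccessRequest(user, groups, authenticated, device, app), policies)[0])


if __name__ == "__main__":
    managed = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
    print(reachable_applications("alice", frozenset({"hr", "employees"}), managed))
```

The design point is that every branch in `evaluate` denies: a user who is authenticated but not in an application’s group, or who is in the group but on an unmanaged or unpatched device, gets no session, and `reachable_applications` shows that the same user on a weaker device sees a smaller set of applications rather than a broader network.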

There are two primary architecture models for ZTNA. The next section discusses the service-initiated ZTNA architecture. For further information, consult Gartner’s ZTNA Market Guide.

Use Cases

VPN alternatives

VPNs are cumbersome and slow for users, provide inadequate security, and are difficult to operate, which is why businesses want to reduce or remove their dependency on them. According to Gartner, “by 2023, 60% of companies will have phased out the majority of their remote access VPNs in favor of ZTNA.”

Secure multiple cloud access

Securing hybrid and multicloud access is the most common ZTNA entry point for enterprises. As more businesses adopt cloud applications and services, 37% of them are turning to ZTNA for multicloud security and access control.

Reduced risk to third parties

The majority of third-party users have elevated privileges and access applications primarily from unmanaged devices, both of which introduce risk. ZTNA considerably reduces third-party risk by ensuring that external users never obtain network access and that only authorized users reach the applications they are permitted to use.

Accelerated integration

Integration can take years during conventional mergers and acquisitions as firms converge networks and deal with overlapping IP address ranges. ZTNA significantly reduces and simplifies the time and management required to complete a successful M&A transaction, while delivering immediate benefit to the business.

Considerations

  • Does the vendor require the installation of an endpoint agent? Which operating systems are supported? Which mobile devices? How well does the agent coexist with other agents on the device? Nota bene: ZTNA technologies that do not support clientless use frequently cannot support use cases involving unmanaged devices (e.g., third-party access, BYOD).
  • Is the offering limited to web applications, or can legacy (data center) applications benefit from the same level of security?
  • Certain ZTNA products are available in part or in whole as cloud-based services. Is this consistent with the organization’s security and data residency policies? Nota bene: Gartner suggests that companies prefer providers that offer ZTNA as a service, as these are easier to deploy, more available, and offer enhanced protection against DDoS attacks.
  • Is partial or complete cloaking of the isolated application (that is, forbidding rather than allowing inbound connections) required for its security?
  • Which authentication standards does the trust broker support? Can it integrate with an on-premises directory or a cloud-based identity service? Does the trust broker integrate with the organization’s existing identity provider?
  • How geographically diversified are the vendor’s worldwide entry and exit points (also known as edge locations or points of presence)?
  • Does the trust broker remain in the data path after the user and device have been authenticated?
  • Is the solution integrated with third-party unified endpoint management (UEM) providers, or can the local agent use device health and security posture to make access decisions? With which UEM vendors has the ZTNA vendor partnered?