Zero trust network access (ZTNA) gives security teams a modern answer to the way businesses now operate and the way their assets are accessed. However, organizations should be aware that not all ZTNA solutions are equal.
A common approach is to use a secure access service edge (SASE) platform that provides granular, adaptive, and context-aware policies for securely connecting to private applications hosted across multiple clouds or data centers from remote locations and devices.
What Is ZTNA?
Zero Trust Network Access (ZTNA) is an architecture that replaces traditional VPN infrastructure by providing users with direct connectivity to applications via secure tunnels. It is a cybersecurity best practice and offers several key advantages over conventional security technologies such as VPNs.
Most remote work tools expose enterprises to more risk than they need to function. This is because users connect from unsupervised networks using personal devices that cannot be fully validated as secure. ZTNA mitigates these risks by granting access only to the applications a user needs to do their job. It also hides application infrastructure from the public internet, creating a “dark cloud” that is almost impossible to scan for services and reduces the attack surface available to attackers.
The architecture provides access through an agent or client installed on authorized devices, which shares the device’s security context with a ZTNA service. The service then provisions connectivity from the device to the applications over a secure tunnel, and only for verified users. This lets enterprises reduce their attack surface and increase security resilience while keeping users productive.
The process relies on continuous verification of the user, the device’s identity and type, and the device’s security posture. Connections are initiated outbound from the agent or connector, so no inbound ports are exposed and internal services cannot be reached directly from the public internet. ZTNA is often implemented as part of a larger digital transformation project that replaces traditional VPNs with SD-WAN or Secure Access Service Edge (SASE) technology.
What Are the Benefits of ZTNA?
With Zero Trust, administrators can easily control who can access which resources. This is especially valuable for modern organizations that rely heavily on remote and hybrid work. Administrators can limit third parties such as contractors or suppliers to only the access they need to do their jobs, for only as long as necessary.
ZTNA can also improve network visibility. It can include parameters such as application log-in timestamps, device security posture, and more in its analysis of user behavior to detect anomalies, giving administrators more context for evaluating what is happening on the network. It can also provide more control and protection against attacks such as malware by enforcing policies such as requiring multi-factor authentication on personal devices or rejecting connection requests from unpatched devices.
Lastly, it can protect data and applications even when they reside outside the organization’s network, an increasingly common scenario in today’s multi-cloud environments. This can be accomplished through micro-segmentation or an agent-based system that verifies the user and their device, then routes them to a secure gateway that shields those applications from the internet.
In addition, a zero-trust solution integrated into a holistic SASE or ZTNA architecture can be easier to deploy, use, and manage. It can also be integrated with other technologies such as next-generation endpoint protection, cloud security, and MDR to offer full, unified, and easy-to-use protection, detection, and response across the enterprise.
What Are the Challenges of ZTNA?
Unlike traditional security solutions, zero trust verifies each connection and only allows access to internal resources after validating identity and context. This approach prevents unauthorized devices, users, and threats from gaining entry to the network and spreading across the organization. It also protects organizations from the financial and reputational damage caused by security breaches.
However, implementing ZTNA requires an organizational shift in security mindset and practices. It can also involve a change in infrastructure to support the solution. For example, companies need to move from a perimeter-based security model to one that provides an inbound gateway for each user and a secure tunnel to internal applications. They must also deploy and enforce a continuous verification system.
The most significant challenge with ZTNA is the change in how IT teams manage security. Traditional solutions assume that devices and users are trustworthy. This assumption can be false, especially for BYOD devices. It is important to understand the risks of this assumption and mitigate them with policies that verify and validate identity through multiple methods.
Another challenge with zero trust is that it requires an up-front investment in software, infrastructure, and training. However, many organizations can save money in the long run by moving to a zero-trust strategy. They can do this by replacing expensive hardware such as VPN concentrators, DDoS protection appliances, and global load-balancing appliances with a service-initiated Zero Trust approach that delivers the same functionality through cloud services.
What Are the Solutions for ZTNA?
Zero trust solutions can be deployed in various ways, depending on the organization’s security and networking needs. They can be implemented as a standalone solution inserted into the existing network ecosystem, or used to replace VPNs in a larger transformation project that also upgrades to SD-WAN or Software Defined Perimeter (SDP).
Regardless of deployment method, ZTNA solutions should provide centralized control and visibility, enabling administrators to monitor all applications, assets, and users in a single dashboard. The security controls should include account-compromise mitigation, such as preventing connection attempts from unpatched devices and ensuring that users are authenticated using a trusted identity.
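The policy checks described above (user identity from an IdP with MFA, device posture reported by the endpoint agent, per-application entitlements, and continuous re-verification of an open session) can be made concrete with a small policy decision point. The following is an added example written for this page; it is not code from any ZTNA vendor or from the original article. All class names, policy fields, and the sample users, devices, and applications are constructed assumptions for illustration.

```python
"""
Added example, not from the original article: a minimal ZTNA-style policy
decision point. It is default-deny, evaluates identity + device posture +
per-application policy, only "lights up" the applications a user is entitled
to (everything else stays dark), and re-checks an open session when the
agent reports fresh posture. All names and sample data are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset        # group claims as asserted by the IdP / SSO
    mfa_verified: bool       # strong authentication completed this session


@dataclass(frozen=True)
class DevicePosture:
    managed: bool            # enterprise-enrolled device vs. personal / BYOD
    patched: bool            # OS and patch level meet the baseline
    disk_encrypted: bool


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: frozenset
    require_managed: bool = False   # personal devices never reach this app
    require_patched: bool = True    # unpatched devices are rejected


# Constructed sample policies: least privilege per application.
POLICIES = {
    "hr-portal": AppPolicy("hr-portal", frozenset({"hr", "admins"}), require_managed=True),
    "wiki": AppPolicy("wiki", frozenset({"staff", "contractors", "hr", "admins"})),
    "prod-db-console": AppPolicy("prod-db-console", frozenset({"admins"}), require_managed=True),
}


def evaluate(identity, posture, app, policies=POLICIES):
    """Return (Decision, reasons). Any failed check, or an unknown app, denies."""
    policy = policies.get(app)
    if policy is None:
        return Decision.DENY, ["unknown application; default deny"]
    reasons = []
    if not identity.mfa_verified:
        reasons.append("MFA not completed")
    if not (identity.groups & policy.allowed_groups):
        reasons.append(f"user not entitled to {app}")
    if policy.require_managed and not posture.managed:
        reasons.append("managed device required")
    if policy.require_patched and not posture.patched:
        reasons.append("device not patched to baseline")
    if not posture.disk_encrypted:
        reasons.append("disk encryption required")
    if reasons:
        return Decision.DENY, reasons
    return Decision.ALLOW, []


def authorized_apps(identity, posture, policies=POLICIES):
    """Apps the broker will offer a tunnel for; all others stay invisible (dark)."""
    return sorted(app for app in policies
                  if evaluate(identity, posture, app, policies)[0] is Decision.ALLOW)


@dataclass
class Session:
    identity: Identity
    app: str
    posture: DevicePosture
    active: bool = True


def open_session(identity, posture, app):
    """Broker a tunnel only after a full ALLOW; returns (Session or None, reasons)."""
    decision, reasons = evaluate(identity, posture, app)
    if decision is Decision.DENY:
        return None, reasons
    return Session(identity, app, posture), reasons


def refresh_session(session, new_posture):
    """Continuous verification: the agent reports fresh posture; a failed check
    tears the tunnel down instead of trusting the original login forever."""
    decision, reasons = evaluate(session.identity, new_posture, session.app)
    session.posture = new_posture
    session.active = decision is Decision.ALLOW
    return session.active, reasons


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"admins"}), mfa_verified=True)
    bob = Identity("bob", frozenset({"contractors"}), mfa_verified=True)
    managed = DevicePosture(managed=True, patched=True, disk_encrypted=True)
    byod = DevicePosture(managed=False, patched=True, disk_encrypted=True)
    print("alice/managed sees:", authorized_apps(alice, managed))
    print("bob/byod sees:", authorized_apps(bob, byod))
    session, _ = open_session(alice, managed, "hr-portal")
    print("after patch lapse:", refresh_session(session, DevicePosture(True, False, True)))
```

The design point worth noting is that the same `evaluate` function serves both the initial connection and every later posture refresh, so a device that drifts out of compliance mid-session loses its tunnel rather than keeping the trust it was granted at login. Real products add context the page mentions (log-in timestamps, geolocation, behavioural anomalies) as further inputs to the same decision.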
In addition to reducing the attack surface and risk, Zero Trust Network Access solutions should eliminate the need for MPLS connections by connecting users directly to applications via encrypted tunnels. ZTNA can be implemented with either an agent on the endpoint or a service-based gateway that communicates with the IdP or SSO to authenticate users, determine privileges, and create a context-based access policy.
Many IT decision-makers still need help understanding how ZTNA is a cybersecurity best practice that doesn’t require significant changes to the current network architecture. Opposition is typically centered on specific scenarios the new solution does not address. Still, IT leaders can counter these objections by explaining how the solution will reduce complexity and cost while enhancing security.