ZTNA: Zero Trust Network Access

ZTNA: Zero Trust Network Access

What is Zero Trust Network Access (ZTNA)?

Zero Trust Network Access, also known as software-defined perimeter (SDP), is a modern approach to securing access to applications and services both for users in the office and on the road. How ZTNA works is simple: deny everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and data security via micro-segmentation that can limit lateral movement if a breach occurs.

With legacy network solutions based on VPN, authenticated users implicitly gain access to everything on the same subnet. Only a password prevents unauthorized users from accessing a resource. ZTNA flips that paradigm. Users can only “see” the specific applications and resources explicitly permitted by their company’s security policy.

Benefits of ZTNA

ZTNA allows organizations to apply zero trust security to their networks. ZTNA can contribute to several use cases that can help improve an organization’s security posture:

  1. Enabling microsegmentation—ZTNA allows organizations to segment their networks into smaller parts and establish a software-defined security perimeter to protect each part of the network. This approach reduces the attack surface and prevents lateral movement.
  2. Minimizing account breach risk—ZTNA minimizes the damage attackers can cause by compromising a user account. Even if an attacker manages to breach an account, the access level remains restricted, and the attacker cannot move through the network or perform sensitive tasks like privilege escalation.
  3. Mitigating insider threats—traditional security solutions cannot identify or protect against malicious insiders like rogue employees. The zero trust model restricts the damage caused by insider threats by ensuring each user has the least privilege access required. ZTNA also provides visibility to help track malicious insiders.
  4. Obfuscating internal applications—ZTNA makes applications unavailable over the public Internet. This can help protects companies from data leaks, ransomware, and other Internet-based threats.
  5. Securing cloud access—ZTNA allows organizations to restrict access to their applications and cloud environments based on business requirements. Every entity (i.e., user or application) has an assigned role in the ZTNA model, with clearly defined access permissions to use cloud infrastructure.
  6. Supporting compliance—the principle of least privilege enhances compliance with company and industry standards. The organization has more control over how employees use each application and data and can verify that all usage is authorized.

ZTNA Use Cases

ZTNA fits many use cases. Here are some of the most common:

  • VPN Alternative – Connect mobile and remote users more securely than legacy VPN. ZTNA is more scalable, provides one security policy everywhere, works across hybrid IT, and offers more fine-grained access. Gartner projected that by 2023, 60% of enterprises would switch from VPN to ZTNA.
  • Reduce third-party risk – Give contractors, vendors, and other third parties access to specific internal applications — and no more. Hide Sensitive Applications – Render applications “invisible” to unauthorized users and devices. ZTNA can significantly reduce the risk posed by insider threats.
  • Secure M&A integration – ZTNA reduces and simplifies the time and management needed to ensure a successful merger or acquisition and provides immediate value to the business.

Related resources:

How Does ZTNA Work?

ZTNA is not only more secure than legacy network solutions, but it’s designed for today’s business. Legacy networks assumed a secure network perimeter with trusted entities inside, and untrusted entities outside. Today the perimeter is gone. Users work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to address those changes.

With ZTNA, application access can dynamically adjust based on user identity, location, device posture, and more. ZTNA is a cloud-based service that accepts connections from both managed and unmanaged devices, verified identity, and authorizes access to company assets- whether in an on-premises data center or in the cloud.

The 4 Functions of ZTNA

ZTNA performs four essential functions:

  1. Identify – map all systems, applications and resources that users may need to access from remote.
  2. Enforce – define the access conditions policies under which specific individuals can or cannot access specific resources.
  3. Monitor – log and analyze all access attempts of remote users to resources, making sure enforced policies adhere to the business requirements.
  4. Adjust – modify misconfiguration. Either increase access privileges or reduce to support optimal productivity while minimizing risk and exposure.

ZTNA User Flow

The ZTNA user workflow looks like the following:

  1. Over a secure channel, a user connects to and authenticates against a Zero Trust controller (or a controller function). MFA (multi-factor authentication) is used for added security.
  2. The controller implements the necessary security policy, which depending on implementation, could check various device attributes, such as the device certificate and presence of current antivirus, and real-time attributes such as the user’s location.
  3. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity.

Related resources:

How to Implement ZTNA?

There are two primary approaches to implementing ZTNA. One is agent-based and the other is service-based.

Agent-Based ZTNA

In agent-based ZTNA, an agent installed on an authorized device sends information about that device’s security context to a controller. This context typically includes factors such as geographic location, date, and time as well as deeper information such as whether the device is compromised with malware or not. The controller prompts the user on the device for authentication.

After both the user and the device are authenticated, the controller provisions connectivity from the device through a gateway. The gateway shields applications from being accessed directly from the internet and from unauthorized users or devices. The user can only access applications that are explicitly allowed.

The illustration below shows a conceptual model of agent-based ZTNA.

Source: Gartner (April 2019), ID: 386774


Service-Based ZTNA

In service-based ZTNA, a connector installed in the same network as the application establishes and maintains an outbound connection to the provider’s cloud. Users that request access to the application are authenticated by a service in the cloud, which is followed by validation by an identity management product such as a single sign-on tool. Application traffic passes through the provider’s cloud, which provides isolation from direct access and attack via a proxy.

Note that no agent is required on the user’s device, making this a good option to provide connectivity and access to applications from unmanaged devices.

The illustration below shows a conceptual model of service-based ZTNA.

Source: Gartner (April 2019), ID: 386774



With Secure Access Service Edge (SASE) the ZTNA controller function becomes part of the SASE PoP and there’s no need for an SDP connector. Devices connect to the SASE PoP, get validated and users are only given access to those applications (and sites) allowed by the security policy in the SASE Next-Generation Firewall (NGFW).

But ZTNA is only a small part of Secure Access Service Edge (SASE). Once users are authorized and connected to the network, IT leaders still need to protect against network-based threats. They still need the right infrastructure and optimization capabilities in place to protect the user experience. And they still need to manage their overall deployment.

SASE addresses those challenges by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and a private backbone.

Enterprises that leverage SASE receive the benefits of Zero Trust Network Access plus a full suite of network and security solutions, all converged together into a package that is simple to manage, optimized, and highly scalable.

Related resources:

What is Zero Trust Architecture?

Zero trust architecture is a design that implements zero trust principles, namely applying granular access controls and only trusting endpoints that are explicitly granted access to a given resource. Zero Trust Architecture represents a fundamental shift from traditional castle-and-moat solutions such as Internet-based VPN appliances for remote network access. With those traditional solutions, once an endpoint authenticates, they have access to everything on the same network segment and are only potentially blocked by application-level security. Learn more about zero trust architecture and how it works today.

Zero Trust Security and 5 Key Components

Recent changes to the security landscape, such as the transition to remote work and the growth in supply chain attacks, emphasize the need for zero trust. Understand the key drivers of zero trust security, and the main technologies that make up the zero trust security stack.

Zero Trust Network: Why You Need It and 5 Steps to Get Started

In the past, network security was mainly based on defending the perimeter. Systems like firewalls and intrusion detection/prevention systems (IDS/IPS) were deployed at the network edge, and were tasked with stopping intruders from penetrating the network. In a zero trust network, these tools are still used, but are complemented with advanced measures to stop attackers while already inside the corporate network.

Secure the Remote Workforce: Deploying Zero Trust Access

Global Workplace Analytics estimates that 25-30% of the workforce will be working from home multiple days a week by the end of 2021. What does this mean for the remote access worker? Organizations must adjust to make it very quick and easy to give highly secure access to any and all remote workers.

How to Implement Zero Trust: 5 Steps and a Deployment Checklist

A zero trust security model can help enterprises improve security of data and IT resources while gaining extended visibility into their ecosystem. Zero trust implementation typically includes at least five steps, which include adding microsegmentation to the network, adding multi-factor authentication, and validating endpoint devices.

Zero Trust Solutions: 5 Solution Categories and How to Choose

Zero trust solutions are security toolkits that incorporate network access controls and security measures to implement the principle of zero trust, which regards all users and entities as potentially malicious until proven safe. Implementing zero trust networks often requires organizations to combine multiple tools and processes.