ZTNA: Zero Trust Network Access

What is ZTNA (Zero Trust Network Access)?

Zero Trust Network Access, also known as software-defined perimeter (SDP), is a modern approach to securing access to applications and services both for users in the office and on the road. How ZTNA works is simple: deny everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and micro-segmentation that can limit lateral movement if a breach occurs.

By contrast, once legacy network solutions authenticate users, they implicitly gain access to everything on the same subnet. Only a password prevents unauthorized users from accessing a resource. ZTNA flips that paradigm. Users can only “see” the specific applications and resources explicitly permitted by their company’s security policy.

 

How ZTNA works

 

ZTNA is not only more secure than legacy network solutions, but it’s designed for today’s business. Legacy networks assumed a fixed perimeter. A stack of security applications kept inappropriate external traffic out of the network. Fixed perimeters today, though, are both vulnerable and ineffective. Users work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more.

 

How ZTNA works

 

 

ZTNA vs SDP

The terms ZTNA and SDP are used interchangeably today. The concepts are closely related.

A Software-Defined Perimeter (SDP) provides an integrated security architecture that is otherwise hard to achieve with existing security point products. According to the Cloud Security Alliance, SDP is agnostic of the underlying IP-based infrastructure and secures all connections using that infrastructure.

In theory, SDP does not have to adhere to Zero Trust principles — deny all unless otherwise authorized. In practice, all SDP solutions today are Zero Trust solutions.

How Does ZTNA Work?

A robust Zero Trust Architecture should perform four essential functions:

  • Identify involves inventory and categorization of systems, software, and other resources. This stage enables baselines to be set for anomaly detection.
  • Protect involves the handling of authentication and authorization. The protect function covers the verification and configuration of the resource identities that zero trust is based upon, and integrity checking for software, firmware, and hardware.
  • Detect deals with identifying anomalies and other network events. The key here is continuous, real-time monitoring to proactively detect potential threats.
  • Respond handles the containment and mitigation of threats once they are detected.

These four functions are coupled with granular application-level access policies set to default-deny. The result is a workflow that looks like the following:

  1. Over a secure channel, a user connects to and authenticates against a Zero Trust controller (or a controller function). MFA (multi-factor authentication) is used for added security.
  2. The controller implements the necessary security policy, which depending on implementation, could check various device attributes, such as the device certificate and presence of current antivirus, and real-time attributes such as the user’s location.
  3. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity.

What are the Use Cases of ZTNA?

ZTNA fits many use cases. Here are some of the most common:

Deploy a VPN Alternative – Connect mobile and remote users more securely than legacy VPN. ZTNA is more scalable, provides one security policy everywhere, works across hybrid IT, and offers more fine-grained access. Gartner’s Market Guide for Zero Trust Network Access (ZTNA) projected that by 2023, 60% of enterprises would phase out VPN and use ZTNA instead. To learn more, read about securing your remote workforce with ZTNA.

Reduce the Risk of Third-Party Access – Give contractors, vendors, and other third parties access to specific internal applications — and no more.

Reduce the Risk from the Internet of Things (IoT) – Create secure silos for IoT devices, preventing IoT vulnerabilities from compromising the rest of the network.

Hide Highly Sensitive Applications from View – Rendering applications “invisible” to unauthorized users and devices enables ZTNA to reduce the risk posed by insider threats.

Facilitate M&A integration – ZTNA reduces and simplifies the time and management needed to ensure a successful merger or acquisition and provides immediate value to the business.

How to Implement ZTNA?

There are two primary approaches to implementing ZTNA. One is client-initiated and the other is service-initiated.

In client-initiated ZTNA, an agent installed on an authorized device sends information about that device’s security context to a controller. This context typically includes factors such as geographic location, date, and time as well as deeper information such as whether the device is compromised with malware or not. The controller prompts the user on the device for authentication. After both the user and the device are authenticated, the controller provisions connectivity from the device through a gateway such as a next-generation firewall capable of enforcing multiple security policies. The gateway shields applications from being accessed directly from the internet and protects them from distributed denial of service attacks. The user can only access applications that are explicitly allowed.

An artifact remains in the data path – which is encrypted end-to-end – once the controller establishes connectivity in order to provide a periodic posture assessment to the trust broker (controller).

The illustration below shows a conceptual model of client-initiated ZTNA.

conceptual model of client-initiated ZTNA.

Source: Gartner (April 2019), ID: 386774

 

In service-initiated ZTNA, a connector installed in the same network as the application establishes and maintains an outbound connection to the provider’s cloud. Users that request access to the application are authenticated by a service in the cloud, which is followed by validation by an identity management product such as a single sign-on tool. Application traffic passes through the provider’s cloud, which provides isolation from direct access and attack via a proxy.

Note that no agent is required on the user’s device, making this a good option to provide connectivity and access to applications from unmanaged devices.

The illustration below shows a conceptual model of service-initiated ZTNA.

conceptual model of service-initiated ZTNA.

Source: Gartner (April 2019), ID: 386774

ZTNA and SASE

With SASE the SDP controller function becomes part of the SASE PoP and there’s no need for an SDP connector. Devices connect to the SASE PoP, get validated and users are only given access to those applications (and sites) allowed by the security policy in the SASE Next-Generation Firewall (NGFW) and Secure Web Gateway (SWG).

But ZTNA is only a small part of Secure Access Service Edge (SASE). Once users are authorized and connected to the network, IT leaders still need to protect against network-based threats. They still need the right infrastructure and optimization capabilities in place to protect the user experience. And they still need to manage their overall deployment.

SASE addresses those challenges by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation. Enterprises that leverage SASE receive the benefits of Zero Trust Network Access plus a full suite of network and security solutions, all converged together into a package that is simple to manage, optimized, and highly scalable. See how simple setting up ZTNA is by watching our demo on how to configure ZTNA.

Read more about the ZTNA capabilities of SASE.

What is Zero Trust Architecture?

Zero trust architecture is a design that implements zero trust principles, namely applying granular access controls and only trusting endpoints that are explicitly granted access to a given resource. Zero Trust Architecture represents a fundamental shift from traditional castle-and-moat solutions such as Internet-based VPN appliances for remote network access. With those traditional solutions, once an endpoint authenticates, they have access to everything on the same network segment and are only potentially blocked by application-level security. Learn more about zero trust architecture and how it works today.

Learn More

Explaining the Zero Trust Framework

A zero trust network enforces a zero trust security model, where access to corporate resources is granted or denied on a case-by-case basis driven by role-based access controls. We explain how developing a zero trust network is a multi-stage process, including identifying a “protect surface,” determining how the network works, and deploying micro-segmentation to enforce zero-trust policies.

Learn More

Zero Trust Principles: What is Zero Trust Security?

Zero trust has become a well-known buzzword due to its ability to improve corporate cybersecurity and network visibility. Zero trust is based on the principle that access to corporate assets should only be granted to legitimate users on a case-by-case basis. We take a look at the core principles of zero trust and how to implement a zero trust strategy within your organization.

Learn More

Secure the Remote Workforce: Deploying Zero Trust Access

Global Workplace Analytics estimates that 25-30% of the workforce will be working from home multiple days a week by the end of 2021. What does this mean for the remote access worker? Organizations must adjust to make it very quick and easy to give highly secure access to any and all remote workers.

Learn More

The Gartner ZTNA Market Guide for Secure Access

With the shift to work from home (WFH) there’s been a lot of talk about VPN and its successor, zero trust network access (ZTNA). But ZTNA is in fact far broader than “just” more secure remote access for your workforce. It describes a whole new access paradigm that’s key to SASE and reflects the changes to today’s business.

Gartner detailed the ZTNA paradigm shift in its updated Market Guide for Zero Trust Network Access. The 18-page document provides an excellent overview of ZTNA technology, where it’s headed, the risks and the opportunities.

Learn More

FAQ

  • What is Zero Trust Network Access (ZTNA)?

    Zero Trust Network Access is a modern approach to securing access to applications and services. ZTNA denies everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and micro-segmentation that can limit lateral movement if a breach occurs.

  • How is ZTNA different from software-defined perimeter (SDP)?

    SDP and ZTNA today are functionally the same. Both describe an architecture that denies everyone and everything access to a resource unless explicitly allowed.

  • Why is ZTNA important?

    ZTNA is not only more secure than legacy network solutions, but it’s designed for today’s business. Users work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more.

  • How does ZTNA work?

    ZTNA uses granular application-level access policies set to default-deny for all users and devices. A user connects to and authenticates against a Zero Trust controller, which implements the appropriate security policy and checks device attributes. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity. The user’s and device’s status are continuously verified to maintain access.

  • How is ZTNA different from VPN?

    ZTNA uses an identity authentication approach whereby all users and devices are verified and authenticated before being granted access to any network-based asset. Users can only see and access the specific resources allowed to them by policy.

    A VPN is a private network connection based on a virtual secure tunnel between the user and a general terminus point in the network. Access is based on user credentials. Once users connects to the network, they can see all resources on the network with only passwords restricting access.

  • How can I implement ZTNA?

    In client-initiated ZTNA, an agent installed on an authorized device sends information about that device’s security context to a controller. The controller prompts the device’s user for authentication. After both the user and the device are authenticated, the controller provisions connectivity from the device through a gateway such as a next-generation firewall capable of enforcing multiple security policies. The user can only access applications that are explicitly allowed.
    In service-initiated ZTNA, a connector installed in the same network as the application establishes and maintains an outbound connection to the provider’s cloud. A user requesting access to the application is authenticated by a service in the cloud, followed by validation by an identity management product. Application traffic passes through the provider’s cloud, which provides isolation from direct access and attack via a proxy. No agent is needed on the user’s device.

  • Will ZTNA replace SASE?

    ZTNA is only a small part of SASE. Once users are authorized and connected to the network, there is still a need to protect against network-based threats. IT leaders still need the right infrastructure and optimization capabilities in place to protect the user experience. And they still need to manage their overall deployment.
    SASE addresses those challenges by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation.

  • What security capabilities does ZTNA lack?

    ZTNA addresses the need for secure network and application access but it doesn’t perform security functions such as checking for malware, detecting and remediating cyber threats, protecting web-surfing devices from infection, and enforcing company policies on all network traffic. That’s why the full suite of security services in SASE is a complement to ZTNA.

  • How do Zero Trust and SASE work together?

    With SASE, the ZT controller function becomes part of the SASE PoP and there’s no need for a separate connector. Devices connect to the SASE PoP, get validated and users are only given access to those applications (and sites) allowed by the security policy in the SASE Next-Generation Firewall (NGFW) and Secure Web Gateway (SWG).

    SASE addresses other security and networking needs by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation. Enterprises that leverage SASE receive the benefits of Zero Trust Network Access plus a full suite of network and security solutions, all converged together into a package that is simple to manage, optimized, and highly scalable.

LEARN MORE ABOUT CATO REMOTE ACCESS