ZTNA: Zero Trust Network Access

Secure the Remote Workforce: Deploying Zero Trust Access

Deploying Zero Trust Access

The global pandemic has forced knowledge workers to move out of their offices en masse to the isolated environment of their homes. Most will return to the office at some point, even if only part-time, as companies adjust to social distancing measures meant to keep employees safe. Global Workplace Analytics estimates that 25-30% of the workforce will be working from home multiple days a week by the end of 2021. Others may never return to an official office, opting to remain a work-from-home (WFH) employee for good.

The suddenness of having to turn so many people into remote workers has put a real strain on network security. There was little, if any, time to develop and execute a secure remote access strategy that provides the same level of security protections that workers have in the office. This has introduced a range of cybersecurity risks and challenges, and a need for real Zero Trust Access solutions regardless of where people work.Deploying Zero Trust Access


VPNs Are Giving Way to Zero Trust Security

The tech industry is moving toward a much more secure user access model known as Zero Trust Network Access (ZTNA). It’s also called the software-defined perimeter (SDP). How ZTNA works is simple: deny everyone and everything access to a resource unless it is explicitly allowed. This approach enables tighter overall network security and micro-segmentation that can limit lateral movement in the event a breach occurs. This is the basic tenant underlying ZTNA architectures.

Gartner’s Market Guide for Zero Trust Network Access (ZTNA) projected that by 2023, 60% of enterprises will phase out VPN and use ZTNA instead. The main advantage of ZTNA is its granular control over who gains and maintains network access, to which specific resources, and from which end user device. Access is granted on a least-privilege basis according to security policies.

This granular-level control is also why Zero Trust Network Access complements the identity-driven approach to network access that SASE (Secure Access Service Edge) demands. With ZTNA built-in to a cloud-native network platform, SASE is capable of connecting the resources of the modern enterprises — sites, cloud applications, cloud datacenters, and yes, mobile and remote users — with just the right degree of access.

Security Integration Is Key to Effectively Enforcing Zero Trust Security Policies

Like VPNs, firewalls, and Intrusion Prevention solutions, there are point solutions for ZTNA on the market. In fact, many networks today are configured with an array of standalone security and remote access solutions. This lack of product integration is a real drawback for a number of reasons. First, it increases the probability of misconfigurations and inconsistent security policies. Second, it increases network latency as traffic must be inspected separately by each device. And finally, the lack of integration makes holistic threat detection all but impossible, as each appliance has its own data in its own format. Even if that data is aggregated by a SIEM, there is considerable work to normalize data and correlate events in time to stop threats before they can do their damage.

In addition, Zero Trust is only one part of a remote access solution. There are performance and ongoing security issues that aren’t addressed by ZTNA standalone offerings. This is where having ZTNA fully integrated into a SASE solution is most beneficial.

SASE converges Zero Trust Network Access, NGFW, and other security services along with network services such as SD-WANWAN optimization, and bandwidth aggregation into a cloud-native platform. This means that enterprises that leverage SASE architecture receive the benefits of Zero Trust Network Access, plus a full suite of converged network and security solutions that is both simple to manage and highly-scalable. The Cato SASE solution provides all this in a cloud-native platform.

Cato’s SASE Platform Simplifies Secure Remote Access for WFH

What does this mean for the remote access worker? The Cato SASE platform makes it very quick and easy to give highly secure access to any and all remote workers.

Cato provides the flexibility to choose how remote and mobile users securely connect to resources and applications. Cato Client is a lightweight application that can be set up in minutes and which automatically connects the remote user to the Cato Cloud. Clientless access allows optimized and secure access to select applications through a browser. Users simply navigate to an Application Portal – which is globally available from all of Cato’s 57 PoPs – authenticate with the configured SSO and are instantly presented with their approved applications. Both approaches use integrated ZTNA to secure access to specific network resources.

A Zero Trust approach is essential for a secure remote workforce, and Cato’s solution allows an easy and effective implementation of ZTNA.

For more information on how to support your remote workforce, get the free Cato eBook Work From Anywhere for Everyone.


  • What is Zero Trust Network Access (ZTNA)?

    Zero Trust Network Access is a modern approach to securing access to applications and services. ZTNA denies everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and micro-segmentation that can limit lateral movement if a breach occurs.

  • How is ZTNA different from software-defined perimeter (SDP)?

    SDP and ZTNA today are functionally the same. Both describe an architecture that denies everyone and everything access to a resource unless explicitly allowed.

  • Why is ZTNA important?

    ZTNA is not only more secure than legacy network solutions, but it’s designed for today’s business. Users work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more.

  • How does ZTNA work?

    ZTNA uses granular application-level access policies set to default-deny for all users and devices. A user connects to and authenticates against a Zero Trust controller, which implements the appropriate security policy and checks device attributes. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity. The user’s and device’s status are continuously verified to maintain access.

  • How is ZTNA different from VPN?

    ZTNA uses an identity authentication approach whereby all users and devices are verified and authenticated before being granted access to any network-based asset. Users can only see and access the specific resources allowed to them by policy.

    A VPN is a private network connection based on a virtual secure tunnel between the user and a general terminus point in the network. Access is based on user credentials. Once users connects to the network, they can see all resources on the network with only passwords restricting access.

  • How can I implement ZTNA?

    In client-initiated ZTNA, an agent installed on an authorized device sends information about that device’s security context to a controller. The controller prompts the device’s user for authentication. After both the user and the device are authenticated, the controller provisions connectivity from the device through a gateway such as a next-generation firewall capable of enforcing multiple security policies. The user can only access applications that are explicitly allowed.
    In service-initiated ZTNA, a connector installed in the same network as the application establishes and maintains an outbound connection to the provider’s cloud. A user requesting access to the application is authenticated by a service in the cloud, followed by validation by an identity management product. Application traffic passes through the provider’s cloud, which provides isolation from direct access and attack via a proxy. No agent is needed on the user’s device.

  • Will ZTNA replace SASE?

    ZTNA is only a small part of SASE. Once users are authorized and connected to the network, there is still a need to protect against network-based threats. IT leaders still need the right infrastructure and optimization capabilities in place to protect the user experience. And they still need to manage their overall deployment.
    SASE addresses those challenges by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation.

  • What security capabilities does ZTNA lack?

    ZTNA addresses the need for secure network and application access but it doesn’t perform security functions such as checking for malware, detecting and remediating cyber threats, protecting web-surfing devices from infection, and enforcing company policies on all network traffic. That’s why the full suite of security services in SASE is a complement to ZTNA.

  • How do Zero Trust and SASE work together?

    With SASE, the ZT controller function becomes part of the SASE PoP and there’s no need for a separate connector. Devices connect to the SASE PoP, get validated and users are only given access to those applications (and sites) allowed by the security policy in the SASE Next-Generation Firewall (NGFW) and Secure Web Gateway (SWG).

    SASE addresses other security and networking needs by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation. Enterprises that leverage SASE receive the benefits of Zero Trust Network Access plus a full suite of network and security solutions, all converged together into a package that is simple to manage, optimized, and highly scalable.