ZTNA: Zero Trust Network Access

What is Zero Trust Architecture?

Zero trust has become one of the hottest buzzwords in network security. However, with all the hype, it can become difficult to separate the marketing fluff from the real value. Fortunately, unlike many buzzwords, there is plenty of substance around zero trust.

Earlier this year the National Cybersecurity Center of Excellence (a part of the United States Government’s National Institute of Standards and Technology) published their Implementing a Zero Trust Architecture project, a standards-based approach to implementing Zero Trust Architecture.

So, what exactly is the substance behind zero trust and how can you identify solutions that meet your enterprise’s needs? Let’s take a look.

This is part of an extensive series of guides about data security.

What is Zero Trust Network Architecture? A crash course

In simple terms, zero trust is based on these principles: apply granular access controls and do not trust any endpoints unless they are explicitly granted access to a given resource. Zero Trust Network Architecture is simply a design that implements zero trust principles and yields what is known as Zero trust Network Access (ZTNA).

Zero Trust Architecture represents a fundamental shift from traditional castle-and-moat solutions such as Internet-based VPN appliances for remote network access. With those traditional solutions, once an endpoint authenticates, they have access to everything on the same network segment and are only potentially blocked by application-level security.

In other words, traditional solutions trusted everything on the internal network by default. Unfortunately, that model doesn’t hold up well for the modern digital business. The reason zero trust has become necessary is enterprise networks have changed drastically over the last decade, and even more so over the last six months.

Remote work is now the norm, critical data flows to and from multiple public clouds, Bring Your Own Device (BYOD) is common practice, and WAN perimeters are more dynamic than ever. This means enterprise networks that have a broader attack surface are strongly incentivized to both prevent breaches and limit dwell time and lateral movement in the event a breach occurs. Zero Trust Architecture enables micro-segmentation and the creation of micro-perimeters around devices to achieve these goals.

How Zero Trust Architecture works

While the specific tools used to implement Zero Trust Architecture may vary, the National Cybersecurity Center of Excellence’s ‘Implementing a Zero Trust Architecture’ project calls out four key functions:

Identify. Involves inventory and categorization of systems, software, and other resources. Enables baselines to be set for anomaly detection.
Protect. Involves the handling of authentication and authorization. The protect function covers the verification and configuration of the resource identities zero trust is based upon as well as integrity checking for software, firmware, and hardware.
Detect. The detect function deals with identifying anomalies and other network events. The key here is continuous real-time monitoring to proactively detect potential threats.
Respond. This function handles the containment and mitigation of threats once they are detected.

Zero Trust Architecture couples these functions with granular application-level access policies set to default-deny.

The result is a workflow that looks something like this in practice:

Users authenticate using MFA (multi-factor authentication) over a secure channel
Access is granted to specific applications and network resources based upon the user’s identity
The session is continuously monitored for anomalies or malicious activity
Threat response occurs in real-time when potentially malicious activity is detected
The same general model is applied to all users and resources within the enterprise, creating an environment where true micro-segmentation is possible.

How SDP and SASE enable Zero Trust Architecture

SDP (software-defined perimeter) which is also referred to as ZTNA (Zero Trust Network Access) is a software-defined approach to secure remote access. SDP is based on strong user authentication, application-level access rights, and continuous risk assessment throughout user sessions. With that description alone, it becomes easy to see how SDP makes it possible to implement Zero Trust Architecture.

When SDP is part of a larger SASE (Secure Access Service Edge) platform, enterprises gain additional security and performance benefits as well. SDP with SASE eliminates the complexity of deploying appliances at each location and the unpredictability that comes from depending on the public Internet as a network backbone. Additionally, with SASE, advanced security features are baked-in to the underlying network infrastructure. In short, SDP as a part of SASE enables Zero Trust Architecture to reach its full potential. In turn, this simplifies securing a remote workforce with ztna.

For example, the Cato SASE platform implements zero trust and delivers:

  1. Integrated client-based or clientless browser-based remote access
  2. Authentication via secure MFA
  3. Authorization based upon application-level access policies based on user identities
  4. DPI (deep packet inspection) and an intelligent anti-malware engine for continuous protection against threats
  5. Advanced security features such as NGFW (next-generation firewall), IPS (intrusion prevention system), and SWG (secure web gateway)
  6. Optimized end-to-end performance for on-premises and cloud resources
  7. A globally distributed cloud-scale platform accessible from all network edges
  8. A network backbone supported by 50+ PoPs (points of presence) and a 99.999% uptime SLA

Interested in learning more about SDP, SASE, and Zero Trust Architecture?

If you’d like to learn more about SDP, SASE, or Zero Trust Architecture, please contact us today or sign up to demo the Cato SASE platform. If you’d like to learn more about how to make a secure and modern approach to remote work for the enterprise, download our eBook Work from Anywhere for Everyone. Alternatively, to see how easy it is to set up your organization with ZTNA, watch our demo on how to configure ZTNA.


See Our Additional Guides on Key Data Security Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of Data Security.

Zero Trust Network Access

Learn about the Zero Trust security paradigm and zero trust network access (ZTNA) solutions used to implement it.

Cyber Security

Learn about tools and practices that can help you protect your organization against cyber threats.

Authored by Imperva

Splunk Architecture

Learn about Splunk, a popular log management and analysis platform, and how to manage and secure it.

Authored by Coudian



  • What is Zero Trust Network Access (ZTNA)?

    Zero Trust Network Access is a modern approach to securing access to applications and services. ZTNA denies everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and micro-segmentation that can limit lateral movement if a breach occurs.

  • How is ZTNA different from software-defined perimeter (SDP)?

    SDP and ZTNA today are functionally the same. Both describe an architecture that denies everyone and everything access to a resource unless explicitly allowed.

  • Why is ZTNA important?

    ZTNA is not only more secure than legacy network solutions, but it’s designed for today’s business. Users work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more.

  • How does ZTNA work?

    ZTNA uses granular application-level access policies set to default-deny for all users and devices. A user connects to and authenticates against a Zero Trust controller, which implements the appropriate security policy and checks device attributes. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity. The user’s and device’s status are continuously verified to maintain access.

  • How is ZTNA different from VPN?

    ZTNA uses an identity authentication approach whereby all users and devices are verified and authenticated before being granted access to any network-based asset. Users can only see and access the specific resources allowed to them by policy.

    A VPN is a private network connection based on a virtual secure tunnel between the user and a general terminus point in the network. Access is based on user credentials. Once users connects to the network, they can see all resources on the network with only passwords restricting access.

  • How can I implement ZTNA?

    In client-initiated ZTNA, an agent installed on an authorized device sends information about that device’s security context to a controller. The controller prompts the device’s user for authentication. After both the user and the device are authenticated, the controller provisions connectivity from the device through a gateway such as a next-generation firewall capable of enforcing multiple security policies. The user can only access applications that are explicitly allowed.
    In service-initiated ZTNA, a connector installed in the same network as the application establishes and maintains an outbound connection to the provider’s cloud. A user requesting access to the application is authenticated by a service in the cloud, followed by validation by an identity management product. Application traffic passes through the provider’s cloud, which provides isolation from direct access and attack via a proxy. No agent is needed on the user’s device.

  • Will ZTNA replace SASE?

    ZTNA is only a small part of SASE. Once users are authorized and connected to the network, there is still a need to protect against network-based threats. IT leaders still need the right infrastructure and optimization capabilities in place to protect the user experience. And they still need to manage their overall deployment.
    SASE addresses those challenges by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation.

  • What security capabilities does ZTNA lack?

    ZTNA addresses the need for secure network and application access but it doesn’t perform security functions such as checking for malware, detecting and remediating cyber threats, protecting web-surfing devices from infection, and enforcing company policies on all network traffic. That’s why the full suite of security services in SASE is a complement to ZTNA.

  • How do Zero Trust and SASE work together?

    With SASE, the ZT controller function becomes part of the SASE PoP and there’s no need for a separate connector. Devices connect to the SASE PoP, get validated and users are only given access to those applications (and sites) allowed by the security policy in the SASE Next-Generation Firewall (NGFW) and Secure Web Gateway (SWG).

    SASE addresses other security and networking needs by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation. Enterprises that leverage SASE receive the benefits of Zero Trust Network Access plus a full suite of network and security solutions, all converged together into a package that is simple to manage, optimized, and highly scalable.