ZTNA: Zero Trust Network Access

Zero Trust Framework

Explaining the Zero Trust Framework

The traditional network security model was perimeter-focused and based heavily on trust. The fundamental idea was that all threats originated from outside of the network and that anyone inside of the network perimeter was a trusted insider. By deploying defenses at the network perimeter, enterprises attempted to identify malware and other threats, blocking them from ever entering the network.

This approach to network security has multiple problems, including the dissolving network perimeter, the potential for insider threats, and the fact that network security solutions provide imperfect protection. To address these issues, John Kindervag, then a vice president and principal analyst for Forrester Research, developed the concept of a zero trust security strategy, which is based on the concept that any trust within a security policy is a potential vulnerability.

A zero trust security strategy moves from implicitly trusting insiders and distrusting outsiders to not extending trust to anyone automatically. Instead, access and permissions are granted on a case-by-case basis driven by business needs and role requirements. For a good introduction to zero trust, read up on zero trust architecture.

What is a Zero Trust Network?

Implementing zero trust principles within an organization’s environment requires the development of a zero trust network. A zero trust network is one that implements and enforces zero trust policies, such as zero trust network access (ZTNA) or Software Defined Perimeter (SDP), consistently across an organization’s entire environment.

Below, we describe how to move from a legacy, perimeter-based security model to a zero trust network that is capable of meeting and managing modern cyber threats.

Step 1: Identify a Protect Surface

Managing access to corporate assets is a central tenet of a zero trust security strategy. As mentioned earlier, zero trust policies grant access to resources on a case-by-case basis, driven by business need and role-based access controls. To manage access to resources, enterprises first need to know what those resources are.

A critical stage in developing a zero trust network is to define the protect surface: the set of resources that the enterprise needs to secure. A protect surface is composed of an organization’s DAAS (Data, Assets, Applications and Services):

  • Data: One of the most common reasons to adopt a zero trust strategy is to avoid data breaches and meet compliance requirements for data protection regulations. Identifying and classifying an organization’s data is essential for appropriately managing access to these resources.
  • Assets: The modern enterprise has a wide range of corporate assets, including traditional computers, mobile devices, cloud-based resources, and Internet of Things (IoT) devices. The rise of remote work and mobile devices means that many companies struggle to maintain visibility into their entire asset catalog. Addressing these visibility gaps is crucial to an effective zero trust deployment.
  • Applications: Applications are valuable resources for any business and a common target of cyberattacks. Exploitation of application vulnerabilities can provide an attacker with access to valuable data or a foothold from which they can exploit other targets. Enterprises need a complete listing of their corporate applications to develop a strategy for securing them.
  • Services: The growth of the cloud means that many organizations are using or offering cloud-based services. These services also represent potential vulnerabilities and attack vectors for cybercriminals and need to be identified and protected as well.

Step 2: Explore Interdependencies

Zero trust networks operate on the principle of least privilege. This means that users are only granted the permissions they require to do their jobs.

To appropriately assign these permissions, enterprises need to understand what access and permissions their employees and IT assets require to fulfill their roles. The most reliable way to establish this is to monitor what activities are actually performed during the organization’s daily business, rather than relying on documented assumptions.

By monitoring the corporate network, enterprises can develop a map of the communications and interdependencies between their DAAS, infrastructure, services, and users. Based on these observed flows, it is possible to determine which communications should be permitted as part of a zero trust policy and which should be blocked as inappropriate or unnecessary.

This exploration of the dependencies and communication patterns within an organization’s network helps set the stage for deploying a zero-trust strategy, but this is not the only benefit. If anomalous or suspicious flows are detected, this can kick off incident response activities that help enterprises root out infections within their networks.
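As an added example that is not from the original page or from Cato Networks, the following Python sketch shows the workflow Step 2 describes: observed flow records are aggregated into a dependency map, frequently seen flows become an explicit allowlist over a default-deny baseline, rarely seen flows are held back for human review instead of being silently allowed, and later flows outside the allowlist are surfaced for incident response. The flow records, host names, ports, the record schema and the 10-flow threshold are constructed assumptions, not a real log format or real data.

```python
"""Derive a least-privilege allowlist from observed network flows and flag
flows that fall outside it. Added example with constructed data; the record
schema (src, dst, port, app, count) is an assumption, not a real log format."""
from collections import defaultdict

# Constructed baseline: flows observed during the monitoring window.
BASELINE_FLOWS = [
    {"src": "hr-laptop-01", "dst": "payroll-app", "port": 443, "app": "https", "count": 120},
    {"src": "hr-laptop-01", "dst": "mail-server", "port": 443, "app": "https", "count": 80},
    {"src": "payroll-app", "dst": "payroll-db", "port": 5432, "app": "postgres", "count": 3000},
    {"src": "build-agent-02", "dst": "git-server", "port": 22, "app": "ssh", "count": 400},
    # Seen once: a real dependency, or the first step of an intrusion? Needs a human.
    {"src": "hr-laptop-01", "dst": "payroll-db", "port": 5432, "app": "postgres", "count": 1},
]

# Constructed flows observed after the policy was built.
NEW_FLOWS = [
    {"src": "hr-laptop-01", "dst": "payroll-app", "port": 443, "app": "https", "count": 5},
    {"src": "hr-laptop-01", "dst": "build-agent-02", "port": 445, "app": "smb", "count": 2},
    {"src": "build-agent-02", "dst": "payroll-db", "port": 5432, "app": "postgres", "count": 1},
]


def flow_key(flow):
    """Identity of a flow for policy purposes: who talks to whom, on what, how."""
    return (flow["src"], flow["dst"], flow["port"], flow["app"])


def summarise_flows(flows):
    """Aggregate raw records into (src, dst, port, app) -> total observed count."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow_key(flow)] += flow["count"]
    return dict(totals)


def build_policy(flows, min_count=10):
    """Turn observed flows into an explicit allowlist.

    Flows seen at least `min_count` times are treated as business-required and
    become allow rules. Rarer flows are not silently permitted: they go to a
    review list for a human to confirm, because a single observed connection may
    itself be an attacker's lateral movement rather than a dependency. Anything
    not in the allowlist is denied by default.
    """
    allow, review = [], []
    for key, count in sorted(summarise_flows(flows).items()):
        rule = {"src": key[0], "dst": key[1], "port": key[2], "app": key[3], "observed": count}
        (allow if count >= min_count else review).append(rule)
    return {"allow": allow, "review": review, "default": "deny"}


def decide(policy, flow):
    """Default-deny lookup: only an explicit allow rule permits the flow."""
    for rule in policy["allow"]:
        if (rule["src"], rule["dst"], rule["port"], rule["app"]) == flow_key(flow):
            return "allow"
    return policy["default"]


def find_anomalies(policy, flows):
    """Flows the allowlist does not cover: candidates for incident response."""
    return [flow for flow in flows if decide(policy, flow) != "allow"]


if __name__ == "__main__":
    policy = build_policy(BASELINE_FLOWS)
    for rule in policy["allow"]:
        print("ALLOW  ", rule)
    for rule in policy["review"]:
        print("REVIEW ", rule)
    for flow in find_anomalies(policy, NEW_FLOWS):
        print("ANOMALY", flow)
```

Run as written, the script allows the four well-established flows, sends the single hr-laptop-01 to payroll-db connection to review, and flags the two new flows (an SMB connection between a laptop and a build agent, and a build agent reaching the payroll database) as anomalies. The threshold is deliberately a knob: set it too low and you bake an intruder's traffic into policy; set it too high and legitimate but infrequent dependencies (month-end batch jobs, for instance) will be blocked once enforcement starts.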

Step 3: Implement Microsegmentation

Access controls are typically enforced at network boundaries where traffic is routed through a network security appliance. To implement a zero trust strategy, enterprises need to have many of these boundaries to provide granular protection and access control for corporate resources.

Creating network boundaries throughout the corporate network requires implementing microsegmentation. Microsegmentation places each corporate asset within its own perimeter and performs traffic monitoring and filtering at Layer 7.

This Layer 7 monitoring is essential for achieving the visibility that zero trust requires. The rise of cloud computing and service-based delivery models means that Layer 3/4 traffic analysis (IP addresses, protocols and ports) no longer provides the granularity needed to determine the purpose of network traffic, since many different applications and tenants share the same addresses and ports. With Layer 7 analysis, enterprises can see which application and action a flow carries and include that in their access control decisions.

When developing a microsegmentation policy, the Kipling Method can be a useful resource. It defines a zero trust policy based on the answers to six questions:

  1. Who is making the request?
  2. What is the resource being requested?
  3. Where is the request coming from?
  4. When was the request made?
  5. Why does the user need access to that resource?
  6. How is the user requesting access?

By answering these questions, enterprises can determine whether or not a particular request is compliant with corporate security policies. For example, access to a particular resource may be permitted only from certain computers, but a request for it may be made from a remote worker’s device. Even if the worker has legitimate access to the resource, the request should not be granted if it comes from the wrong device. Knowing not only who but where is critical to making the correct access control decision.
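As an added example that is not part of the original page or of Cato’s product, here is a small default-deny policy evaluator in Python that answers the six Kipling questions in order and denies on the first question that fails. The users, devices, resources, time window and access methods are constructed assumptions. It reproduces the case just described: a user who holds the right role is still denied when the request comes from a device the rule does not permit.

```python
"""Default-deny access decision driven by the six Kipling questions.
Added example; users, devices, resources and policy are constructed."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Request:
    who: str    # authenticated user identity
    what: str   # resource being requested
    where: str  # device the request originates from
    when: time  # local time the request was made
    why: str    # role under which access is claimed
    how: str    # access method: "managed-client", "browser" or "api"


@dataclass(frozen=True)
class Rule:
    resource: str
    roles: frozenset
    devices: frozenset = frozenset()            # empty: any managed device
    window: tuple = (time(0, 0), time(23, 59))  # inclusive local-time window
    methods: frozenset = frozenset()            # empty: any access method


# Constructed identity and device inventory (assumed, not real data).
USER_ROLES = {"alice": {"payroll-admin", "employee"}, "bob": {"engineer", "employee"}}
MANAGED_DEVICES = {"lt-alice-corp", "lt-bob-corp"}

# Constructed policy. Any resource not listed here is denied (default deny).
POLICY = [
    Rule("payroll-app", roles=frozenset({"payroll-admin"}),
         devices=frozenset({"lt-alice-corp"}),
         window=(time(7, 0), time(19, 0)),
         methods=frozenset({"managed-client"})),
    Rule("git-server", roles=frozenset({"engineer"}),
         methods=frozenset({"managed-client", "api"})),
]


def evaluate(req, policy=POLICY, user_roles=USER_ROLES, managed=MANAGED_DEVICES):
    """Answer the six Kipling questions in order; the first failed answer denies.
    Returns (decision, reason); a deny reason is prefixed with the failing question."""
    # Who: the identity must be known to the identity provider.
    if req.who not in user_roles:
        return "deny", f"who: unknown identity {req.who}"
    # What: there must be an explicit rule for the resource (default deny).
    rule = next((r for r in policy if r.resource == req.what), None)
    if rule is None:
        return "deny", f"what: no rule permits access to {req.what}"
    # Why: the claimed role must be one the user holds and one the rule accepts.
    if req.why not in user_roles[req.who] or req.why not in rule.roles:
        return "deny", f"why: role {req.why} does not grant {req.what}"
    # Where: the request must come from a managed device, and from a listed
    # device when the rule restricts devices. Having the role is not enough.
    if req.where not in managed:
        return "deny", f"where: {req.where} is not a managed device"
    if rule.devices and req.where not in rule.devices:
        return "deny", f"where: {req.where} is not permitted for {req.what}"
    # When: the request must fall inside the rule's time window.
    start, end = rule.window
    if not (start <= req.when <= end):
        return "deny", f"when: {req.when.isoformat()} is outside {start}-{end}"
    # How: the access method must be one the rule accepts.
    if rule.methods and req.how not in rule.methods:
        return "deny", f"how: method {req.how} not permitted for {req.what}"
    return "allow", "all six checks passed"


# Constructed requests covering the allow path and each way to be denied.
OFFICE = Request("alice", "payroll-app", "lt-alice-corp", time(10, 0), "payroll-admin", "managed-client")
HOME = Request("alice", "payroll-app", "lt-alice-home", time(10, 0), "payroll-admin", "managed-client")
WRONG_ROLE = Request("bob", "payroll-app", "lt-bob-corp", time(10, 0), "engineer", "managed-client")
AFTER_HOURS = Request("alice", "payroll-app", "lt-alice-corp", time(22, 0), "payroll-admin", "managed-client")
BROWSER = Request("alice", "payroll-app", "lt-alice-corp", time(10, 0), "payroll-admin", "browser")
NO_RULE = Request("alice", "hr-wiki", "lt-alice-corp", time(10, 0), "employee", "browser")

if __name__ == "__main__":
    for name, req in [("office", OFFICE), ("home", HOME), ("wrong role", WRONG_ROLE),
                      ("after hours", AFTER_HOURS), ("browser", BROWSER), ("no rule", NO_RULE)]:
        print(f"{name:12s} -> {evaluate(req)}")
```

The order of the checks matters for what a caller learns: the evaluator confirms identity before it says anything about the resource, so an unauthenticated probe cannot use the deny reasons to enumerate which resources exist. In a real deployment the "where" answer comes from device posture reported by a ZTNA agent or a managed-device certificate, not from a self-declared device name as in this example.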

Getting Started on Your Zero Trust Journey

Recent events have demonstrated that traditional security strategies simply aren’t working. Data breaches are a daily occurrence, ransomware attacks are on the rise, and other cyber threats have not gone away. There is a greater need for businesses to secure their remote workforce than ever before.

Implementing a zero trust network is a multi-stage process, but the most important step is selecting the right security solutions to implement corporate zero trust policies. Legacy security solutions lack the reach or security granularity to enforce zero trust policies. ZTNA is an integral component of Gartner’s Secure Access Service Edge (SASE) framework, presenting an ideal alternative for legacy solutions.

SASE makes implementing zero trust simple and painless. With SASE, all traffic flows through a SASE Point of Presence (PoP), allowing Layer 7 traffic analysis and security policy enforcement. SASE also has the ability to enforce zero trust policies for a remote workforce with ZTNA, which is increasingly vital for the modern enterprise. Learn more about the ZTNA capabilities of SASE.

Cato Networks is a leader in the SASE space and has been recognized multiple times in Gartner’s ZTNA Market Guide as a provider of the networking and security solutions that companies will need in the future. To learn more about how to use SASE to implement zero trust, contact us. Alternatively, you can request a demo to see the capabilities of Cato SASE Cloud for yourself.


  • What is Zero Trust Network Access (ZTNA)?

    Zero Trust Network Access is a modern approach to securing access to applications and services. ZTNA denies everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and micro-segmentation that can limit lateral movement if a breach occurs.

  • How is ZTNA different from software-defined perimeter (SDP)?

    SDP and ZTNA today are functionally the same. Both describe an architecture that denies everyone and everything access to a resource unless explicitly allowed.

  • Why is ZTNA important?

    ZTNA is not only more secure than legacy network solutions, but it’s designed for today’s business. Users work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more.

  • How does ZTNA work?

    ZTNA uses granular application-level access policies set to default-deny for all users and devices. A user connects to and authenticates against a Zero Trust controller, which implements the appropriate security policy and checks device attributes. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity. The user’s and device’s status are continuously verified to maintain access.

  • How is ZTNA different from VPN?

    ZTNA uses an identity authentication approach whereby all users and devices are verified and authenticated before being granted access to any network-based asset. Users can only see and access the specific resources allowed to them by policy.

    A VPN is a private network connection based on a virtual secure tunnel between the user and a general terminus point in the network. Access is based on user credentials. Once a user connects, they are placed on the network and can see and reach every resource on it, with only each resource’s own password or login restricting access.

  • How can I implement ZTNA?

    In client-initiated ZTNA, an agent installed on an authorized device sends information about that device’s security context to a controller. The controller prompts the device’s user for authentication. After both the user and the device are authenticated, the controller provisions connectivity from the device through a gateway such as a next-generation firewall capable of enforcing multiple security policies. The user can only access applications that are explicitly allowed.
    In service-initiated ZTNA, a connector installed in the same network as the application establishes and maintains an outbound connection to the provider’s cloud. A user requesting access to the application is authenticated by a service in the cloud, followed by validation by an identity management product. Application traffic passes through the provider’s cloud, which provides isolation from direct access and attack via a proxy. No agent is needed on the user’s device.

  • Will ZTNA replace SASE?

    ZTNA is only a small part of SASE. Once users are authorized and connected to the network, there is still a need to protect against network-based threats. IT leaders still need the right infrastructure and optimization capabilities in place to protect the user experience. And they still need to manage their overall deployment.
    SASE addresses those challenges by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation.

  • What security capabilities does ZTNA lack?

    ZTNA addresses the need for secure network and application access but it doesn’t perform security functions such as checking for malware, detecting and remediating cyber threats, protecting web-surfing devices from infection, and enforcing company policies on all network traffic. That’s why the full suite of security services in SASE is a complement to ZTNA.

  • How do Zero Trust and SASE work together?

    With SASE, the ZT controller function becomes part of the SASE PoP and there’s no need for a separate connector. Devices connect to the SASE PoP, get validated and users are only given access to those applications (and sites) allowed by the security policy in the SASE Next-Generation Firewall (NGFW) and Secure Web Gateway (SWG).

    SASE addresses other security and networking needs by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation. Enterprises that leverage SASE receive the benefits of Zero Trust Network Access plus a full suite of network and security solutions, all converged together into a package that is simple to manage, optimized, and highly scalable.