ZTNA: Zero Trust Network Access

Zero Trust Model

What is the Zero Trust Model?

Traditional security models rely on a perimeter to secure the network, using access control tools like firewalls. However, today’s networks are complex and distributed, consisting of numerous interconnected network components like public clouds and endpoints like laptops, mobile phones, and Internet of Things (IoT) devices.

The zero trust model enables enterprises to secure complex networks by adopting a “never trust, always verify” approach. The goal is to allow remote and complex connectivity without compromising security by applying strict access mechanisms. Zero trust security implementations usually start with mapping out “protect surfaces” and defining least privileges.

What Are the Prerequisites for a Zero Trust Model?

Organizations that want to implement a zero-trust security framework must address the following issues first:

  • Identifying sensitive data and systems—zero trust requires mapping out an organization’s “protect surfaces”, understanding where sensitive data lives and who should have access to it.
  • Define least privileges—moving to a zero-trust security model places restrictions on users, devices, applications, and processes that want to access identified data. This requires a careful review of the business process, to discover what each business role should be able to access on a “need to know” basis.
  • Rapid threat detection and response—to adopt zero trust, an organization must have the ability to monitor threats in real time and rapidly respond. The ability to automatically respond to incidents is critical to effective implementation.

Related content: What is zero trust network access?

Zero Trust Model: Practical Considerations

The 3 W’s – Workforce, Workplace and Workloads

Traditional security models implement security according to the location by setting up a perimeter and then protecting it by restricting who is allowed to enter. Modern networks are complex architectures without a clear perimeter and require a different security approach.

The zero trust model offers security mechanisms that do not rely on a perimeter. Instead, zero trust implementations aim to protect the network from the 3Ws—workforce, workplace, and workloads. None of the Ws should be trusted because they can threaten the network.

1. Workforce

The workforce is composed of employees, typically classified as insider threats. For example, threat actors can steal employees’ credentials to commit fraud or breach a system. Zero trust security can help minimize the risks posed by insider threats, mainly by protecting users and devices against identity-based attacks like phishing scams.

Here are several security best practices and technologies that can help protect the network against workforce threats:

  • Multi-factor authentication—helps verify the identity of users, offers visibility into all devices, and enforces policies that secure access to all applications. These capabilities help ensure only legitimate users and devices are granted access to the network.
  • Single sign on (SSO)—enables access to all enterprise systems through one authentication mechanism, accessible from any device or location. Modern SSO solutions can provide unified access to systems across hybrid infrastructure.
  • Device posture check—ensures that devices connecting to enterprise systems meet minimal security requirements. For example, verifying that a device is not running a vulnerable software version, has relevant security patches, and is running antivirus.

2. Workload

Workloads are susceptible to vulnerabilities caused by misconfigurations, malicious attacks, and other threats. A workload can introduce threats into the network, allowing malicious software (malware) to cause damage in specific locations or move laterally across the network. Zero trust security can help minimize the attack surface.

Implementing zero trust for workload protection usually involves protecting and controlling the flow of information moving across the network. However, application workload protection can be complex when implemented for modern architectures, like multi-clouds and hybrid clouds transmitting data between on-premises data centers to endpoints and cloud environments.

Here are several practices to consider when implementing zero trust for workloads protection:

  • Microsegmentation—helps contain threats within one segment of the network to prevent lateral movement.
  • Machine learning—provides automation and intelligence to identify abnormal workload behavior and reduce the attack surface proactively.

3. Workplace

Workplaces of the past were restricted to brick-and-mortar buildings. Today’s remote work paradigms have created a distributed workplace that is no longer restricted to a specific location. This type of workplace relies on connectivity to enable the workforce to access network resources, and each connected device can potentially introduce threats into the network.

The zero trust model protects the network against endpoint threats while allowing users to access network resources, typically by implementing software-defined access. It helps ensure that IT and security teams can still gain visibility into users and devices despite the lack of perimeter. This visibility enables teams and tools to identify threats and control all connections established within the network.

Leverage Modern Tools and Architecture

In many cases, traditional network security tools do not meet the requirements of an end-to-end zero trust model. This means traditional tools must be replaced, or complemented, by more advanced tools that provide additional layers of security.

Here are a few examples of tools commonly used to meet the requirements of a zero trust framework:

  • Network micro-segmentation
  • Next generation firewall (NGFW)
  • Single sign on (SSO)
  • Multi-factor authentication (MFA)
  • Advanced threat protection solutions such as eXtended Detection and Response (XDR)

Apply Detailed Policies

Once an organization establishes the skills and technologies needed to build a zero-trust framework, actual implementation comes down to defining and implementing policies that can be applied to a variety of security tools.

A zero trust policy is a set of rules that allows access to specific resources according to strict standards. The policy should describe precisely which users, devices and applications can access which data and services, from where, via which devices or networks, and when. Once policies are set, administrators can configure security tools to accept connections meeting the authorization rules in the policy and deny all others.

Monitor and Alert on Anomalies

The goal of zero trust is not only to minimize unauthorized access, but also to identify and stop anomalous access in real time. This requires putting robust monitoring and alerting in place, which enable security personnel to react to security incidents, understand whether current policies are effective, and identify exploited vulnerabilities.

It’s important to remember that even with a zero trust framework, nothing is completely secure. The organization must be able to capture malicious activity when it occurs. Leverage automated incident response capabilities, such as security automation and orchestration (SOAR), to run automated playbooks when zero trust systems detect an anomaly.

Learn more in our guide: How to implement zero trust?


  • What is Zero Trust Network Access (ZTNA)?

    Zero Trust Network Access is a modern approach to securing access to applications and services. ZTNA denies everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and micro-segmentation that can limit lateral movement if a breach occurs.

  • How is ZTNA different from software-defined perimeter (SDP)?

    SDP and ZTNA today are functionally the same. Both describe an architecture that denies everyone and everything access to a resource unless explicitly allowed.

  • Why is ZTNA important?

    ZTNA is not only more secure than legacy network solutions, but it’s designed for today’s business. Users work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more.

  • How does ZTNA work?

    ZTNA uses granular application-level access policies set to default-deny for all users and devices. A user connects to and authenticates against a Zero Trust controller, which implements the appropriate security policy and checks device attributes. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity. The user’s and device’s status are continuously verified to maintain access.

  • How is ZTNA different from VPN?

    ZTNA uses an identity authentication approach whereby all users and devices are verified and authenticated before being granted access to any network-based asset. Users can only see and access the specific resources allowed to them by policy.

    A VPN is a private network connection based on a virtual secure tunnel between the user and a general terminus point in the network. Access is based on user credentials. Once users connects to the network, they can see all resources on the network with only passwords restricting access.

  • How can I implement ZTNA?

    In client-initiated ZTNA, an agent installed on an authorized device sends information about that device’s security context to a controller. The controller prompts the device’s user for authentication. After both the user and the device are authenticated, the controller provisions connectivity from the device through a gateway such as a next-generation firewall capable of enforcing multiple security policies. The user can only access applications that are explicitly allowed.
    In service-initiated ZTNA, a connector installed in the same network as the application establishes and maintains an outbound connection to the provider’s cloud. A user requesting access to the application is authenticated by a service in the cloud, followed by validation by an identity management product. Application traffic passes through the provider’s cloud, which provides isolation from direct access and attack via a proxy. No agent is needed on the user’s device.

  • Will ZTNA replace SASE?

    ZTNA is only a small part of SASE. Once users are authorized and connected to the network, there is still a need to protect against network-based threats. IT leaders still need the right infrastructure and optimization capabilities in place to protect the user experience. And they still need to manage their overall deployment.
    SASE addresses those challenges by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation.

  • What security capabilities does ZTNA lack?

    ZTNA addresses the need for secure network and application access but it doesn’t perform security functions such as checking for malware, detecting and remediating cyber threats, protecting web-surfing devices from infection, and enforcing company policies on all network traffic. That’s why the full suite of security services in SASE is a complement to ZTNA.

  • How do Zero Trust and SASE work together?

    With SASE, the ZT controller function becomes part of the SASE PoP and there’s no need for a separate connector. Devices connect to the SASE PoP, get validated and users are only given access to those applications (and sites) allowed by the security policy in the SASE Next-Generation Firewall (NGFW) and Secure Web Gateway (SWG).

    SASE addresses other security and networking needs by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation. Enterprises that leverage SASE receive the benefits of Zero Trust Network Access plus a full suite of network and security solutions, all converged together into a package that is simple to manage, optimized, and highly scalable.