Types of Zero Trust Network Solutions
The main technology solution used to deploy a zero trust network is Zero Trust Network Access (ZTNA). Gartner has identified two approaches vendors use when developing ZTNA solutions: endpoint-initiated ZTNA and service-initiated ZTNA.
Endpoint-initiated ZTNA
Endpoint-initiated ZTNA follows the Cloud Security Alliance (CSA) Software Defined Perimeter (SDP) specification, an early standard for zero trust networks. It typically follows this process:
- An agent is installed on the authenticated end user’s device, which sends information about the security context to a controller.
- The controller requests authentication from the device’s user and returns a list of allowed applications.
- The controller provides a connection from the device through a gateway, protecting the service from direct Internet access, denial of service (DoS) attacks and other threats originating from public networks.
- When the controller establishes a connection, some products remain in the data path. Others remove themselves and allow the device and service to interact directly.
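The controller side of the SDP-style flow above, as an added example (not code from the article or any ZTNA vendor): an agent reports the device's security context, the controller authenticates the user, runs health checks on the reported posture, and only then returns the list of allowed applications and a gateway grant. The user directory, application catalog, posture thresholds and gateway name are all constructed for the example.

```python
"""Simulated endpoint-initiated ZTNA controller (constructed example)."""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class DeviceContext:
    """Security context the agent on the end-user device sends to the controller."""
    device_id: str
    managed: bool              # enrolled in the organization's device management
    os_patch_level: int        # constructed YYYYMM-style patch baseline number
    last_malware_scan: datetime
    disk_encrypted: bool


@dataclass
class AccessDecision:
    allowed_apps: List[str]
    gateway: Optional[str]
    reasons: List[str] = field(default_factory=list)


# Constructed user directory: user -> (credential, group memberships).
# A real controller would defer to the enterprise identity provider.
USERS = {
    "alice": ("pw-alice", {"finance", "staff"}),
    "bob": ("pw-bob", {"staff"}),
}

# Constructed application catalog: app -> (groups permitted, minimum patch level).
APPS = {
    "payroll": ({"finance"}, 202409),
    "wiki": ({"staff"}, 202406),
    "ssh-bastion": ({"finance", "staff"}, 202409),
}

MIN_PATCH = 202406                # constructed organization-wide baseline
MAX_SCAN_AGE = timedelta(days=7)  # constructed freshness requirement for malware scans
GATEWAY = "gw.example.internal:443"  # constructed gateway name


def device_health(ctx: DeviceContext, now: datetime) -> List[str]:
    """Posture checks run on the agent-reported context; empty list means healthy."""
    problems = []
    if not ctx.managed:
        problems.append("unmanaged device: agent telemetry not trusted")
    if ctx.os_patch_level < MIN_PATCH:
        problems.append("os patch level below baseline")
    if now - ctx.last_malware_scan > MAX_SCAN_AGE:
        problems.append("malware scan older than 7 days")
    if not ctx.disk_encrypted:
        problems.append("disk not encrypted")
    return problems


def controller_decide(user: str, credential: str, ctx: DeviceContext,
                      now: Optional[datetime] = None) -> AccessDecision:
    """Authenticate the user, check device health, then compute the allowed app list."""
    now = now or datetime.now(timezone.utc)
    record = USERS.get(user)
    # Constant-time comparison so a failed login does not leak credential length/prefix.
    if record is None or not hmac.compare_digest(record[0], credential):
        return AccessDecision([], None, ["authentication failed"])
    problems = device_health(ctx, now)
    if problems:
        # Deny everything: an unhealthy device gets no application list and no gateway.
        return AccessDecision([], None, problems)
    groups = record[1]
    allowed = sorted(
        app for app, (permitted, min_patch) in APPS.items()
        if groups & permitted and ctx.os_patch_level >= min_patch
    )
    # The grant is scoped to this device; the gateway brokers the actual connection.
    return AccessDecision(allowed, f"{GATEWAY} for {ctx.device_id}")


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    healthy = DeviceContext("laptop-01", True, 202409, now - timedelta(days=1), True)
    print(controller_decide("alice", "pw-alice", healthy, now))
    personal = DeviceContext("phone-07", False, 202409, now - timedelta(days=1), True)
    print(controller_decide("alice", "pw-alice", personal, now))
```

The per-application minimum patch level shows how the controller can return a narrower application list for a device that passes the baseline but is not current enough for a sensitive service, rather than a simple allow/deny.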
Pros and cons
The advantage of this type of ZTNA is that it provides detailed information about the context of the connecting device. It is also possible to conduct health checks on the device and ensure it is updated and has been scanned for malware.
The disadvantage is that this approach is only practical for managed devices: the agent is very difficult to deploy on personal devices. Such devices may be used exclusively when the company has a Bring Your Own Device (BYOD) policy, or occasionally when employees log into services from home or from mobile devices.
In some cases this issue can be alleviated with Unified Endpoint Security (UES), which users might be more willing to install on personal devices and which can serve as the agent in the ZTNA process.
Service-initiated ZTNA
Service-initiated ZTNA is aligned with the Google BeyondCorp framework, a pattern created by Google for implementing zero trust in organizations. It works as follows:
- A connector, installed on the same network as the application, establishes and maintains an outbound connection to a cloud service provider.
- Users connect to the cloud service, and the cloud service authenticates users via an enterprise identity management technology.
- The cloud provider checks the user’s authorization to access protected applications.
- Only after successful authentication and authorization does traffic pass from the cloud service to the application, which is located behind the firewall.
This architecture isolates applications from direct access by placing a proxy in front of them. There is no need to open corporate firewalls for inbound traffic. However, the organization becomes dependent on the service provider's network, and must ensure that the provider offers a sufficient level of security.
Pros and cons
The advantage of service-initiated ZTNA is that it is an attractive method for unmanaged devices, because there is no need for an agent on each end-user device.
The downside is that in some ZTNA solutions, the application’s protocol must be based on HTTP/HTTPS, which limits the solution to web applications. Applications using protocols like Secure Shell (SSH) or Remote Desktop Protocol (RDP) may not be supported.
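The service-initiated flow above, together with the HTTP/HTTPS limitation just described, as an added example (not code from the article, from Google BeyondCorp, or from any vendor): a connector on the application network registers its applications over an outbound connection, users present an identity-provider token to the cloud service, and the service authenticates and authorizes each request before relaying it through the connector. The HMAC-signed token format, the group policy, the application names and the shared signing key are all constructed stand-ins for an enterprise identity provider.

```python
"""Simulated service-initiated ZTNA cloud service and connector (constructed example)."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional, Tuple

# Constructed key shared between the identity provider and the cloud service.
IDP_SECRET = b"constructed-idp-signing-key"


def idp_issue_token(subject: str, groups) -> str:
    """Constructed stand-in for an identity-provider token: HMAC-SHA256 over a JSON payload."""
    payload = json.dumps({"sub": subject, "groups": sorted(groups)}).encode()
    sig = hmac.new(IDP_SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, otherwise None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(IDP_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


class Connector:
    """Runs on the application's network. It only makes outbound connections,
    so no inbound firewall rule is needed for the applications it fronts."""

    def __init__(self, apps: Dict[str, Tuple[str, Callable[[str], str]]]):
        self.apps = apps  # app name -> (protocol, handler standing in for the application)

    def relay(self, app: str, request: str) -> str:
        _protocol, handler = self.apps[app]
        return handler(request)


class CloudService:
    """The broker users connect to; authenticates, authorizes, then relays."""

    # Constructed authorization policy: app -> groups allowed to reach it.
    POLICY = {"hr-portal": {"hr"}, "wiki": {"staff"}, "jump-host": {"ops"}}
    BROKERED_PROTOCOLS = ("http", "https")  # limitation modelled from the text

    def __init__(self):
        self.connectors: Dict[str, Tuple[str, Connector]] = {}

    def register_connector(self, connector: Connector) -> None:
        """Called over the connector's outbound connection to announce its apps."""
        for app, (protocol, _handler) in connector.apps.items():
            self.connectors[app] = (protocol, connector)

    def handle(self, token: str, app: str, request: str) -> Tuple[int, str]:
        claims = verify_token(token)
        if claims is None:
            return 401, "authentication failed"
        if app not in self.POLICY or not set(claims["groups"]) & self.POLICY[app]:
            return 403, "not authorized for " + app
        if app not in self.connectors:
            return 502, "no connector registered for " + app
        protocol, connector = self.connectors[app]
        if protocol not in self.BROKERED_PROTOCOLS:
            return 400, f"{protocol} traffic is not brokered by this service"
        # Only now does traffic cross from the cloud service to the application.
        return 200, connector.relay(app, request)


def build_demo() -> Tuple[CloudService, Connector]:
    """Wire a constructed connector with three applications into a cloud service."""
    connector = Connector({
        "hr-portal": ("https", lambda req: "HR page for " + req),
        "wiki": ("https", lambda req: "wiki page for " + req),
        "jump-host": ("ssh", lambda req: "ssh session"),
    })
    service = CloudService()
    service.register_connector(connector)
    return service, connector


if __name__ == "__main__":
    service, _ = build_demo()
    alice = idp_issue_token("alice", {"hr", "staff"})
    print(service.handle(alice, "hr-portal", "GET /"))
    print(service.handle(alice, "jump-host", "connect"))
```

The `jump-host` entry shows the limitation from the text: the user may be authorized, but an SSH application registered behind an HTTP-only broker is still rejected before any traffic is relayed.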