ZTNA: Zero Trust Network Access

The Evolution of Zero Trust Security and 5 Key Components

What is Zero Trust Security?

The starting point of zero trust security is that all systems should control access, and deny access by default. Zero trust means designing security controls without implicit trust under the assumption that all accounts and devices are potentially compromised.

In the past, most organizations had a trusted corporate network, with employees connecting via on-premises workstations or remotely via VPN. Connections from outside were considered untrusted, while accounts authorized to access the network were considered trusted. This is no longer effective in today’s distributed IT environment. The zero trust mentality says that organizations can no longer afford to implicitly trust any entity within the network perimeter.

Recent changes to the security landscape, such as the transition to remote work and the growth in supply chain attacks, emphasize the need for zero trust. Components that were previously trusted, like an organization’s own employees and IT management components, can now be an instrument of attack. This makes it critical for organizations to adopt zero trust security models and supporting technology solutions, primarily Zero Trust Network Access (ZTNA).

Why has Zero Trust Security Emerged?

Traditional security techniques used location as an indicator of trust. An employee in an office was automatically trusted, given that this employee went through ID checks to enter the office and provided the right credentials to connect to the network. Everything within the perimeter of the organization and its network was trusted, and everything else was considered hostile.

However, threats can infiltrate the network and move laterally. Attackers can compromise a user account or otherwise gain access to a system within the perimeter. They can then gradually gain access to additional accounts and systems. Social engineering, malware, and malicious insiders are all common ways by which attackers can breach the network perimeter—violating the implicit trust model.

While it was always true that attackers could lurk inside the corporate environment, it is a much more serious concern in modern IT environments. The introduction of cloud services, mobile applications, and remote workers further undermines traditional border-based security models.

Related content: Read our guide to zero trust principles.

Zero Trust Security Drivers

Here are a few trends in the modern IT environment that are driving adoption of the zero trust security model.

Cloud Adoption

In the early days of the cloud, cloud migration raised serious security concerns. Organizations were hesitant to outsource IT infrastructure to a third party, concerned that they would lose control.

However, today the cloud has become ubiquitous, even for sensitive and mission critical workloads. Cloud adoption continues to grow, especially in the wake of COVID-19. Research shows most organizations increased their use of the cloud with the transition to remote work.

Cloud computing is changing the dynamics of enterprise access and security. A decentralized infrastructure means that any security technology based on peripherals or endpoints is no longer effective. A firewall cannot protect a SaaS application because the application is not hosted on the corporate network, and the server is outside the organization’s control. Security and access control must be implemented where data, users, and devices reside.

Bring Your Own Device

BYOD is a strategy that allows an organization’s employees to use their personal devices for work-related activities. These activities include tasks such as accessing email, connecting to a corporate network, accessing corporate applications and data.

BYOD devices may be laptops, smartphones, other mobile devices, and storage equipment like USB drives and external hard drives. BYOD has strong benefits for both employees (who enjoy improved productivity with devices of their choice) and companies (who eliminate the cost of purchasing and maintaining hardware). But it also poses serious security risks.

Organizations implementing BYOD must have a robust method for authenticating users on personal devices and performing contextual assessment of access requests. For example, users connecting from a personal device at 3 am should be treated differently than if the same users would connect from a workstation at the office at 2 pm.

Zero trust is highly suited to BYOD use cases, and provides a solution for granular, secure remote access to applications while reducing management overhead. Zero Trust Network Access (ZTNA) is a security solution that can address security, manageability, and user experience challenges for BYOD devices.

Modern Mobility

In today’s work environment, employees can work from anywhere and commonly perform work tasks outside business hours. This improves productivity but complicates security and access.

It is extremely common for employees to cross network boundaries, including networks that are considered hostile, on their route to accessing corporate systems. How can organizations allow secure, remote access to company resources?

Remote access services such as virtual private network (VPN), remote desktop service (RDS), virtual desktop infrastructure (VDI), and desktop as a service (DaaS) are commonly used. But these solutions are not designed for a mobile-first environment and are not sufficiently secure.

Zero trust solutions like ZTNA help organizations regulate and standardize remote access. On the one hand, they give employees the freedom to access the network from different locations at different times without being restricted to specific interfaces such as clunky virtual desktops. On the other hand, they smartly authenticate employees and limit access to sensitive resources in risky scenarios.

Related content: Read our guide to zero trust access.

5 Key Components of the Zero Trust Security Architecture

The proponents of zero trust emphasize that it is a paradigm, not a technology. Each organization may implement zero trust in different ways. However, there are five technology components emerging as essential components of zero trust.

1. Zero Trust Network Access (ZTNA)

A ZTNA solution is designed to implement and enforce a zero trust strategy across the corporate network. Users attempting to connect to an organization’s systems and applications are only allowed to connect if they specifically need access to perform their roles.

ZTNA can take several forms:

  • Gateway integration—ZTNA functionality can be implemented as part of a network gateway. Traffic crossing network boundaries is filtered by the gateway according to the defined access control policies.
  • SD-WAN—SD-WAN optimizes networking across an enterprise WAN. Secure SD-WAN solutions integrate a full security stack into the network infrastructure, and this can include ZTNA functionality. SD-WAN with built-in ZTNA can provide sophisticated, centralized access control.
  • Secure Access Service Edge (SASE)SASE is a broad solution that includes a secure web gateway (SWG), firewall as a service (FWaaS), cloud security access broker (CASB), and ZTNA. SASE provides a holistic solution to enterprise networking, which strongly supports the zero trust model.

2. Multi-Factor Authentication

MFA is the use of multiple methods to verify user identity before granting access. These checks may include security questions, email verification, text messages, security tokens, biometric ID checks, and more. Implementing MFA at every access point—both for ingress traffic flowing into the network and for connections within the network—is a foundation of zero trust.

3. Real-Time Monitoring

Real-time monitoring continuously evaluates the network to detect intruders and limit damage if internal systems are compromised. Effective monitoring can reduce “breakthrough time”—the amount of time a hacker needs to move laterally or escalate privileges, after initially penetrating an application or device.

Zero trust monitoring strategies must include automated components, typically based on behavioral profiling and anomaly detection, and rapid triage and response of incidents by security analysts.

4. Microsegmentation

Another important aspect of zero trust is network microsegmentation. Microsegmentation is the ability to create isolated perimeters within the network, allowing connections within each perimeter, but blocking access between them. This means that once a user or entity is authorized to access the network, they are limited to a specific, isolated space, with limited ability to move laterally and access other systems.

A crucial aspect of microsegmentation is that it is automated and centrally controlled by the zero trust solution. Zero trust technology must be able to adjust microsegmentation dynamically in response to changing security policies and current security conditions.

5. Trust Zones and Default Access Controls

Trusted Internet Connection (TIC) 3.0 is the latest version of an initiative by the US federal government aimed at standardizing management of external network connections. TIC lets an organization divide the network into trusted zones, allowing users to share data within zones, with centrally-defined default access controls but prohibiting access between zones.

Trust zones can only be used if all network traffic is encrypted and access to all systems is centrally controlled using a zero trust solution.

Zero Trust Security with Cato SASE Cloud

Cato’s zero trust solution – Cato SDP – provides a zero trust network for securely accessing on-premises and cloud applications via any device. With a Cato Client or Clientless browser access, users securely connect to the nearest Cato PoP using strong Multi-Factor Authentication.

Built into Cato’s SASE platform, Cato SDP delivers the following key capabilities:

  • Scalability: Cato SDP instantly scales to support optimized and secure access to an unlimited number of users, devices, and locations, without requiring additional infrastructure.
  • Access and Authentication: Cato SDP enforces multi-factor authentication and granular application access policies, which restrict access to approved applications, both on-premises and cloud. Users don’t get access to the network layer, reducing risk significantly.
  • Threat Prevention: Cato SDP provides continuous protection against threats, applying deep packet inspection (DPI) for threat prevention to all traffic. Threat protection is seamlessly extended to Internet and application access, whether on-premises or in the cloud.
  • Performance: Cato SDP enables remote users to access business resources via a global private backbone, and not the unpredictable public Internet. This delivers a consistent and optimized experience to everyone, everywhere.


  • What is Zero Trust Network Access (ZTNA)?

    Zero Trust Network Access is a modern approach to securing access to applications and services. ZTNA denies everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and micro-segmentation that can limit lateral movement if a breach occurs.

  • How is ZTNA different from software-defined perimeter (SDP)?

    SDP and ZTNA today are functionally the same. Both describe an architecture that denies everyone and everything access to a resource unless explicitly allowed.

  • Why is ZTNA important?

    ZTNA is not only more secure than legacy network solutions, but it’s designed for today’s business. Users work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more.

  • How does ZTNA work?

    ZTNA uses granular application-level access policies set to default-deny for all users and devices. A user connects to and authenticates against a Zero Trust controller, which implements the appropriate security policy and checks device attributes. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity. The user’s and device’s status are continuously verified to maintain access.

  • How is ZTNA different from VPN?

    ZTNA uses an identity authentication approach whereby all users and devices are verified and authenticated before being granted access to any network-based asset. Users can only see and access the specific resources allowed to them by policy.

    A VPN is a private network connection based on a virtual secure tunnel between the user and a general terminus point in the network. Access is based on user credentials. Once users connects to the network, they can see all resources on the network with only passwords restricting access.

  • How can I implement ZTNA?

    In client-initiated ZTNA, an agent installed on an authorized device sends information about that device’s security context to a controller. The controller prompts the device’s user for authentication. After both the user and the device are authenticated, the controller provisions connectivity from the device through a gateway such as a next-generation firewall capable of enforcing multiple security policies. The user can only access applications that are explicitly allowed.
    In service-initiated ZTNA, a connector installed in the same network as the application establishes and maintains an outbound connection to the provider’s cloud. A user requesting access to the application is authenticated by a service in the cloud, followed by validation by an identity management product. Application traffic passes through the provider’s cloud, which provides isolation from direct access and attack via a proxy. No agent is needed on the user’s device.

  • Will ZTNA replace SASE?

    ZTNA is only a small part of SASE. Once users are authorized and connected to the network, there is still a need to protect against network-based threats. IT leaders still need the right infrastructure and optimization capabilities in place to protect the user experience. And they still need to manage their overall deployment.
    SASE addresses those challenges by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation.

  • What security capabilities does ZTNA lack?

    ZTNA addresses the need for secure network and application access but it doesn’t perform security functions such as checking for malware, detecting and remediating cyber threats, protecting web-surfing devices from infection, and enforcing company policies on all network traffic. That’s why the full suite of security services in SASE is a complement to ZTNA.

  • How do Zero Trust and SASE work together?

    With SASE, the ZT controller function becomes part of the SASE PoP and there’s no need for a separate connector. Devices connect to the SASE PoP, get validated and users are only given access to those applications (and sites) allowed by the security policy in the SASE Next-Generation Firewall (NGFW) and Secure Web Gateway (SWG).

    SASE addresses other security and networking needs by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation. Enterprises that leverage SASE receive the benefits of Zero Trust Network Access plus a full suite of network and security solutions, all converged together into a package that is simple to manage, optimized, and highly scalable.