ZTNA: Zero Trust Network Access

Zero Trust Solutions: 5 Solution Categories and How to Choose

What Are Zero Trust Solutions?

Zero trust solutions are security toolkits that incorporate network access controls and security measures to implement the principle of zero trust, which regards all users and entities as potentially malicious until proven safe. Implementing zero trust networks often requires organizations to combine multiple tools and processes.

Zero trust security solutions offer a range of security and monitoring features that protect a network from security breaches. For instance, a zero trust security solution combines multiple processes to authenticate a user, offering additional security measures such as multi-network management, segmentation, and monitoring.

5 Zero Trust Solution Categories

Zero trust is not a technology—it is a security paradigm. This means that many existing technologies can be used to implement a zero trust architecture. In addition, new solution categories are emerging that are built from the ground up for a zero trust security model.

1. Multi-Factor Authentication (MFA) and Single Sign On (SSO)

An important part of a zero trust implementation is to ensure that trust is not based on the network segment the user operates in, but on explicit identity verification. In addition, usernames and passwords can be easily compromised by attackers and are no longer suitable as a single form of authentication. To enable zero trust, you can leverage:

  • MFA—combines multiple forms of authentication to ensure robust authentication of user identities, and reduce the impact of credential theft.
  • SSO—allows users to sign in with one set of credentials and access all enterprise applications, according to their account’s authorization. This removes the need for multiple passwords, enables central control over user accounts, and is also more convenient for users.

2. IAM

A key requirement of zero trust is identity-driven security. This is powered by the identity and access management (IAM) systems, which are typically cloud-based. An IAM system provides capabilities such as:

  • Lifecycle management for internal and external users
  • Central identity governance
  • Privileged access management (PAM)
  • Role-based and attribute-based access controls (RBAC and ABAC)
  • Just-in-time (JIT) access enabling personnel to access systems on an as-needed basis, allowing for emergency or exception-based access

Using these capabilities, modern IAM systems can help you enforce least privilege access across the organization. You can also enforce permissions based on time and location of the user to reduce the attack surface. This ensures every user—whether an in-house employee, third-party contractor, or customer—has access only to the systems and operations they actually need for their role.

3. Zero Trust Network Access (ZTNA)

ZTNA, previously known as software-defined perimeter (SDP), is an advanced access solution that only allows users to connect to an application if they need it to perform their roles. User permissions are defined using roles that directly map to the employee’s organizational role.

A ZTNA solution first authenticates a user, verifies its identity, and links it to roles defined in the organization. All access to systems on the internal network pass through the ZTNA system. ZTNA allows traffic to pass to a specific system, or blocks access, depending on the result of authentication and the user’s predetermined roles.

ZTNA solutions are a replacement for virtual private networks (VPN). VPNs offer a secure way to connect to a network, but give users access to the entire network and all its resources, which is not compatible with zero trust. ZTNA creates a software-based perimeter that granularly defines which data centers, environments, and specific applications a user should have access to.

Learn more in our guide to ZTNA

4. Secure Access Service Edge (SASE)

Secure Access Service Edge (SASE) is a cloud-based service that provides wide access networking (WAN), remote access, and security functionality. SASE extends networking capabilities to wherever the organization operates—in the local data center and in one or more public clouds.

SASE is a service that packages several technology solutions within it:

  • ZTNA—described above.
  • SD-WAN—a virtual WAN architecture that improves agility and reduces costs for wide area networks, leveraging any available data service including MPLS, broadband, and wireless.
  • Firewall as a service (FWaaS)—provides a managed firewall wherever the organization runs software services.
  • Secure web gateway (SWG)—manages remote access for users.
  • Cloud access security broker (CASB)—performs security policy enforcement for on-premises resources or users accessing the cloud.

Learn more in our guide to SASE

Zero Trust Networks vs. Virtual Private Network (VPN)

Virtual Private Networks (VPNs) allow users to remotely access a corporate network. Client software deployed on the user’s device communicates with a VPN server or appliance in the corporate network via an encrypted channel.

While VPN enables communication over a secure channel, its weakness is that it assumes the user’s device is trusted. If the user provides correct credentials, they are allowed complete access to the network. Therefore, if the device or the user’s account is compromised, or attackers exploit a VPN vulnerability, they can move laterally across the corporate network.

VPNs are not compatible with a zero trust security model. To achieve zero trust, ZTNA replaces VPN, allowing granular access to resources on the network. Each user is allowed access based on their role and the current security context – for example, the device they are using and the time of day. ZTNA authorizes each access request, continually verifying that users are authorized to access network resources.

How to Choose Zero Trust Solutions?

To determine which zero trust solution works best for you, consider these key points:

  • Vendor support—do you need to install an endpoint agent and support all operating systems and mobile devices? Monitor the agent’s behavior in the presence of other agents and verify what devices and operating systems the vendor supports.
  • The type of zero trust technology—for instance, a ZTNA broker that you need to install and manage or zero trust network access as a service (ZTNAaaS).
  • Security posture assessments—does the vendor allow you to assess the security posture of managed and unmanaged devices or do you need to use a unified endpoint management (UEM) tool?
  • User and entity behavior analytics (UEBA)—does the solution include UEBA functionality to identify suspicious activity within the protected network?
  • Global distribution—the geographical diversity of entry and exit points (i.e., edge locations and POPs). Determine what edge/physical infrastructure providers or colocation facilities the vendor uses.
  • Legacy application support—determine if there is security support for legacy applications in addition to web applications.
  • Compliance with industry standards—prefer a vendor that meets stringent security standards. A zero trust provider should at least have ISO 27001 certification, and preferably should meet SOC2 security requirements.
  • The licensing model—check the license type (i.e., by bandwidth or per user) and verify the protocol for exceeding usage during the term of the contract (i.e., whether there is a grace period, requirement to provide a true-up payment, or loss of access).

FAQ

  • What is Zero Trust Network Access (ZTNA)?

    Zero Trust Network Access is a modern approach to securing access to applications and services. ZTNA denies everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and micro-segmentation that can limit lateral movement if a breach occurs.

  • How is ZTNA different from software-defined perimeter (SDP)?

    SDP and ZTNA today are functionally the same. Both describe an architecture that denies everyone and everything access to a resource unless explicitly allowed.

  • Why is ZTNA important?

    ZTNA is not only more secure than legacy network solutions, but it’s designed for today’s business. Users work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more.

  • How does ZTNA work?

    ZTNA uses granular application-level access policies set to default-deny for all users and devices. A user connects to and authenticates against a Zero Trust controller, which implements the appropriate security policy and checks device attributes. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity. The user’s and device’s status are continuously verified to maintain access.

  • How is ZTNA different from VPN?

    ZTNA uses an identity authentication approach whereby all users and devices are verified and authenticated before being granted access to any network-based asset. Users can only see and access the specific resources allowed to them by policy.

    A VPN is a private network connection based on a virtual secure tunnel between the user and a general terminus point in the network. Access is based on user credentials. Once users connects to the network, they can see all resources on the network with only passwords restricting access.

  • How can I implement ZTNA?

    In client-initiated ZTNA, an agent installed on an authorized device sends information about that device’s security context to a controller. The controller prompts the device’s user for authentication. After both the user and the device are authenticated, the controller provisions connectivity from the device through a gateway such as a next-generation firewall capable of enforcing multiple security policies. The user can only access applications that are explicitly allowed.
    In service-initiated ZTNA, a connector installed in the same network as the application establishes and maintains an outbound connection to the provider’s cloud. A user requesting access to the application is authenticated by a service in the cloud, followed by validation by an identity management product. Application traffic passes through the provider’s cloud, which provides isolation from direct access and attack via a proxy. No agent is needed on the user’s device.

  • Will ZTNA replace SASE?

    ZTNA is only a small part of SASE. Once users are authorized and connected to the network, there is still a need to protect against network-based threats. IT leaders still need the right infrastructure and optimization capabilities in place to protect the user experience. And they still need to manage their overall deployment.
    SASE addresses those challenges by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation.

  • What security capabilities does ZTNA lack?

    ZTNA addresses the need for secure network and application access but it doesn’t perform security functions such as checking for malware, detecting and remediating cyber threats, protecting web-surfing devices from infection, and enforcing company policies on all network traffic. That’s why the full suite of security services in SASE is a complement to ZTNA.

  • How do Zero Trust and SASE work together?

    With SASE, the ZT controller function becomes part of the SASE PoP and there’s no need for a separate connector. Devices connect to the SASE PoP, get validated and users are only given access to those applications (and sites) allowed by the security policy in the SASE Next-Generation Firewall (NGFW) and Secure Web Gateway (SWG).

    SASE addresses other security and networking needs by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation. Enterprises that leverage SASE receive the benefits of Zero Trust Network Access plus a full suite of network and security solutions, all converged together into a package that is simple to manage, optimized, and highly scalable.