Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is a new approach for securing remote access to business applications both on-premises and in the cloud. ZTNA is an integral part of Gartner’s Secure Access Service Edge (SASE) and Security Service Edge (SSE) frameworks.

Unlike cloud-native ZTNA, traditional VPNs are poorly suited for the shift to the cloud and to the increase in work-from-home users. VPNs rely on appliances, such as firewalls or VPN concentrators, forcing remote users’ traffic to specific physical locations. This architecture adds latency and creates capacity constraints. Once connected through a VPN, users are trusted with access to all resources on the network, increasing the risk of malware propagation and data breach. And, to reach the VPN gateways, users must rely on the unpredictable.

Overall, legacy VPN architectures expose the enterprise to attacks and adversely impact the user experience, especially when accessing cloud applications. For this reason, understanding what zero trust architecture is and what it has to offer is an important step in upgrading your organization’s IT infrastructure.

Cato Solution:
Cloud-native Secure Remote Access (ZTNA) for Everyone and Everywhere


Cloud-native ZTNA delivers secure remote access as an integral part of a company’s global network and security infrastructure. A global, cloud-scale platform supports any number of remote users within their geographical regions. Performance improves with end-to-end optimized access to any application using a global private backbone. Risk is minimized before and after users access the network through strong authentication and continuous traffic inspection for threat prevention. Cloud-native ZTNA makes mobile access easy — easy to deploy, easy to use, and easy to secure.

“Cato’s mobile VPN is my secret BCP [business continuity plan] in my back pocket. If my global network goes down, I can be like Batman and whip this thing out.”

Stuart Gail,
Infrastructure Architect, Network and Systems Group

Challenge

Delivering a scalable, optimized, and secure remote access to all users and applications

Remote and mobile access to on premises and cloud applications is challenging legacy VPN appliance-based architectures. Cloud traffic is forced through chokepoints at physical locations adding latency. VPN concentrators are needed for global coverage, scale, and load balancing. And, unrestricted network access creates excessive security risk.

Remote and mobile access to on premises and cloud applications is challenging legacy VPN appliance-based architectures. Cloud traffic is forced through chokepoints at physical locations adding latency. VPN concentrators are needed for global coverage, scale, and load balancing. And, unrestricted network access creates excessive security risk.

Cato Solution

Cato ZTNA enables global, cloud-scale, optimized and secure access to everyone

Cato provides an integrated client-based and clientless remote access solutions as part of the Cato Cloud. Users benefit from optimized and secure access to all applications on-premises and in the cloud while at home or on the road. Cato enforces strong authentication and granular access control as well as deep packet inspection of all traffic against threats. Cato’s global, cloud-scale platform seamlessly supports any number of users and applications globally

Cato provides an integrated client-based and clientless remote access solutions as part of the Cato Cloud. Users benefit from optimized and secure access to all applications on-premises and in the cloud while at home or on the road. Cato enforces strong authentication and granular access control as well as deep packet inspection of all traffic against threats. Cato’s global, cloud-scale platform seamlessly supports any number of users and applications globally

Traditional Solutions vs. Cato Solution

Legacy VPN

Legacy VPN

Cato

Cato

Massively Scalable Architecture

Legacy VPN

Non-scalable client/server architecture

Legacy VPN requires specialized hardware appliances and regional concentrators, to cover a global workforce. Because the architecture is appliance-based, it is subject to capacity constraints, especially with a sudden increase in work-from-home users.

Cato

Cloud-scale infrastructure supporting multi-gig traffic

Cato ZTNA is an integral part of Cato Cloud, a global, cloud-native architecture. Cato seamlessly scales to support optimized and secure access to any number of globally distributed users without requiring setting up any additional infrastructure.

Secure Access and Authentication

Legacy VPN

Unrestricted network access is a high risk

Legacy VPN provides secure access to whole networks. This expands the attack surface and enables excessive access that increases the risk of compromise and data breach.

Cato

Application-specific access reduces risk

Cato Cloud enforces multi-factor authentication and granular application access policies that restrict access to approved applications, on premise and in the cloud. The user never gets unrestricted access to the network layer.

Continuous Threat Prevention

Legacy VPN

Access only, no continuous threat prevention

Legacy VPN rarely includes continuous deep packet inspection (DPI) to protect against threats post authentication. This enables propagation of threats inside corporate networks that emanate from compromised endpoints.

Cato

Post access protection against threats

Cato provides continuous protection against threats, applying deep packet inspection (DPI) for threat prevention to all traffic regardless of source and destination. Protection is seamlessly extended to Internet access, as well as application access on-premises and in the cloud.

Optimal End-to-End Performance

Legacy VPN

No performance optimization

Legacy VPN requires mobile users to access resources across the public Internet. The increased latency and packet loss of public Internet routing undermines the user experience.

Cato

Built in global access optimization

With Cato, remote users access resources, on-premises and in the cloud, through Cato’s global private backbone which delivers a consistent and optimized user experience.

Business Continuity and Work from Home

Legacy VPN

VPN can’t support all users all the Time

Legacy VPN is designed to enable access for a subset of users over short periods of time. It’s not designed for 24×7 access to all users that are needed in business continuity scenarios.

Cato

Cato is built to deliver continuous access to everyone

Cato provides a globally distributed, cloud-scale platform to enable continuous access to all employees in the office, on the road, or at home.

Legacy VPN

Cato

Massively Scalable Architecture

Non-scalable client/server architecture

Legacy VPN requires specialized hardware appliances and regional concentrators, to cover a global workforce. Because the architecture is appliance-based, it is subject to capacity constraints, especially with a sudden increase in work-from-home users.

Cloud-scale infrastructure supporting multi-gig traffic

Cato ZTNA is an integral part of Cato Cloud, a global, cloud-native architecture. Cato seamlessly scales to support optimized and secure access to any number of globally distributed users without requiring setting up any additional infrastructure.

Secure Access and Authentication

Unrestricted network access is a high risk

Legacy VPN provides secure access to whole networks. This expands the attack surface and enables excessive access that increases the risk of compromise and data breach.

Application-specific access reduces risk

Cato Cloud enforces multi-factor authentication and granular application access policies that restrict access to approved applications, on premise and in the cloud. The user never gets unrestricted access to the network layer.

Continuous Threat Prevention

Access only, no continuous threat prevention

Legacy VPN rarely includes continuous deep packet inspection (DPI) to protect against threats post authentication. This enables propagation of threats inside corporate networks that emanate from compromised endpoints.

Post access protection against threats

Cato provides continuous protection against threats, applying deep packet inspection (DPI) for threat prevention to all traffic regardless of source and destination. Protection is seamlessly extended to Internet access, as well as application access on-premises and in the cloud.

Optimal End-to-End Performance

No performance optimization

Legacy VPN requires mobile users to access resources across the public Internet. The increased latency and packet loss of public Internet routing undermines the user experience.

Built in global access optimization

With Cato, remote users access resources, on-premises and in the cloud, through Cato’s global private backbone which delivers a consistent and optimized user experience.

Business Continuity and Work from Home

VPN can’t support all users all the Time

Legacy VPN is designed to enable access for a subset of users over short periods of time. It’s not designed for 24×7 access to all users that are needed in business continuity scenarios.

Cato is built to deliver continuous access to everyone

Cato provides a globally distributed, cloud-scale platform to enable continuous access to all employees in the office, on the road, or at home.

Frequently Asked Questions

  • What is ZTNA?

    Zero Trust Network Access (ZTA) is a new application access technology. It provides enterprises with three key capabilities: strong authentication of users, application-specific access rights based on their profile, and continuous risk assessment throughout their session.

  • How is ZTNA related to Zero Trust?

    The concept of Zero Trust is built into ZTNA by restricting access to specific applications without granting full access to the underlying network. Historically, once on the network, through a VPN connection or by being in a corporate office, an endpoint was deemed trusted and could access any application (subject only to application-level security). This means the network itself is vulnerable to attacks from compromised endpoints. Zero Trust is a new model aimed to fix that problem by “never trusting” an endpoint on the network unless it was granted specific access.

  • How is ZTNA different from SDP?

    Zero Trust Network Access (ZTNA) is a synonym to SDP. These are two names for the same thing.

  • How is ZTNA different from VPN?

    Legacy VPN is a network access technology. Post authentication, it provides users with an IP address on the network that enables them to access any application on that network (subject only to application-level security). This is considered a risky way to deliver application access because it exposes the network as a whole to attack from compromised endpoints. In addition, VPN doesn’t include global access optimization and on-going threat prevention. ZTNA limits access to authorized applications only without exposing the underlying network and continuously monitors application access for anomalous and malicious activity.

  • What is the benefit of ZTNA as part of a SASE or SSE platforms?

    When ZTNA is converged into a SASE or SSE platform it leverages a cloud-native platform attributes of scalable, optimized, and secure global application access. First, it is built into a cloud platform, so no point solution has to be deployed. Second, it benefits from cloud scalability and elasticity to support very large number of users. Third, it is made available globally via the global backbone, so it doesn’t need to be distributed geographically and traffic from every endpoint to the application is fully optimized. Lastly, ZTNA traffic is inspected end to end with a full cloud-based security stack to stop threats and attacks.