Zero Trust Network Access (ZTNA) and Zero Trust (ZT) are security models that are related, but often get wrongly conflated. In this article, I explore the definitions of ZTNA and ZT, showing how they overlap and enable each other—while also underscoring important differences between the two. ZTNA is about securing IT environments at the network level, making it a core element of broader ZT and Secure Access Service Edge (SASE) security models. As such, it’s a practical component, becoming more essential in securing today’s distributed environments.
ZTNA is a solution for securing remote access to an organization’s networks, data and applications based on the principle of Zero Trust. Using ZT principles, a ZTNA solution takes a “deny all by default” approach to any network access request. No person or device is trusted when access is requested. Only after the ZTNA solution has authenticated the user based on a range of criteria will the user/device be granted limited access privileges.
The connection occurs through a secure, encrypted tunnel. This approach provides additional security by blocking the user from seeing IP addresses of applications and services that he or she is not entitled to see. In this way, ZTNA is similar to the Software-Defined Perimeter (SDP), which hides data, apps and services from everyone but those with proper privileges. The ZTNA solution then continues to re-verify the user throughout the session.
ZTNA performs a comparable role to the virtual private network (VPN), but with some notable differences. Most VPNs use a “trust by default” policy, the opposite of ZTNA’s not trusting anyone or anything. Also, VPNs tend to grant flat access—once permission is given, the user can access everything on the network. The problem with this approach is that it enables a malicious user to move laterally across the network and potentially attack all of an organization’s digital assets. For this reason, many corporations are moving away from VPN in favor of ZTNA.
ZTNA offers several advantages. It’s more granular and context-aware than a VPN, with tighter control over access. It reduces the chance of lateral movement. ZTNA is also better than a VPN for managing access to digital assets that exist outside of an organization’s core network. This is becoming a common scenario today, which also explains the rising popularity of ZTNA.
ZTNA is an implementation of ZT, a broad, foundational cybersecurity model that can be applied to a wide variety of real-life scenarios. ZT is a concept and security model—not a defined solution. The fundamental law of ZT is to always deny access by default. If a user wants to access a database, he or she is not to be trusted without verification of identity. If a user wants to store a file, the request is similarly denied by default. Grants of access and usage privileges are handed out in the smallest possible increments, and the privileges are repeatedly rechecked as the usage session proceeds. ZT can work at any level of granularity.
ZTNA and ZT get mixed up for several reasons. First, they are connected ideas. You cannot have ZTNA without ZT. However, it’s possible to have ZT without ZTNA. Also, ZTNA is a practical solution that is now on the market in various forms. It’s easy to think, “I’m doing ZT if I buy a ZTNA solution.” However, you’d only be partly correct. You can implement ZTNA and still be granting unfettered flat access to all sorts of digital assets for users who have cleared the ZTNA access rules or policies.
ZTNA is one of five core elements of SASE, according to Gartner’s early definition of the model. The question is why? Indeed, it is possible to create a secure access policy without ZTNA. However, it would not be as secure as it needs to be.
ZTNA is essential for SASE because it addresses one of the main purposes of SASE—the securing of distributed digital assets for remote users.
ZTNA helps with this mission by controlling access policies between users and digital assets, regardless of where they are located. It can handle any user and any device, from any location. It also offers dynamic security, able to adapt to users who are on the move.
Some view ZTNA as a key first step toward implementing ZT. One reason has to do with the administrative challenges inherent in the ZT model. ZT is easy to understand in theory. In practice, it can be an unmanageable workload. Consider the following. Let’s say you have 1,000 users and 10 applications. If you want to grant individual privileges to users based on their right to access a resource, that means setting up individual trust profiles comprising up to 10,000 variations. For IT managers in real life, on planet earth, this is not happening.
The only way to deal with this operational challenge is to manage access policies by user role and network sub-segment. Users with finance roles get the right to access finance digital assets on the finance sub-segment, and so forth. ZTNA enables this process with relative ease in comparison to setting up individual trust profiles. It makes the concept of ZT easier to operationalize.
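The role-and-sub-segment policy described above, combined with the deny-by-default decision and in-session re-verification from earlier in the article, as an added example that is not taken from Masergy or any ZTNA product. The policy table, the role, segment and application names, and the `decide`, `recheck_session` and `flat_access_roles` helpers are all hypothetical; the last one audits for the flat, VPN-style grant that can survive a ZTNA rollout.

```python
from dataclasses import dataclass, replace

# Constructed sample policy: role -> permitted sub-segment and applications.
# Every role, segment and application name here is hypothetical.
ROLE_POLICY = {
    "finance":     {"segment": "finance-net", "apps": {"ledger", "payroll"}},
    "engineering": {"segment": "eng-net",     "apps": {"git", "ci"}},
    "contractor":  {"segment": "*",           "apps": {"*"}},  # flat grant
}

@dataclass
class Request:
    user: str
    role: str
    app: str
    segment: str
    mfa_passed: bool
    device_compliant: bool

def decide(req: Request, policy=ROLE_POLICY) -> tuple[bool, str]:
    """Deny by default: allow only when every check below passes."""
    if not req.mfa_passed:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device posture failed"
    rule = policy.get(req.role)
    if rule is None:
        return False, "no rule for role"
    if rule["segment"] not in ("*", req.segment):
        return False, "segment not permitted for role"
    if not ({"*", req.app} & rule["apps"]):
        return False, "app not permitted for role"
    return True, "allowed"

def recheck_session(req: Request, posture_samples: list[bool]) -> int:
    """Re-run the decision for each posture sample taken during a session.
    Returns the index at which access is revoked, or -1 if never revoked."""
    for i, compliant in enumerate(posture_samples):
        if not decide(replace(req, device_compliant=compliant))[0]:
            return i
    return -1

def flat_access_roles(policy=ROLE_POLICY) -> list[str]:
    """Audit: roles whose rule still allows any segment or any application."""
    return sorted(r for r, rule in policy.items()
                  if rule["segment"] == "*" or "*" in rule["apps"])
```

Three role rules cover every user here, while the wildcard `contractor` rule passes every check in `decide` and is only caught by the audit.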
ZTNA and ZT overlap but they are different. ZTNA is an incarnation of the ZT security model, and a key requirement for SASE models and solutions, because it helps turn these conceptual ideals into more practical realities. While the concept of ZT has been around for more than 20 years, operationalizing individual access policies by user role can be a challenge without the help of ZTNA technologies and SASE solutions. This helps explain why some view ZTNA as a key first step toward implementing ZT.