Zero Trust Network Access (ZTNA) and Zero Trust (ZT) are security models that are related, but often get wrongly conflated. In this article, I explore the definitions of ZTNA and ZT, showing how they overlap and enable each other—while also underscoring important differences between the two. ZTNA is about securing IT environments at the network level, making it a core element of broader ZT and Secure Access Service Edge (SASE) security models. As such, it’s a practical component, becoming more essential in securing today’s distributed environments.
ZTNA is a solution for securing remote access to an organization’s networks, data and applications based on the principle of Zero Trust. Using ZT principles, a ZTNA solution takes a “deny all by default” approach to any network access request. No person or device is trusted when access is requested. Only after the ZTNA solution has authenticated the user based on a range of criteria will the user/device be granted limited access privileges.
The connection occurs through a secure, encrypted tunnel. This approach provides additional security by blocking the user from seeing IP addresses of applications and services that he or she is not entitled to see. In this way, ZTNA is similar to the Software-Defined Perimeter (SDP), which hides data, apps and services from everyone but those with proper privileges. The ZTNA solution then continues to re-verify the user throughout the session.
ZTNA performs a comparable role to the virtual private network (VPN), but with some notable differences. Most VPNs use a “trust by default” policy, the opposite of ZTNA’s not trusting anyone or anything. Also, VPNs tend to grant flat access—once permission is given, the user can access everything on the network. The problem with this approach is that it enables a malicious user to move laterally across the network and potentially attack all of an organization’s digital assets. For this reason, many corporations are moving away from VPN in favor of ZTNA.
ZTNA offers several advantages. It’s more granular and context-aware than a VPN, with tighter control over access. It reduces the chance of lateral movement. ZTNA is also better than a VPN for managing access to digital assets that exist outside of an organization’s core network. This is becoming a common scenario today, which also explains the rising popularity of ZTNA.
ZTNA is an implementation of ZT, a broad, foundational cybersecurity model that can be applied to a wide variety of real-life scenarios. ZT is a concept and security model—not a defined solution. The fundamental law of ZT is to always deny access by default. If a user wants to access a database, he or she is not to be trusted without verification of identity. If a user wants to store a file, the request is similarly denied by default. Grants of access and usage privileges are handed out in the smallest possible increments. And, the privileges are to be repeatedly rechecked as the usage session proceeds. ZT can work at any level of granularity.
ZTNA and ZT get mixed up for several reasons. First, they are connected ideas. You cannot have ZTNA without ZT. However, it’s possible to have ZT without ZTNA. Also, ZTNA is a practical solution that is now on the market in various forms. It’s easy to think, “I’m doing ZT if I buy a ZTNA solution.” However, you’d only be partly correct. You can implement ZTNA and still be granting unfettered flat access to all sorts of digital assets for users who have cleared the ZTNA access rules or policies.
ZTNA is one of five core elements of SASE, according to Gartner’s early definition of the model. The question is why? Indeed, it is possible to create a secure access policy without ZTNA. However, it would not be as secure as it needs to be.
ZTNA is essential for SASE because it addresses one of the main purposes of SASE—the securing of distributed digital assets for remote users.
ZTNA helps with this mission by controlling access policies between users and digital assets, regardless of where they are located. It can handle any user and any device, from any location. It also offers dynamic security, able to adapt to users who are on the move.
Some view ZTNA as a key first step toward implementing ZT. One reason has to do with the administrative challenges inherent in the ZT model. ZT is easy to understand in theory. In practice, it can be an unmanageable workload. Consider the following. Let’s say you have 1,000 users and 10 applications. If you want to grant individual privileges to users based on their right to access a resource, that means setting up individual trust profiles comprising up to 10,000 variations. For IT managers in real life, on planet earth, this is not happening.
The only way to deal with this operational challenge is to manage access policies by user role and network sub-segment. Users with finance roles get the right to access finance digital assets on the finance sub-segment, and so forth. ZTNA enables this process with relative ease in comparison to setting up individual trust profiles. It makes the concept of ZT easier to operationalize.
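As an added example (not code from the original post or from Masergy), the following Python sketch models the approach described above: a deny-by-default policy decision point that grants access by user role and network sub-segment, exposes only the applications an identity is entitled to, and re-evaluates the decision when session context changes. The role map, application catalogue and context fields are constructed assumptions.

```python
"""Minimal role-and-sub-segment ZTNA policy decision point (illustrative)."""
from dataclasses import dataclass

# Constructed catalogue: the sub-segment each application lives on.
APP_SEGMENT = {"ledger": "finance", "payroll": "finance",
               "jira": "engineering", "wiki": "engineering"}

# Constructed role policy: role -> sub-segments it may reach.
# Any role or segment not listed here is denied by default.
ROLE_POLICY = {"finance": {"finance"},
               "engineer": {"engineering"},
               "auditor": {"finance", "engineering"}}


@dataclass
class Context:
    """What the ZTNA broker knows about a request (assumed fields)."""
    user: str
    roles: set
    device_compliant: bool  # device posture check result
    mfa_passed: bool        # identity verification result


def visible_apps(ctx):
    """Return only the apps this identity may see; all others stay hidden."""
    if not (ctx.mfa_passed and ctx.device_compliant):
        return set()  # unverified identity or device: nothing is exposed
    segments = set().union(*(ROLE_POLICY.get(r, set()) for r in ctx.roles))
    return {app for app, seg in APP_SEGMENT.items() if seg in segments}


def decide(ctx, app):
    """Deny-by-default decision for a single access request."""
    return "allow" if app in visible_apps(ctx) else "deny"


def reverify(ctx, app, device_compliant, mfa_passed):
    """Mid-session re-check: changed context is re-evaluated, so a grant
    can be revoked (e.g. the device falls out of compliance)."""
    updated = Context(ctx.user, ctx.roles, device_compliant, mfa_passed)
    return decide(updated, app)


def grant_count(users, apps):
    """Compare per-user entitlements (users x apps) with the number of
    role-to-segment grants the role policy actually needs."""
    role_grants = sum(len(segs) for segs in ROLE_POLICY.values())
    return users * apps, role_grants
```

With the page's figures of 1,000 users and 10 applications, `grant_count` returns 10,000 per-user entitlements against 4 role-to-segment grants for the constructed policy.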
ZTNA and ZT overlap but they are different. ZTNA is an incarnation of the ZT security model, and a key requirement for SASE models and solutions, because it helps turn these conceptual ideals into more practical realities. While the concept of ZT has been around for more than 20 years, operationalizing individual access policies by user role can be a challenge without the help of ZTNA technologies and SASE solutions. This helps explain why some view ZTNA as a key first step toward implementing ZT.
Ready to take your first steps toward ZT? Get a free network security consultation with Masergy.