What is Zero Trust Network Access (ZTNA)?
Zero Trust Network Access (ZTNA) is fast becoming a “must-have” in enterprise cybersecurity. ZTNA’s increasing prevalence is partly due to its inclusion in the popular Secure Access Service Edge (SASE) model converging network and security together. However, there is more to ZTNA than just SASE.
An Introduction to ZTNA
ZTNA is a distinct realization of the broader “Zero Trust” security paradigm. Understanding what ZTNA is and why it is important today requires an awareness of its connections to related concepts. This article explores the meaning of ZTNA and its current relevance and relationships, focusing on today’s need to limit access rights based on user identity and increase security by minimizing lateral movement across networks.
To understand ZTNA, it’s useful to have a good grasp of what it’s replacing.
The problems with traditional VPN security: Allowing broad access by default
Traditionally, remote access to corporate networks has been achieved through Virtual Private Networks (VPNs). Upon receiving log in credentials like a username and password, the VPN either allows or denies access to a user. But here’s where the problem lies. A VPN is said to work on the premise of “default allow,” meaning it admits users with verified credentials to the network by default. Once the VPN grants access to the network, that access is typically “flat,” meaning the user has very broad access across the network to all sorts of data, applications, and other digital resources.
How ZTNA improves security: Trust no one at the outset
ZTNA, in contrast, works under the “default deny” policy. It trusts no one at the outset. Only after verifying the user’s identity—often by the parameters of their device, location, and so forth—will it grant access rights limited only to those resources for which they are specifically granted permission. The user then communicates with those resources through an encrypted tunnel.
Benefits of ZTNA: Less lateral movement
Under the ZTNA approach, there is a greatly reduced chance for the user to make “lateral movements” across the corporate network, in other words obtaining data and files not typically accessible on a corporate network. Ideally, a ZTNA solution will spin up a secure IPsec network tunnel for each system used. And, that tunnel doesn’t pass through the ZTNA solution directly. Rather, the ZTNA system is there to authorize communications, not serve as the conduit for them.
Why is ZTNA important?
ZTNA is growing in adoption and relevance today for a variety of reasons. At one level, the number of potential threat surfaces on a cloud-enabled corporate network has simply outpaced the capabilities of traditional access control models. “Default allow” is deficient in a world where attackers can buy network credentials on the dark web and easily impersonate corporate users. The ability of attackers with either stolen credentials or access exploits to move laterally across networks further amplifies the risk.
More WFH business models, more cloud apps, more interest in ZTNA
The work-from-home (WFH) trend has also led to increased interest in ZTNA. Both remote access challenges and the need for more applications in the cloud call for more security protections. Security issues aside, VPNs are just not ideal for large-scale remote access, because they can present challenges when trying to meet the demands of a huge at-home workforce. Here are some WFH security do’s and don’ts.
With a high proportion of employees needing to log onto the corporate network from home, ZTNA emerges as a superior approach. With ZTNA, any digital asset for which access is not granted will remain invisible to the user. ZTNA makes it as if each user has his or her separate VPN, customized at that moment to the specific solution or information they need to access. Furthermore, ZTNA enforces user access rights on cloud-based applications.
Is ZTNA the same as the Zero Trust Model?
ZTNA is a network-level realization of the overall “Zero Trust” model of cybersecurity.
What is a Zero Trust model of security?
Zero Trust turns traditional security paradigms on their heads. Instead of assuming that a credentialled user is allowed to access to resources as defined by their role or an Access Control List (ACL), Zero Trust initially makes no resources available to anyone, that is until due diligence has been done. Thus, with Zero Trust, all files and applications are completely off limits by default—until the user can be verified and a unique access session is established. This is worth mentioning, because there are numerous Zero Trust solutions on the market, but not all of them are ZTNA. Some have to do with granular database permissions and the like.
Zero Trust is not new
While it feels new to many, the concept of Zero Trust is not new at all. In fact, it’s been around for over 20 years as the “original best practice” for firewalls and network security. But you can see why it’s resurging now. Today’s business models and the evolving threat landscape make broad Zero Trust approaches more important, due to the expanded network access points from hybrid networks and work-from-home accessibility. The attack surface is bigger today than it has ever been, making Zero Trust network access essential.
How does ZTNA fit into the SASE framework?
ZTNA is one of the core elements of SASE, which is rapidly becoming the predominant network and security paradigm. Providing a way for people to securely connect virtually any device from any location, SASE solutions combine these capabilities into one cloud-based platform:
- Software-Defined Wide Area Network (SD-WAN)
- Cloud Access Service Broker (CASB)
- Secure Web Gateway (SWG)
- Firewall-as-a-Service (FWaas)
SASE operates at the network “edge,” but in truth, that “edge” is now everywhere: at home, on the road, on premises, in offices and beyond. All users are effectively the network edge today. Thus, there’s a natural alignment between ZTNA and SASE, because remote users need fine-grained access controls. ZTNA comprises the most complete realization of that objective.
While ZTNA is not intrinsic to the SD-WAN vision, it naturally complements SD-WAN—just as SD-WAN complements SASE. SD-WAN edge points could serve as access/policy-enforcement points for a ZTNA. Or, an SD-WAN solution could be the mechanism for managing the connections from users to services, and so forth.
How does an enterprise implement ZTNA?
Putting a ZTNA solution into operation can be challenging, but the good news is that it works best with an incremental approach to deployment. There need not be a “rip and replace” experience. Instead, the best practice is to identify a subset of users that can be migrated to ZTNA from an existing VPN solution. Alternatively, ZTNA can substitute for a proposed VPN upgrade. IT staff are often eager volunteers for this kind of duty.
In working with this pilot group, IT teams identify the systems and assets on the corporate network that individual users need to access. Such information typically resides in the enterprise directory, and more often than not, this exercise reveals that the directory needs a cleanup regarding legacy access rights that a user should no longer have because of a change in role. The process can also highlight globally granted access rights that should no longer be global, and so forth, as these policies run counter to Zero Trust principles. Thus, there are many side benefits to implementing ZTNA.
ZTNA in Conclusion
ZTNA is becoming more common in the enterprise. The rising level of security threats, coupled with the work-from-home trend, make it a natural evolution in network access. The increasing prevalence of SASE also makes ZTNA a technology that many companies are now considering. Deploying ZTNA can be a step-by-step process that works in tandem with tidying up outdated access control policies. Organizations that are not currently evaluating ZTNA should undoubtedly put it on their radars.
Interested in how SD-WAN can improve your business?
Call us now to arrange a consultation (866) 588-5885.
Or arrange for a consultation through our request form.
Ransomware cases grew 150% in 2020 with nearly 8 in 10 American companies experiencing attacks. Learn how Ransomware works, how it's spread, and how to defend against it.
SIEM and SIEMaaS
Understand the trends and pressures that make Security Information and Event Management (SIEM) an essential element of a robust security strategy.
What is Network Automation?
Networks are time and labor-intensive, making automation highly desirable. But what can be automated and when will networks be fully autonomous? Here are the answers.
AIOps – A Masergy Guide
AIOps (a key enabler of Autonomous Networking) is technology that uses machine-learning algorithms to automate & optimize an organization's IT operations, particularly its network.
A Guide to Endpoint Security
Learn how Endpoint Security can protect devices like desktops, laptops, mobile phones & tablets from cyber attacks such as ransomware, phishing, & more.
Cloud Networking – A Masergy Guide
Cloud networking involves building a network using cloud services rather than hardware. Here’s an introduction and how Masergy’s cloud network works.
Digital Transformation – A Masergy Guide
A digital transformation can elevate your enterprise to a new level of agility and increase your competitive advantage. Learn how these secure global networks and cloud-based team collaboration solutions can put you in control, ready to face the future with confidence.
This 101 class explains why Cybersecurity is important and how it works, while exploring the differences between Cloud Security.
Want an introduction to SASE? Are you curious to know how it works, the basic features, and the key differentiators of Masergy’s SASE solution? Get all the answers here.
Want an introduction to SD-WAN? Are you curious to know how it works, the basic features, and the key differentiators of Masergy’s SD-WAN solutions? Get all the answers here.
Cloud Access Security Broker (CASB) solutions are complex software systems designed for businesses with users who access cloud-based data and services that act as automated security mediators between users and cloud service providers. Learn how CASB helps to mitigate cybersecurity risks.
Masergy partners with Cisco, so clients can get industry-leading applications backed by leading network services. Here’s an FAQ guide to our partnership.
Want an overview of security, the primary technologies used, and what a managed security service provider does? Here are the answers to your frequently asked questions.