What is Zero Trust Network Access (ZTNA)?

Zero Trust Network Access (ZTNA) is fast becoming a “must-have” in enterprise cybersecurity. ZTNA’s increasing prevalence is partly due to its inclusion in the popular Secure Access Service Edge (SASE) model converging network and security together. However, there is more to ZTNA than just SASE.

An Introduction to ZTNA

ZTNA is a distinct realization of the broader “Zero Trust” security paradigm. Understanding what ZTNA is and why it is important today requires an awareness of its connections to related concepts. This article explores the meaning of ZTNA and its current relevance and relationships, focusing on today’s need to limit access rights based on user identity and increase security by minimizing lateral movement across networks.

To understand ZTNA, it’s useful to have a good grasp of what it’s replacing.

The problems with traditional VPN security: Allowing broad access by default

Traditionally, remote access to corporate networks has been achieved through Virtual Private Networks (VPNs). Upon receiving login credentials like a username and password, the VPN either allows or denies access to a user. But here’s where the problem lies. A VPN is said to work on the premise of “default allow,” meaning it admits users with verified credentials to the network by default. Once the VPN grants access to the network, that access is typically “flat,” meaning the user has very broad access across the network to all sorts of data, applications, and other digital resources.

How ZTNA improves security: Trust no one at the outset

ZTNA, in contrast, works under the “default deny” policy. It trusts no one at the outset. Only after verifying the user’s identity—often by the parameters of their device, location, and so forth—will it grant access rights limited only to those resources for which they are specifically granted permission. The user then communicates with those resources through an encrypted tunnel.

Benefits of ZTNA: Less lateral movement

Under the ZTNA approach, there is a greatly reduced chance for the user to make “lateral movements” across the corporate network, that is, to reach data and files they would not normally be permitted to access. Ideally, a ZTNA solution will spin up a secure IPsec network tunnel for each system used. That tunnel does not pass through the ZTNA solution itself; the ZTNA system is there to authorize communications, not to serve as the conduit for them.

Why is ZTNA important?

ZTNA is growing in adoption and relevance today for a variety of reasons. At one level, the number of potential threat surfaces on a cloud-enabled corporate network has simply outpaced the capabilities of traditional access control models. “Default allow” is deficient in a world where attackers can buy network credentials on the dark web and easily impersonate corporate users. The ability of attackers with either stolen credentials or access exploits to move laterally across networks further amplifies the risk.

More WFH business models, more cloud apps, more interest in ZTNA

The work-from-home (WFH) trend has also led to increased interest in ZTNA. Both remote access challenges and the need for more applications in the cloud call for more security protections. Security issues aside, VPNs are just not ideal for large-scale remote access, because they can present challenges when trying to meet the demands of a huge at-home workforce.

With a high proportion of employees needing to log onto the corporate network from home, ZTNA emerges as a superior approach. With ZTNA, any digital asset for which access is not granted remains invisible to the user. ZTNA makes it as if each user has his or her own separate VPN, customized at that moment to the specific solution or information they need to access. Furthermore, ZTNA enforces user access rights on cloud-based applications.
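The contrast drawn in the sections above (a VPN's “default allow” once credentials check out, versus ZTNA's “default deny” with per-resource grants that also consider device posture and location, and resources with no grant staying invisible) can be shown as a small policy evaluator. This is an added illustration, not code from the original article or from any ZTNA product; the roles, applications, posture fields and policy entries are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Constructed request context: who is asking, from what device, from where."""
    user: str
    role: str
    device_managed: bool
    os_patched: bool
    country: str


@dataclass(frozen=True)
class Grant:
    """One explicit entitlement: a role may reach one application under these conditions."""
    role: str
    app: str
    require_managed_device: bool = True
    allowed_countries: tuple = ()   # empty tuple means "any location"


# Constructed policy: nothing is reachable unless a Grant says so (default deny).
POLICY = (
    Grant("finance", "erp", allowed_countries=("US", "CA")),
    Grant("finance", "payroll"),
    Grant("engineering", "git"),
    Grant("engineering", "ci", require_managed_device=False),
)


def vpn_decide(credentials_ok: bool, app: str) -> bool:
    """Traditional VPN model: once credentials verify, every app on the flat network is reachable."""
    return credentials_ok


def ztna_decide(ctx: Context, app: str) -> bool:
    """ZTNA model: allow only if some grant matches role, app, device posture and location."""
    for g in POLICY:
        if g.role != ctx.role or g.app != app:
            continue
        if g.require_managed_device and not (ctx.device_managed and ctx.os_patched):
            continue   # grant exists but this device does not satisfy it
        if g.allowed_countries and ctx.country not in g.allowed_countries:
            continue   # grant exists but not from this location
        return True
    return False       # no matching grant: deny


def visible_apps(ctx: Context, all_apps) -> list:
    """Apps the user can even see: ZTNA hides anything the policy does not grant."""
    return [a for a in all_apps if ztna_decide(ctx, a)]
```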

Is ZTNA the same as the Zero Trust Model?

ZTNA is a network-level realization of the overall “Zero Trust” model of cybersecurity.

What is a Zero Trust model of security?

Zero Trust turns traditional security paradigms on their heads. Instead of assuming that a credentialed user is allowed access to resources as defined by their role or an Access Control List (ACL), Zero Trust initially makes no resources available to anyone, that is, until due diligence has been done. Thus, with Zero Trust, all files and applications are completely off limits by default—until the user can be verified and a unique access session is established. This is worth mentioning, because there are numerous Zero Trust solutions on the market, but not all of them are ZTNA. Some have to do with granular database permissions and the like.

Zero Trust is not new

While it feels new to many, the concept of Zero Trust is not new at all. In fact, it’s been around for over 20 years as the “original best practice” for firewalls and network security. But you can see why it’s resurging now. Today’s business models and the evolving threat landscape make broad Zero Trust approaches more important, due to the expanded network access points from hybrid networks and work-from-home accessibility. The attack surface is bigger today than it has ever been, making Zero Trust network access essential.

How does ZTNA fit into the SASE framework?

ZTNA is one of the core elements of SASE, which is rapidly becoming the predominant network and security paradigm. Providing a way for people to securely connect virtually any device from any location, SASE solutions combine these capabilities into one cloud-based platform:

  1. ZTNA
  2. Software-Defined Wide Area Network (SD-WAN)
  3. Cloud Access Service Broker (CASB)
  4. Secure Web Gateway (SWG)
  5. Firewall-as-a-Service (FWaaS)

SASE operates at the network “edge,” but in truth, that “edge” is now everywhere: at home, on the road, on premises, in offices and beyond. All users are effectively the network edge today. Thus, there’s a natural alignment between ZTNA and SASE, because remote users need fine-grained access controls. ZTNA is the most complete realization of that objective.

While ZTNA is not intrinsic to the SD-WAN vision, it naturally complements SD-WAN—just as SD-WAN complements SASE. SD-WAN edge points could serve as access/policy-enforcement points for a ZTNA. Or, an SD-WAN solution could be the mechanism for managing the connections from users to services, and so forth.

How does an enterprise implement ZTNA?

Putting a ZTNA solution into operation can be challenging, but the good news is that it works best with an incremental approach to deployment. There need not be a “rip and replace” experience. Instead, the best practice is to identify a subset of users that can be migrated to ZTNA from an existing VPN solution. Alternatively, ZTNA can substitute for a proposed VPN upgrade. IT staff are often eager volunteers for this kind of duty.

In working with this pilot group, IT teams identify the systems and assets on the corporate network that individual users need to access. Such information typically resides in the enterprise directory, and more often than not, this exercise reveals that the directory needs a cleanup regarding legacy access rights that a user should no longer have because of a change in role. The process can also highlight globally granted access rights that should no longer be global, and so forth, as these policies run counter to Zero Trust principles. Thus, there are many side benefits to implementing ZTNA.

ZTNA in Conclusion

ZTNA is becoming more common in the enterprise. The rising level of security threats, coupled with the work-from-home trend, makes it a natural evolution in network access. The increasing prevalence of SASE also makes ZTNA a technology that many companies are now considering. Deploying ZTNA can be a step-by-step process that works in tandem with tidying up outdated access control policies. Organizations that are not currently evaluating ZTNA should undoubtedly put it on their radars.