You’ve probably heard the term ” Zero Trust Network,” or “zero trust,” or something like it a hundred times. And like most people, you might have thought it was just an industry catchphrase meant to convey a sort of healthy paranoia about network accessibility, or IT security in general. Like being “buttoned up,” digitally speaking.
But Zero Trust Network Access is a thing. And now we’re going to explain it a bit.
What is Zero Trust Network Access?
It is important to note that ZTNA is a concept or capability rather than a specific product. Several IT, networking and security suppliers implement ZTNA in different ways. Over time, they will implement ZTNA to replace aging VPN infrastructure and as part of an overall Secure Access Service Edge architecture.
ZTNA a product or service that creates an identity/context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. This broker verifies the identity, context and policy adherence of the specified participants before allowing access to them. They also prohibit lateral movement in the network. This removes application assets from public visibility and significantly reduces the surface area for attack.
What is Zero Trust Network Access, in English?
Well, unlike VPNs, which grant complete access by default, ZTNA solutions default to deny. They provide only the access the user has been explicitly granted. It is important to understand the security gaps and benefits ZTNA can provide as more remote users join the network.
In short, ZTNA requires strong, regular authentication and authorization of devices and users.
How Does ZTNA Work?
Access is established after the user has been authenticated. The ZTNA service then provisions access to the application on the user’s behalf. It is done through a secure, encrypted tunnel. This provides an added layer of protection for corporate applications and services by shielding otherwise publicly visible IP addresses.
Like software-defined perimeters, ZTNA leverages the concept of a dark cloud. This prevents users from seeing any applications and services that they don’t have permission to access. In turn, this prrotects against lateral attacker movement, where a compromised endpoint or credentials would otherwise permit scanning and pivoting to other services.
By contrast, VPNs are designed to grant complete access to a LAN. They offer a private, encrypted tunnel for remote employees to connect to the corporate network. This may seem like a practical solution. But VPN unfortunately lacks the flexibility and granularity to control and see exactly what users can do and which apps they can access. Once a user is granted access, they can access anything on the network. And that leads to security gaps and policy enforcement problems.
Benefits of Zero Trust Network Access
Identity-based authentication and access control found in ZTNA provide an alternative to IP-based access typically used with most VPNs. This helps reduce an organization’s attack surface. ZTNA also allows organizations to implement location or device-specific access control policies. Such a capability prevents unpatched or vulnerable devices from connecting to corporate services. And that alleviates common VPN-related challenges where BYOD remote users are granted the same level of access as users at a corporate office, even though they often have fewer security controls in place. Some agent-based ZTNA solutions provide a pre-authentication trust assessment of the connecting user and device, including device posture, authentication status and user location. However, the rapid shift to remote and hybrid work, coupled with the rapid rise in cloud adoptions, has exposed significant gaps in initial, or 1.0, iterations of ZTNA.
ZTNA 2.0
Zero Trust Network Access 2.0 overcomes the limitations of legacy ZTNA solutions. And it provides secure connections to deliver better security outcomes for businesses with hybrid workforces. In short, ZTNA 2.0 delivers Least-priveledged access, Continuous trust verification, and Continuous security inspection. ZTNA 2.0 also protects all data and protects all applications, unlike ZTNA 1.0
Drawbacks of Zero Trust Network Access
ZTNA does not provide inline inspection of user traffic from the application after the user establishes a connection. This can lead to potential security issues. Examples would be when a user’s device or credentials become compromised. Another would be the case of a malicious insider who uses their access to a resource to disrupt the application or host.
Other drawbacks are Mapping access rights. This means deciding on and defining who or what needs access to what data and resources requires time, effort and sometimes additional tools.
Entrenched products and services – In other words, winning political battles with people who are all-in on an incumbent technology can be a challenge to getting ZTNA launched and implemented into all logical use cases.
End-user friction -Nobody likes change. Many organizations have seen pushback based on the “need” to avoid disruption to end users. Most IT departments have had a few deployment projects flop because of foundered resistance to change among the user population.
Cost – A ZTNA system can be expensive. It can be hard to justify if it is not displacing other spending.Try to identify and pursue offsetting savings as a part of the deployment planning for ZTNA.
ZTNA use cases
The main use cases for ZTNA include Remote work/VPN replacement, Internal firewall replacement, Network access control replacement, Terminal services/VDI replacement, and Private WAN replacement.
How do I get it, and who sells it?
Just about any product or service provider promising SASE or SSE services should provide a cloud-modeled ZTNA service that can, at the very least, fill the VPN use case for remote users. Such vendors include Cato Networks, Cloudflare and Zscaler.
ZTNA can also be approached from a more appliance-based angle, so vendors such as Fortinet also offer ZTNA. So does Palo Alto.
Of course, you can call reach out to Corporate Armor or call 877-449-0458 to learn more about the Zero Trust Network Access, and whether it’s right for you. We can also help you put together your own ZTNA framework. Thanks for reading!
What Zero Trust Network Access does
Controls whether network traffic is allowed to flow based on policy |
Treats policy as dynamic in real time |
Defaults to blocking all traffic |
Allows a traffic flow only when a policy explicitly allows it |
Verifies the identities of all parties to a network flow before allowing it |
Verifies, as best it can, that endpoints are still secure |
Does not grant implicit trust to any entity on the network at any time |
Can be context-aware, with policies that take into account anything from time of day to location of a user or endpoint |