Even if you work in cybersecurity, you might be surprised at just how common cyberattacks can be. According to research from Rubrik Zero Labs, an astonishing 94% of IT and security leaders reported that their organizations had experienced a significant cyberattack last year. The same study revealed that an average of 30 malicious attacks were brought to senior leaders’ attention in 2023. In this tense atmosphere, where incursion seems inevitable, it’s no surprise that security teams are embracing the Zero Trust approach to security.
Zero Trust Network Access (ZTNA) builds on the concept of Zero Trust (ZT) security: deny all access requests by default and take a “trust but verify” posture towards all activity. It’s a paradigm, not a product.
ZT involves closing off access until a user’s identity is confirmed. From there, ZT then grants only the bare minimum access privileges the user needs to complete a given task, e.g., if you request access to a particular cloud storage bucket, that’s all the access you’re going to get. It is possible to apply the Zero Trust access model to applications, databases, storage, and more.
ZTNA is also a security model (not a product) that applies Zero Trust principles to network access. This includes verifying user identities (and device identities) and then re-verifying them throughout their connection with the network. Verification processes vary, but might include restricting access by user role, analyzing network traffic to weed out suspicious device usage patterns, or checking device location.
ZTNA hides much of the network, too. This concept is sometimes referred to as the software-defined perimeter or perimeterless security. With ZTNA, a device has no knowledge of any other infrastructure or aspect of the network, except what it’s connected to.
ZTNA is primarily replacing Virtual Private Networks (VPNs), which are a key element of traditional network security. A VPN acts as a gateway to the network. Once it authenticates a user, it sets up an encrypted “tunnel” connection between the user and the network, perhaps using Point-to-Point Tunneling Protocol (PPTP) or OpenVPN, among others.
There are several security problems with VPNs, including the fact that they are generally set up to trust a user who presents the right login credentials. This exposes the network to the risk of unauthorized access from attackers who have stolen credentials or devices. A VPN also tends to connect the user to an entire local area network (LAN), with access to whatever digital assets are connected to it. Depending on the network monitoring configuration, system admins may not be able to see what assets the user has accessed on the network.
ZTNA takes an entirely different approach. A ZTNA solution never trusts a user until it verifies that user’s identity using factors that are more probative than the possession of credentials, e.g., device location, device ID, and so forth. From there, ZTNA protocols only allow user access to select areas of the network—and nothing else. ZTNA also offers an alternative to proxy servers, and SSH tunneling, among other network connection technologies.
A network with ZTNA functions according to certain core principles, most importantly:
Application access, not network access: ZTNA typically allows access to one application at a time, versus granting access to an entire network.
Hiding IP addresses: ZTNA does not allow IP addresses to be exposed to the network. The user/device cannot see anything on the network beyond the service or application they are connected to.
No MPLS: ZTNA does not use multiprotocol label switching (MPLS), but rather encrypts Internet connections over Transport Layer Security (TLS), creating “encrypted tunnels” between the user and the target application.
Network control: ZTNA uses dynamic, real-time policies to determine where network traffic can flow, but blocks all traffic by default and only permits traffic when allowed by an explicit policy.
Identity verification: ZTNA never implicitly trusts any user, device, or entity on the network, and consistently verifies identities before allowing them on the network.
Context awareness: ZTNA accounts for contextual factors when verifying identity, such as geographic location of an endpoint or user, the time of day, etc.
Cloud-based security: ZTNA applies the same principles to cloud access, regardless of where the end user is located and which cloud platform they are trying to access.
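The principles above (default deny, one application per grant, device and context checks) can be shown as a small policy evaluator. The following is an added illustration written for this article, not code from any ZTNA product; the policy fields, the device inventory and the sample requests are all constructed for the example.

```python
"""
Minimal ZTNA-style policy evaluator (added illustration, not a product).
Every request is denied unless an explicit policy matches, and a grant is
scoped to exactly one application, never to a network segment.
The attribute names, device inventory and policies below are constructed.
"""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_id: str
    device_managed: bool   # device passed posture/enrollment checks
    country: str           # geolocation of the endpoint
    local_time: time       # time of day at the endpoint
    app: str               # the single application being requested


@dataclass(frozen=True)
class Policy:
    app: str
    roles: FrozenSet[str]
    countries: FrozenSet[str]
    require_managed: bool = True
    start: time = time(0, 0)
    end: time = time(23, 59)


# Constructed device inventory: which device IDs are enrolled for which user.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b7"}}

# Constructed policies. Anything not listed here is denied by default.
POLICIES: List[Policy] = [
    Policy("payroll", frozenset({"finance"}), frozenset({"US"}),
           require_managed=True, start=time(7, 0), end=time(19, 0)),
    Policy("wiki", frozenset({"finance", "engineering"}), frozenset({"US", "DE"}),
           require_managed=False),
]


def policy_matches(p: Policy, req: AccessRequest) -> Tuple[bool, str]:
    """Check one policy against the request; return (matched, reason)."""
    if req.role not in p.roles:
        return False, "role not permitted for app"
    if req.country not in p.countries:
        return False, "endpoint location outside policy"
    if p.require_managed and not req.device_managed:
        return False, "unmanaged device"
    if not (p.start <= req.local_time <= p.end):
        return False, "outside permitted hours"
    return True, "scoped to %s only" % p.app


def evaluate(req: AccessRequest) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). The default outcome is deny."""
    # Identity check first: the presenting device must be enrolled for this user.
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        return "deny", "unknown device for user"
    reasons = []
    for p in POLICIES:
        if p.app != req.app:
            continue
        ok, why = policy_matches(p, req)
        if ok:
            return "allow", why   # grant covers this one application only
        reasons.append(why)
    # No policy for the app, or every candidate policy rejected the context.
    return "deny", "; ".join(reasons) or "no explicit policy for app"


if __name__ == "__main__":
    r = AccessRequest("alice", "finance", "dev-a1", True, "US", time(10, 0), "payroll")
    print(evaluate(r))
```

Note that the evaluator never returns a list of reachable hosts: a successful decision names one application, which is the "application access, not network access" principle in practice.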
With traditional network security, you might have multiple VPNs, internal firewalls, and virtual desktop infrastructure (VDI) all working to shield applications from attackers. The complexity of this approach is inherently fragile, creating greater risk exposure.
ZTNA is a better countermeasure for applications than traditional network security models. ZTNA combines access controls for networks and applications into a single solution. With ZTNA, there’s less risk of attackers or insiders moving laterally across networks. Access controls can also be more granular and context-aware than is generally possible with traditional modes of network security.
The Internet-based access provided by VPNs risks exposing an application’s IP addresses, which exposes the application to attack. ZTNA does not create this risk because the ZTNA approach never shares IP addresses.
Two major factors make ZTNA more important than ever for application access: the cloud and remote work.
ZTNA for Cloud Computing Architectures: Most organizations today have deployed applications across hybrid architectures that span on-premises data centers, private clouds, and public cloud platforms. But their networks typically only connect to on-premises infrastructure and private clouds. Public cloud access may go through the network, but that sort of “U-Turn” traffic is inefficient and bad for network load management. Instead, cloud access may be direct, or through a Cloud Access Security Broker (CASB). These approaches are usually deficient, in security terms, because they trust users and their devices implicitly. ZTNA removes this risk by requiring user and device verification before granting access to applications on the public cloud.
ZTNA for Remote Work: The shift to remote and hybrid work also stresses the VPN model. With employees logging in from home Internet connections on personal devices, VPNs get overloaded. And, the potential for malicious actors to impersonate employees goes up, so the policy of trusting users implicitly will result in bad outcomes. ZTNA restricts access in ways that reduce the risk posed by remote work.
ZTNA features vary by solution, but effective realization of zero trust principles at the network access level will always require the following features and capabilities:
Data Loss Prevention (DLP): A ZTNA solution should provide robust DLP functions that detect possible data breaches or data exfiltration. This might involve monitoring data transmissions using regular expression (regex) and data matching, along with blocking and encryption.
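As an added example of the regex-plus-data-matching approach this paragraph describes (written for this article, not taken from any DLP product), the block below scans an outbound payload for card numbers, US SSN-format strings and AWS access key IDs, validates card hits with the Luhn checksum so that arbitrary digit runs are not blocked, and returns a block/allow decision. The payloads and the two card numbers are constructed test values; the `AKIAIOSFODNN7EXAMPLE` key is the placeholder used in AWS documentation.

```python
"""
Regex-based DLP check for outbound data (added example, not a product).
Regex finds candidates; data matching (Luhn) confirms card numbers.
Patterns and sample payloads are constructed for this illustration.
"""
import re
from typing import List, Tuple

PATTERNS = {
    # 16 digits with optional single spaces or dashes between them
    "card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    # US SSN layout NNN-NN-NNNN
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # AWS access key ID layout: AKIA followed by 16 uppercase alphanumerics
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

BLOCK_ON = ("card_number", "ssn", "aws_access_key_id")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(payload: str) -> List[Tuple[str, str]]:
    """Return (pattern_name, matched_text) for each confirmed hit."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(payload):
            value = m.group(0)
            if name == "card_number":
                digits = re.sub(r"[ -]", "", value)
                if not luhn_ok(digits):
                    continue    # regex candidate failed the checksum: not a card
            hits.append((name, value))
    return hits


def decide(payload: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Block the transmission if any confirmed hit is in a blocking category."""
    hits = scan(payload)
    action = "block" if any(name in BLOCK_ON for name, _ in hits) else "allow"
    return action, hits


if __name__ == "__main__":
    print(decide("invoice paid with card 4111 1111 1111 1111"))
    print(decide("order ref 1234 5678 9012 3456"))
```

The checksum step is what turns a regex hit into a data match: the second payload contains sixteen digits in card layout but fails Luhn, so it is allowed through instead of generating a false positive.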
Scalability and performance: ZTNA should facilitate (not hinder) productive network connections for end users. To achieve this goal, the ZTNA solution has to scale easily, be dynamic and responsive, and deliver high performance connectivity.
Support for BYOD: It is now common for organizations to have “Bring-your-own-device” (BYOD) policies, especially for remote work use cases. ZTNA needs to support BYOD, a capability typically realized through an “agentless” approach.
Advanced Threat Protection (ATP): With malicious actors growing more sophisticated, it is essential that ZTNA mitigate the risk of advanced threats with countermeasures such as behavior-based analysis and other modes of advanced threat protection that surpass existing signature-based techniques and the like.
Granular Visibility and Reporting: ZTNA system owners and other stakeholders need to be able to see how the ZTNA solution is working on a timely, granular basis, e.g., seeing how specific users are interacting with an application in real time. Reporting should be similarly detailed and customizable, as needed.
SASE support: ZTNA is an acknowledged component of the emerging and increasingly popular secure access service edge (SASE) model. However, you can’t assume that every ZTNA solution provides the same degree of SASE support. SASE also includes cloud access security brokers (CASBs) and secure web gateways (SWGs), among other elements, each of which must interact easily with ZTNA if SASE is to work effectively. The right ZTNA solution will demonstrate the kind of functionality and administrative characteristics you need for your SASE deployment.
Microsegmentation: Dividing networks into narrow segments helps mitigate the risk of lateral movement by attackers, especially those who have escalated their access privileges. This is known as microsegmentation. ZTNA can support microsegmentation, either directly as part of the ZTNA solution’s functionality, or indirectly, working in tandem with network management platforms.
ZTNA should be the preferred security model for any organization with a multi-cloud environment, which can span cloud platforms and software-as-a-service (SaaS) applications. Users can log in from anywhere on any device. This is great for productivity, but terrible from a security perspective, especially if single sign-on (SSO) leads to “flat” access to all clouds and implicit trust.
The potential problem is that SSO is a great convenience, enabling users to jump onto the multi-cloud environment and get work done. If ZTNA creates an obstacle to productivity, that’s going to be an issue. The right ZTNA solution will enable you to balance access control with end user experience.
ZTNA strengthens cloud-based security models by reducing the chance of a malicious actor gaining unauthorized access to cloud data or applications as a result of misplaced trust. It does so by restricting access only to verified users and devices, and then by limiting access only to specific digital assets. Even if a malicious actor gains access, the attacker will have limited ability to move laterally inside cloud platforms and between them.
ZTNA can simplify access control across cloud platforms, but success is dependent on execution. A unified ZTNA solution that works on different clouds is probably optimal. Each of the major platforms (Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure) has its own native ZTNA toolset. However, it may be more efficient and secure not to rely on three separate solutions when one can do the job. Tasks will inevitably fall between the cracks if you’re trying to keep up with three solutions. The path to success here may require a more comprehensive investment in a secure access service edge (SASE) solution that incorporates ZTNA into a multi-cloud model by design.
ZTNA is supplanting VPNs as the go-to mode of network security. ZTNA reduces risks to data and applications from malicious actors who gain unauthorized access to the network. It does this by not trusting any user or device by default, but rather always verifying identities—and then granting the minimum access privileges.
But implementing ZTNA is not a trivial undertaking. The overall best practice is to approach a ZTNA deployment incrementally, incorporating ZTNA into your existing network security models. For example, you may want to expose one network segment or application to ZTNA as a first step and expand from there. It’s important to pay attention to the balance between security and user accessibility and user experience.
ZTNA can potentially create some administrative overhead as you figure out who is allowed to get onto which network segment, and so forth. You don’t want to add a burden to end users. One process that’s helpful is to use a tool that automatically discovers where network flows occur. From there, you can start to sort out access policies that align with these current usage patterns.
Getting to ZTNA success requires a combination of factors. One is choosing the right solution, or solution components. Planning matters, as does figuring out the best way to phase ZTNA into your network security operations. “Rip and replace” is an ill-advised strategy. Careful thinking will pay off, such as determining if and how ZTNA will become part of a SASE project. If you pay proper attention to these aspects of ZTNA, you will likely find yourself on the path to an effective ZTNA implementation.
Zero Trust Network Access (ZTNA) applies the Zero Trust security model to networks. A ZTNA solution never trusts a user or device without first verifying identity. Then, it only grants the minimum access privileges and continues to re-verify identity.
Zero Trust is the overall security model on which ZTNA is based. There are Zero Trust approaches to application access, database privileges, and more.
VPN differs from ZTNA in several ways, including implicitly trusting users and devices and enabling “flat” access to the entire network once the VPN tunnel has been established. ZTNA, in contrast, usually prevents the user from seeing any network segment beyond the ones they have been granted permission to access.
ZTNA use cases include standard network access, but also access to cloud instances, and hybrid or multi-cloud environments.