Eugene Raynor

What is Zero Trust Network Access (ZTNA) and why is it the future of cloud network security?

Eugene Raynor

Jan 31, 2022

11 min read

What is Zero Trust Network Access (ZTNA)?

Zero Trust Network Access (ZTNA) refers to a set of technologies that provide safe and secure remote access to an organization’s apps, tools, and services, while adhering to the access control regulations specified by IT.

It is based on the “Zero Trust” concept, which states that no entity should be trusted, regardless of whether they are inside or outside the corporate security perimeter. Rather, each user or device must be securely verified and authenticated before being granted access to only the necessary company resources.

ZTNA is a critical element of the Secure Access Service Edge (SASE) security model, which, in addition to ZTNA, comprises of next-gen firewall (NGFW), SD-WAN, CASB, SWG, and other services together in a cloud native platform, which ultimately transform the concept of a network perimeter from static enterprise data centres to a more dynamic, cloud-delivered solution.

What is the importance of ZTNA?

Let’s assume a scenario where all the users, devices, and applications your company employs are given access and visibility to every other entity within the organization. This scenario poses an obvious security risk. Once a user is authenticated into the enterprise network, there is no layer of isolation that separates application access from network access.

This means that once a user gains access to the network, they gain complete visibility into all the private apps and services that your organization hosts, along with sensitive details including the IP address of all the devices connected to the network.

Now, compare this with a scenario where an entity, once connected to the network, is given access and visibility to just the required corporate applications and services, and only after a successful identification and verification is completed. Moreover, the existence of all other corporate infrastructure is kept hidden from the said entity. This scenario is what ZTNA enables organizations to achieve.

To put it simply, ZTNA restricts common access to the enterprise network. How? By isolating each and every corporate application and service that is hosted by your organization, and providing access to ONLY the apps and services that a user or entity is authorized to use. This way, a user/device that is authorized to access a specific app or service, will have zero visibility into any and all of the remaining apps and services that your organization uses.

This in turn, reduces risks to the network, including potential vulnerabilities from lateral movement of malware and other threats from compromised devices.

Is Zero Trust model the final frontier in enterprise security?

VPN vs ZTNA – Old vs new?

Virtual private networks (VPNs) are the traditional technology that most businesses employ to handle network access in the enterprise. When users connect to a VPN, they gain access to your entire corporate network as well as all of its resources. Providing such levels of access and visibility to your users could prove to be a risky strategy.

ZTNA, on the other hand, only allows access to the apps and services that have been requested, and by default, blocks access to and hides all the other apps and data from the user.

Furthermore, VPNs are static, treating users and devices the same regardless of where they are or what they require access to.

5 reasons to consider moving from VPN to ZTNA

1: Network and application level isolation  Does not provide isolation between network and application-level access.  Restricts user access to specific applications, limiting the lateral movement of threats in the event of a cyberattack. 
2: Visibility into user activity  Provides no visibility into the user actions once inside the corporate network.   Logs every user action and enables visibility and monitoring into user behavior and threats. 
3: Endpoint security evaluation  Does not consider the risks posed by end-user devices. A compromised device can easily connect to the network and infect malware on private apps and resources.  Continuously validates the security posture of connected devices and enables adaptive access to resources. When a threat is detected, the device is automatically disconnected. 
4: Supporting a distributed workforce  Rerouting traffic from a distributed workforce through a centralized VPN hub causes constraints in bandwidth and performance, as well as a poor user experience.  Users can directly connect to essential apps and services housed in cloud environments or private data centers in a secure and scalable manner. 
5: Cost optimization  Requires the procurement of expensive VPN hardware and brings about the need to manage the complex infrastructure setup at data centers.  Being cloud-based, ZTNA eliminates the need to setup complicated VPN infrastructure at data centers, and helps provide enterprises with scalable solutions. 

How does Zero Trust Network Access (ZTNA) work?

When compared to traditional network security solutions, ZTNA takes a fundamentally different approach to providing secure remote access to private applications. It takes a user-to-application approach rather than a traditional network security approach.

    • Application vs network access

ZTNA separates access between applications and the network. Connecting to a network may not necessarily grant users with access to the applications within the network. This isolation reduces risks to the network, such as threats from compromised devices.

    • Dark cloud and hidden IP addresses

ZTNA does not expose IP addresses to the network. By making outbound-only connections, ZTNA ensures that both network and application infrastructure are made invisible to unauthorized users, thereby adopting the concept of a “dark cloud” that makes the network impossible to find.

    • Endpoint security and additional elements

Unlike traditional access control solutions that grant users and devices access to the network once their identity has been authenticated, ZTNA incorporates endpoint security and additional elements including user location, timing, and frequency of requests, the apps and resources being requested, and more, as factors in access control decisions. As a result, even though a user’s identity has been verified, if their device is not trusted or secure, or the sign attempt seems suspicious, access to the network is denied.

    • Encrypted TLS vs MPLS-based connections

Traditional corporate networks are built on private MPLS connections. However, in the case of ZTNA, encrypted Internet connections are used instead of MPLS-based WAN connections. Therefore, by making use of the public internet and utilizing TLS encryption to keep network traffic private, the enterprise network becomes de-emphasized, and the internet becomes the new corporate network. This transformation in turn, enables organizations to seamlessly secure and manage remote and distributed workforces.

Moreover, ZTNA can cater to both managed and unmanaged devices. In the case of managed devices, an agent-based approach is followed, whereas in the case of unmanaged or BYOD devices, a service-based approach is adopted.

Zero Trust and cybersecurity with Hexnode MDM

Agent-based vs service-based ZTNA

Agent-based ZTNA requires the installation of an ‘agent’ application on all endpoint devices, whereas a service-based (or cloud-based) ZTNA uses browser-initiated sessions to connect devices for authentication and network/application access.

In the case of managed devices, an agent-based approach can be followed, where a client or agent is installed on managed devices. This agent is responsible for fetching the device and user information, including identity, security posture, and the circumstances of sign in, and sharing it with the ZTNA service. Once the information fetched is successfully verified, a connection is established with the network and the required applications.

In the case of unmanaged or BYOD devices, an agentless approach can be followed, where the devices connect to the ZTNA service through a cloud-based, browser-initiated ZTNA session, that fetch the identity, security posture, and sign in information of the requesting user or device. On successful authentication, a connection is established with the network and the required applications.

Key considerations when choosing agent-based or service-based ZTNA

Organizations thinking about implementing ZTNA in the enterprise should take into consideration what kind of ZTNA solution best suits their needs.

  • If your company needs to securely authenticate a rising mix of corporate and BYOD devices, agent-based ZTNA could be a good fit.
  • If, on the other hand, an organization’s primary goal is to secure certain cloud-based apps, then service-based ZTNA could be an effective option.
  • It is also important to note that service-based ZTNA deployments are confined to the application protocols supported by web browsers. As a result, they may seamlessly integrate with cloud applications but may be difficult to implement with on-premise infrastructure.

Stand-alone ZTNA vs ZTNA-as-a-Service

Stand-alone ZTNA requires the company to deploy and manage all aspects of the ZTNA network that may reside at the cloud or data center. Although this works well for enterprises with on-premises infrastructure, the deployment, management, and maintenance of stand-alone ZTNA services can prove to be burdensome for many small and medium businesses who have their infrastructure more focused on the cloud. For these businesses, ZTNA-as-a-Service proves to be the better option.

Similar to how SaaS models lease software services to users, ZTNA-as-a-service is a cloud service model where vendors lease ZTNA hardware and services from a cloud service provider, thereby allowing businesses to save costs that would otherwise be spent on purchasing their own hardware.

This model thereby enables IT to take advantage of the vendor or cloud provider’s infrastructure for everything from deployment to policy management, while also ensuring efficiency and maximum cost optimization.

What are the benefits of Zero Trust Network Access (ZTNA)?

To effectively support a distributed workplace environment, modern organizations must have their digital assets available anywhere, at any time, on any device. However, these assets must also be secured against unauthorized access, without undergoing the burden of bottlenecking traffic through the corporate security stack. This requirement is satisfied by the ZTNA model, by –

  • Dividing the corporate network into multiple software-defined perimeters, thereby preventing lateral movement of threats and reducing the potential attack surface of a breach.
  • Preventing the discovery of private corporate applications on the network by adopting a virtual dark cloud, and thereby eliminating chances of data exposure and potential DDoS attacks.
  • Enabling users to connect to legacy corporate applications hosted in private data centres, without facilitating the need to connect to the on-premises security stack.
Featured resource

Hexnode Identity and Access Management Solution

Identity and Access Management secure the IT environment while monitoring the individual network users who utilize resources such as organizational data, tools, and devices. Read this guide to get more insights on IAM solution and secure your devices.

Download datasheet

What are the use cases of Zero Trust Network Access?

  • Manage authentication and access

The primary purpose of ZTNA is to provide an advanced access control mechanism that authenticates a user based on their identity, security posture, and more. With location or device-specific access control policies, ZTNA can provide granular levels of security, preventing untrusted devices from accessing the organization’s resources.

How to ensure business security with identity and access management (IAM)

  • Function as a modern alternative to VPN

VPNs are inconvenient and slow for users, offer relatively less security, and are difficult to manage for a remote workforce. Moreover, securing remote workers via VPN would prove to be counter-productive and ultimately increase time and costs. Zero Trust Network Access on the other hand, provides fast and direct access to the corporate network and its hosted private applications, thereby reducing network complexity, cost, and latency, while significantly improving the ability to secure a remote workforce.

  • Secure and hide private apps from the public network

As organizations migrate their business-critical applications across multi-cloud and hybrid environments, they are faced with a serious dilemma of securing these corporate apps by using the public network. ZTNAs provide adaptable, context-aware access to private applications from any location on trusted devices, ensuring that only authorized users can see and access private apps within the network.

Is zero-trust the future of cloud network security? – How ZTNA leads to a SASE future

Recent findings from the Gartner market guide for Zero-Trust network access show that “By 2023, 75% of security failures will result from inadequate management of identities, access and privileges.” Why? Partly because enterprises employ a variety of solutions for cloud network management, which they then have to manage, operate and control. This in turn, leads to a lack of continuity between these solutions.

To address this situation, enterprises have begun to adopt zero-trust network access (ZTNA) and secure access service edge (SASE) solutions into their IT environments. In fact, it is estimated that 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of ZTNA by 2023, and 40% of enterprises will have explicit strategies to adopt SASE by 2024.

Secure access service edge (SASE) – The sassy cloud strategy

This is because enterprise efficiency is enhanced when ZTNA and SASE are integrated. ZTNA enables businesses to securely authenticate users and devices by leveraging contextual information to authorize access.

Meanwhile, SASE combines the edge capabilities of the cloud along with its security offerings to provide a simplified cloud structure at the edge, as close as possible to the user. Together, integrating SASE with ZTNA enables organizations to manage and secure their infrastructure against any kind of potential attacks that may occur on the network – be it inside or outside.

Eugene Raynor

Seeking what's there lurking over the horizon.

Share your thoughts