Which factors should organizations consider when choosing a ZTNA solution?

In Gartner’s recent Market Guide for Zero Trust Network Access , Steve Riley, Neil MacDonald, and Lawrence Orans outline several factors organizations should consider when choosing a ZTNA solution: Does the vendor require that an endpoint agent be installed? What operating systems are supported? What mobile devices? How well does the agent behave in the presence of other agents? Does the offering support only web applications, or can legacy (data center) applications gain the same security advantages? Some ZTNA products are delivered partly or wholly as cloud-based services. Does this meet the organization’s security and residency requirements? NOTE: Gartner recommends that enterprises favor vendors that offer ZTNA as a service, as services are easier to deploy, more available, and provide better security against DDoS attacks. To what extent is partial or full cloaking, or allowing or prohibiting inbound connections, a part of the isolated application’s security requirements? What authentication standards does the trust broker support? Is integration with an on-premises directory or cloud-based identity services available? Does the trust broker integrate with the organization’s existing identity provider? How geographically diverse are the vendor’s entry and exit points (referred to as edge locations and/or points of presence) worldwide? After the user and device pass authentication, does the trust broker remain resident in the data path? Does the offering integrate with unified endpoint management (UEM) providers, or can the local agent determine device health and security posture as factors in the access decision? What UEM vendors has the ZTNA vendor partnered with? Read more.

Resources > Security Terms Glossary > What Is a Zero Trust Architecture

What Is Zero Trust Architecture?

Q: What is a zero trust architecture?

Zero trust network access, previously known as a software-defined perimeter , has gained popularity in recent years as organizations seek ways to connect users to their applications and data when it’s increasingly likely that neither users nor applications will be sitting on the network. To become digitally enabled, organizations must make their systems, services, APIs, data, and processes accessible anywhere, anytime, from any device over the internet. To do so securely, they are leveraging ZTNA to provide the precise, contextual access necessary, while shielding services from attackers. ZTNA offers significant benefits in user experience, agility, adaptability, and simplified policy management, and cloud-based ZTNA offers the added benefits of scalability and ease of adoption. Gartner developed ZTNA to provide a model for eliminating the excessive trust extended to employees and partners as they connect to applications and data using traditional technologies, such as VPNs. The ZTNA model is based on the idea that nothing can be trusted until it proves itself to be trustworthy and, once trust is established, it must be continually reassessed as the context—user’s location, device, application, etc.—changes. Learn more about zero trust network access.

Watch and learn

Zero Trust Architecture Definition

Zero trust architecture is a security architecture built to reduce a network's attack surface, prevent lateral movement of threats, and lower the risk of a data breach based on the core tenets of the zero trust approach, by which implicit trust is never granted to any user or device.

The zero trust security model puts aside the traditional "network perimeter"—inside of which all devices and users are trusted and given broad permissions—in favor of least-privilege access controls, granular microsegmentation, and multifactor authentication (MFA).

Zero Trust Architecture and Zero Trust Network Access

Before we examine different zero trust architectures in more detail, let's distinguish between these two interrelated terms:

A zero trust architecture (ZTA) is a design that supports zero trust principles, such as airtight access management, strict device and user authentication, and strong segmentation. It’s distinct from, and in many ways designed to replace, a “castle and moat” architecture, which trusts anything inside by default.
Zero trust network access (ZTNA) is a zero trust use case that offers users secure access to applications and data when the users, apps, or data may not be inside a traditional security perimeter, which has become increasingly common in the age of the cloud and hybrid work.

To put the two together, zero trust architecture provides the foundation organizations need to deliver ZTNA and make their systems, services, APIs, data, and processes accessible from anywhere, at any time, and from any device.

Benefits of Zero Trust Architecture

A zero trust architecture provides the precise, contextual user access you need to run at the speed of modern business while protecting your users and data from malware and other cyberattacks. As the bedrock of ZTNA, an effective zero trust architecture helps you:

Grant safe, fast access to data and applications for remote workers, including employees and partners, wherever they are, improving the user experience
Provide reliable remote access as well as manage and enforce security policy more easily and consistently than with legacy technology like VPNs
Protect sensitive data and apps on-premises or in a cloud environment, in transit or at rest, with tight security controls, including encryption, authentication, and more
Stop insider threats by no longer granting default, implicit trust to any user or device inside your network perimeter
Restrict lateral movement with granular access policies down to the resource level, reducing the likelihood of a breach
Detect, respond to, and recover from successful breaches more quickly and effectively to mitigate their impact
Gain deeper visibility into the what, when, how, and where of users’ and entities’ activities with detailed monitoring and logging of sessions and actions taken
Assess your risk in real time with detailed authentication logs, device and resource health checks, user and entity behavior analytics, and more

(Adapted in part from “Implementing a Zero Trust Architecture,” a NIST Special Publication)

How Does Zero Trust Architecture Work?

Before we go on, let’s back up and summarize how a traditional network architecture works.

Legacy wide area networks (WANs) were built using a hub-and-spoke design, connecting remote offices to applications in a data center. To access applications on the trusted network, a user only needs to be inside its perimeter, which is secured with perimeter firewalls, hence the term “castle and moat.”

Today’s workers are everywhere, and applications have moved to SaaS and public clouds, but legacy architectures still require users to be on the corporate network—locally or via VPN—to access apps, even in the cloud. Meanwhile, using public clouds expands your attack surface and risk, and backhauling all traffic through perimeter firewalls creates a network security bottleneck that slows you down at best and provides inadequate protection at worst.

That’s why modern organizations need a zero trust architecture. Watch our short video for a simple rundown.

Watch our video

Zero trust architecture delivers ZTNA, providing user-to-app segmentation that secures access in a fundamentally different way from network segmentation and other traditional models. Next, let’s look at how ZTNA is implemented and delivered.

Two Approaches to Implementing Zero Trust Network Access

Providers of zero trust solutions can help you deliver ZTNA in two distinct ways.

Endpoint-initiated ZTNA

Here, an endpoint or end user initiates access to an application. A lightweight agent installed on an endpoint communicates with a controller, which authenticates the user's identity and provisions connectivity to a specific application the user is authorized to access. The need to install an agent or other local software on mobile devices and unmanaged BYOD/IoT devices can make endpoint-initiated ZTNA difficult or even impossible to implement.

Service-initiated ZTNA

Here, a broker initiates connections between users and applications. A connector residing in your data center or cloud establishes connections from your business apps to the broker. After user authentication, the traffic passes through the ZTNA service and directly to the user's endpoint. This doesn't require an endpoint agent, making it useful for securing unmanaged devices and granting access for partners and customers. Some service-initiated ZTNA can use browser-based access for web apps.

Two Delivery Models for Zero Trust Network Access

Beyond your implementation model, you can adopt ZTNA as a standalone product or as a service. Each approach has unique characteristics, and your organization's specific needs, security strategy, and ecosystem ultimately determine the best choice.

ZTNA as a Standalone Product

Standalone ZTNA offerings require you to deploy and manage all elements of the product. The infrastructure sits at the edge of your environment, whether that’s in your data center or a cloud, and brokers secure connections between users and applications. Some cloud infrastructure as a service providers offer ZTNA capabilities as well.

Characteristics

Your organization is 100% responsible for deploying, managing, and maintaining ZTNA infrastructure
Some vendors support both standalone and cloud-service ZTNA offerings
Standalone deployment is a good fit for cloud-averse enterprises

Conceptual Model of Endpoint-Initiated ZTNA

ZTNA as a Cloud Service

With ZTNA as a cloud-hosted service, you use a vendor’s infrastructure for security policy enforcement. You buy user licenses and deploy lightweight connectors that sit in front of your applications in all environments, and the vendor delivers the connectivity, capacity, and infrastructure. Access is established through brokered connections between users and applications, effectively decoupling application access from network access and never exposing IPs to the internet.

Characteristics

Deployment is easier since you don't need infrastructure
Management is simpler, with one admin portal for global enforcement

Automation selects optimal traffic pathways for the fastest access to all users globally

Some cloud-delivered services allow for a software package to be deployed on-premises. The software runs on your infrastructure but is still delivered as part of the service and managed by the vendor.

Learn more about on-premises ZTNA.

Video: Understanding Zero Trust Architecture

Understanding the Gartner-recommended zero trust network architecture

Zscaler Zero Trust Network Access

We’re proud to offer Zscaler Private Access™, the world’s most deployed ZTNA platform, built on the unique Zscaler zero trust architecture. ZPA applies the principles of least privilege to give users secure, direct connections to private applications while eliminating unauthorized access and lateral movement. As a cloud native service, ZPA can be deployed in hours to replace legacy VPNs and remote access tools with a holistic zero trust platform.

Zscaler Private Access delivers:

Peerless security, beyond legacy VPNs and firewalls
Users connect directly to apps, not the network, minimizing the attack surface and eliminating lateral movement.

The end of private app compromise
First-of-its-kind app protection, with inline prevention, deception, and threat isolation, minimizes the risk of compromised users.

Superior productivity for today's hybrid workforce
Lightning-fast access to private apps extends seamlessly across remote users, HQ, branch offices, and third-party partners.

Unified ZTNA for users, workloads, and devices
Employees and partners can securely connect to private apps, services, and OT/IoT devices with the most comprehensive ZTNA platform.

Ready to find out more, or see Zscaler Private Access in action? Request a custom demo now.

Learn more about ZTNA

Check out these additional resources:

Industry analysis: Zero Trust Adoption Report | Cybersecurity Insiders
Article: What Is Zero Trust Network Access (ZTNA)?
Article: What Is Zero Trust?
White paper: Why IT leaders should consider a zero trust network access strategy