The concept of zero trust security has become a massive buzzword over the last few years. While many organizations have shifted priorities to adopt zero trust, zero trust network access (ZTNA) is the technology behind achieving a true zero trust model.
Zero trust network access (ZTNA), also known as the software-defined perimeter (SDP), is a set of technologies that operates on an adaptive trust model, where trust is never implicit, and access is granted on a “need-to-know,” least-privileged basis defined by granular policies. ZTNA gives users seamless and secure connectivity to private applications without ever placing them on the network or exposing apps to the internet.
While the path to zero trust as an ideology is vague, ZTNA provides a clear, defined framework for organizations to follow.
Unlike network-centric solutions like VPNs or FWs, ZTNA takes a fundamentally different approach to securing access to internal applications based on these four core principles:
ZTNA completely isolates the act of providing application access from network access. This isolation reduces risks to the network, such as infection by compromised devices, and only grants application access to authorized users.
ZTNA makes outbound-only connections ensuring both network and application infrastructure are made invisible to unauthorized users. IPs are never exposed to the internet, creating a “darknet” which makes the network impossible to find.
ZTNA’s native app segmentation ensures that once users are authorized, application access is granted on a one-to-one basis. Authorized users have access only to specific applications rather than full access to the network.
ZTNA takes a user-to-application approach rather than a network-centric approach to security. The network becomes deemphasized and the internet becomes the new corporate network, leveraging end-to-end encrypted TLS micro-tunnels instead of MPLS.
Even from an architecture perspective, ZTNA works fundamentally different from network-centric solutions. ZTNA’s are most often 100% software-defined, eliminating the enterprises overhead of managing appliances. ZTNA’s also result in inbound stack simplification as organizations no longer require their VPN, DDoS, Global Load balancing, and FW appliances. There are two key ZTNA architecture models. Below we highlight the service-initiated ZTNA architecture. Read Gartner’s ZTNA Market Guide for more details.
While ZTNA has many use cases, most organizations choose to start in one of the following four areas:
Organizations want to eliminate or lessen their VPN usage. Since VPNs are slow for users, offer poor security, and are difficult to manage, Gartner predicts that “By 2023, 60% of enterprises will phase out most of their remote access VPNs in favor of ZTNA.”
Securing hybrid and multi-cloud access is the most popular place for organizations to start their ZTNA journey. With more companies adopting cloud, 37% of them are turning to ZTNA in the near future to enable their multi-cloud strategy.
Most third-party users receive over-privileged access which creates a security gap for the enterprise. ZTNA significantly reduces third-party risk by ensuring external users never gain access to the network and that only authorized users gain access to permitted applications.
With traditional M&A’s, integration can span multiple years as organizations must converge networks and deal with overlapping IPs. ZTNA reduces and simplifies the time and management needed to ensure a successful M&A and provides immediate value to the business.
In Gartner’s recent Market Guide on Zero Trust Network Access, Steve Riley, Neil MacDonald, and Lawrence Orans outline several things organizations should consider when choosing a ZTNA solution:
Does the vendor require that an endpoint agent be installed? What OSs are supported? What mobile devices? How well does the agent behave in the presence of other agents? NOTE: ZTNA technologies that do not support clientless use are often unable to support unmanaged device use cases, e.g., third-party access, BYOD, etc.
Does the offering support only web applications, or can legacy (data center) applications gain the same security advantages?
Some ZTNA products are delivered partly or wholly as cloud-based services. Does this meet the organization’s security and residency requirements? NOTE: Gartner recommends that enterprises favor vendors that offer ZTNA as a service, as services are easier to deploy, more available, and provide better security against DDoS attacks.
To what extent is partial or full cloaking, or allowing or prohibiting inbound connections, a part of the isolated application’s security requirements?
What authentication standards does the trust broker support? Is integration with an on-premises directory or cloud-based identity services available? Does the trust broker integrate with the organization’s existing identity provider?
How geographically diverse are the vendor’s entry and exit points (referred to as edge locations and/or points of presence) worldwide?
After the user and device pass authentication, does the trust broker remain resident in the data path?
Does the offering integrate with unified endpoint management (UEM) providers, or can the local agent determine device health and security posture as factors in the access decision? What UEM vendors has the ZTNA vendor partnered with?
These are all important considerations for your enterprise as you look to pick the ZTNA vendor that complements your organizations present and forward-looking goals and vision. To learn more about ZTNA technology, check out the leading ZTNA service, ZPA. You can even take ZPA for a free test drive for 7 days!