Zero trust network access (ZTNA), also known as the software-defined perimeter (SDP), is a set of technologies and functionalities that enable secure access to internal applications for remote users. It operates on an adaptive trust model, where trust is never implicit, and access is granted on a need-to-know, least-privileged basis defined by granular policies. ZTNA gives remote users secure connectivity to private apps without placing them on the network or exposing the apps to the internet.
Zero trust security is a big buzzword these days. While many organizations have shifted their priorities to adopt zero trust, zero trust network access (ZTNA) is the strategy behind achieving an effective zero trust model.
The path to zero trust as an ideology is vague, so ZTNA provides a clear, defined framework for organizations to follow. It's also a component of the secure access service edge (SASE) security model, which, in addition to ZTNA, comprises next-gen firewall (NGFW), SD-WAN, and other services in a cloud native platform.
While the need to secure a remote workforce has become critical, network-centric solutions such as virtual private networks (VPNs) and firewalls create an attack surface that can be exploited. ZTNA takes a fundamentally different approach to providing secure remote access to internal applications based on four core principles:
ZTNA completely isolates the act of providing application access from network access. This isolation reduces risks to the network, such as infection by compromised devices, and only grants access to specific applications for authorized users who have been authenticated.
ZTNA makes outbound-only connections, ensuring both network and application infrastructure are invisible to unauthorized users. IPs are never exposed to the internet, creating a “darknet” that makes the network impossible to find.
ZTNA’s native app segmentation ensures that once users are authorized, application access is granted on a one-to-one basis. Authorized users have access only to specific applications rather than full access to the network. Segmentation prevents overly permissive access as well as the risk of lateral movement of malware and other threats.
ZTNA takes a user-to-application approach rather than a traditional network security approach. The network becomes deemphasized, and the internet becomes the new corporate network, leveraging end-to-end encrypted TLS micro-tunnels instead of MPLS.
“ZTNA improves flexibility, agility and scalability, enabling digital ecosystems to work without exposing services directly to the internet, reducing risks of distributed denial of service attacks.” (Gartner, Market Guide on Zero Trust Network Access, April 2019)
From an architectural perspective, ZTNA works fundamentally differently from network-centric solutions. It runs on a software-defined perimeter, or SDP, which grants access to internal applications based on a user’s identity. This eliminates the overhead of managing appliances. ZTNA also helps organizations simplify their inbound stacks, as they no longer require VPNs and VPN concentrators, DDoS protection, global load balancing, and firewall appliances.
There are two key ZTNA architecture models. This article highlights the service-initiated ZTNA architecture.
Among the most popular legacy security solutions in use today, VPNs are meant to simplify access management by allowing end users to securely access a network, and therefore corporate resources, by way of a designated tunnel, usually through single sign-on (SSO).
For many years, VPNs worked well for users who needed to work remotely for a day or two. As the world saw more and more long-term remote workers, though, lack of scalability alongside high costs and maintenance requirements made VPNs ineffective. What’s more, rapid adoption of the public cloud meant that it not only became more difficult to apply security policies to these remote workers, but also hurt the user experience.
The main problem with VPNs, however, is the attack surface they create. Any user or entity with the right SSO credentials can log on to a VPN and move laterally throughout the network, giving them access to all the resources and data the VPN was meant to protect.
ZTNA secures user access by granting it on the principle of least privilege. Rather than trusting on the basis of correct credentials, zero trust authenticates only under the correct context—that is, when the user, identity, device, and location all match up.
Furthermore, ZTNA provides granular access rather than network access. Users are connected directly and securely to the applications and data they need, which prevents the possibility of lateral movement by malicious users. Plus, because user connections are direct, experiences are vastly improved when leveraging a ZTNA framework.
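As an added illustration (not code from this page or from Zscaler), the following Python model shows the decision logic described in the core principles and in the VPN comparison above: a trust broker evaluates one application request at a time against identity, group entitlement, device posture, and location, and the only possible positive outcome is access to that single application. Application names, group names, and the posture fields are hypothetical placeholders constructed for the example.

```python
"""Toy ZTNA trust-broker policy evaluation (added example, hypothetical names)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessRequest:
    """The context the broker evaluates; valid credentials alone are not enough."""
    user: str
    groups: frozenset            # group memberships from the identity provider
    authenticated: bool          # IdP/SSO authentication succeeded
    device_managed: bool         # enrolled in endpoint management
    device_compliant: bool       # posture check (e.g. disk encryption, patch level)
    country: str                 # coarse location signal
    application: str             # the single private app being requested


@dataclass(frozen=True)
class AppPolicy:
    """Per-application policy: who may reach this app and under what context."""
    allowed_groups: frozenset
    allowed_countries: frozenset
    require_managed_device: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed sample policies; the application and group names are hypothetical.
POLICIES = {
    "hr-portal": AppPolicy(frozenset({"hr"}), frozenset({"US", "DE"})),
    "finance-erp": AppPolicy(frozenset({"finance"}), frozenset({"US"})),
    "wiki": AppPolicy(frozenset({"hr", "finance", "engineering", "contractors"}),
                      frozenset({"US", "DE", "IN"}), require_managed_device=False),
}


def evaluate(req: AccessRequest, policies=POLICIES) -> Decision:
    """Allow or deny exactly one application; every check must pass (default deny).

    There is no outcome that grants network-level access: the only positive
    result is a connection to `req.application`, which is what prevents a
    compromised account or device from moving laterally to other apps.
    """
    if not req.authenticated:
        return Decision(False, "identity not authenticated")
    policy = policies.get(req.application)
    if policy is None:
        return Decision(False, "unknown application (default deny)")
    if not (req.groups & policy.allowed_groups):
        return Decision(False, "user not entitled to this application")
    if policy.require_managed_device and not req.device_managed:
        return Decision(False, "unmanaged device not permitted for this application")
    if not req.device_compliant:
        return Decision(False, "device posture check failed")
    if req.country not in policy.allowed_countries:
        return Decision(False, "location outside policy")
    return Decision(True, "access granted to single application")


def reachable_apps(base: AccessRequest, policies=POLICIES) -> list:
    """Segmentation view: the applications a given context can reach, nothing more."""
    return sorted(app for app in policies
                  if evaluate(replace(base, application=app), policies).allowed)


def demo() -> dict:
    """Constructed scenarios: one entitled user, with the context varied one field at a time."""
    alice = AccessRequest("alice", frozenset({"finance"}), True, True, True, "US", "finance-erp")
    return {
        "alice_finance_erp": evaluate(alice),
        "alice_hr_portal": evaluate(replace(alice, application="hr-portal")),
        "alice_unmanaged": evaluate(replace(alice, device_managed=False)),
        "alice_from_DE": evaluate(replace(alice, country="DE")),
        "bad_credentials": evaluate(replace(alice, authenticated=False)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} allowed={decision.allowed!s:5s} {decision.reason}")
```

The point of the model is that a request that would succeed on a VPN (correct SSO credentials) still fails here whenever any one context signal is off, and that a successful decision never widens beyond the requested application; `reachable_apps` makes the segmentation visible for a given user and device.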
Advantages of ZTNA
Now more than ever, organizations are discovering the benefits a ZTNA model can provide. Here are some of the most prominent reasons why companies are making the switch.
No need for legacy appliances: ZTNA allows organizations to rid themselves of legacy remote access appliances, such as VPNs, and leverage a 100% software-based access solution.
Seamless user experiences: With ZTNA, user traffic isn’t backhauled through the datacenter. Instead, users get fast, direct access to the desired application.
Effortless scale: A cloud ZTNA service makes scaling capacity easy. An organization just leverages additional licenses.
Fast deployment: Unlike other solutions that can take weeks to months to deploy, ZTNA can be deployed from anywhere and in a matter of days.
Security Benefits of ZTNA
ZTNA doesn’t just help businesses become more flexible—it greatly improves their overall security postures, too. It does so by delivering:
Invisible infrastructure: ZTNA allows users to access applications without connecting them to the corporate network. This eliminates risk to the network while keeping infrastructure completely invisible.
More control and visibility: Managing ZTNA solutions is easy with a centralized admin portal with granular controls. See all users and application activity in real time and create access policies for user groups or individual users.
App segmentation made simple: Since ZTNA isn’t tied to the network, organizations can segment access down to individual applications rather than having to perform complex network segmentation.
Top ZTNA use cases
ZTNA has many cloud security use cases. Most organizations choose to start with one of these four.
VPNs are inconvenient and slow for users, offer poor security, and are difficult to manage, so organizations want to reduce or eliminate their reliance on them. Gartner predicts: “By 2023, 60% of enterprises will phase out most of their remote access VPNs in favor of ZTNA.”
Secure Multicloud Access
Securing hybrid and multicloud access is the most popular place for organizations to start their ZTNA journey. With more companies adopting cloud applications and services, 37% of them are turning to ZTNA for security and access control for their multicloud strategies.
Reduce Third-Party Risk
Most third-party users receive overprivileged access, and they largely access applications using unmanaged devices, both of which introduce risks. ZTNA significantly reduces third-party risk by ensuring external users never gain access to the network and that only authorized users can access allowed applications.
Accelerate M&A Integration
With typical M&As, integration can span multiple years as organizations converge networks and deal with overlapping IPs. ZTNA reduces and simplifies the time and management needed to ensure a successful M&A and provides immediate value to the business.
Types of ZTNA
ZTNA is flexible in that it can scale to protect all the important facets of your business. Let’s look at these different ZTNA models up close.
ZTNA for user protection: This model ensures that when a user connects to an application, they’re sent on a direct path to that application without coming into contact with the internet and, potentially, harmful threats. This is done by ensuring the user meets established criteria for authentication.
ZTNA for workload protection: Security often gets overlooked when building applications or establishing communications frameworks. ZTNA prevents these workloads from being compromised by negating lateral threat movement and data loss, letting you protect apps from build to run and communicate securely.
ZTNA for device protection: Endpoints are under greater threat than ever, especially with the advent of bring your own device (BYOD). With a comprehensive ZTNA framework, you can ensure the data being transmitted to and from these devices is protected throughout the entire journey, and threats are unable to find a way in.
How to Implement ZTNA
Zero trust transformation takes time, but it’s a necessity for today’s hybrid organizations. Let’s take a look at three core elements of zero trust implementation.
Knowledge and conviction: Understanding the new, better ways you can use technology to reduce costs, cut complexity, and advance your objectives.
Disruptive technologies: Moving on from legacy solutions that don’t hold up after all the ways the internet, threats, and workforces have changed in the last three decades.
Cultural and mindset change: Driving success by bringing your teams along. When IT professionals understand the benefits of zero trust, they start driving it, too.
Does the vendor require an endpoint agent to be installed? What OSs are supported? What mobile devices? How well does the agent behave in the presence of other agents? Note: ZTNA technologies that do not support clientless use often can't support unmanaged device use cases (e.g., third-party access, BYOD).
Does the offering support only web applications, or can legacy (data center) applications gain the same security advantages?
Some ZTNA products are delivered partly or wholly as cloud-based services. Does this meet the organization’s security and residency requirements? Note: Gartner recommends that enterprises favor vendors that offer ZTNA as a service, as services are easier to deploy, more available, and provide better security against DDoS attacks.
To what extent is partial or full cloaking, or allowing or prohibiting inbound connections, a part of the isolated application’s security requirements?
What authentication standards does the trust broker support? Is integration with an on-premises directory or cloud-based identity services available? Does the trust broker integrate with the organization’s existing identity provider?
How geographically diverse are the vendor’s entry and exit points (referred to as edge locations and/or points of presence) worldwide?
After the user and user device pass authentication, does the trust broker remain resident in the data path?
Does the offering integrate with unified endpoint management (UEM) providers, or can the local agent determine device health and security posture as factors in the access decision? What UEM vendors has the ZTNA vendor partnered with?
These are all important considerations for your enterprise as you look for the ZTNA vendor that complements your present and forward-looking goals and vision. To learn more about ZTNA, check out our leading ZTNA service, Zscaler Private Access.
Zscaler Zero Trust Network Access
We’re proud to offer Zscaler Private Access™, the world’s most deployed ZTNA platform, built on the unique Zscaler zero trust architecture. ZPA applies the principles of least privilege to give users secure, direct connections to private applications while eliminating unauthorized access and lateral movement. As a cloud native service, ZPA can be deployed in hours to replace legacy VPNs and remote access tools with a holistic zero trust platform.
Zscaler Private Access delivers:
Peerless security, beyond legacy VPNs and firewalls: Users connect directly to apps, not the network, minimizing the attack surface and eliminating lateral movement.
The end of private app compromise: First-of-its-kind app protection, with inline prevention, deception, and threat isolation, minimizes the risk of compromised users.
Superior productivity for today's hybrid workforce: Lightning-fast access to private apps extends seamlessly across remote users, HQ, branch offices, and third-party partners.
Unified ZTNA for users, workloads, and devices: Employees and partners can securely connect to private apps, services, and OT/IoT devices with the most comprehensive ZTNA platform.