What is a Zero Trust Network Access (ZTNA) Architecture?
Zero trust network access (ZTNA), previously known as a software-defined perimeter, has gained popularity in recent years as organizations seek ways to connect users to their applications and data when it’s increasingly likely that neither users nor applications will be sitting on the network. To become digitally enabled, organizations must make their systems, services, APIs, data, and processes accessible anywhere, anytime, from any device over the internet. To do so securely, they are leveraging ZTNA to provide the precise, contextual access necessary, while shielding services from attackers. ZTNA offers significant benefits in user experience, agility, adaptability, and simplified policy management, and cloud-based ZTNA offers the added benefits of scalability and ease of adoption.
Gartner developed ZTNA to provide a model for eliminating the excessive trust extended to employees and partners as they connect to applications and data using traditional technologies, such as VPNs. The ZTNA model is based on the idea that nothing can be trusted until it proves itself to be trustworthy and, once trust is established, it must be continually reassessed as the context—user’s location, device, application, etc.—changes.
The two architecture approaches to zero trust network access
There are two distinct architectures when delivering ZTNA. Endpoint-initiated ZTNA means that the endpoint or end user is initiating access to an application. This approach is the closest model to the original software-defined perimeter (SDP) specification. In this instance, an agent (a lightweight software application) is installed on end-user devices. The agent communicates with a controller, which authenticates the user and provisions connectivity to a specific application that the user is authorized to access. Endpoint-initiated ZTNA is difficult, if not impossible, to implement on an unmanaged device, because of the requirement to install some form of agent or local software.
With service-initiated ZTNA, a ZTNA broker initiates the connection between user and application. In this instance, a lightweight ZTNA connector sits in front of business applications, located in a customer’s data center or cloud, and establishes an outbound connection from the requested application to the ZTNA service broker. Once the user is authenticated by the provider for application access, the traffic will pass through the ZTNA service provider, which isolates applications from direct access via a proxy. The advantage of service-initiated ZTNA is that no agent is required on the end user’s device, making it an attractive approach for unmanaged (BYOD) devices and for partner and customer access. Some service-initiated ZTNA services can use browser-based access for web applications.
The two delivery models for zero trust network access
Beyond the architectural differences between endpoint-initiated vs. service-initiated ZTNA, customers have a choice of adopting ZTNA as a stand-alone product vs. ZTNA as a service. While Gartner recommends a service-based model, what follows is a brief explanation of each to help you make the best choice for your ZTNA strategy:
ZTNA as a stand-alone product
Stand-alone ZTNA offerings require customers to deploy and manage all elements of the product. In addition, several IaaS cloud providers offer ZTNA capabilities for their customers. The ZTNA sits at the edge of your environment, whether that’s in the data center or cloud, and brokers a secure connection between user and application.
Pros and Cons:
- Customers have 100% ownership responsibility and must deploy, manage, and maintain the ZTNA infrastructure
- Stand-alone offering fits well for enterprises that are cloud-adverse
- Some vendors support both stand-alone and cloud-service ZTNA offerings
ZTNA as a cloud service
The other option is ZTNA as a service. With ZTNA as a cloud-hosted service, customers leverage a vendor’s cloud infrastructure for policy enforcement. The customer simply purchases user licenses and deploys lightweight connectors that front-end applications in all environments; the vendor delivers the connectivity, capacity, and infrastructure needs. Access is established through brokered, inside-out connections between user and application, effectively decoupling application access from network access while never exposing IPs to the internet.
Pros and Cons:
- Easier deployment since there is no infrastructure requirement from the customer
- Cloud-service ZTNA simplifies management for IT. Management is centralized in a single admin portal and enforced globally via the ZTNA cloud-service.
- Cloud-delivered ZTNA ensures optimal traffic pathways are selected globally for fastest access to all remote and local users
Some cloud-delivered services allow for a software package to be deployed on-premises. The software runs on the customer-provided infrastructure but is still delivered as part of the ZTNA service and is managed by the ZTNA vendor. Learn more about on-premises ZTNA.
Apparent in client interaction, the as-a-service flavor is rapidly outpacing the stand-alone flavor. Gartner estimates that more than 90% of clients are implementing the as-a-service flavor.Gartner Market Guide for ZTNA, 8 June 2020
Gartner recommendations when selecting a ZTNA product or service
In Gartner’s recent Market Guide for Zero Trust Network Access, Steve Riley, Neil MacDonald, and Lawrence Orans outline several factors organizations should consider when choosing a ZTNA solution:
- Does the vendor require that an endpoint agent be installed? What operating systems are supported? What mobile devices? How well does the agent behave in the presence of other agents?
- Does the offering support only web applications, or can legacy (data center) applications gain the same security advantages?
- Some ZTNA products are delivered partly or wholly as cloud-based services. Does this meet the organization’s security and residency requirements? NOTE: Gartner recommends that enterprises favor vendors that offer ZTNA as a service, as services are easier to deploy, more available, and provide better security against DDoS attacks.
- To what extent is partial or full cloaking, or allowing or prohibiting inbound connections, a part of the isolated application’s security requirements?
- What authentication standards does the trust broker support? Is integration with an on-premises directory or cloud-based identity services available? Does the trust broker integrate with the organization’s existing identity provider?
- How geographically diverse are the vendor’s entry and exit points (referred to as edge locations and/or points of presence) worldwide?
- After the user and device pass authentication, does the trust broker remain resident in the data path?
- Does the offering integrate with unified endpoint management (UEM) providers, or can the local agent determine device health and security posture as factors in the access decision? What UEM vendors has the ZTNA vendor partnered with?
Learn more about ZTNA
Interested in learning more about ZTNA? Check out these additional resources or take ZTNA for a free test drive: