With the rapid rise of remote and hybrid work, it’s becoming harder for security teams to maintain control over users and devices. Implementing ZTNA is one way to do this.
Zero trust solutions operate on a default deny policy, only trusted users and devices after verifying their identity and posture. They also provide granular access to applications, reducing the attack surface and protecting critical workloads from malware and DDoS attacks.
Table of Contents
Zero Trust Access Control
A Zero Trust security model protects users and applications with a secure layer that separates the public internet from the corporate network. The architecture authenticates users and allows them to access specific cloud and internal applications based on their organizational roles. This approach significantly reduces third-party risk, typically when attackers compromise a user’s account credentials or gain visibility into the company’s network through a malicious device.
ZTNA solutions act as a software-defined perimeter that enables users to connect to cloud and SaaS applications without seeing the underlying infrastructure. The software runs on the endpoint and authenticates the device using identity and security-based information and also considers context derived from factors such as the user’s role, time of day, geolocations, and data sensitivity level.
Unlike VPNs, ZTNA solutions assess the security posture of the connecting device by validating the device’s software and hardware, identifying potential vulnerabilities and risky apps and services, and ensuring that connections are terminated when risks are detected. This means that your security program is aligned with business outcomes and is not based on the assumption of a “trusted” network.
It’s important to work with a ZTNA vendor that offers both an agent-based model (endpoint-initiated) and a service-initiated model, depending on your deployment requirements. The service-initiated model does not require an agent and is ideal for organizations that allow BYOD and third-party users.
Zero trust access control allows administrators to connect users to applications over a secure connection that bypasses the public internet, mitigating risks from malicious actors trying to steal a user’s credentials or gain access through a vulnerability in a third-party device or application. Authentication is accomplished by analyzing multiple factors to determine a user’s or device’s risk, such as device security status (patches, OS versions, etc.), geographic location, time of day, and the user’s requested data.
A cloud-based ZTNA solution enables granular controls and permissions to be applied per user. This helps ensure that contractors, vendors, or supply chain partners only have access to the information they need and that this access is valid for as long as business processes require.
A service-initiated ZTNA solution uses a gateway function in the cloud to perform authentication and validation and a connector in the user’s network to establish an outbound connection to the application being accessed. The gateway function in the cloud then encrypts and tunnels the application traffic to and from the user’s device, providing isolation from direct access and attack via the public internet. This method also requires no agents to be installed on the user’s device, making it a good choice for connecting non-managed devices.
ZTNA solutions replace firewalls and other network security tools, offering a unified approach to protecting applications from unauthorized access. By implementing user-to-application security with native application segmentation, these solutions create a new corporate perimeter using secure, encrypted TLS micro-tunnels that eliminate the need for MPLS or other private network connections. This approach improves scalability and agility while improving data protection by reducing the risk of distributed denial of service attacks.
The core of a ZTNA solution is an identity- and context-based trust broker, Gartner notes. The broker evaluates the applicant’s credentials and device context to determine whether it is eligible to access a specific application and then connects the user to the required application via the gateway function. The broker can reside on protected nodes in data centers as an appliance or VM or as a gateway function in the cloud. It can also run as software on endpoints, evaluating the security posture of unmanaged devices in the process.
IT teams need to understand how the various options for ZTNA work in their environments and select a solution that aligns with the company’s current and future goals and challenges.
Zero trust is more than just a network access control model; it’s an architecture that protects applications, data, and devices. It’s also about combining these controls with analytics and threat protection.
The best security analytics solutions use machine learning and next-gen endpoint protection to identify, isolate, and stop threats like ransomware from spreading or stealing data. They can also monitor and analyze network traffic to detect unusual patterns that indicate a breach or an attack is underway.
For example, some ZTNA solutions use advanced encryption to automatically decrypt traffic for cloud-based or SaaS applications so attackers can’t intercept encrypted data packets and steal sensitive information. They also enable granular micro-segmentation, making it more difficult for attackers to move from one segment to another and potentially exfiltrate data.
Another important function of ZTNA is to provide a centralized view of all the security events occurring across an organization’s entire network infrastructure, including all managed and unmanaged data in the cloud or on endpoint devices. This unified visibility is critical to maintaining compliance and detecting incidents quickly when they occur.
Finally, a key advantage of some ZTNA solutions is their ability to reduce an organization’s attack surface by bypassing the traditional VPN and connecting users directly to the applications they need to access. This reduces the possibility of lateral movement by unauthorized users and improves user experiences.
I’m a writer, artist, and designer working in the gaming and tech industries. I have held staff and freelance positions at large publications including Digital Trends, Lifehacker, Popular Science Magazine, Electronic Gaming Monthly, IGN, The Xplore Tech, and others, primarily covering gaming criticism, A/V and mobile tech reviews, and data security advocacy.