Many organizations are looking to ZTNA to replace their private Multiprotocol Label Switching (MPLS) WAN connections and provide a secure way for employees to connect to corporate applications over the public Internet. This makes the business more agile and flexible while reducing risk from threats such as lateral movement across networks.
Isolation
When you use ZTNA to secure multi-cloud and hybrid environments, you achieve isolation by separating application access from network access. Connecting to a network does not automatically grant access to applications, which eliminates the risk of malware-compromised users moving laterally across your organization’s networks. ZTNA verifies and validates each connecting device’s identity and security posture before providing access to applications on a need-to-know basis. Unlike perimeter-based solutions that treat all users and devices the same, this approach removes the overly permissive access that could let malicious actors move laterally inside the organization, where detecting them is difficult. It also eliminates the need to open inbound firewall ports for application connectivity, cloaking enterprise resources from end-user devices and the Internet. This significantly reduces the organization’s digital attack surface and prevents exposure to DDoS, malware, and other online threats.
So what, concretely, is ZTNA? ZTNA is an agent-based or agentless solution that can be deployed on-premises or in the cloud. In agent-based deployments, an agent installed on the end-user device communicates with a cloud service that brokers the connection. In service-based (agentless) ZTNA, all traffic passes through the broker in the cloud, which ensures that only authorized connections are made. Both approaches can support managed and unmanaged devices.
Permissions
Permissions are authorizations granted to users that enable access to specific resources on a network, such as data files, applications, and devices. The permissions designate the type of access, for example, whether a user can read data without modifying it (read-only) or is allowed to write to that data. Permissions are also known as privileges. In ZTNA, permissions are critical in determining a device’s or user’s trustworthiness. Unlike traditional VPNs that offer device-centric security, zero trust networking takes a more contextual approach to access control, assessing the trustworthiness of every new flow against policies set at policy enforcement points (PEPs). These PEPs can be software clients running on protected nodes — including endpoints, physical servers, virtual machines, and containers — or they can be appliances and gateway servers, or they can even be cloud-delivered services. Organizations can deploy and manage their own ZTNA or choose a service-initiated model that requires only a lightweight ZTNA connector in front of business applications, whether on-premises or at cloud providers. The connector authenticates the user or calling application, and traffic is then routed through the ZTNA service provider for security and performance reasons. This is a good choice for organizations that want to avoid deploying or managing a stand-alone ZTNA solution, and it is particularly useful for unmanaged or BYOD devices, such as those used by consultants or partners.
Monitoring
Zero trust network access is a security solution that replaces VPNs for remote, in-person, and hybrid work. Instead of granting access to the entire LAN, it defaults to deny and connects users directly to applications on a need-to-know basis. This approach reduces the attack surface and improves the user experience, since applications are delivered over direct connections to the data center. These direct, per-application connections also limit the damage in the event of a breach. The principles of least privilege, micro-segmentation, and multi-factor authentication all come into play to prevent unauthorized access. Post-connection monitoring — including behavior analysis — can detect abnormal activity and halt attacks from inside or outside the organization. ZTNA tools don’t rely on appliances and can be delivered as software-only solutions or as part of an SD-WAN (software-defined wide-area networking) or secure access service edge (SASE) architecture. They function similarly to software-defined perimeters and rely on the “dark cloud” principle: protected applications are hidden from discovery, so they are neither visible nor addressable from the IP addresses of other services or devices. Many IT, networking, and security suppliers offer ZTNA as a stand-alone solution or integrate it into existing network infrastructure. However, it is essential to understand how this technology fits into an organization’s overall strategy for addressing the challenges of remote and hybrid work, including how it fits into an ongoing project to replace a legacy VPN with SD-WAN or SASE.
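The post-connection monitoring described above is easiest to understand on concrete data. The following is an added example written for this page, not code from the original article or from any ZTNA vendor: it runs simple behavior analysis over per-session flow records that a PEP or broker might emit and flags sessions a defender would want to terminate and re-authenticate. The record format, the thresholds, the session ids and every sample line are constructed for the example and do not correspond to any real product's log schema.

```python
"""Added illustration of the post-connection monitoring described above:
simple behaviour analysis over ZTNA session flow records. The record
format, thresholds, session ids and sample lines are all constructed for
this example and do not correspond to any vendor's log schema."""
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed flow records, one per connection attempt brokered by the PEP.
SAMPLE_FLOWS = """\
ts=1700000000 session=s1 user=alice app=wiki country=DE bytes_out=4200 decision=allow
ts=1700000030 session=s1 user=alice app=wiki country=DE bytes_out=3800 decision=allow
ts=1700000060 session=s2 user=bob app=git country=FR bytes_out=12000 decision=allow
ts=1700000065 session=s2 user=bob app=hr-portal country=FR bytes_out=0 decision=deny
ts=1700000070 session=s2 user=bob app=finance-db country=FR bytes_out=0 decision=deny
ts=1700000075 session=s2 user=bob app=payroll country=FR bytes_out=0 decision=deny
ts=1700000080 session=s2 user=bob app=backup-admin country=FR bytes_out=0 decision=deny
ts=1700000090 session=s3 user=carol app=crm country=DE bytes_out=900 decision=allow
ts=1700000120 session=s3 user=carol app=crm country=BR bytes_out=950000 decision=allow
"""

DENY_BURST = 3          # distinct apps denied in one window -> probing for reachable apps
DENY_WINDOW_S = 60
VOLUME_MULTIPLIER = 50  # a later flow sends >50x the session's first allowed flow


def parse_flows(text: str) -> Dict[str, List[dict]]:
    """Group key=value records by session id; numeric fields become ints."""
    sessions: Dict[str, List[dict]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(kv.split("=", 1) for kv in line.split())
        rec["ts"] = int(rec["ts"])
        rec["bytes_out"] = int(rec["bytes_out"])
        sessions[rec["session"]].append(rec)
    for flows in sessions.values():
        flows.sort(key=lambda r: r["ts"])
    return sessions


def detect_deny_burst(flows: List[dict]) -> Optional[str]:
    """Many distinct apps denied in a short window: the session is enumerating
    what it can reach, which a per-app allow model turns into visible denies."""
    denies = [(f["ts"], f["app"]) for f in flows if f["decision"] == "deny"]
    for i, (t0, _) in enumerate(denies):
        apps = {app for t, app in denies[i:] if t - t0 <= DENY_WINDOW_S}
        if len(apps) >= DENY_BURST:
            return f"{len(apps)} distinct apps denied within {DENY_WINDOW_S}s"
    return None


def detect_geo_change(flows: List[dict]) -> Optional[str]:
    """Source country changes while the same session stays open."""
    countries = [f["country"] for f in flows]
    for prev, cur in zip(countries, countries[1:]):
        if prev != cur:
            return f"source country changed {prev} -> {cur} mid-session"
    return None


def detect_volume_spike(flows: List[dict]) -> Optional[str]:
    """An allowed flow sends far more data than the session's first allowed flow."""
    allowed = [f for f in flows if f["decision"] == "allow"]
    if len(allowed) < 2 or allowed[0]["bytes_out"] == 0:
        return None
    baseline = allowed[0]["bytes_out"]
    for f in allowed[1:]:
        if f["bytes_out"] > baseline * VOLUME_MULTIPLIER:
            return f"bytes_out {f['bytes_out']} vs baseline {baseline} on {f['app']}"
    return None


def analyze(sessions: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Return alerts per session; a session with any alert is a candidate for
    the PEP to terminate and for the user to re-authenticate."""
    alerts: Dict[str, List[str]] = {}
    for sid, flows in sessions.items():
        found = [a for a in (detect_deny_burst(flows), detect_geo_change(flows),
                             detect_volume_spike(flows)) if a]
        if found:
            alerts[sid] = found
    return alerts


if __name__ == "__main__":
    for sid, found in analyze(parse_flows(SAMPLE_FLOWS)).items():
        print(sid, "->", "; ".join(found))
```

On the constructed data, session s1 stays quiet, s2 is flagged because four different applications were denied within fifteen seconds (the kind of signal a default-deny, per-application model produces when a session probes for what it can reach), and s3 is flagged twice, for a mid-session country change and a data volume far above its own baseline. The thresholds are deliberately crude; in a real deployment they would be tuned per application and fed by the PEP in near real time so that a hit can revoke the session rather than just raise a ticket.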
Automation
The goal of any ZTNA solution is to prevent unauthorized users from exploiting implicit trust, and that’s why automation plays such a vital role. The policy enforcement point (PEP), which can be software on the protected endpoint, an appliance or server at the network’s edge, or a cloud-based gateway service, communicates with the policy administrator (PA) to implement access policies and determine whether particular connections are allowed or denied. Using this information, the PEP grants connectivity to applications over an end-to-end encrypted TLS micro-tunnel created at the edge of the network rather than via the Internet itself. This eliminates the need for a traditional network perimeter and makes it possible to connect users and devices even when applications don’t reside on-premises, as is often the case in multi-cloud environments. ZTNA also enables granular application access, with permissions granted on a one-to-one basis and based on various contextual signals, including device posture, time of day, and geographic location. This reduces the risk of lateral movement by unauthorized users and mitigates threats like stolen credentials, which account for half of all data breaches. In addition, the PA can use continuous authorization and monitoring to verify and analyze all traffic throughout a connected session and stop suspicious behavior before it’s too late.
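The Permissions and Automation sections above describe the same mechanism from two sides: per-application grants with a permission level, evaluated by a policy administrator against contextual signals (MFA, device posture, geography, time of day), and enforced by a PEP that keeps re-checking the grant for as long as the session lives. The following added example, written for this page and not taken from the article or from any vendor's product, puts both halves into one small decision engine. Every rule, group name, country code and posture signal in it is a constructed assumption chosen to exercise the checks, and the evaluation order and "write implies read" convention are design choices of the example, not a standard.

```python
"""Added illustration of the permissions and automation described above: a
toy policy administrator (PA) that evaluates per-application rules against
contextual signals, and a PEP-side session that re-checks the grant on
every flow. Rule names, groups, countries and signals are constructed for
this example; nothing here is a vendor's product code or API."""
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Set, Tuple


@dataclass
class Context:
    """Signals the PEP collects about a user/device and forwards to the PA."""
    user: str
    groups: Set[str]
    mfa_verified: bool
    device_managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    country: str
    local_time: time


@dataclass
class AppRule:
    """One explicit grant: which groups may reach one application, and how."""
    app: str
    groups: Set[str]
    permission: str                              # "read" or "write" (write implies read)
    require_mfa: bool = True
    require_managed_device: bool = False
    allowed_countries: Optional[Set[str]] = None
    window: Optional[Tuple[time, time]] = None   # permitted local-time window


# Constructed policy: there is no network-level grant, only per-app rules.
POLICY: List[AppRule] = [
    AppRule("hr-portal", {"hr"}, "write", require_managed_device=True,
            allowed_countries={"DE", "FR"}, window=(time(7, 0), time(20, 0))),
    AppRule("wiki", {"hr", "eng", "contractors"}, "read"),
    AppRule("git", {"eng"}, "write", require_managed_device=True),
]


def device_posture_ok(ctx: Context) -> bool:
    """A 'managed' device must also be encrypted and report a healthy EDR agent."""
    return ctx.device_managed and ctx.disk_encrypted and ctx.edr_healthy


def decide(ctx: Context, app: str, wanted: str) -> Tuple[bool, str]:
    """PA logic: returns (allowed, reason). Anything not explicitly granted is
    denied. The first rule matching the app and one of the user's groups wins."""
    for rule in POLICY:
        if rule.app != app or not (rule.groups & ctx.groups):
            continue
        if wanted == "write" and rule.permission != "write":
            return False, "permission: rule grants read-only access"
        if rule.require_mfa and not ctx.mfa_verified:
            return False, "mfa: second factor not verified"
        if rule.require_managed_device and not device_posture_ok(ctx):
            return False, "posture: device not managed, encrypted and EDR-healthy"
        if rule.allowed_countries and ctx.country not in rule.allowed_countries:
            return False, f"geo: access from {ctx.country} not permitted"
        if rule.window and not (rule.window[0] <= ctx.local_time <= rule.window[1]):
            return False, "time: outside the permitted window"
        return True, f"granted {rule.permission} on {app}"
    return False, "default deny: no rule matches the user's groups and the app"


class Session:
    """PEP-side view of one application connection. Signals can change while
    the session is open (EDR stops, the device roams), so the grant is
    re-evaluated on every flow rather than once at connect time."""

    def __init__(self, ctx: Context, app: str, wanted: str) -> None:
        self.app, self.wanted = app, wanted
        self.active, self.reason = decide(ctx, app, wanted)

    def on_flow(self, fresh_ctx: Context) -> bool:
        # Continuous authorization: a failed re-check stops forwarding immediately.
        self.active, self.reason = decide(fresh_ctx, self.app, self.wanted)
        return self.active


if __name__ == "__main__":
    alice = Context("alice", {"hr"}, True, True, True, True, "DE", time(9, 0))
    print(decide(alice, "hr-portal", "write"))   # (True, 'granted write on hr-portal')
    bob = Context("bob", {"contractors"}, True, False, False, False, "US", time(9, 0))
    print(decide(bob, "wiki", "write"))          # read-only rule -> denied
    print(decide(bob, "git", "read"))            # no matching rule -> default deny
    s = Session(alice, "hr-portal", "write")
    degraded = Context("alice", {"hr"}, True, True, True, False, "DE", time(9, 0))
    print(s.on_flow(degraded), s.reason)         # False, posture failure
```

Two properties of the example carry the section's point. First, there is no rule that says "alice may reach the network"; every grant names one application and one permission level, so a contractor who can read the wiki gets nothing from the fact that the wiki and the git server sit on the same subnet. Second, the `Session` object never caches the answer: when alice's EDR agent stops reporting healthy, the very next flow is refused with a reason the PEP can log, which is the continuous authorization the text describes.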