    Zero Trust Network Access (ZTNA)

    By Vishalishwaran Deivasigamani Sivakumar, 20 April 2022 (updated 31 July 2022)

    Zero Trust Network Access (ZTNA) is an IT security solution that lets organisations provide secure remote access to their applications, data and services on the basis of clearly defined access control policies. ZTNA differs from virtual private networks (VPNs) in that it grants access only to specific services or applications, whereas a VPN grants access to the whole network. As more users access resources from home or other locations, ZTNA solutions can help close the gaps in existing secure remote access technologies and approaches.

    How does ZTNA function?

    With ZTNA, particular applications or resources become reachable only after the user has authenticated with the ZTNA service. Once the user is authorised, the ZTNA service grants access to the requested application through a secure, encrypted tunnel, which adds protection by keeping the applications' and services' IP addresses hidden from view.

    In this way, ZTNA behaves much like a software-defined perimeter (SDP), relying on the same ‘dark cloud’ concept: users have no visibility of applications and services they are not authorised to access. This also limits lateral movement, because an attacker who does gain access cannot scan for additional services.

    Fig.1. ZTNA protecting data everywhere

    ZTNA’s Top Two Use Cases

    • ZTNA’s primary purpose is to provide a granular access mechanism based on user identity. Whereas IP-based VPN access grants broad network access once the user is admitted, ZTNA grants restricted, granular access to specific applications and resources. ZTNA can add further protection by enforcing location- or device-specific access control policies. By contrast, some VPNs give employee-owned devices the same access as administrators.
    • ZTNA does not audit user traffic after authentication. This can be a problem if a malicious employee abuses their access, or if a user’s credentials are lost or stolen. By integrating ZTNA into a Secure Access Service Edge (SASE) solution, a company gains the security, scalability and networking capabilities needed for secure remote access, together with post-connection monitoring that helps prevent data loss, criminal activity and the use of compromised credentials.

    Fig.2. Flow diagram of ZTNA for remote users

    ZTNA’s Advantages

    ZTNA enables the connection of people, applications and data that do not reside on the organisation’s own network, a scenario that is becoming more common in today’s multi-cloud setups, where microservices-based applications can live on several clouds as well as on-premises. A modern organisation’s digital assets must be accessible anywhere, at any time and from any device, by a distributed user base.

    ZTNA satisfies this requirement by providing granular, context-aware access to mission-critical applications without exposing other services to potential attackers.

    What is the difference between a virtual private network (VPN) and a Zero Trust Network Access (ZTNA)?

    There are several distinctions between VPNs and ZTNA. VPNs primarily provide network-wide access, whereas ZTNA allows access to specified resources and usually requires reauthentication. Many organisations still manage access through VPNs rather than ZTNA. Once connected to a VPN, users receive access to the whole network and its resources. By contrast, ZTNA grants access to the specific application requested and, by default, denies access to all other applications and data.

    There are also technological distinctions between ZTNA and VPNs. Several of these distinctions include the following:

    • Many VPNs operate at layer 3 (the network layer) of the OSI model. ZTNA generally functions at the application layer. (Some VPNs, like ZTNA, operate at the application layer and encrypt using TLS rather than IPsec.)
    • IPsec VPNs require software to be installed on every user device. ZTNA sometimes requires an agent as well, but usually does not.
    • Hardware: VPNs frequently require on-premise VPN servers, which user devices reach through the organisation’s perimeter firewall. ZTNA may be deployed this way too, but it is most often delivered from the cloud, letting users connect from any location without degrading network performance.
    • ZTNA establishes one-to-one encrypted connections between a user’s device and a particular application or server. VPNs give users access to a whole LAN at once: once a user’s device has an IP address on the network, it can communicate with every other IP address on it.

    Several disadvantages of VPNs in comparison to ZTNAs include the following:

    • Resource use: as the number of remote users grows, the load on the VPN can rise sharply, requiring additional resources to meet peak demand. This can also burden the IT organisation’s staff.
    • Flexibility and agility: VPNs lack the granularity that ZTNA provides, and installing and configuring VPN software on every end-user device that needs access to company resources can be troublesome. With ZTNA, on the other hand, adding or removing security policies and user permissions in line with the business’s immediate needs is significantly easier; ABAC (attribute-based access control) and RBAC (role-based access control) facilitate this.
    • Granularity: once inside the VPN boundary, a user has complete access to the system. ZTNA takes the opposite approach, denying access to any asset (application, data or service) unless the user is expressly permitted to use it. Compared with VPNs, ZTNA provides continuous identity verification through authentication: each user and device is validated and authorised before being granted access to particular applications, systems or other assets. VPNs and ZTNA can also be used together, for example to add a layer of protection on a particularly critical network segment should the VPN be compromised.

    Key characteristics of ZTNA

    • Application vs. network access: ZTNA distinguishes between application access and network access. Connecting to a network does not automatically give a user access to an application.
    • IP addresses are hidden: ZTNA does not expose IP addresses to the network. Connected devices see nothing of the rest of the network beyond the application or service they are linked to.
    • Device security: ZTNA can take a device’s risk and security posture into account when making access decisions, either by running an agent on the device or by analysing network traffic to and from it.
    • No MPLS: ZTNA uses TLS-encrypted connections over the Internet rather than MPLS-based WAN links. Traditional corporate networks are built on private MPLS connections; ZTNA instead runs over the public Internet with traffic encrypted using TLS, and rather than connecting a user to a broad network it establishes narrow tunnels between the user and the individual application.
    • Identity providers (IdPs) and single sign-on (SSO) platforms: most ZTNA solutions integrate with independent identity providers (IdPs), single sign-on (SSO) platforms, or both. SSO lets users authenticate once across all applications; the IdP manages user identities and their associated rights.
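    The following is a worked illustration of the deny-by-default, per-application access decision this article describes: the RBAC/ABAC point under the VPN disadvantages and the device-posture and IdP points in the list above. It is example code added here, not part of the original article or of any ZTNA product; the application names, roles, countries and posture attributes are constructed for the example, and a real broker would take identity from the IdP/SSO assertion and posture from a device agent.

```python
from dataclasses import dataclass, replace

# An access request as a ZTNA broker sees it: identity and roles would come
# from the IdP/SSO assertion, posture attributes from a device agent.
@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    device_managed: bool
    disk_encrypted: bool
    country: str
    app: str  # exactly one application per request, never "the network"

@dataclass(frozen=True)
class Rule:
    app: str
    allowed_roles: frozenset                    # RBAC part
    require_managed: bool = True                # ABAC: device posture
    allowed_countries: frozenset = frozenset()  # ABAC: location; empty = any

# Constructed sample policy with hypothetical application names.
POLICY = (
    Rule("hr-portal", frozenset({"hr"}), allowed_countries=frozenset({"GB", "IE"})),
    Rule("wiki", frozenset({"staff"}), require_managed=False),
    Rule("prod-db-admin", frozenset({"dba"})),
)

def decide(req, policy=POLICY):
    """Evaluate one request and return (allowed, reason). Anything not
    explicitly permitted by a rule for exactly this app is denied."""
    for rule in policy:
        if rule.app != req.app:
            continue
        if not req.roles & rule.allowed_roles:
            return False, "role not permitted for app"
        if rule.require_managed and not (req.device_managed and req.disk_encrypted):
            return False, "device posture insufficient"
        if rule.allowed_countries and req.country not in rule.allowed_countries:
            return False, "location not permitted"
        return True, "allowed"
    return False, "no rule for app: default deny"

def visible_apps(req, policy=POLICY):
    """The 'dark cloud' view: the broker reveals only the apps this user on
    this device could reach right now; everything else stays invisible."""
    return {r.app for r in policy if decide(replace(req, app=r.app), policy)[0]}

if __name__ == "__main__":
    alice = Request("alice", frozenset({"hr", "staff"}), True, True, "GB", "hr-portal")
    print(decide(alice))                         # (True, 'allowed')
    print(decide(replace(alice, country="US")))  # (False, 'location not permitted')
    print(visible_apps(alice))                   # {'hr-portal', 'wiki'}
```

Because every decision is made per request, re-authentication or a change in device posture is handled simply by evaluating the next request again rather than by revoking a network session.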

    Fig.3. Zero Trust Security Model

    There are also two delivery models for zero-trust network access: stand-alone ZTNA and ZTNA as a service. The main differences are as follows:

    • With stand-alone ZTNA, the organisation must deploy and operate all components of the ZTNA itself; these sit at the edge of the environment (cloud or data centre) and broker the secure connections. This suits cloud-averse enterprises, but deployment, administration and maintenance become additional obligations.
    • With ZTNA delivered as a cloud-hosted service, the organisation can rely on the provider’s infrastructure for everything from deployment to policy enforcement. The company buys user licences, places connectors in front of the protected applications, and leaves connectivity, capacity and infrastructure to the cloud provider or ZTNA vendor. This simplifies administration and deployment, and cloud-delivered ZTNA can select the lowest-latency traffic path for every user.