Zero trust network access (ZTNA) solutions enable remote users to securely access network resources such as files, servers, and applications. They create identity- and context-based boundaries around network assets or asset groups, hide the assets' network IP addresses from public view, and restrict access to them on a zero trust basis.
Before granting a user access, the ZTNA provider authenticates their identity, their device’s identity and health, and the context of their login attempt. Once authenticated, users are given access only to the resource they need in line with the principle of least privilege; to access something else, they must be re-authenticated. This continuous verification helps segment the network, preventing attacks from spreading laterally throughout the network.
To achieve this, ZTNA solutions offer application micro-segmentation, granular role-based access policy configuration, and in-depth reporting into user access and application use. They should also verify that the endpoint security on a user’s device is working properly, and that the operating system is patched. Finally, the best ZTNA solutions offer in-built two-factor or multi-factor authentication (2FA/MFA) or integrations with leading MFA providers, for further security against identity-based attacks and account takeover.
In this article, we’ll explore the top zero trust network access (ZTNA) solutions. We’ll look at features such as app micro-segmentation, user and device authentication, access policy configuration, reporting and analytics, and added security controls. We’ll give you some background information on the provider and the key features of each solution, as well as the type of customer that they are most suitable for.
What Is Zero Trust Network Access (ZTNA)?
Zero trust network access solutions enable remote users to securely access resources on their corporate network. They do this by creating an identity- and context-based boundary around individual network assets—such as files, servers, or applications—or groups of assets. If a user wants to access an asset, the ZTNA solution must first verify their identity and the context of their access attempt in line with pre-defined policies. If the user passes these checks, they’re granted permission to access only the requested asset or asset group. If they want to access another asset, the ZTNA solution must re-verify them.
The micro-segmentation employed by ZTNA solutions also gives admins continuous, real-time visibility into which users are accessing which assets and when. This enables them to quickly identify any anomalous activity, as well as to identify applications that are rarely used or redundant, to help save subscription costs.
ZTNA Vs. VPN: What’s The Difference?
Traditionally, organizations have relied on virtual private networks (VPNs) to establish a secure connection between their remote users and the corporate network. Enterprise VPNs create a private network across a public internet connection, essentially creating an encrypted tunnel between the user and the network. They anonymize the user by hiding their IP address and prevent any third parties from spying on users by encrypting data. They also usually require the user to authenticate themselves via multi-factor authentication (MFA) before establishing the connection.
However, once authenticated, the user has free access to the entire corporate network. This means that, if an attacker gains access to a remote user’s credentials and logs into their VPN, or even just intercepts a user’s VPN connection, they too can access the entire company network.
ZTNA solutions differ from this by only giving users access to the resources they need, when they need them—and nothing more. This enables ZTNA solutions to prevent attacks from spreading laterally through the network should an attacker manage to gain initial access. This greatly limits the amount of damage an attacker can do if they compromise a user’s account.
TL;DR: if a VPN builds a wall around the castle of your network to keep out the bad guys, a ZTNA solution places a guard on every door within the castle.
What Features Should You Look For In A ZTNA Solution?
There are five key features that you should look for when shopping for a ZTNA solution:
- Application micro-segmentation: users should only be able to access one asset at a time.
- Role-based access: admins should be able to define access permissions for each user based on their role within the company.
- Real-time reporting on user access activities and application usage: admins should be able to easily monitor user access and identify anomalous activity. In addition to this, admins should be able to identify rarely used applications, with the help of visual reporting dashboards.
- In-built, or ability to integrate, MFA or 2FA security: all users should be made to verify their identity in two or more ways before being granted access to any network assets.
- Device and operating system health checks: the ZTNA solution should only establish a remote connection with devices that are adequately patched and running an endpoint security solution.
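The following is an added example, not code from this article or from any ZTNA vendor. It models the decision logic described in the ZTNA vs. VPN comparison and in the five-feature checklist above as a toy policy engine: every resource request is checked for identity (MFA), device posture, login context, and role-based policy, and a grant covers only the requested resource. A second function shows the VPN model for contrast, where one successful authentication reaches every resource. The roles, resource names, the 30-day patch threshold, and the country-based context check are all constructed assumptions for illustration; the access log feeds a small report of the kind the reporting feature describes.

```python
"""Toy per-resource ZTNA policy engine (added example; not any vendor's code)."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample inventory and role-based policy (role -> permitted resources).
ALL_RESOURCES: Set[str] = {"git-server", "ci-dashboard", "ledger-app", "payroll-files"}
ROLE_POLICY: Dict[str, Set[str]] = {
    "engineer": {"git-server", "ci-dashboard"},
    "finance": {"ledger-app", "payroll-files"},
}

# Assumed device-health threshold: OS patched within the last 30 days.
MAX_DAYS_SINCE_OS_PATCH = 30


@dataclass
class Device:
    endpoint_security_running: bool
    days_since_os_patch: int


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device: Device
    resource: str
    login_country: str   # where this attempt comes from
    usual_country: str   # the user's established baseline


@dataclass
class Decision:
    allowed: bool
    reason: str


# Every decision is recorded, which is what admin reporting is built on.
ACCESS_LOG: List[dict] = []


def device_is_healthy(device: Device) -> bool:
    """Posture check: endpoint security running and OS patched recently."""
    return (device.endpoint_security_running
            and device.days_since_os_patch <= MAX_DAYS_SINCE_OS_PATCH)


def evaluate_ztna(req: AccessRequest) -> Decision:
    """Run the full verification chain for ONE resource request.

    Nothing is cached between requests: asking for a second resource means
    going through every check again, which is the re-verification the
    article describes.
    """
    if not req.mfa_verified:
        decision = Decision(False, "identity: MFA not completed")
    elif not device_is_healthy(req.device):
        decision = Decision(False, "device: posture check failed")
    elif req.login_country != req.usual_country:
        decision = Decision(False, "context: login location differs from baseline")
    elif req.resource not in ROLE_POLICY.get(req.role, set()):
        decision = Decision(False, f"policy: role '{req.role}' may not use '{req.resource}'")
    else:
        decision = Decision(True, "granted for this resource only")
    ACCESS_LOG.append({"user": req.user, "resource": req.resource,
                       "allowed": decision.allowed, "reason": decision.reason})
    return decision


def evaluate_vpn(mfa_verified: bool) -> Set[str]:
    """VPN model for contrast: one authentication, then the whole network."""
    return set(ALL_RESOURCES) if mfa_verified else set()


def access_report(log: List[dict]) -> dict:
    """Dashboard-style summary: per-resource usage, denied attempts, unused apps."""
    usage = {r: 0 for r in ALL_RESOURCES}
    denied = []
    for entry in log:
        if entry["allowed"]:
            usage[entry["resource"]] += 1
        else:
            denied.append(entry)
    unused = sorted(r for r, n in usage.items() if n == 0)
    return {"usage": usage, "denied": denied, "unused": unused}


if __name__ == "__main__":
    healthy = Device(endpoint_security_running=True, days_since_os_patch=5)
    stale = Device(endpoint_security_running=False, days_since_os_patch=90)
    for req in [
        AccessRequest("alice", "engineer", True, healthy, "git-server", "DE", "DE"),
        AccessRequest("alice", "engineer", True, healthy, "payroll-files", "DE", "DE"),
        AccessRequest("alice", "engineer", True, stale, "git-server", "DE", "DE"),
    ]:
        print(req.resource, evaluate_ztna(req))
    print("VPN after MFA reaches:", sorted(evaluate_vpn(True)))
    print(access_report(ACCESS_LOG))
```

The ordering of checks matters for reporting: identity and device failures are logged before policy is consulted, so a compromised credential used from an unhealthy or unusual device shows up in the denied list even when the role would have permitted the resource. In the VPN path there is no per-resource entry to log at all, which is exactly the visibility gap the article's comparison points to.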