Zero trust network access (ZTNA) is a solution that enables secure access to network resources for remote users. Remote or hybrid-remote work is becoming increasingly popular when compared to the conventional model of commuting to the office each day; in the USA, for example, 58% of people have the opportunity to work from home at least one day a week, and 87% of those take that opportunity. As such, it’s critical that employees can access the corporate network from anywhere—be it their home, a coffee shop, or an airport—and it’s just as important for that access to be secure.
Traditionally, businesses have relied on legacy perimeter security solutions—such as antivirus software, firewalls, and VPNs—to protect the data and applications within their network against cyberthreats. These services act like a wall around your data kingdom; they prevent threats such as malware from entering and only open the drawbridge to legitimate users. This means that users are verified once before being granted access, then, once allowed past that perimeter, can access all corporate resources within it freely.
Unfortunately, threat actors are increasingly finding ways to infiltrate traditional perimeters. And remote work—when not implemented securely—only makes this easier for them, enabling them to infiltrate unsecured devices and Wi-Fi networks, then enter the perimeter and move laterally throughout the network by impersonating the user whose remote work environment they breached.
So, it’s clear that a perimeter based on trust is no longer strong enough to secure corporate networks against today’s cyberthreats—particularly when that perimeter is blurred by a distributed office or workplace, the use of personal devices for work, and an increased dependence on cloud applications.
Luckily, there’s an alternative way to enable secure remote access to your corporate network. And that alternative is zero trust network access.
What Is ZTNA And How Does It Work?
“Zero trust” is a phrase that we’re hearing increasingly often in the security space, and it can be difficult to extract actionable meaning from what’s becoming a bit of a security buzzword. And one of the main reasons for that is that zero trust isn’t a product; it’s a concept founded on one basic principle: nothing and nobody—whether internal or external—should be inherently trusted with access to your data.
The principle of zero trust differs from the legacy perimeter approach to security, because it requires that organizations don’t automatically trust anything within their perimeter. To action that principle, organizations need to continuously verify that all users and devices are who they say they are, segment access to corporate data, and monitor the network for malicious activity. There are a few different solutions that can help businesses build a zero trust architecture to comply with this principle, one of which is zero trust network access.
Zero trust network access, more commonly referred to as “ZTNA”, is a security solution that secures corporate assets by creating individual identity- and context-based boundaries around them, or around groups of them. With ZTNA in place, the network’s IP addresses are hidden. This means that network assets, such as applications, are hidden from public discovery. Additionally, access to network assets is restricted by the ZTNA provider; trust is conditional. Before a user is granted access, the ZTNA provider verifies that user’s identity and the context of their access attempt in line with admin-configured policies. If they pass these checks, the user is granted only enough authority to access the requested asset or asset group, based on admin-configured roles—rather than to the entire network, as with traditional network perimeters. If the user wants to access another asset or asset group, the ZTNA provider re-verifies them.
Thanks to this continuous verification, ZTNA not only helps prevent attackers from gaining access to the network in the first place, but also prevents the spread of cyberthreats laterally through the network if an attacker does manage to gain access, greatly limiting the amount of damage they’re able to do before they’re detected.
With a ZTNA solution implemented, organizations can enable their users to seamlessly and securely access all of the data and applications they need for work, without having to grant them access to the entire network or expose those assets to potentially unsecure internet connections.
ZTNA Vs. VPN: What’s The Difference?
Virtual private networks, or “VPNs”, are a tried and tested way of securing remote access to corporate networks. The first VPN protocol was developed back in 1996, and businesses have been using them since to prevent bad actors from infiltrating their users’ remote connections. Enterprise VPN solutions grant remote users complete access to a corporate network by creating a private network across a public internet connection, essentially creating a tunnel between the user and the corporate network. They give users anonymity by hiding their IP addresses, and they protect their online activity by encrypting it.
However, the evolution of the corporate network and the blurring of the network perimeter have accelerated in recent years. So, although VPNs provide protection at the network perimeter, they don’t provide protection after a user has entered that perimeter.
ZTNA, on the other hand, works on the principle of least privilege: it gives users access to the resources they need, when they need it, and nothing more. Where legacy VPNs create a castle wall around your data kingdom, ZTNA assigns each data asset its own individual guard. This helps businesses to achieve the continuous verification and network segmentation required by the zero trust approach.
Once a user is authenticated by the ZTNA solution, the solution grants them access to a single asset or asset group via a secure, encrypted tunnel. Unlike a VPN, this tunnel goes between the user and a single asset, not the entire network. This not only prevents the spread of lateral attacks, but also shields IP addresses from public view—and the view of any bad actors spying on your users’ activity.
This micro-segmentation also allows for continuous, real-time visibility into which applications users are accessing—enabling organizations to comply with the “continuous monitoring” requirement of the zero trust framework. Traditional VPNs only provide visibility insofar as telling admins which users are accessing the network and when; admins don’t receive any insights at the application level.
On top of this, VPNs were built for accessing on-premises environments via corporate-issued and corporate-managed devices. They aren’t as scalable as ZTNA solutions, and they don’t offer the device authentication features that ZTNA does—which is critical in preventing unauthorized access via vulnerability exploits.
Although VPNs still have their place, many organizations—particularly those migrating to the cloud, with a large number of remote or hybrid workers, and that allow the use of BYOD or personal devices—are replacing their VPNs with ZTNA solutions.
What Are The Benefits Of ZTNA?
There are a lot of reasons why you might want to consider implementing a zero trust network access solution, or switching from your traditional VPN to ZTNA. Here are some of the top benefits of ZTNA:
- Prevent the lateral spread of attacks throughout your network. One of the key features of ZTNA is application micro-segmentation: the solution only grants user access to specific applications or groups of applications, rather than the entire network. If a user wants to access further apps, they must be re-authenticated. This means that, should an attacker manage to bypass both the user and device verification checks, they’ll only be able to access a small area of your network, and only the area that the user they’re impersonating can usually access; because ZTNA grants access based on the principle of least privilege, an attacker couldn’t use a regular user account to access critical company resources.
- Gain greater visibility into application usage. App micro-segmentation offers a second benefit: it enables admins to see which users are accessing which apps and when. This allows them to more quickly identify any suspicious activity, as well as monitor application status and save costs through capacity planning and licensing management.
- Prevent identity-related breaches. All ZTNA solutions should enable admins to configure role-based access permissions that outline which users can access which assets. The best ZTNA solutions go a step further, offering in-built two-factor or multi-factor authentication (2FA/MFA), which requires users to prove their identity in two or more ways before being granted access. Some solutions also offer integrations with the most popular MFA providers, such as Duo, Prove, and HID Global.
- Prevent endpoint attacks such as malware and ransomware. ZTNA solutions don’t just authenticate users; they also authenticate the endpoint a user is connecting from. This ensures that the device’s endpoint security and antivirus software are functioning properly, and that the operating system is up-to-date and patched. Over 80% of successful breaches are unknown or zero-day attacks that involve new malware or the exploitation of a vulnerability. Device authentication can help prevent these attacks from taking hold.
- Protect against insider threats. Because ZTNA authenticates all users and devices, not just the ones outside of the corporate network, it helps reduce the risk of insider threats by alerting you to any suspicious user behavior.
- Enable remote and hybrid work. ZTNA solutions enable remote workers to securely and seamlessly access the apps and data they need to do their job from anywhere, at any time. This enables you to confidently offer remote working options to attract and retain employees—and when 83% of people say they prefer a hybrid work model, this is key to unlocking the talent pool.
- Improve compliance. By authenticating users and devices and enforcing the principle of least privilege, ZTNA helps businesses ensure (and prove) compliance with data protection standards that require company data to be protected against unauthorized access.
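To make the access model described above concrete (verify identity and device context per request, grant access to one asset group based on role, re-verify for any other asset group, and log every decision for application-level visibility), here is an added example of a minimal policy broker. It is written for this article and is not any vendor’s code; the role policy, device attributes and asset-group names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample policy: which asset groups each role may reach.
# Anything not listed is denied (default deny); there is no "whole network" entry.
ROLE_POLICY: Dict[str, Set[str]] = {
    "engineer": {"git", "ci"},
    "finance": {"erp"},
}

@dataclass(frozen=True)
class Device:
    av_running: bool      # endpoint security agent reporting healthy
    os_patched: bool      # OS at the required patch level

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool      # identity check: MFA completed for this session
    device: Device        # context check: posture of the connecting endpoint
    asset_group: str      # the single asset group being requested

@dataclass(frozen=True)
class Grant:
    user: str
    asset_group: str      # scoped to exactly one asset group, never the network

class Broker:
    """Hypothetical ZTNA broker: per-asset grants plus a decision log for admins."""
    def __init__(self) -> None:
        self.grants: Dict[Tuple[str, str], Grant] = {}
        self.log: List[Tuple[str, str, str]] = []   # (user, asset_group, decision)

    def request(self, req: Request) -> Optional[Grant]:
        key = (req.user, req.asset_group)
        if key in self.grants:                      # same asset group: reuse grant
            self.log.append((req.user, req.asset_group, "reuse"))
            return self.grants[key]
        if not req.mfa_passed:                      # any other group: full re-check
            reason = "deny:identity"
        elif not (req.device.av_running and req.device.os_patched):
            reason = "deny:device"
        elif req.asset_group not in ROLE_POLICY.get(req.role, set()):
            reason = "deny:role"
        else:
            reason = "grant"
        self.log.append((req.user, req.asset_group, reason))
        if reason != "grant":
            return None
        self.grants[key] = Grant(req.user, req.asset_group)
        return self.grants[key]
```

Note that a compromised "engineer" account can at most obtain grants for the groups in its role entry; the log shows each attempt at any other group as a denial, which is the application-level signal the article says VPNs cannot provide.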
Who Needs ZTNA?
The short answer? Everyone. But you’re probably not here for the short answer.
While it’s true that most businesses should consider implementing ZTNA, there are two specific use cases where it should be a critical part of your security architecture.
The first of those is businesses with a distributed workplace. Modern networks and workplaces are incredibly distributed: they have both personal and corporate devices, they have on-premises and cloud applications, and they have remote and on-site employees. ZTNA offers protection for each of those attack surfaces, while also enabling productivity through remote and hybrid work.
The second use case is businesses with a complex supply chain or that work with lots of third parties. Third parties are often granted much higher permissions than they need to do their jobs, and they also tend to work via personal or unmanaged devices. This makes them the perfect target for an attacker trying to access company data. But with ZTNA, you can ensure that they are only granted the access they need, as well as verify the identities of any third parties that you are granting access to—and their devices.
Summary
In today’s workplace, it’s inevitable that your users will need to access corporate resources off-site. In the age of digitalization, the world is a small place; even if your business normally operates fully on-prem, you may have an employee who needs to work on the go, while traveling, or from a conference. And when that happens, you need to be able to provision that access and ensure its security.
The best way to do that is with a ZTNA solution.
Coined by Gartner in 2019, ZTNA is still a relatively new concept in the cybersecurity space. Even so, there’s already a wide range of solutions on the market, as vendors who previously offered VPN solutions are upgrading their offerings to support a more flexible workplace. With all these factors considered, it can be difficult to know where to start when it comes to choosing the right product for your business.
But it doesn’t have to be.
We’ve put together a guide to the top ZTNA solutions on the market, including their key features and who they’re best suited for, to help you find the right one for your users. You can read that guide here.