Zero Trust Network Access: Understanding What’s Driving Adoption

So, How Does ZTNA Actually Work?

ZTNA is configured slightly differently by each organization or vendor. However, there are several underlying principles that remain consistent across ZTNA architectures:

• Application vs. network access: ZTNA treats application access separately from network access. Connecting to a network does not automatically grant a user the right to access an application.
• Hidden IP addresses: ZTNA does not expose IP addresses to the network. The rest of the network remains invisible to connected devices, except for the application or service they are connected to.
• Device security: ZTNA can incorporate the risk and security posture of devices as factors in access decisions. It does this by running software on the device itself (see “Agent-based ZTNA vs. service-based ZTNA” below) or by analyzing network traffic to and from the device.
• Additional factors: Unlike traditional access control, which only grants access based on user identity and role, ZTNA can evaluate risks associated with additional factors like user location, timing and frequency of requests, the apps and data being requested, and more. A user could sign in to a network or application, but if their device is not trusted, access is denied.
• No MPLS: ZTNA uses encrypted Internet connections over TLS instead of MPLS-based WAN connections. Traditional corporate networks are built on private MPLS connections. ZTNA is built on the public Internet instead, using TLS encryption to keep network traffic private. ZTNA sets up small encrypted tunnels between a user and an application, as opposed to connecting a user to a larger network.
• IdP and SSO: Most ZTNA solutions integrate with separate identity providers (IdPs), single sign-on (SSO) platforms, or both. SSO allows users to authenticate identity for all applications; the IdP stores user identity and determines associated user privileges.
• Agent vs. service: ZTNA can either use an endpoint agent or be based in the cloud. The difference is explained below.

How Does Access Control Factor into ZTNA?

In contrast to the IP-based access control traditionally used with VPNs, zero trust network access leverages identity-based authentication and access control. This differentiation enables organizations to utilize unique access control policies based on location or devices, which can be configured to prevent non-compliant devices from connecting to corporate services.

Another advantage of identity-based access control via ZTNA is that it can be extended to off-campus BYOD devices as well. Inherently, these devices are typically more vulnerable, so applying different levels of access in this use case can help to better protect the network than the traditional VPN. Some agent-based ZTNA solutions provide a pre-authentication trust assessment of the connecting user and device, including device posture, authentication status, and geo-location.

What’s the Connection Between ZTNA & SASE?

Like SDP however, ZTNA does not provide inline inspection of user traffic from the application after the user establishes a connection. This can lead to potential security issues when a user’s device or credentials become compromised, or in the case of a malicious insider who uses their access to a resource to disrupt the application or host.

Secure access service edge (SASE) solutions that incorporate ZTNA identity-based authentication and granular access control capabilities provide a more complete, holistic approach. SASE solutions provide the cloud scalability, security and network capabilities required for secure remote access management. But unlike standalone ZTNA solutions, SASE provides post-connect monitoring for signs of data loss or compromised credentials.