Zero trust network access, or zero trust network architecture (ZTNA) is an approach to designing networks to be secure by following a “never trust, always verify” model.
As more and more companies move to remote working and use cloud-based applications, being able to design and implement networks using ZTNA principles is a useful skill for IT professionals.
If you’re interested in becoming a ZTNA professional, here are 10 tips to understand the concept and how it fits into modern security practices.
1. Zero Trust aims to fix an outdated network security model
In the traditional network security model, devices are often implicitly trusted based on their network location.
If a computer is connected to your local company network, for instance, it’s usually deemed safe and authorized to access all the resources on the network.
Zero Trust declares this implicit trust to be too weak. It instead focuses on evaluating trust on a per-transaction basis. No matter where the user, device, or application is located, it will be checked for authorization.
2. Zero Trust supersedes perimeter-based security
As remote and mobile work has become more common, companies have increasingly employed tools like virtual private networks (VPNs), and firewall demilitarized zones (DMZs) to let remote workers access company networks.
However, opening these sensitive networks to remote use with such rudimentary tools is an obvious security risk. VPNs can only perform relatively basic authentication and authorization, and data breaches can often be sourced to weaknesses in this perimeter-based security.
ZTNA offers fine-grained control over who gets access to which resources. Set up correctly, this can be a big step up in security from the use of VPNs.
3. Zero Trust is an evolving concept
The recent explosion in remote work has seen the concept of Zero Trust refined and shaped at great speed.
Ask leading Zero Trust solution providers like Perimeter 81 about the meaning of Zero Trust, Zero Trust Architecture (ZTA), and ZTNA, and you will get a unique response each time.
But this is always the case with emerging technology. As best practices solidify, we’ll see a convergence of opinions on what a solution must do to be considered truly Zero Trust.
4. ZTNA entails continuous monitoring
ZTNA throws out the “authenticate once, trust forever” model. Instead, each time a user, application, or device makes a request, it needs to authenticate.
ZTNA solutions monitor for abnormal behavior and flag potential cyberattacks. With intelligent analytics, ZTNA can deny access to a network or application when suspicious activity is detected.
5. ZTNA uses micro-segmentation
With ZTNA, networks are split into small zones. Each of these zones can have its own security policy, allowing for more flexible and fine-grained security.
Good ZTNA solutions can work at the application level. This means that instead of granting and denying access to networks, the system can grant and deny the use of specific applications. Again, this results in finer control of who can access your important assets, thus tightening security.
6. Application-level ZTNA is preferable
If a security solution only has visibility of the TCP/IP packets being sent back and forth over networks, decisions about which transactions to allow and which to deny can never be particularly intelligent.
When a ZTNA solution has application-level security controls, it sees not only the application a user is attempting to access but also what they’re trying to do with it.
This can make for much smarter responses from the system, such as blocking users who are attempting to use an application in a way they’re not authorized to.
7. The role of the trust broker
A central component of a ZTNA solution is the trust broker. This service can be cloud-hosted or reside in a physical appliance in the data center.
The trust broker is a gateway between users and applications, checking that the user is eligible to access the application and the context of the request is valid.
In some ZTNA solutions, the trust broker handles all communication between users and applications. In others, the trust broker is only used as a periodic authorization check, with most data being transferred directly between users and applications.
8. ZTNA can improve performance and scalability
Moving away from perimeter-based security means applications can be located anywhere, not just on the company network behind a firewall.
Moving applications to a private cloud or public cloud can mean a massive boost in performance and scalability. This enables companies to leverage the tremendous resources available from cloud computing providers. In addition, cloud storage can mean big savings on data storage.
9. ZTNA can simplify network design
ZTNA can make network design simpler as many networking challenges melt away.
For instance, with a well-implemented Zero Trust solution, there’s no longer a need for all network traffic to go through bottlenecks, like VPNs. Company resources can be easily moved to other premises or onto the cloud, as there’s no longer a requirement to keep a single strict network perimeter.
10. ZTNA can mean better user experiences
ZTNA doesn’t just make sense for the company, it’s also great for the users. Instead of needing to authenticate with several different company systems, users get a single login granting them access to everything they need to do their job.
Optimized data traffic improves the responsiveness of applications, and employees can access all authorized company assets from wherever they are in the world, without compromising on security.
Summary
Zero Trust and ZTNA are important security concepts that are helping to make distributed networks more secure for businesses.
We’ve listed some of the best ZTNA providers on the market today. For more information on ZTNA, check out our guide to SASE, and also the difference between ZTNA and on-premise firewalls.
