What is Zero Trust Network Access?


Zero Trust Network Access (ZTNA) is an IT security solution that combines several technologies to address the weaknesses of relying too heavily on the perimeter-based security model. It has accordingly become one of the key components of the Secure Access Service Edge (SASE) framework, which converges networking and security technologies into a single cloud-delivered platform.

But how does Zero Trust Network Access actually work, and how does it relate to other, seemingly similar concepts? Read on for a short guide.


What is Zero Access?

At the heart of ZTNA is the concept of zero access. It is, in essence, a negation of the popular perimeter-based security model, under which users and devices located inside the perimeter are trusted by default. The justification is the mere existence of the perimeter, which supposedly filters out undesirable actors and then lets everyone who passes it do as they please.

This is why any device or user can access whatever assets sit behind the perimeter as long as it passes the initial check. That approach no longer suffices, because any hole in the perimeter can lead to catastrophic outcomes, not to mention the insider threat posed by malicious actors or devices that are “trusted” merely because they sit on the inside of the perimeter fence.

The zero access model does away with these default assumptions about trustworthiness based on an actor’s position relative to the security perimeter. With it, having been deemed trustworthy a second ago means nothing in the following second: nobody is trusted by default at any time, so a zero-trust policy is enforced everywhere and all the time.

Principles of ZTNA model

The ZTNA model is simply a practical application of this “trust no one” principle. At a more granular level, that motto breaks down into several key principles.

  • Each data source and computing service is treated as a valuable resource.
  • All communication is protected regardless of network location.
  • Access to individual resources is granted on a per-session basis.
  • The policy that governs access to resources is highly dynamic. It takes into account the application or service, the requesting asset, the observable state of the client identity, and other parameters.
  • The organization is responsible for monitoring and controlling the security posture and integrity of all assets.
  • Authentication and authorization for each resource are enforced dynamically and strictly before access is granted to any actor that requests it.
  • The organization continuously collects information on the current state of resources, networking and communication systems, and assets, with the goal of raising its security preparedness and responsiveness to an optimal level.

ZTNA and SASE

At the core of the SASE model, ZTNA likewise converges networking and security, but on a smaller scale. Because it is cloud-delivered, ZTNA is easy for an organization of any size to implement. Once it is running in the cloud, the service gives each user a single secure tunnel that carries all network traffic from all devices in use.

Traffic filtered in this way is protected against tampering of any kind, and its flow is continuously monitored. In the process, ZTNA gathers large amounts of data on how existing resources are used, which provides valuable insights for future audits and reports.

What happens when the ZTNA framework detects a security anomaly? Access for every device associated with it is immediately denied. To keep such incidents to a minimum, all users and client devices must be authenticated and verified whenever they request access to an individual resource, in line with the zero-access approach.

This approach is further reinforced by another principle, least privilege: you are given the minimum level of access needed to perform a particular task and no more.
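The principles listed above and the per-request, least-privilege behaviour described in this section can be made concrete with a small policy engine. The following is an added example, not code from the article or from any ZTNA vendor: every class name, field, threshold and sample value is a constructed assumption. It evaluates each access request from scratch (identity, MFA state, device posture, group membership), grants only the requested actions rather than everything the resource supports, and shows a previously allowed session being denied once monitoring flags the device.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List

# Toy ZTNA-style policy engine. All names, fields and thresholds below are
# assumptions made for illustration; they do not describe any real product.


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool


@dataclass
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int
    anomaly_flagged: bool = False  # set by monitoring when behaviour looks abnormal


@dataclass(frozen=True)
class Resource:
    name: str
    required_group: str
    actions: FrozenSet[str]  # every action the resource supports


@dataclass
class Decision:
    allowed: bool
    granted_actions: FrozenSet[str]
    reasons: List[str] = field(default_factory=list)


MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold


def evaluate(identity: Identity, device: DevicePosture, resource: Resource,
             requested_actions: Iterable[str]) -> Decision:
    """Evaluate one access request. Nothing is trusted because of where the
    request comes from; each check is repeated on every request."""
    reasons: List[str] = []
    if not identity.mfa_verified:
        reasons.append("identity not MFA-verified")
    if not device.managed or not device.disk_encrypted:
        reasons.append("device fails posture (unmanaged or unencrypted)")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"device patch age {device.patch_age_days}d exceeds "
                       f"{MAX_PATCH_AGE_DAYS}d")
    if device.anomaly_flagged:
        reasons.append("device flagged by anomaly detection")
    if resource.required_group not in identity.groups:
        reasons.append(f"user lacks group '{resource.required_group}'")
    if reasons:
        return Decision(False, frozenset(), reasons)
    # Least privilege: grant only the requested actions the resource supports,
    # never the resource's full action set.
    granted = frozenset(requested_actions) & resource.actions
    return Decision(True, granted, ["all checks passed"])


def run_demo():
    """Constructed scenario: an allowed request, then the same request after
    monitoring flags the device. Returns both decisions."""
    alice = Identity("alice", frozenset({"finance"}), mfa_verified=True)
    laptop = DevicePosture(managed=True, disk_encrypted=True, patch_age_days=5)
    ledger = Resource("ledger-api", "finance", frozenset({"read", "write", "admin"}))

    first = evaluate(alice, laptop, ledger, {"read"})
    # Posture changes mid-session; the next request is re-evaluated and denied.
    laptop.anomaly_flagged = True
    second = evaluate(alice, laptop, ledger, {"read"})
    return first, second


if __name__ == "__main__":
    for d in run_demo():
        print("ALLOW" if d.allowed else "DENY", sorted(d.granted_actions), d.reasons)
```

The point of re-running `evaluate` on every request, rather than caching a session-level "trusted" flag, is that a change in device posture or an anomaly alert takes effect on the very next access, which is the behaviour the article describes for ZTNA.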

ZTNA vs. VPN

ZTNA and Virtual Private Networks may appear similar, since some of their functions overlap. Yet they are implemented and managed differently.

For starters, ZTNA does not make VPNs redundant. You may still need to link separate sites that share assets and applications via a VPN. What ZTNA brings to the table is native support for mobile devices, a focus on visibility into what happens on the network, prevention of common attack types, automatic segmentation, and so on.

Finally, both ZTNA and VPN implement the concept of a secure tunnel, but ZTNA uses newer and more advanced protocols for this purpose.

Conclusion

Zero Trust Network Access (ZTNA) is a framework for the implementation of the zero-trust approach. It is a fundamental component of the Secure Access Service Edge (SASE) framework.

With it, an organization’s protected assets can be accessed only once the ZTNA system has established the trustworthiness of the actor seeking access. Unlike perimeter-based security models, this does not involve connecting a user or device to a server that then authenticates the party in question. With ZTNA, no interaction of that kind is permitted before the trust level of a particular actor has been established.

That said, ZTNA is still an evolving model, but its disruptive potential for eliminating obsolete security practices cannot be overstated.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.