What is Zero Trust Network Access Architecture?
Zero trust network architecture is a security architecture that reduces a network’s attack surface by giving least-privilege access controls to users and devices, at the application level, in line with the zero trust security model. The network is broken down using micro segmentation, and identity controls, such as multi factor authentication (MFA), are used to confirm user identity before allowing access to individual resources and private applications.
Zero trust architecture is based on the security concept of software defined perimeters (SDP). Software based perimeters are defined around software entities such as data centers, applications, and other resources. This is instead of traditional, network perimeter-based security, where a perimeter surrounds the entire network, like a castle around a moat.
ZTNA is an essential ingredient in a secure access service edge (SASE) solution, which protects all network edges in line with ZTNA principles. In particular, ZTNA is part of the security service edge (SSE) component of a SASE solution, which includes a combination of different network security services, such as CASB, SWG, and ZTNA – delivered together on a cloud based platform.
According to the Gartner market guide, there are two main types of zero trust network access architecture. These are endpoint-initiated ZTNA, and service-initiated ZTNA.
With endpoint-initiated ZTNA, there is a lightweight endpoint agent installed on the user’s device. When the device or user requests access to a particular application, the agent communicates with a controller, the user’s identity is verified through authentication, and secure access to the application is granted. This is also known as client-based, or agent-based ZTNA.
ZTNA can also be self-hosted, which means that the solution is integrated on-premises and managed by an on-site security team.
This is when a ZTNA solution is provided as-a-service. The ZTNA vendor handles the ZTNA controller, as well as the gateway.
A broker initiates the connection between the end user and the requested application, and a connector in the cloud establishes the connection from application to the broker. This is also known as cloud-based ZTNA. Once user identity has been confirmed through an authentication process, access to the application is granted.
For access to web applications, browser-based access may be used.
When it comes to choosing whether to use an endpoint or service-initiated zero trust architecture, there are numerous factors to take into consideration, but the main factor is where the majority of your applications are stored.
If you have many internal resources, stored on-premises, and use only managed, company devices – agent-initiated zero trust access may be more suitable for your security needs.
However, if you need to provide application access to unmanaged devices, and use mainly web or cloud applications, a cloud-initiated service is the better solution, as it doesn’t require the installation of an agent, and provides quick, simple integration.
Some solutions take a hybrid approach, whereby they include a cloud service for access to applications in the cloud, a browser-based service for web applications, and a client-based service for on-premises internal resources.
Using a zero trust network architecture breaks down the corporate network into “microsegments”, protecting individual applications and resources.
Access decisions are made at the application level, rather than at the network level. Users are given least-privilege access – they can only gain access to the specific applications they require. Only authorized users are granted access to corporate resources and applications, whether stored in a data center, on the web, or in the cloud. Authorization is done using security context information, such as the user’s identity, device identity, and more.
In addition, IP addresses are hidden on the network, and only an outbound connection is used, so that when application access is granted to your users, the rest of the network and application infrastructure remains invisible to the connected device.
These features of ZTNA security reduce the attack surface, preventing lateral movement from a compromised device to the entire network.
A good zero trust network access solution includes the use of an identity provider for IAM capabilities, so you can easily manage user and application identities, granting access levels to individuals, roles, or groups as needed.
An identity provider will often also provide SSO capabilities, making it easy to provide application access for remote users.
With SSO, users are given direct access to applications, regardless of the user location, through a secure connection. For the user, it’s just a matter of completing a simple, secure authorization process, which is the same for all business applications, whether they are private applications, or web applications.
Single sign-on means that the user can use the same credentials to sign in to any application, while still maintaining security.
It used to be that a corporate network had its own private MPLS WAN connection. Recently, VPNs have become a more popular way to connect to a network and protect data. Once a user logs in to a VPN , they have access to the entire corporate network and all resources inside it – this uses the traditional perimeter security approach.
In contrast, while ZTNA architecture is built on the public internet, it uses TLS encrypted micro tunnels to keep all network traffic private. There is one encrypted connection per user device and a given application, for superior security.
Zero trust network access (ZTNA) architecture often includes the ability to assess and validate device security posture, to ensure all end user devices meet trust requirements before granting application access. This is especially important when providing remote user access for unmanaged devices used by remote workers.
If you’re looking for a zero trust access vendor that can help you achieve a robust zero trust network access architecture, you’ll want to look out for the following features.
The vendor should have expertise in zero trust network access, and experience implementing solutions for organizations like yours.
A good vendor will offer all of the tools that allow you to create your entire ZTNA architecture, in one comprehensive bundle.
If you need to provide secure access to legacy applications, such as those stored on-premises, make sure your vendor supports them.
A good zero trust network access vendor will offer products that integrate with popular identity providers, with IAM and SSO capabilities, so you can manage your users efficiently.