Zero trust network access (ZTNA) explained

This blog was written by a third-party author

In today’s ever-changing cybersecurity landscape, zero trust is here to stay.

Before the concept of zero trust was well known, organizations followed the belief that anything within the network is trusted, and anything outside of it is untrusted. Zero trust is built on the idea that all traffic, whether incoming or outgoing, should be inspected, regardless of the source.

Traditional remote connectivity solutions, like VPN, fall short of meeting this requirement because they connect users to an entire network segment, which in many cases provides access to a lot more than what is required to do their job.

With many organizations having to support a suddenly remote workforce, major performance concerns have arisen with VPN since it was never designed to support thousands of employees working remotely and connecting simultaneously.

Zero trust network access can help address both of these concerns.

Users and applications are already in the cloud, so it follows that secure access should be granted through the cloud. This cloud-based solution leverages software-defined perimeters (SDPs), created specifically for a cloud-based environment — putting organizations in a better position to embrace zero trust.

What is zero trust network access?

ZTNA solutions provide seamless and secure connectivity to applications without placing users on the network or exposing applications to the internet.

Relying on legacy solutions to access network applications is no longer required with ZTNA. With ZTNA, granting access based on an IP address is replaced by locally enforced and cloud-managed secure policies.

With this type of visibility, user-specific access to apps is granted solely to those users with authorization to view or use them. Instead of connections to internal networks, all access is contextual. By isolating access in this manner, risks to the network brought about by potentially infected devices is drastically reduced.

ZTNA’s user-to-application methodology transforms the inherently insecure internet into today’s corporate network. ZTNA is achieved through a software-defined perimeter (SDP), a term created by the Cloud Security Alliance. For the enterprise, an SDP favors software over traditional network security appliances to seamlessly connect remote users with applications running in their data centers and cloud environments.

It’s important to note that while replacing your VPNs may provide motivation for ZTNA adoption, ZTNA products should not be considered a VPN replacement.

What are the benefits of ZTNA?

The benefits of ZTNA deployment are diverse.

Like a traditional VPN, any ZTNA connection offers encryption to provide confidentiality. But unlike VPN, ZTNA boasts significant upgrades in agility, policy management, user experience, and adaptability.

ZTNA is a solution that contributes to digital transformation projects, driven by cloud-based applications and employees working remotely.

Other notable benefits not already mentioned above include:

• Improved UX (user experience)
• Improved content access granularity
• More centralized policy management that leverages both network and application access control as well as user access control with MFA
• Visibility into what applications are being used, including previously undiscovered programs and the ability to provide access to specific applications by role or by user
• Reduced risk of distributed denial of service (DDoS) attacks by not exposing the applications to the public internet

ZTNA use cases

ZTNA opens the doors to a multitude of use cases previously unattainable with traditional access methods.

With access dictated more by user, application, and service, the enterprise can adapt to the growing requirements for today’s new normal.

With ZTNA, organizations can:

• Welcome more third-party partners (such as suppliers, distribution channels, and contractors) to its applications and services. For example, application-specific access can be granted to IT contractors and remote or mobile employees.
• Create access personas based on user behavior. For example, a device belonging to an employee who never travels would be prevented from making a connection if the request originated from another country.
• Simplify BYOD (bring your own device) programs and authenticating users on personal endpoints, improving security by enabling direct application access.
• Create secure silos of Internet of Things (IoT) devices
• Deploy encryption from the endpoint to the ZTNA gateway for situations in which a local wireless hot spot or cloud provider cannot be trusted.
• Isolate high-value enterprise applications in the network or cloud to reduce insider threats and affect separation of duties for administrative access.
• Conceal systems on internet-facing hostile networks used for collaboration.

What questions should a business answer before adopting ZTNA?

For successful ZTNA adoption, an organization should be in a position to answer the following questions:

• When users connect, can they be properly verified?
• Is a multi-factor authentication (MFA) solution used?
• Can all devices and users accessing applications be trusted?
• Can BYOD be trusted?
• Is there visibility into all devices accessing applications on all platforms?
• Can granular, contextual policies based be enforced based on device, user and location?
• Can users expect a user-friendly and secure authentication experience to all applications regardless of connection location?

Finally, one of the easiest ways to achieve ZTNA is to seek out a vendor or managed security solutions provider (MSSP) provided solution. While you’ll still need to maintain best practices and do your due diligence, a trusted partner can be relied upon to take care of the technical functionality. 

AT&T Secure Remote Access is an example of a cloud-native managed service that provides organizations with a way to efficiently connect their employees to the applications they need. Whether working from home or anywhere else, company risk is mitigated.