Zero Trust Network Access

What is Zero Trust Network Access (ZTNA)?

Published December 9, 2022 by Nicholas DiCola

ZTNA is an evolution of the VPN that provides remote access in a more secure way: no port on the remote access server has to be opened to the outside world, and that exposed port is what attackers usually target to get in by exploiting vulnerabilities.

Why is Zero Trust Network Access important?

In today’s cyber threat landscape, attacks against organizations large and small continue to rise. The Cybersecurity and Infrastructure Security Agency (CISA) stated: “Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.” Attackers continue to gain access through phishing, vulnerabilities, brute force attacks and stolen credentials.

To increase resiliency and reduce the risk of compromise, organizations need to adopt a Zero Trust approach, meaning that no port is open until identity has been verified, both inside and outside the network. ZTNA helps achieve this from the outside: it provides a secure remote access solution that needs no open port on the internet for users to connect remotely to the organization and reach internal applications and services.

Zero Trust Network Access vs VPN

Virtual Private Network (VPN) is a technology that was created to allow remote workers access to internal networks. Typically, the VPN client establishes a connection which is authenticated creating a tunnel for traffic to flow over. This tunnel allows the endpoint to access resources as if it were connected to the organization’s network. The following diagram depicts a typical VPN architecture.

VPN architecture

The problem with this architecture is mainly that the VPN port must be open to the internet, so anyone can attack it using known vulnerabilities that have not yet been patched, or unknown vulnerabilities that cannot be patched at all. In addition, as traditional VPNs were implemented, there is no device or user awareness, and the access granted is absolute: the entire network.

“ZTNA, on the other hand, integrates device compliance and health into access policies, giving organizations the option to exclude non-compliant, infected, or compromised systems from accessing corporate applications and data,” according to SC Magazine. ZTNA policies can consider various contexts such as device state, identity state, location and the application used, allowing for complex decisions on whether to allow a given access or not. The following diagram depicts a typical ZTNA architecture.

ZTNA architecture

Here the ZTNA provider can leverage an existing Identity Provider (IdP) as the policy decision point, while the ZTNA server acts as the policy enforcement point: based on the information the IdP provides, such as device health, the ZTNA provider allows or denies the connection to resources.
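As an added illustration of that decision flow (example code, not from the original article or any particular ZTNA product), the following Python models an enforcement point evaluating one application request against per-application policies using the identity, device and location context described above, beside the all-or-nothing decision a traditional VPN makes once the tunnel is authenticated. All policies, group names and posture signals are hypothetical.

```python
from dataclasses import dataclass

# Constructed request context, as an enforcement point would assemble it from
# IdP claims (user, groups, MFA) plus device posture and network location.
@dataclass(frozen=True)
class AccessContext:
    user: str
    groups: frozenset
    authenticated: bool
    mfa: bool
    device_managed: bool
    device_healthy: bool   # hypothetical posture signal, e.g. EDR running, patched
    country: str
    app: str               # the single application being requested

# Hypothetical per-application policies: entitled groups and required context.
POLICIES = {
    "hr-portal": dict(groups={"hr"}, mfa=True, managed=True, countries={"US"}),
    "wiki":      dict(groups={"staff", "contractor"}, mfa=False, managed=False, countries=None),
    "git":       dict(groups={"engineering"}, mfa=True, managed=True, countries=None),
}

def vpn_decide(ctx: AccessContext) -> bool:
    """Traditional VPN model: once the tunnel is authenticated, every
    application on the network is reachable, whatever the device state."""
    return ctx.authenticated

def ztna_decide(ctx: AccessContext) -> tuple:
    """Per-application decision using identity, device and location context.
    Returns (allowed, reason); anything not explicitly permitted is denied."""
    if not ctx.authenticated:
        return False, "not authenticated"
    policy = POLICIES.get(ctx.app)
    if policy is None:
        return False, "unknown application (default deny)"
    if not ctx.groups & policy["groups"]:
        return False, "identity not entitled to this application"
    if policy["mfa"] and not ctx.mfa:
        return False, "MFA required"
    if policy["managed"] and not ctx.device_managed:
        return False, "unmanaged device"
    if not ctx.device_healthy:
        return False, "device failed compliance/health check"
    if policy["countries"] and ctx.country not in policy["countries"]:
        return False, "location not permitted"
    return True, "allowed"

if __name__ == "__main__":
    # A compromised (unhealthy) engineering laptop: the VPN lets it in, ZTNA does not.
    ctx = AccessContext("alice", frozenset({"staff", "engineering"}), True, True, True, False, "US", "git")
    print("VPN:", vpn_decide(ctx), "ZTNA:", ztna_decide(ctx))
```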

Benefits of ZTNA

The benefits of ZTNA are essential for the enterprise and include the following:

  • Reduced attack surface, as ZTNA doesn’t need to be exposed to the internet like a traditional VPN
  • Centralized policy control for resource access
  • Granular access control with context awareness

These benefits come with some challenges. It is important to create the right policies, mapping who needs what access to which resources. It is easy for an organization to oversimplify and grant more access than is needed. Ideally, the ZTNA provider could leverage some type of learning engine to build this mapping for the organization. End user friction could also create pushback on the change to ZTNA: if policies are not configured correctly, users may lose access to something they need to do their job.

ZTNA Use Cases

Organizations may have one or more of the following use cases for ZTNA:

  • VPN replacement: controlled remote access that provides zero trust access to organization resources when working remotely.
  • Vendor secure remote access

Each organization will need to weigh the technologies or solutions currently in place against the requirements of its policies and controls to determine where ZTNA could replace existing costs and create a better security posture. At some point, moving to a ZTNA technology will be required as part of a larger Zero Trust strategy and the need to reduce the risk of compromise to the organization.

We heard this firsthand from John Shaffer, the CIO of Greenhill: “Related to the trends that I mentioned earlier (loss of privacy, the rise of the fully digital/remote workplace), the attack surface for the enterprise is greater than it has ever been.” No matter which use case is being evaluated, the trusted network model presents too much attack surface that an attacker could leverage to spread through an organizational network. ZTNA is the solution to reduce that attack surface.