What is ZTNA?
Zero trust network access (ZTNA) is a secure remote access solution that implements zero trust security principles with per-application privileges. Remote workers requesting access to company assets are directed to specific resources on a case-by-case basis, taking into account role-based access control (RBAC) and contextual authorization data – such as IP addresses, locations, user groups or roles, and time constraints.
ZTNA is best deployed as part of a secure access service edge (SASE) solution that provides the full network security stack as a service, together with network optimization features such as software-defined WAN (SD-WAN). By adopting SASE, organizations can move from a perimeter-based security model to a zero trust architecture built for distributed enterprises.
The principles of zero trust network access
The most important aspect of the ZTNA philosophy is the concept of zero trust: never trust, always verify. The organization should not grant access to devices, applications, or networks without first checking the request for malicious intent. Until access is granted, these resources remain hidden from hackers and from any other unauthorized individual.
The zero trust philosophy runs counter to traditional security approaches in which users, devices, and applications are trusted to be secure, simply because they are within the perimeter of the network.
The network perimeter approach, which relies on implicit trust, has serious drawbacks. It lets attackers who get inside move freely across networks and boundaries, accessing sensitive systems and data on multiple devices. In addition, malicious insiders can abuse that implicit trust to reach applications and data they shouldn't.
Another philosophy underlying ZTNA is the principle of least privilege. This principle states that users should be granted access to applications, data, and resources only to the extent necessary to do their job effectively.
Both ZTNA and the principle of least privilege rely on the identity of users, devices, and applications. When the user, device, or application is identified and known to the ZTNA software, access is allowed. In some cases, users, devices, and applications are grouped together when they have the same or similar roles or functions.
ZTNA vs. VPN
Traditionally, most organizations used a virtual private network (VPN) for remote access. When a user logs in to the VPN, they have access to the entire network and all resources on it. ZTNA, by contrast, grants access only to the specific applications requested and denies access to all other applications and data by default.
The advantages of ZTNA compared to VPN are:
- Resource utilization—as the number of remote users increases, the load on the VPN can cause unexpectedly high latency. The VPN system must be scaled up to meet the growing demand and peak usage times. This also requires more IT resources.
- Flexibility and agility—VPNs don't offer the granularity of ZTNA. It can also be difficult to install and configure VPN software on every end-user device that needs to connect to corporate resources. ZTNA's attribute-based access control (ABAC) and role-based access control (RBAC) simplify this task.
- Segmentation—once inside the VPN perimeter, users have full system access. ZTNA takes the opposite approach of allowing no access at all unless an asset (application, data, or service) is specifically authorized for that user. Compared to VPN, ZTNA provides verification based on identity. Every user and every device is verified and authenticated before being granted access to a specific application, system, or other asset.
- VPNs treat users and devices the same way—no matter where they are or what they need to access. As bring-your-own-device (BYOD) approaches become more popular, allowing such access is risky, as malware-infected endpoints can infect entire networks. For this reason, VPNs are often attacked. ZTNA can overcome this problem by denying access to users if their devices are unknown or insecure.
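To make the per-application, default-deny model described above concrete, here is a small policy decision point written for this article; it is not Solo's code or any product's API. Every user, role, application, network range, time window and device posture value in it is constructed sample data. In a real deployment the roles would come from the identity provider and the device posture from an endpoint agent; the point the code shows is that there is no "inside the network" state that unlocks everything, and that an application with no policy, a role not listed for the application, an unmanaged device, an out-of-range source IP or an out-of-hours request each produce a denial on its own.

```python
"""Toy ZTNA policy decision point: default-deny, per-application access.

Added illustration for this article (not Solo's code). All policies,
users, devices and requests below are constructed sample data.
"""
from dataclasses import dataclass, replace
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset          # RBAC input, normally supplied by the IdP
    device_managed: bool      # device posture, normally reported by an agent
    source_ip: str
    app: str                  # the single application being requested
    when: datetime


@dataclass(frozen=True)
class AppPolicy:
    """What it takes to reach one application. Anything not listed is denied."""
    allowed_roles: frozenset
    allowed_networks: Tuple[str, ...] = ()           # CIDRs; empty = any source
    business_hours: Optional[Tuple[time, time]] = None  # (start, end) or None
    require_managed_device: bool = False


# Constructed sample policies, keyed by application name.
POLICIES = {
    "payroll": AppPolicy(
        allowed_roles=frozenset({"hr", "finance"}),
        allowed_networks=("10.0.0.0/8", "203.0.113.0/24"),
        business_hours=(time(8, 0), time(18, 0)),
        require_managed_device=True,
    ),
    "wiki": AppPolicy(allowed_roles=frozenset({"employee", "contractor"})),
    "prod-ssh": AppPolicy(
        allowed_roles=frozenset({"sre"}),
        allowed_networks=("10.0.0.0/8",),
        require_managed_device=True,
    ),
}


def decide(req: AccessRequest, policies=POLICIES) -> Tuple[bool, str]:
    """Return (allowed, reason). Only the requested app is evaluated; a grant
    for one application says nothing about any other."""
    policy = policies.get(req.app)
    if policy is None:
        return False, f"no policy for {req.app}: default deny"
    if not req.roles & policy.allowed_roles:
        return False, f"role not authorized for {req.app}"
    if policy.require_managed_device and not req.device_managed:
        return False, "unmanaged device"
    if policy.allowed_networks:
        src = ip_address(req.source_ip)
        if not any(src in ip_network(net) for net in policy.allowed_networks):
            return False, f"source {req.source_ip} outside permitted networks"
    if policy.business_hours:
        start, end = policy.business_hours
        if not (start <= req.when.time() <= end):
            return False, "outside permitted hours"
    return True, f"{req.user} -> {req.app} allowed"


def sample_request(hour: int = 10, **overrides) -> AccessRequest:
    """Constructed baseline request (HR user, managed laptop, office IP, 10:00);
    keyword overrides vary one attribute at a time for the demo and tests."""
    base = AccessRequest(
        user="alice",
        roles=frozenset({"hr", "employee"}),
        device_managed=True,
        source_ip="10.1.2.3",
        app="payroll",
        when=datetime(2024, 3, 4, hour, 0),
    )
    return replace(base, **overrides)


if __name__ == "__main__":
    for req in (
        sample_request(),                              # allowed
        sample_request(app="prod-ssh"),                # wrong role
        sample_request(source_ip="198.51.100.5"),      # off-network
        sample_request(hour=22),                       # out of hours
        sample_request(device_managed=False),          # BYOD, unmanaged
        sample_request(app="crm"),                     # no policy at all
    ):
        print(req.app, decide(req))
```

The VPN model the text contrasts this with would be the equivalent of a single check ("is the tunnel up?") followed by unrestricted reachability; here every request carries its own identity, device and context, and the absence of a matching policy is itself a denial.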
Key considerations for choosing a ZTNA solution
Ensure support for all users
A ZTNA solution must secure access for all users, including employees using managed devices, mobile devices, BYOD devices, engineering teams, DevOps users, and third-party partners. Here are important features to look for:
- Client-based access—enables you to secure employees using managed devices.
- A clientless architecture—lets you secure access to databases, web applications, secure shell (SSH) servers, and remote desktops.
- Privileged access management (PAM) capabilities—support teams that need access to multi-cloud environments and provide single sign-on (SSO) into private resources like servers, databases, and terminals.
Ensure support for all target resources
A ZTNA solution should support high-priority private resources and applications. Rather than supporting only web applications, a ZTNA solution should also cover access to SQL databases, SSH terminals, servers, and remote desktops. DevOps teams should get zero trust access to cloud production environments, Infrastructure as a Service (IaaS) resources, virtual private clouds (VPCs), and microservices.
Ensure zero trust security soundness
To facilitate least-privilege access to applications and resources, ZTNA solutions must separate the control and data planes. Look for the following capabilities:
- Granular in-app controls—such as read and write, and enabling policies at the query and command levels.
- Deep visibility—reporting on users, groups, and application usage with access to video session recordings.
- Integrated security features—such as cloud intrusion prevention (IPS), data loss prevention (DLP), and sandboxing.
Deployment, performance, and service availability
Here are deployment, performance, and availability features to look for in a ZTNA solution:
- Integration—ZTNAs should provide out-of-the-box identity provider (IdP) integration using standards like SAML 2.0 and granular policy configuration.
- Maximum value with minimum maintenance—ideally, the ZTNA should not require you to hire additional staff. Cloud-based ZTNA solutions providing a unified console typically support all ZTNA use cases with user-friendly features.
- Service level agreements (SLAs)—look for a ZTNA solution that can deliver SLA-backed 99.999% uptime and high performance. Review these SLAs to identify a global network of points of presence (PoPs) with redundancy in each zone.
Zero trust security and networking access with Solo
Solo enables zero trust security and network access using a defense-in-depth approach, which can be applied to either API management at the edge, or within a microservices application environment using service mesh.
Solo Gloo Platform, which includes Gloo Gateway (API gateway) and Gloo Mesh (Istio service mesh), uses Envoy proxy for the data plane in both products, which means that consistent zero trust policies can be created and deployed across internal and external security boundaries and control points. This simplifies zero trust security and compliance across APIs and Kubernetes environments.