For those who haven’t heard of the debate about the death of VPNs and the rise of alternative technology, we suggest reading that article first. Some have claimed that VPNs are on their way out, and many have adopted ZTNA (zero-trust network access) as a replacement. Yes, the same one we explain in today’s article. But before we learn what it is, let us clarify that VPNs and ZTNA may not be that different, at least on a conceptual level.
That said, we admit that ZTNA takes things to a whole new dimension, one that VPNs were unlikely to reach. A VPN is limited in scope and has multiple challenges. In contrast, a ZTN is a game-changer: it is approachable at a basic level and also less vulnerable. Honestly, a good ZTN could change the corporate sector, but sadly it is too soon.
Definition of ZTNA
ZTNA, or zero-trust network access, is an IT solution that provides secure remote access to a network’s resources. Unlike VPNs, which let users connect to a network as a whole, ZTN grants access at a more granular level: to individual applications, data, services, and so on, all based on pre-defined and crystal-clear policies. Such access is not granted casually; it depends on strict authentication and stringent scrutiny.
Moreover, it not only prevents external risks but also accounts for internal threats. Whereas a VPN can surrender the entire network to any entity holding valid credentials, ZTN can prevent internal actors from acting out by isolating root access. As such, ZTNA helps eliminate the gaps in the security model that are predominant with VPNs.
It is also known as the software-defined perimeter, or SDP. It works on an adaptive trust model, in which trust is never implicit and access is granted case by case. Even so, it provides remote users with seamless and secure connectivity. Surprisingly, ZTN is also a constituent of Secure Access Service Edge (SASE). Yet the ideology behind the technology remains vague, which has led to underachieving deployment in the corporate sphere. Bear in mind, though, that zero trust is the future, alongside NGFW (next-generation firewall), SD-WAN (software-defined wide area network), and other cloud-based computing products.
To sum up, ZTNA is a product or service that creates an identity- and context-based logical access boundary around an application. The application thus remains hidden from potential risks. Access is granted on a need-to-know basis, with the least privilege necessary under a granular policy. One has to accept, however, that it is far more flexible and scalable than a traditional VPN.
How does ZTNA work?
With an active ZTN, access to a specific application is possible only after strict authentication. Afterward, the user is granted access through a secure, encrypted tunnel. At times, ZTNs work like SDPs, keeping the infrastructure out of the user’s view. A connector in the same network as the application establishes an outbound connection to the ZTNA service hosted in the cloud. That service is the egress point for private traffic and is responsible for:
- Verifying and authenticating connecting users
- Validating security posture of user devices
- Provisioning access to specific applications through a secure and encrypted tunnel
Fundamentals
Any ZTN follows a few principles no matter the implementation, such as:
- It completely isolates the act of providing application access from network access.
  - The isolation reduces the risk to the network.
  - It renders most infections by compromised devices moot.
- ZTNA grants access only after an extensive and strict authentication process.
- ZTNA makes outbound-only connections.
  - Doing so ensures that both the network and the application infrastructure remain invisible.
  - No IP address is exposed on the internet.
  - A ZTN, in theory, creates a darknet hidden from users without access.
- Native app segmentation ensures one-to-one access.
  - Once users are authorized, they are granted access on a need-to-know basis.
  - An authorized user has admission to a specific application only, rather than the whole network.
  - The segmentation prevents overly permissive access.
  - It also reduces the risk of lateral movement of malware.
- ZTNA deviates from the traditional network security approach.
  - It de-emphasizes the network; the internet becomes the new corporate network.
  - It uses end-to-end encrypted TLS (Transport Layer Security) micro-tunnels instead of MPLS.
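As an added example (not code from the article), the Python sketch below models the decision flow described under "How does ZTNA work?" and in the fundamentals above: a request names one user, one device and one application; the broker verifies identity, checks device posture, then evaluates a per-application policy and defaults to deny. All users, devices, applications and policy values are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset      # group memberships asserted by the IdP
    mfa_verified: bool     # strong authentication completed for this session


@dataclass(frozen=True)
class DevicePosture:
    managed: bool          # enrolled in corporate device management
    disk_encrypted: bool
    os_patch_age_days: int


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed: bool = True
    max_patch_age_days: int = 30


# Constructed sample policies: every application carries its own rule set,
# so being entitled to one says nothing about any other.
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"})),
    "wiki": AppPolicy(frozenset({"staff"}), require_managed=False,
                      max_patch_age_days=90),
}


def decide(app: str, ident: Identity, dev: DevicePosture) -> tuple:
    """Return (allowed, reason) for ONE application; there is no 'whole network' to grant."""
    pol = POLICIES.get(app)
    if pol is None:
        return False, "unknown application"   # unpublished apps are not discoverable
    if pol.require_mfa and not ident.mfa_verified:
        return False, "mfa required"
    if not ident.groups & pol.allowed_groups:
        return False, "user not entitled to application"
    if pol.require_managed and not dev.managed:
        return False, "unmanaged device"
    if not dev.disk_encrypted:
        return False, "disk not encrypted"
    if dev.os_patch_age_days > pol.max_patch_age_days:
        return False, "device out of patch window"
    # Only now would the broker provision a tunnel, scoped to this app alone.
    return True, "tunnel provisioned for %s only" % app
```

Note that the same user on a stale, unmanaged device may still reach the low-risk wiki while being refused payroll: the decision is per application and per context, not per network.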
Benefits of ZTNA
Several perks of using ZTNA are as follows:
- Network micro-segmentation – It allows organizations and corporations to create software-defined perimeters and then divide the corporate network into multiple micro-segments, each accessible on a need-to-know basis. This prevents lateral movement of malware and other risks and reduces the exposed surface in the event of a security breach. The segments also allow for better management and prevent internal exploits.
- Application invisible on the internet – ZTNs create a virtual darknet, if you will, hidden from unauthorized users, to prevent application discovery on the public network, a.k.a. the internet. Additionally, they protect the organization from internet-based data exposure, malware, DDoS attacks, and more. The invisibility is possible thanks to the encrypted tunnels and the stringent authentication process.
- Access to applications – ZTN extends its benefits to applications hosted in private data centers. By facilitating secure connectivity and offering the same security advantages as web applications, ZTNs promote application-level access over the more traditional network-level access.
- Enhanced user experience – ZTNA enables secure, fast, uninterrupted, direct-to-cloud access to remote applications. It gives remote users a consistent experience when accessing both SaaS and private applications.
- Direct breakout of cloud and SaaS traffic – Because ZTNA is primarily a cloud-native solution, it does not require backhauling of any traffic.
- Auto-scalability – The need for ZTNA comes from remote workers. With the workforce remaining offsite and hybrid, workers may not be located close to headquarters or the data centers. Since ZTNA is also cloud-native, it is available across all key locations and scales automatically with the number of users.
Top use cases of zero-trust network access
The various types of uses of ZTNA are the following:
- VPN and MPLS alternative – ZTNs have emerged as a top contender against pre-existing, traditional MPLS and VPN practices. The service employs micro-tunnels to provide secure, encrypted communication over the internet. Furthermore, it goes a step further and forgoes the corporate network in favor of the internet, using end-to-end encrypted communication.
- Secures multi-cloud access – Companies are becoming more reliant on cloud computing. With numerous benefits luring them away from traditional infrastructure, they often employ a multi-cloud strategy to get the best of both worlds. While a VPN can provide access to a VPC (virtual private cloud), it is a single network connection; ZTN can secure access across multiple clouds.
- Limits users – ZTNs offer strict, exhaustive authentication processes that effectively deny access to irrelevant users. This limits the user population and curbs the overexposure of your network.
- Reduces third-party risks – Since ZTNs reduce exposure, the resulting risk is also minimal. The network segmentation under ZTNA also shrinks the probability of lateral movement of malware.
- Accelerated M&A integration – The time required to set up working management and administration is further reduced.
- Secures remote access to private applications – ZTN can provide remote access to an onsite legacy application. It can also allow you to access an application across a multi-cloud environment.
What should you consider?
There are many things to consider when employing a ZTNA. “Does the vendor require an endpoint agent installation? Which operating systems and/or mobile devices are supported?” These are just some of the many questions. However, if one holds to a few key points, applying ZTNA across the whole organization may be possible. All you need to do is pay heed to:
- The depth of implementation – One has to either do a complete overhaul of the corporate architecture or deploy some point solutions, depending on the readiness and adaptability of the organization.
- ZTNA vendor specialization – ZTN vendors all differ. Although they provide the same service, they vary in their areas of specialization. Keep that in mind.
- Legacy application support – First, check with the vendor whether they support on-premise legacy applications. Cloud applications are easy for most ZTNs; legacy applications are not.
- IdP integration – Some ZTNs are rigid about the IdP (identity provider): they force customers to migrate their whole user database to a particular IdP of the vendor’s choice. Others are IdP agnostic and can integrate with any.