Zero Trust Network Access (ZTNA), also known as a software-defined perimeter (SDP), is a network security approach that uses granular, identity-based access control policies to provide secure remote access to an organization’s applications, services, and data. Unlike a virtual private network (VPN), which places the user on the network and typically makes every routable resource reachable, ZTNA authorizes access only to specific applications or services based on the user’s identity and context.
ZTNA solutions follow an explicit trust model, where trust is never assumed and access is authorized on a least-privilege, policy-defined, need-to-know basis. ZTNA enables secure access to private applications without placing users on the network or exposing the apps to the public internet.
As the number of remote and work-at-home users increases, ZTNA solutions can remove several of the security risks inherent in other remote access methods such as VPNs, chiefly the broad network reachability a VPN session grants. Leading research and consulting firm Gartner estimates at least 70% of new remote access deployments will be served by ZTNA solutions instead of VPN services by 2025, up from less than 10% at the end of 2021.
In this article, we will review the principles of ZTNA and different types of zero trust network access models. We will also cover the business benefits of ZTNA solutions delivered by experienced managed service providers such as GTT.
How Zero Trust Network Access Works
ZTNA combines identity, device-posture, and policy-enforcement technologies to provide secure access to critical business applications for remote users. It is also a core component of the secure access service edge (SASE) cybersecurity model, which delivers next-generation firewall (NGFW), SD-WAN, secure web gateway (SWG), cloud access security broker (CASB), and other services from a cloud-based platform.
When ZTNA is implemented:
- Access to a specific application or cloud environment is granted only after the user has authenticated to the ZTNA service and the request has been checked against policy (identity, group membership, and typically device posture).
- The ZTNA service then connects the authorized user to that application, and only that application, over an encrypted tunnel.
- Because the application accepts connections only from the ZTNA service, it stays invisible to anyone who has not been authorized: an unauthenticated scan from the internet finds no listener.
In this way, ZTNA relies on the same ‘black cloud’ idea as SDP: applications are not even visible to users who lack valid access permissions. And if an attacker does gain a foothold on the corporate network, ZTNA access policies limit lateral movement and the ability to scan for other services, because every protected application is reached through the broker rather than over the flat network.
Essentially, there are two architectural approaches to ZTNA:
Endpoint initiated
- An end user attempts to access an application from an endpoint device on which a ZTNA software agent has been installed
- The agent sends the user’s identity and the device’s security context to the ZTNA controller
- The controller authenticates the user, evaluates policy, and then provisions the connection to the requested service; the device talks only to the ZTNA gateway, never to the application directly
Service initiated
- A lightweight ZTNA connector sits in front of the on-premises or cloud-based business application and opens an outbound connection to the ZTNA broker; the application itself never accepts inbound connections from the internet
- The user authenticates to the broker (typically through the organization’s identity provider), and the broker checks the request against the application’s access policy
- Authorized traffic then flows through the ZTNA provider, which proxies it over the connector’s existing outbound session, so the application is isolated from direct access
- Note: This model does not require an agent on end-user devices, making it more attractive for unmanaged devices or bring-your-own-device (BYOD) access scenarios. The trade-off is that the broker sees less device posture, and access is limited to protocols the proxy understands, commonly web (HTTP/HTTPS) applications.
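The broker flow described above (authenticate, evaluate policy, tunnel to one application, stay dark to everyone else) and the service-initiated model with its outbound connector, as one added example that is not part of the original article and not GTT’s product code. It is an in-memory simulation: the Session and AppPolicy types, the user names, tokens, application names, and message formats are all constructed for illustration; a real deployment obtains sessions from an identity provider and carries the relay over TLS.

```python
"""Service-initiated ZTNA flow, simulated in memory.

Added example, not GTT's or any vendor's code. The broker authorizes each
request per application (identity, group, MFA, device posture); a connector
dials OUT from the application host; both sides' messages go to a transcript.
All users, tokens, application names and policy values are constructed.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:  # what the broker knows after the identity provider signed the user in
    user: str
    groups: frozenset
    mfa: bool
    managed_device: bool

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True

# Each private app is published on its own: access to one implies nothing about
# the others, unlike a VPN's network-level grant.
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"})),
    "wiki": AppPolicy(frozenset({"staff", "contractor"}), require_managed_device=False),
}
DENY = "403 Forbidden"  # same opaque answer for "no such app", "not yours" and "anonymous"

def authorize(session, app):
    """Policy decision point; the denial never reveals whether the app exists."""
    policy = POLICIES.get(app)
    if session is None or policy is None or not (session.groups & policy.allowed_groups):
        return DENY
    if policy.require_mfa and not session.mfa:
        return DENY + " (step-up MFA required)"
    if policy.require_managed_device and not session.managed_device:
        return DENY + " (device posture)"
    return "allow"

class Connector:
    """Lightweight connector beside the app. It dials out to the broker and keeps
    that tunnel open; neither it nor the app accepts inbound internet connections."""
    def __init__(self, app, broker, transcript):
        self.app, self.log = app, transcript
        self.log.append(f"connector({app}) -> broker: REGISTER {app} (outbound)")
        broker.connectors[app] = self  # registration rides the outbound tunnel
        self.log.append(f"broker -> connector({app}): REGISTERED")

    def relay(self, user, path):
        self.log.append(f"broker -> connector({self.app}): RELAY {path} user={user}")
        reply = f"200 OK {self.app}{path} for {user}"  # local hop to the app on this host
        self.log.append(f"connector({self.app}) -> broker: {reply}")
        return reply

class Broker:
    """ZTNA broker/proxy: the only component exposed to the internet."""
    def __init__(self, sessions, transcript):
        self.sessions, self.connectors, self.log = sessions, {}, transcript

    def request(self, token, app, path):
        session = self.sessions.get(token)  # token issued by the broker after IdP login
        who = session.user if session else "anonymous"
        self.log.append(f"{who} -> broker: GET {app}{path}")
        verdict = authorize(session, app)
        if verdict == "allow":
            connector = self.connectors.get(app)
            verdict = connector.relay(who, path) if connector else "503 connector offline"
        self.log.append(f"broker -> {who}: {verdict}")
        return verdict

def demo():
    """Run the exchange end to end; return (result per case, transcript)."""
    transcript = []
    sessions = {  # constructed: what the IdP handed the broker for each login
        "tok-alice": Session("alice", frozenset({"staff", "finance"}), mfa=True, managed_device=True),
        "tok-bob": Session("bob", frozenset({"contractor"}), mfa=True, managed_device=False),
        "tok-carol": Session("carol", frozenset({"finance"}), mfa=False, managed_device=True),
    }
    broker = Broker(sessions, transcript)
    Connector("payroll", broker, transcript)
    Connector("wiki", broker, transcript)
    results = {
        "alice_payroll": broker.request("tok-alice", "payroll", "/run"),
        "bob_wiki": broker.request("tok-bob", "wiki", "/home"),       # BYOD, no agent needed
        "bob_payroll": broker.request("tok-bob", "payroll", "/run"),  # wrong group
        "bob_ghost": broker.request("tok-bob", "ghost", "/"),         # app that is not published
        "carol_payroll": broker.request("tok-carol", "payroll", "/"), # MFA not yet satisfied
        "probe": broker.request(None, "payroll", "/"),                # unauthenticated scan
    }
    return results, transcript

if __name__ == "__main__":
    print("\n".join(demo()[1]))
```

Running it prints the transcript. Two things to notice: every message that touches the application host travels broker to connector over the tunnel the connector opened, so the application has no inbound path to defend; and Bob’s request for payroll, his request for an unpublished application, and the anonymous probe all receive the identical 403, which is what keeps the published applications dark to anyone without a matching policy.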
Likewise, there are two delivery models for implementing zero trust network access:
Stand-alone ZTNA
- Tasks the organization with deployment and management of all ZTNA elements
- Brokers secure connections at the edge of the data center or cloud environment
- Suits organizations that are cloud-averse, but deployment, management, and maintenance fall entirely on in-house staff and can become cumbersome
ZTNA-as-a-service (ZTNAaaS)
- Uses the provider’s infrastructure: the cloud service provider or ZTNA vendor supplies the connectivity, capacity, and points of presence for the solution
- Relies on the provider for all functionality, from deployment to policy enforcement
- Requires the organization only to purchase user licenses and install ZTNA connectors in front of its applications
Of the two delivery models, ZTNA-as-a-service simplifies management and deployment. It can also reduce latency, provided the provider has points of presence close to both users and applications so that traffic is not backhauled. The benefits of this cloud-based delivery model are widely recognized: Gartner estimates that over 90 percent of organizations adopting ZTNA are implementing it as a service.
The Benefits of Bringing ZTNA to Your Business
Information security leaders have struggled with many long-standing challenges, one of which is the difficulty of balancing security and user experience.
Most recently, the unprecedented demands that the COVID-19 pandemic has placed on IT and cybersecurity teams have tested their flexibility, creativity, and resolve. Providing access to business-critical applications with robust protection from malware and hackers has never been easy: the pandemic escalated the need for robust, user-friendly security solutions with flexible scalability.
Enter ZTNA.
The business benefits of a zero trust architecture are numerous, especially when a secure corporate network must support a remote workforce using cloud-hosted applications. Among the many benefits are:
- Ultimate control over access points
- Uninterrupted user experience
- Flexible security features
- Server protection
Trusted managed service providers such as GTT can deliver these ZTNA benefits to your business.
Internal Authority Over Access Points
Due to the ever-present cybersecurity threats facing businesses, ZTNA has emerged as a leading security solution for distributed workforces needing application access. Traditionally, VPNs have been somewhat effective in this regard, but do not provide the granular access policies needed to match user identity with specific application permissions.
With users logging in from different locations, multiple devices, and using various cloud services, it's never been so vital to manage the ways your network is accessed. That means:
- Taking control of who is allowed to reach your applications
- Deciding what they have access to
- Controlling how they’re allowed to use it
With GTT’s zero-trust approach to authentication, you can prevent unauthorized intrusion and keep corporate data out of harm’s way.
Uninterrupted User Experience
Remote work is now a common business model for corporations. As with branch office environments, critical applications must be reliable and responsive to maximize end-user productivity.
ZTNA provides a reliable, high-performance user experience (UX) by permitting authorized end users to reach their applications regardless of location. With cloud-delivered ZTNA, user traffic isn’t backhauled through the data center. Instead, users experience speedy, uninterrupted access to the critical applications they need.
Flexible Security Features
Not only does ZTNA provide businesses with a scalable security service, but the features of a zero trust solution can also be adapted to fit the needs of the enterprise’s application portfolio.
Flexible security features that are common in ZTNA and SASE solutions include:
- Threat prevention
- Credential theft prevention
- Web filtering
- Data loss prevention
- DNS security
- Next-generation firewall policies
- Sandboxing
- Adaptive Multi-Factor Authentication (MFA)
- Micro-segmentation
Experienced managed service providers such as GTT can help you configure your ZTNA solution and SASE framework to provide your business with the protection it needs.
Server Protection
Distributed denial of service (DDoS) attacks can paralyze an enterprise by flooding applications and network elements with unwanted or junk traffic, ultimately tying up system resources and crashing servers. Bad actors often utilize port scanning or other discovery methods to identify potential targets for attack.
To protect enterprise servers, ZTNA:
- Inhibits application discovery on the internet by creating a virtual darknet: application hosts accept no inbound connections from the internet, so they cannot be found by port scanning or targeted directly by DDoS and other internet-borne threats (the broker, as the one exposed component, must itself be provisioned to absorb such traffic)
- Allows segmentation of the corporate network into software-defined perimeters, which limits lateral movement of threats and reduces the attack surface if a breach should occur
- Allows users access to critical applications while still protecting business servers
Confidently Protect Your Network with GTT
In short, ZTNA gives a remote workforce using cloud-hosted applications secure access to private applications without exposing those applications to the public internet or placing users on the network.
As a core component of SASE alongside NGFW, SD-WAN, and SWG services, it fits naturally into a cloud-delivered security stack. As an experienced provider of these services, GTT can deliver the solutions you need to grow and secure your business. Contact us today to learn more.
Interested in learning more about GTT’s Zero Trust Network Access (ZTNA)?
Connect with our experts and ask for a demo of Zero Trust Network Access (ZTNA).