What is Zero Trust Network Access?

Zero Trust Network Access (ZTNA) is a category of technologies that provides secure remote access to applications and services based on defined access control policies. Unlike a VPN, which typically grants the connected user broad access to the LAN, a ZTNA solution defaults to deny and provides access only to the services the user has been explicitly granted. As more remote users join the network, it is important to understand both the benefits ZTNA solutions offer organizations and the security gaps they leave.

How ZTNA works

With ZTNA, access is established only after the user has authenticated to the ZTNA service. The service then brokers the connection to the application on the user's behalf through a secure, encrypted tunnel. Because the application is reached only through the broker, its IP address need not be exposed publicly, which adds a layer of protection for corporate applications and services.

Like a Software Defined Perimeter (SDP), ZTNA relies on the concept of a dark cloud: users cannot see any application or service they lack permission to access. This limits lateral movement, since a compromised endpoint or stolen credentials would otherwise allow an attacker to scan for and pivot to other services.

Access Control

ZTNA services authenticate users by identity and enforce identity-based access control, an alternative to the IP-based access control used in most VPN configurations. ZTNA also lets organizations apply location- or device-specific policies, for example to keep unpatched or vulnerable devices from connecting to corporate services. This addresses a common VPN weakness: BYOD remote users are granted the same level of access as users in a corporate office, even though their devices often have fewer security controls in place. Some agent-based ZTNA solutions perform a pre-authentication trust assessment of the connecting user and device, covering device posture, authentication status, and user location.
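The default-deny, identity-plus-posture model described in the sections above can be made concrete with a small policy decision point. The following is an added example and not code from the original article or from any ZTNA product; the applications, groups, countries and policies are constructed for illustration. It shows an explicit per-application policy (groups, MFA, managed device, device posture, allowed countries), default deny for any application without a policy, and a `visible_apps` query that models the dark cloud: a user is only told about applications the policy would actually let them reach.

```python
"""Minimal default-deny ZTNA-style policy decision point (added example).

All applications, groups, countries and policies below are constructed for
illustration and do not describe any real deployment.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in corporate device management
    os_patched: bool      # posture facts as reported by the endpoint agent
    disk_encrypted: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool
    device: Device
    country: str          # user location as determined at authentication time
    app: str              # application the user is asking to reach


@dataclass(frozen=True)
class Policy:
    app: str
    allowed_groups: FrozenSet[str]
    require_mfa: bool = True
    require_managed_device: bool = False
    require_healthy_posture: bool = True
    allowed_countries: FrozenSet[str] = frozenset()  # empty means any country

    def evaluate(self, req: AccessRequest) -> Tuple[bool, str]:
        """Return (allowed, reason). Every check must pass; the first failure wins."""
        if not self.allowed_groups & req.groups:
            return False, "user not in an allowed group"
        if self.require_mfa and not req.mfa_verified:
            return False, "MFA required"
        if self.require_managed_device and not req.device.managed:
            return False, "unmanaged device"
        if self.require_healthy_posture and not (req.device.os_patched and req.device.disk_encrypted):
            return False, "device failed posture check"
        if self.allowed_countries and req.country not in self.allowed_countries:
            return False, f"access not permitted from {req.country}"
        return True, "policy matched"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PolicyEngine:
    """Default deny: an application with no policy is unreachable for everyone."""

    def __init__(self, policies: List[Policy]):
        self._by_app: Dict[str, List[Policy]] = {}
        for policy in policies:
            self._by_app.setdefault(policy.app, []).append(policy)

    def decide(self, req: AccessRequest) -> Decision:
        candidates = self._by_app.get(req.app)
        if not candidates:
            return Decision(False, f"no policy for application {req.app!r} (default deny)")
        reasons = []
        for policy in candidates:           # any matching policy grants access
            ok, reason = policy.evaluate(req)
            if ok:
                return Decision(True, reason)
            reasons.append(reason)
        return Decision(False, "; ".join(reasons))

    def visible_apps(self, req: AccessRequest) -> FrozenSet[str]:
        """The dark cloud: list only the applications this request could reach."""
        return frozenset(
            app for app in self._by_app
            if self.decide(replace(req, app=app)).allowed
        )


# Constructed policies: a low-risk wiki open to BYOD, and two managed-device-only apps.
POLICIES = [
    Policy("wiki", frozenset({"employees", "contractors"}), require_healthy_posture=False),
    Policy("payroll", frozenset({"finance"}), require_managed_device=True,
           allowed_countries=frozenset({"US", "CA"})),
    Policy("git", frozenset({"engineering"}), require_managed_device=True),
]
ENGINE = PolicyEngine(POLICIES)


def example_decisions() -> Dict[str, object]:
    """Evaluate a few constructed requests and return the outcomes by name."""
    managed = Device(managed=True, os_patched=True, disk_encrypted=True)
    byod = Device(managed=False, os_patched=False, disk_encrypted=True)
    alice = AccessRequest("alice", frozenset({"employees", "finance"}), True, managed, "US", "payroll")
    bob = AccessRequest("bob", frozenset({"contractors"}), True, byod, "DE", "wiki")
    return {
        "alice_payroll": ENGINE.decide(alice),
        "bob_wiki": ENGINE.decide(bob),
        "bob_payroll": ENGINE.decide(replace(bob, app="payroll")),
        "alice_unmanaged_payroll": ENGINE.decide(replace(alice, device=byod)),
        "alice_unknown_app": ENGINE.decide(replace(alice, app="legacy-erp")),
        "bob_visible": ENGINE.visible_apps(bob),
        "alice_visible": ENGINE.visible_apps(alice),
    }


if __name__ == "__main__":
    for name, outcome in example_decisions().items():
        print(f"{name}: {outcome}")
```

Two design points carry over to real deployments: every denial returns a reason so the decision can be logged and audited, and `visible_apps` is derived from the same `decide` call rather than from a separate list, so the applications a user can see never drift from the applications they can actually reach.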

Visibility & Control with SASE

Like SDP, however, ZTNA does not inspect user traffic inline once the connection to the application is established. This leaves a gap when a user's device or credentials are compromised, or when a malicious insider uses legitimate access to a resource to disrupt the application or host.

Secure access service edge (SASE) solutions that incorporate ZTNA's identity-based authentication and granular access control provide a more complete, holistic approach. SASE solutions provide the cloud scalability, security and network capabilities required for secure remote access management and, unlike standalone ZTNA solutions, add post-connect monitoring for signs of data loss or compromised credentials.