What is Zero Trust Network Access (ZTNA)?

ZTNA is a client-to-application—not network-centric—approach to authenticate security based on:

• the identity and context of the user, and
• the device and application (or any other asset) being accessed

The ZTNA security broker verifies each access attempt regardless of location. It applies corporate policy and grants granular, least-privilege access to an asset (an application, URL, data or other destination). A ZTNA architecture:

• Regards the network as providing only transport, and makes no architectural difference between on-prem and off-prem users, devices or applications/assets.
• Applies consistent corporate policies to all asset access attempts regardless of the entity (user, device, and application/asset) requesting the access, or the location of the entity or the requested asset.
• Provides full security for all WFA users, on any device, for any on-prem or cloud application.
• Segments the network end-to-end to ensure granular access for legitimate users only to applications allowed within their privilege credentials.

ZTNA architecture comprises several components:

• SDP broker/proxy: Makes outbound-only connections to ensure both the network and the applications are invisible to unauthorized users; the broker may be an appliance or a cloud service.
• Cloud Gateway: Cloud-deployed, globally distributed gateways securely connect to the enterprise network and cloud/SaaS destinations.
• Client: SASE client software for end-user devices. A clientless deployment is also available.
• Authentication services: Interacts with the enterprise’s existing user and device credential management and authentication service.
• Self-management Portal: Provides administrative visibility and control of users and applications.
• Transport: Wired, wireless, or cellular internet or intranet connections.

Choosing and Deploying ZTNA in Your Organization

ZTNA components are software-based and cloud-delivered, easily fitting into your existing environment. They are maintained and kept up to date by the provider. You can leverage a vendor or provider’s global distribution of gateways and quickly integrate these into your architecture.

ZTNA is an integral element of a leading-edge SASE solution and is best implemented as part of your SASE strategy. No significant change is needed to your network design, topology, or infrastructure—the network becomes transport and authentication/access becomes a software layer on top.

Deploying ZTNA interacts with your existing user/device credential management and security policy management systems which may already be integrated with your SD-WAN architecture.

ZTNA is an Integral Component of a Leading SASE Solution

The Versa SASE solution includes fully integrated SD-WAN, SWG, CASB, ZTNA, branch NGFWaaS and Cloud Gateway capabilities that deliver the following additional benefits:

• Single-pass data path for optimal efficiency and least latency.
• Single-pass software architecture eliminating repetition of functions and best QoE.
• Single-pane-of-glass to manage all functions: SD-WAN, SWG, ZTNA, RBI, CASB, NGFWaaS, and Cloud Gateways.
• Single policy language to ensure comprehensive security and compliance for all users.
• A single Forward Proxy to manage and work with (one company to share certificates with), eliminating proxy chaining. The Versa Forward Proxy serves all functions including SD-WAN, ZTNA, SWG, CASB, and more.
• A global POP network of Versa Cloud Gateways.
• Rich access options: A SASE client (with authentication, policy/compliance enforcement, multiple active connections), standard tunnel options (GRE, IKEv2 IPSEC), and integrated SD-WAN options.