What is Zero Trust Network Access (ZTNA)?

Gartner defines ZTNA as “a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker.” In short, ZTNA trusts nothing and considers no network segment inherently safe: ZTNA’s default security posture is “deny all”, an approach that hides asset visibility and significantly reduces the attack surface of your network.

A ZTNA security approach has become imperative due to the increasing popularity of cloud migration, Direct Internet Access (DIA), Work-from-anywhere (WFA), and the use of unmanaged BYOD/IoT devices: trends that have dissolved legacy networks’ hard perimeter. Modern client-to-cloud and WFA networks have a software-defined perimeter: the worker’s home has become a branch office, and the internet is part of the corporate network. “Intranet” no longer has a definitive meaning.


How Does ZTNA Work?

ZTNA is a client-to-application approach, rather than a network-centric one, that authenticates and authorizes each access request based on:

  • the identity and context of the user, and
  • the device and application (or any other asset) being accessed

The ZTNA security broker verifies each access attempt regardless of location. It applies corporate policy and grants granular, least-privilege access to an asset (an application, URL, data or other destination). A ZTNA architecture:

  • Regards the network as providing only transport, and makes no architectural distinction between on-prem and off-prem users, devices or applications/assets.
  • Applies consistent corporate policies to all asset access attempts regardless of the entity (user, device, and application/asset) requesting the access, or the location of the entity or the requested asset.
  • Provides full security for all WFA users, on any device, for any on-prem or cloud application.
  • Segments the network end-to-end so that legitimate users receive granular access only to the applications their privileges allow.

ZTNA architecture comprises several components:

  • SDP broker/proxy: Makes outbound-only connections to ensure both the network and the applications are invisible to unauthorized users; the broker may be an appliance or a cloud service.
  • Cloud Gateway: Cloud-deployed, globally distributed gateways securely connect to the enterprise network and cloud/SaaS destinations.
  • Client: SASE client software for end-user devices. A clientless deployment is also available.
  • Authentication services: Integrate with the enterprise’s existing user and device credential management and authentication service.
  • Self-management Portal: Provides administrative visibility and control of users and applications.
  • Transport: Wired, wireless, or cellular internet or intranet connections.
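The broker behaviour described above (verify every access attempt regardless of location, apply corporate policy, grant least-privilege access, and keep unauthorized applications invisible) can be reduced to a small policy-evaluation loop. The following is an added illustration, not Versa code or any product's actual policy engine; the request fields, policy schema, sample policies and sample requests are all constructed for this example.

```python
"""Minimal ZTNA trust-broker decision logic (illustrative, not product code)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessRequest:
    """Identity and context the broker sees for one access attempt (constructed schema)."""
    user: str
    groups: frozenset          # identity attributes from the enterprise IdP
    device_managed: bool       # enrolled in device management, or BYOD
    device_compliant: bool     # posture checks passed (e.g. disk encryption, EDR running)
    mfa: bool                  # strong authentication completed this session
    location: str              # recorded for audit only; never a basis for trust
    app: str                   # the application the client is asking for


@dataclass(frozen=True)
class Policy:
    """Per-application access policy (constructed schema)."""
    app: str
    allowed_groups: frozenset
    require_managed_device: bool = True
    require_mfa: bool = True


# Every denial looks identical to the client, so a probe cannot tell
# "application does not exist" from "you are not allowed to see it".
CLIENT_DENIAL = "not found"


class TrustBroker:
    def __init__(self, policies):
        self._policies = {p.app: p for p in policies}
        self.audit_log = []   # (user, app, location, internal reason)

    def _decide(self, req):
        """Return (allowed, internal_reason). Anything not explicitly allowed is denied."""
        policy = self._policies.get(req.app)
        if policy is None:
            return False, "no policy for application (default deny)"
        if not (req.groups & policy.allowed_groups):
            return False, "identity not authorized for application"
        if policy.require_mfa and not req.mfa:
            return False, "MFA required"
        if policy.require_managed_device and not req.device_managed:
            return False, "unmanaged device"
        if not req.device_compliant:
            return False, "device posture non-compliant"
        return True, "allow"

    def evaluate(self, req):
        """Evaluate one request: detailed reason goes to the audit log, a uniform answer to the client."""
        allowed, reason = self._decide(req)
        self.audit_log.append((req.user, req.app, req.location, reason))
        return allowed, ("allow" if allowed else CLIENT_DENIAL)

    def visible_apps(self, req):
        """Only applications this identity/device may reach are ever listed (hidden from discovery)."""
        return sorted(app for app in self._policies
                      if self._decide(replace(req, app=app))[0])


# Constructed sample policies and requests.
POLICIES = [
    Policy("finance-erp", frozenset({"finance"})),
    Policy("ci-server", frozenset({"engineering"}), require_mfa=False),
]
ALICE_HOME = AccessRequest("alice", frozenset({"finance"}), True, True, True, "home", "finance-erp")
ALICE_BYOD_OFFICE = replace(ALICE_HOME, device_managed=False, location="office-lan")
BOB_CAFE = AccessRequest("bob", frozenset({"engineering"}), True, True, False, "cafe", "finance-erp")

if __name__ == "__main__":
    broker = TrustBroker(POLICIES)
    for req in (ALICE_HOME, ALICE_BYOD_OFFICE, BOB_CAFE, replace(BOB_CAFE, app="unknown-app")):
        print(req.user, req.location, req.app, broker.evaluate(req), broker.audit_log[-1][3])
    print("alice sees:", broker.visible_apps(ALICE_HOME), "| bob sees:", broker.visible_apps(BOB_CAFE))
```

Two points the sample requests are chosen to show: the same user is allowed from home on a managed device and denied from the office LAN on an unmanaged one, so location earns no trust on its own; and a request for an application with no policy is denied exactly like a request for one the user is not entitled to, which is how the broker keeps applications hidden from discovery.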

Benefits of Zero Trust Network Access

ZTNA establishes a secure, elastic, software-defined perimeter around your users, devices and assets. This architecture affords many benefits to your IT operations and users:

  • Eliminates the need for appliances and solutions such as VPN aggregation, Captive Portals, DDoS prevention, global load balancing, and firewall stacks.
  • Consistent security policy enforcement for on-prem and cloud; seamless experience for all users and devices; granular access control of on-prem or cloud access; simplified regulatory compliance.
  • Effortless scale, high-performance cloud access from anywhere; least latency QoE; cloud-delivered gateways/brokers readily scale up/down; adjusts for ever-changing user and cloud workload locations; inherent HA.
  • Location-independent, with optimized data path for least-latency application access.
  • Authenticated users and devices including BYOD and IoT; hassle-free inline user authentication. Client and clientless deployment models.
  • Advanced connectivity to secure all transport to corporate-grade, including internet, intranet, wired, wireless, cellular; end-to-end encrypted tunnels for all client-to-application connections.
  • Reduces attack surface, allowing users only least-privilege access; prevents asset discovery and lateral movement; brokers security for every transaction; invisible applications and network topology; prevents unpatched device/server attack targets; granular application segmentation.
  • Quick turnaround to accommodate organizational changes or acquisitions.

Choosing and Deploying ZTNA in Your Organization

ZTNA components are software-based and cloud-delivered, easily fitting into your existing environment. They are maintained and kept up to date by the provider. You can leverage a vendor or provider’s global distribution of gateways and quickly integrate these into your architecture.

ZTNA is an integral element of a leading-edge SASE solution and is best implemented as part of your SASE strategy. No significant change is needed to your network design, topology, or infrastructure—the network becomes transport and authentication/access becomes a software layer on top.

A ZTNA deployment integrates with your existing user/device credential management and security policy management systems, which may already be integrated with your SD-WAN architecture.

ZTNA is an Integral Component of a Leading SASE Solution

The Versa SASE solution includes fully integrated SD-WAN, SWG, CASB, ZTNA, branch NGFWaaS and Cloud Gateway capabilities that deliver the following additional benefits:

  • Single-pass data path for optimal efficiency and least latency.
  • Single-pass software architecture eliminating repetition of functions and best QoE.
  • Single-pane-of-glass to manage all functions: SD-WAN, SWG, ZTNA, RBI, CASB, NGFWaaS, and Cloud Gateways.
  • Single policy language to ensure comprehensive security and compliance for all users.
  • A single Forward Proxy to manage and work with (one company to share certificates with), eliminating proxy chaining. The Versa Forward Proxy serves all functions including SD-WAN, ZTNA, SWG, CASB, and more.
  • A global POP network of Versa Cloud Gateways.
  • Rich access options: A SASE client (with authentication, policy/compliance enforcement, multiple active connections), standard tunnel options (GRE, IKEv2 IPSEC), and integrated SD-WAN options.
