
What is Zero Trust Network Access?

ZTNA replaces VPN for cloud-native hybrid work

Virtual Private Networks (VPNs) provide enterprises with secure remote worker access, but they also present challenges in scale, flexibility and efficacy as more information is in the cloud and workers move away from the perimeter of the enterprise network. Zero Trust Network Access (ZTNA) — another Gartner-popularized acronym — has emerged as an alternative. ZTNA is foundational to cloud-native managed services like Secure Access Service Edge (SASE) solutions.

VPNs use either dedicated circuits or tunneling techniques over existing public or private networks to provide remote workers with a native network connection. They align with a perimeter-focused security strategy: What’s outside the network is not trusted. What’s inside the network is — including that VPN connection. 

This presents significant challenges for businesses invested in perimeter security solutions. What happens when there is no perimeter? Enterprise data has become porous: It’s in public and private clouds, on premises or in a data center. Businesses are increasingly turning to cloud-based services and platforms to reduce capital costs and improve operational agility.

The Principle of Least Privilege guides ZTNA frameworks and is, put simply: Give the user access only to what they need to accomplish their task.

“When ZTNA is in use, access to specific applications or resources is granted only after the user has been authenticated to the ZTNA service. Once authenticated, the ZTNA then grants the user access to the specific application using a secure, encrypted tunnel which offers an extra layer of security protection by shielding applications and services from IP addresses that would otherwise be visible,” said VMware.

VMware explained that ZTNA prevents users from having visibility into other apps and services to which they lack the appropriate permission.

“This also offers protection against lateral attacks, since even if an attacker gained access they would not be able to scan to locate other services,” said VMware.

ZTNA can be implemented as an endpoint solution, VMware explained. An agent app on the device communicates with a ZTNA controller, which authenticates the device and connects to the required service.

“Conversely, in a service-initiated ZTNA, the connection is initiated by a broker between application and user. This requires a lightweight ZTNA connector to sit in front of the business applications that are located either on-premises or at cloud providers,” said VMware.
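As an added illustration (not code from VMware or from the original article), the following Python sketch contrasts the perimeter model, where a VPN session can reach every internal host, with a ZTNA broker that authenticates first and then grants access to one application at a time, so a session can neither see nor connect to apps outside its entitlement. All users, groups, applications and host names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data; every user, group, app and host name below is hypothetical.
APP_CATALOG = {
    "hr-portal":  {"upstream": "hr.internal:443",   "allowed_groups": {"hr"}},
    "git":        {"upstream": "git.internal:22",   "allowed_groups": {"eng"}},
    "finance-db": {"upstream": "fin.internal:5432", "allowed_groups": {"finance"}},
}
USERS = {"alice": {"eng"}, "bob": {"hr", "finance"}}


@dataclass
class Session:
    user: str
    device_compliant: bool
    granted: set = field(default_factory=set)  # apps this session has been connected to


def vpn_reachable() -> list:
    """Perimeter model: once on the VPN, every internal host is reachable (and scannable)."""
    return [p["upstream"] for p in APP_CATALOG.values()]


class ZtnaBroker:
    """Service-initiated ZTNA broker: authenticates first, then grants one app at a time."""

    def authenticate(self, user: str, credential_ok: bool, device_compliant: bool) -> Optional[Session]:
        # No session at all without a successful authentication.
        if user not in USERS or not credential_ok:
            return None
        return Session(user=user, device_compliant=device_compliant)

    def discover(self, session: Session) -> list:
        """Apps the user can see: only those a group membership entitles them to."""
        groups = USERS[session.user]
        return sorted(app for app, p in APP_CATALOG.items() if groups & p["allowed_groups"])

    def connect(self, session: Session, app: str) -> Optional[str]:
        """Upstream the connector tunnels to, or None when policy denies the request."""
        # Unentitled apps are invisible, and a non-compliant device gets no tunnel at all.
        if app not in self.discover(session) or not session.device_compliant:
            return None
        session.granted.add(app)
        return APP_CATALOG[app]["upstream"]
```

Because `discover` only ever returns entitled apps, a compromised session cannot enumerate the rest of the catalogue, which is the lateral-movement protection the text describes.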

As part of a SASE solution, ZTNA is aligned with other software-based security technologies, including Firewall as a Service (FWaaS), Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB).

Orange Business Services recently announced that it’s incorporating Fortinet’s SASE solution, including ZTNA, into its telco cloud infrastructure. The company says this seamless approach will provide its customers with real-time service updates and a better user experience. Orange Business Services says the new solution is an end-to-end SASE offering that’s available globally.

Fortinet, Cisco and VMware dominate the market segment that SASE products like Fortinet’s occupy, according to a recent study. The Dell’Oro Group reported that SD-WAN sales were up 45% year-over-year.
