Zero Trust Network Access (ZTNA) is the technology that enables organizations to implement a Zero Trust security model.
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
Zero Trust Network Access (ZTNA) is the technology that makes it possible to implement a Zero Trust security model. "Zero Trust" is an IT security model that assumes threats are present both inside and outside a network. Consequently, Zero Trust requires strict verification for every user and every device before authorizing them to access internal resources.
ZTNA is similar to the software-defined perimeter (SDP) approach to controlling access. In ZTNA, like in SDP, connected devices are not aware of any resources (applications, servers, etc.) on the network other than what they are connected to.
Imagine a scenario in which every resident gets a phone book with the phone numbers of every other resident of their city, and anyone can dial any number to contact any other person. Now imagine a scenario in which everyone has an unlisted phone number and one resident has to know another resident's phone number in order to call them. This second scenario offers a few advantages: no unwanted calls, no accidental calls to the wrong person, and no risk of unscrupulous persons using the city's phone book to fool or scam the residents.
ZTNA is like the second scenario. But instead of phone numbers, ZTNA uses "unlisted" IP addresses, applications, and services. It sets up one-to-one connections between users and the resources they need, like when two people who need to contact each other exchange phone numbers. But unlike two people exchanging numbers, ZTNA connections need to be re-verified and recreated periodically.
Virtual private networks (VPNs) are what many organizations use to control access instead of ZTNA. Once users are logged in to a VPN, they gain access to the entire network and all the resources on that network (this is often called the castle-and-moat model). ZTNA instead only grants access to the specific application requested and denies access to applications and data by default.
There are differences between ZTNA and VPNs on a technical level as well. Some of these differences include:
Finally, VPNs are imprecise, largely treating users and devices the same, regardless of where they are and what they need to access. With "bring your own device" (BYOD) approaches becoming increasingly common, it is dangerous to allow this access, as any malware-compromised endpoint can then infect an entire network. For these reasons, VPNs are a frequent attack target.
ZTNA is configured slightly differently by each organization or vendor. However, there are several underlying principles that remain consistent across ZTNA architectures:
Agent-based ZTNA requires the installation of a software application called an "agent" on all endpoint devices.
Service-based or cloud-based ZTNA is a cloud service rather than an endpoint application. It does not require the use or installation of an agent.
Organizations looking to implement a Zero Trust philosophy should consider what kind of ZTNA solution best fits their needs. For example, if an organization is concerned about a growing mix of managed and unmanaged devices, agent-based ZTNA may be an effective option. Alternatively, if an organization is primarily focused on locking down certain web-based apps, then the service-based model can be rolled out swiftly.
Another consideration is that service-based ZTNA may integrate easily with cloud applications but not as easily with on-premise infrastructure. If all network traffic has to go from on-premise endpoint devices to the cloud, then back to on-premise infrastructure, performance and reliability could be impacted drastically.
Vendor specialization: Because identity and access management (IAM), network services, and network security traditionally have all been separate, most ZTNA vendors typically specialize in one of these areas. Organizations should either look for a vendor with an area of specialization that fits their needs, or one that combines all three areas into one cohesive network security solution.
Level of implementation: Some organizations may have already invested in adjacent technology to support a Zero Trust strategy (e.g. IdP or endpoint protection providers), while some may need to build their entire ZTNA architecture from scratch. ZTNA vendors may offer point solutions to help organizations round out their ZTNA deployments, create entire ZTNA architectures, or both.
Support for legacy applications: Many organizations still have on-premise legacy applications that are critical for their business. Because it runs on the Internet, ZTNA supports cloud applications easily but may need additional configuration to support legacy applications.
IdP integration: Many organizations have an IdP already in place. Some ZTNA vendors work only with certain IdPs, forcing their customers to migrate their identity database to use their service. Others are IdP-agnostic — they can integrate with any IdP.
Zero Trust Application Access (ZTAA), also called Zero Trust application security, applies the same principles as ZTNA to application access rather than network access. ZTAA solutions verify user access to applications by integrating with IdP and SSO providers, encrypting connections, considering each access request for an application individually, and blocking or allowing on a request-by-request basis. ZTAA can be offered agentless via the browser, or using an endpoint agent.
To learn more, see Zero Trust Security.
Cloudflare offers a ZTNA solution built on the Cloudflare global edge network for fast performance. See the ZTNA solution page.
For further background information on the philosophy of Zero Trust, see our article on Zero Trust security.