Recently, zero trust has become a hot topic in the world of cybersecurity and isn’t going to go away. As cyber attacks become more advanced and the cost of data breaches for organizations grows rapidly, the concept of ‘never trust, always verify’ is being adopted by all organizations, from small businesses and charities to government and critical national infrastructure.
A zero trust strategy incorporates everything from users and applications to everything infrastructure related. To enact zero trust, organizations need to have Zero trust Network Access (ZTNA) in place.
In this article, we look at what ZTNA is and its benefits and assess the different types that are available to organizations.
What is Zero Trust Network Access?
In short, ZTNA is a technology that makes implementing zero trust architecture possible. Zero Trust requires there to be verification for every individual user and every device before they are able to access the resources in the internal network.
In this approach, the device and user are not able to see what resources, such as applications and servers, are on any other network apart from the one they are connected to. There are one-to-one connections between the user and the resource they need and these connections need to be re-verified frequently.
What are the Benefits of ZTNA?
One huge benefit of ZTNA is that you can get rid of old legacy remote access applications, with VPNs being a common example, the ZTNA is software based. ZTNA can support all the different internal applications you might have in either a data center or the cloud.
While a VPN can slow things down, a ZTNA can provide a much more seamless user experience as it gives direct access rather than needing to go through a data center. It is also easy to scale as your organization grows.
Admins can usually control the ZTNA through an admin portal, meaning that they are able to see all users’ activity and application use in real time and create access policies for individual users and user groups.
Finally, a true benefit of ZTNA is that it can be deployed very quickly in any location and therefore minimizing the amount of disruption to users and admins.
The Different Types of ZTNA Solutions
There are two main types of ZTNA that you are likely to come across, these are endpoint initiated ZTNA and service initiated ZTNA. Each has its advantages and disadvantages, and the right choice depends on the organization’s needs and IT operations.
Here is a brief overview of each:
Endpoint Initiated ZTNA
With endpoint initiated ZTNA, the agent is installed on the end user’s device, and this agent transmits security information directly to a controller. The user is then prompted with the authentication step, and a collection of permitted applications are returned.
Connectivity is still controlled by the controller even after authentication; this means that the user must continue to use the gateway and does not have direct internet access in order to prevent attacks and data breaches.
The endpoint initiated ZTNA requires either the installation of a local software agent or a device management infrastructure. Or an alternative can be a trusted third party provider that has a device posture assessment.
Service Initiated ZTNA
By contrast, the service initiated ZTNA type does not need the installation of an agent on the user’s device. This is good for organizations with unmanaged devices that allow their staff to utilize personal devices for accessing work, such as personal mobile phones.
With this approach, networks with which applications are deployed establish outbound connections with a connector to a cloud based zero trust network access solution. The user must authenticate themselves with the ZTNA provider in order to gain access to permitted applications.
The ZTNA uses an enterprise identity management product to identify the individual user. Once validated, traffic can then pass through the cloud and isolate applications for direct access.
Using this approach, the organization’s firewall does not have to allow inbound traffic as the traffic instead passes through the provider. Nevertheless, the provider’s network needs to be evaluated as it is now a critical element that could risk the organization’s security.
When deciding which type of ZTNA solution to element, an organization should consider whether the installation of an endpoint agent is a viable process and whether it supports the OS and devices they need it to.
They should also consider the vendor’s pricing model, it could be priced per device or by bandwidth. The nature of the organization and its size may affect whether a certain model is suitable.
Zero trust is the future of network cyber security and is already becoming the expected standard across many industries, including the government. Having a ZTNA solution in place is the first step in rolling out an effective zero trust strategy and ensuring the long term security of an organization’s networks.