Virtual Private Networks (VPNs) have been used for years to provide remote connectivity, but they have limitations in terms of scalability and security. A technology that is replacing VPNs is Zero Trust Network Access (ZTNA). In this blog post, we’ll dive deep into ZTNA and explore the models, principles, and architectures that make it a more secure and scalable way to provide remote connectivity.
ZTNA is a category of technologies that offer secure remote access to applications and services on a per-application basis, automatically setting up and tearing down tunnels as necessary. However, to understand ZTNA, it’s essential to know the model and frameworks it’s based on. ZTNA is a component of the Zero Trust Security model, which provides a philosophy on how to approach network security. This foundation is crucial to understanding the components and methodology required to accomplish ZTNA. In this post, we’ll explore the Zero Trust Security Model and then dive deep into ZTNA, its pillars, components, and practical examples of how it’s being used in the real world.
The Zero Trust Security Model
The Zero Trust Security Model adheres to the philosophy that no one inside or outside the network is to be trusted unless their identification has been thoroughly checked. The assumption is that anyone can be compromised, so it doesn’t matter if you are on the same network or across the globe – everyone must be verified. In other words, access to applications or resources is not accepted based on location. Location is irrelevant, which means users inside or outside the network are not to be trusted by default. In contrast, traditional IT network security trusts anyone and anything inside the network. A Zero Trust architecture trusts no one and nothing.
Instead, all users (regardless of location) are to be verified and given only the minimum amount of access they need. This means that a user requesting access to Application “A” will be verified and authorized only for that specific application. Access to other applications will not be granted on the notion that they have been verified once before – instead, each application and service is verified as necessary.
Verification is accomplished in different ways depending on the implementation. At a minimum, it includes the following three pillars:
- Identity: involves user identification, authentication, and authorization. In other words: who are you? Are you who you claim to be? And are you authorized for that resource? Identification of the user should also include a second factor or multi-factor authentication.
- Context: is about how the user is trying to access the resource. This pillar is based on the least privilege security model, where users should only be granted the least possible amount of access for their needs. What’s more, applications are hidden from users who lack the proper access: only users who are authorized for a particular resource may even attempt to connect to it.
- Security Posture: This third pillar focuses on the device the user is connecting from. Once you have verified that users are who they say they are and should be allowed to access the resource, is their machine secure? Security Posture may encompass several different checks on the user’s machine to make sure the device is not compromised. This could be as simple as verifying that antivirus (AV) is running on the machine, or could be extended to ensure several different conditions are met before providing access.
Zero Trust does not finish with verification. Once a user has been granted access, the Zero Trust model requires continuous monitoring and validation. Any changes to the identity, context, or security posture of the user should result in revalidation and revoking access if necessary.
Zero Trust security is a model and a mindset for approaching network security. However, it is not a technology. Zero Trust Network Access (ZTNA) is a technology that enables the principles of Zero Trust for secure access to applications and resources.
The core technology that enables the Zero Trust principles is the “trust broker,” which sits between the users and the applications. The trust broker provides logical access boundaries and adheres to the principles of Zero Trust. This means that the trust broker is responsible for verifying the identity, context, and security posture. Once verified, a connection is established per application between the user and the application, and the trust broker will continue to monitor for changes to the identity, context, and security posture for the lifecycle of the session.
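To make the three pillars and the continuous-validation requirement concrete, here is a toy trust-broker policy engine. It is an added illustration, not code from the post or from any vendor: the identity, context, and posture signals are plain dicts constructed inline, and the application catalogue, group names, and posture thresholds (AV running, disk encrypted, patch age under 30 days) are assumptions standing in for what a real broker would pull from an identity provider, an endpoint agent, and a policy store. It shows per-application decisions (a user entitled to one app gets nothing else, and apps they cannot use are never listed) and a revalidation step that tears a session down when the device posture changes mid-session.

```python
"""Toy Zero Trust "trust broker" policy engine (added illustration).

Assumptions (not from the post): identity, context and posture signals
arrive as plain dicts; the app catalogue and group entitlements below
are constructed for the example. A real broker would source these from
an IdP, an MDM/EDR agent and a policy store.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed application catalogue: app name -> groups entitled to it.
APP_ACCESS: Dict[str, Set[str]] = {
    "payroll": {"finance"},
    "wiki": {"finance", "engineering"},
    "ci": {"engineering"},
}


@dataclass
class Session:
    """One broker-mediated tunnel: one user, one application."""
    user: str
    app: str
    active: bool = True
    reasons: List[str] = field(default_factory=list)


def check_identity(identity: dict) -> List[str]:
    """Pillar 1: who are you, can you prove it, and with a second factor?"""
    problems = []
    if not identity.get("authenticated"):
        problems.append("identity: not authenticated")
    if not identity.get("mfa"):
        problems.append("identity: MFA not satisfied")
    return problems


def check_context(identity: dict, app: str) -> List[str]:
    """Pillar 2: least privilege, decided per application, never per network."""
    allowed = APP_ACCESS.get(app)
    if allowed is None or not (set(identity.get("groups", ())) & allowed):
        # Same answer for "no such app" and "not entitled": the app stays
        # hidden from anyone who is not authorized for it.
        return [f"context: {app!r} is not available to {identity.get('user')!r}"]
    return []


def check_posture(posture: dict) -> List[str]:
    """Pillar 3: is the device the request comes from in a trusted state?"""
    problems = []
    if not posture.get("av_running"):
        problems.append("posture: endpoint protection not running")
    if not posture.get("disk_encrypted"):
        problems.append("posture: disk not encrypted")
    if posture.get("os_patch_age_days", 0) > 30:  # assumed threshold
        problems.append("posture: OS patches older than 30 days")
    return problems


def visible_apps(identity: dict) -> List[str]:
    """Only applications the user is entitled to are ever listed."""
    groups = set(identity.get("groups", ()))
    return sorted(app for app, allowed in APP_ACCESS.items() if groups & allowed)


def evaluate(identity: dict, posture: dict, app: str) -> List[str]:
    """Run all three pillars; an empty list means access is permitted."""
    return check_identity(identity) + check_context(identity, app) + check_posture(posture)


def open_session(identity: dict, posture: dict, app: str) -> Session:
    """Broker decision at connect time: one tunnel for exactly one application."""
    reasons = evaluate(identity, posture, app)
    return Session(user=identity.get("user", "?"), app=app, active=not reasons, reasons=reasons)


def revalidate(session: Session, identity: dict, posture: dict) -> Session:
    """Continuous validation: drift in any pillar revokes the session instead
    of letting it ride on the original connect-time decision."""
    reasons = evaluate(identity, posture, session.app)
    if reasons:
        session.active = False
        session.reasons = reasons
    return session


if __name__ == "__main__":
    # Constructed signals for one user and one laptop.
    alice = {"user": "alice", "authenticated": True, "mfa": True, "groups": ["finance"]}
    laptop = {"av_running": True, "disk_encrypted": True, "os_patch_age_days": 3}
    print("visible to alice:", visible_apps(alice))          # ['payroll', 'wiki']
    s = open_session(alice, laptop, "payroll")
    print("payroll session active:", s.active)               # True
    print("ci session active:", open_session(alice, laptop, "ci").active)  # False
    # Later the endpoint agent reports AV stopped: the session is revoked.
    s = revalidate(s, alice, {**laptop, "av_running": False})
    print("after posture change:", s.active, s.reasons)
```

The point of the design is that `evaluate` is the single function run both at connect time and on every revalidation, so the broker never has a "logged in once, trusted forever" path; the same check that admitted the user is what revokes them when a signal changes.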
In practical terms, the trust broker can be a network device or a cloud provider, depending on where the application resides. If your applications and services are accessed through SASE or Security Service Edge, the trust broker is the cloud provider. Examples of these cloud providers include Zscaler, Palo Alto Prisma Access, Cato Networks, and Cloudflare. If your applications and services are hosted on-premises, such as in a data center or at an HQ location, the trust broker could be a piece of network equipment such as a firewall. Examples of these network equipment providers include Fortinet, Palo Alto, and Check Point.
The important thing to note is that the trust broker is usually not a single device but a decentralized solution of various technologies that make up the control plane and data plane. The control plane handles the management, intelligence, and monitoring of the ZTNA policies, while the data plane handles the enforcement and usually the connections between user and application. The makeup of ZTNA varies by vendor, so how it is designed matters less than knowing that the technology enforces the principles of Zero Trust one way or another.
In fact, from a technology perspective, there are many different ways to accomplish ZTNA, and it is rarely achieved the same way from vendor to vendor. In one of my previous videos, I described in detail how to accomplish Zero Trust using SDP (Software Defined Perimeter). While SDP is one way, it is certainly not the only way. For more details on how SDP works, take a look at that video, which was recommended by the CyberSecurity Cloud Alliance as a must-watch for SDP.
Zero Trust Network Access (ZTNA) is quickly replacing VPNs as a more secure and scalable way to provide remote connectivity. It provides secure access to applications and services on a per-application basis, instead of providing access to the entire network like traditional VPNs.
ZTNA is based on the Zero Trust Security Model, which adheres to the philosophy that no one inside or outside the network is to be trusted by default. Instead, all users must be verified and given only the minimum amount of access they need. Verification is accomplished through three pillars: identity, context, and security posture. Once access is granted, the Zero Trust model requires continuous monitoring and validation to ensure that the user’s identity, context, and security posture have not changed.
The trust broker is the core piece of technology that enables the Zero Trust principles for secure access to applications and resources. It sits between the users and the applications, and it’s responsible for verifying the identity, context, and security posture of the user.
ZTNA is becoming increasingly popular, and a growing number of providers offer solutions that implement the Zero Trust principles, including cloud providers and network equipment manufacturers.
By implementing ZTNA, organizations can increase security, simplify remote access management, and reduce costs. It’s a technology that is worth considering for any organization looking to modernize its remote access strategy.