SASE Series #1 Zero Trust Network Access (ZTNA)

Advances in technology have made remote working possible for years, but it was the COVID-19 pandemic that turned remote and hybrid working from a niche arrangement into a normal part of working life.

This shift has not been without challenges. It has raised awareness of how important security is for users working outside the office, and companies need to ensure that employees can reach company applications securely from wherever they are. For this reason, more and more companies are turning to ZTNA solutions.

Gartner has reported that a growing number of companies are replacing Virtual Private Networks (VPNs) with ZTNA. Gartner estimates that ZTNA solutions will grow by 31% in 2023 and that by 2025, 70% of new remote access deployments will use ZTNA rather than VPN services.

Definition of Zero Trust Network Access (ZTNA)

Zero Trust is a security model that removes implicit trust and requires strong, repeated authentication and authorization of both users and devices. ZTNA applies this model to application access: no user, device or network is trusted by default, regardless of the user's role or seniority in the company or of where the connection originates, whether the corporate LAN, a home network or a public hotspot.

Trust granted during an earlier session does not carry over. Each new access request is verified again, and the outcome of the previous check has no bearing on the new one. This is the right assumption, because the user's account or the network they are connecting from may have been compromised since the last check, or the security policy may have changed in the meantime so that the earlier decision is no longer valid.

What does ZTNA do?

ZTNA specifically does the following:

  • Controls network traffic based on predefined policies.
  • Treats these policies as dynamic, so they can be changed in real time and take effect on the next request.
  • Blocks traffic by default.
  • Allows network traffic only if a policy explicitly permits it.
  • Verifies the identity of all parties to a network flow before allowing any data to flow.
  • Verifies that endpoints (user devices such as phones, laptops and desktops) still meet the required security posture.
  • Grants no implicit trust to any entity on the network at any time.
  • Takes context into account, from the time of the request to the geographic location of the user or endpoint.
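As an added illustration (not code from the original article or from any vendor's product), the following Python sketch shows a minimal ZTNA-style policy decision point that applies the rules above: default deny, explicit per-application allow, identity and device verification, and contextual checks on time and source country. It also shows the point made earlier that trust is never carried over, since every request is evaluated from scratch against the current policy set, and that a policy change takes effect on the very next request. All users, devices, application names and policies in it are constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# All names, users, devices and policies below are constructed for this example.
NOW = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)  # 10:00 UTC on a weekday


@dataclass(frozen=True)
class Request:
    user: str
    app: str                        # a named application, never "the network"
    device_id: str
    country: str                    # source country as seen by the broker
    now: datetime
    identity_verified_at: datetime  # last time the IdP verified the user (e.g. MFA)


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    os_patched: bool
    checked_at: datetime            # when the endpoint agent last reported


@dataclass(frozen=True)
class Policy:
    app: str
    groups: frozenset               # user must be in at least one of these
    countries: frozenset            # permitted source countries
    hours_utc: tuple                # (start, end): allowed if start <= hour < end
    max_identity_age: timedelta     # older verification => re-authenticate
    max_posture_age: timedelta      # older posture report => treat as unknown


# Constructed directory data and policies. A live policy set, not a cache of
# past decisions: changing it takes effect on the very next request.
POLICIES = {
    "payroll": Policy("payroll", frozenset({"finance"}), frozenset({"US", "GB"}),
                      (7, 19), timedelta(hours=8), timedelta(hours=1)),
    "wiki": Policy("wiki", frozenset({"staff"}), frozenset({"US", "GB", "DE"}),
                   (0, 24), timedelta(hours=24), timedelta(hours=4)),
}
USER_GROUPS = {"alice": frozenset({"finance", "staff"}), "bob": frozenset({"staff"})}
DEVICES = {
    "lap-01": DevicePosture(True, True, True, NOW - timedelta(minutes=10)),
    "byod-07": DevicePosture(False, True, False, NOW - timedelta(minutes=10)),
}


def evaluate(req: Request, policies: dict, user_groups: dict, devices: dict) -> tuple:
    """Decide one request from scratch and return (allowed, reason).

    Nothing from a previous decision is consulted; every check re-runs
    against the current policy set and the current posture data.
    """
    policy = policies.get(req.app)
    if policy is None:                      # default deny: no rule, no access
        return False, "deny: no policy grants access to this application"
    if not (user_groups.get(req.user, frozenset()) & policy.groups):
        return False, "deny: user is not in an authorized group"
    if req.country not in policy.countries:
        return False, "deny: source country not permitted for this application"
    start, end = policy.hours_utc
    if not start <= req.now.hour < end:
        return False, "deny: outside permitted hours"
    if req.now - req.identity_verified_at > policy.max_identity_age:
        return False, "deny: identity verification too old, re-authenticate"
    device = devices.get(req.device_id)
    if device is None or not device.managed:
        return False, "deny: unknown or unmanaged device"
    if req.now - device.checked_at > policy.max_posture_age:
        return False, "deny: device posture report is stale"
    if not (device.disk_encrypted and device.os_patched):
        return False, "deny: device fails posture requirements"
    return True, f"allow: {req.user} -> {req.app}"


def make_request(user, app, device_id="lap-01", country="US",
                 hour=10, auth_age_hours=1.0) -> Request:
    """Build a constructed request at the given UTC hour."""
    now = NOW.replace(hour=hour)
    return Request(user, app, device_id, country, now,
                   now - timedelta(hours=auth_age_hours))


def with_countries(policies: dict, app: str, countries) -> dict:
    """Return a policy set in which `app` is restricted to `countries` (a runtime policy change)."""
    updated = dict(policies)
    updated[app] = replace(policies[app], countries=frozenset(countries))
    return updated


def decide(req: Request, policies: dict = POLICIES) -> tuple:
    return evaluate(req, policies, USER_GROUPS, DEVICES)


if __name__ == "__main__":
    print(decide(make_request("alice", "payroll")))
    print(decide(make_request("bob", "payroll")))
    print(decide(make_request("alice", "payroll", device_id="byod-07")))
    print(decide(make_request("alice", "hr-db")))                  # no policy exists
    print(decide(make_request("alice", "payroll", auth_age_hours=9)))
    print(decide(make_request("alice", "payroll", hour=22)))
    # Same user, device and app as the first request, but the policy changed in between.
    print(decide(make_request("alice", "payroll"), with_countries(POLICIES, "payroll", {"GB"})))
```

Note that access is granted to a named application, never to a subnet or port range, so an authenticated user with a healthy device still cannot reach an application for which no policy exists; that is what limits lateral movement compared with a VPN that drops the user onto the network.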

ZTNA as a concept

ZTNA is a concept rather than a product, so network and cybersecurity vendors each have their own implementation of it.

By implementing ZTNA, an organization can prevent unauthorized users from communicating with protected systems, or even from discovering that those systems exist.

ZTNA as part of a SASE solution

ZTNA can be implemented as a standalone solution, but it can also be delivered as part of a SASE solution. ZTNA is one of the five standard components of SASE, alongside Software-Defined Wide Area Network (SD-WAN), Cloud Access Security Broker (CASB), Secure Web Gateway (SWG) and Firewall as a Service (FWaaS). One advantage of deploying them together is simpler management of network security without sacrificing network performance.

ZTNA can indeed stand alone. As part of a SASE solution, however, the ZTNA component gains visibility it would not otherwise have, such as user actions and the data traffic that passes through the other SASE components.

For example, a standalone ZTNA solution only sees the connections it brokers to protected applications. If a user at home or traveling accesses the internet directly, outside the corporate WAN, that traffic is invisible to it. A SASE platform, which carries all of the user's traffic through its cloud edge, sees that traffic as well.

As a SASE component, ZTNA can therefore detect anomalies more reliably, block traffic from external networks suspected of being compromised, and block web access that violates policy.

Benefits of ZTNA

  • Simplifies application control and network access by unifying them under a single product or service.
  • Provides unified access control for on-site and off-site users and systems, provided the ZTNA deployment covers both.
  • Enables more granular, context-aware access policies.
  • Reduces the risk of lateral movement, and therefore of lateral attacks within the infrastructure, by both outsiders and malicious insiders, because users are granted access to individual applications rather than to the network.