Zero Trust Network Access (ZTNA) is an IT security solution that provides secure remote access to an organizations applications, data, and services based on clearly defined access control policies. ZTNA differs from virtual private networks (VPNs) in that they grant access only to specific services or applications, where VPNs grant access to an entire network. ZTNA is a set of technologies and functionalities that enable secure access. It is a component of the secure access service edge (SASE) security model, which, in addition to ZTNA, comprises next-gen firewall (NGFW), SD-WAN, and other services in a cloud-native platform.
ZTNA works by creating an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context, and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. There are two approaches to ZTNA implementation, endpoint initiated and service-initiated. In an endpoint-initiated zero trust network architecture, the user initiates access to an application from an endpoint connected device, similarly to an SDP. An agent installed on the device communicates with the ZTNA controller, which provides authentication and connects to the desired service. The advantage here is that no agent is required on end-user devices, making it more attractive.
Benefits of ZTNA include reducing an organizations attack surface, implementing location or device-specific access control policies to prevent unpatched or vulnerable devices from connecting to corporate services, and allowing organizations to implement policy beyond the laptops, desktops, and mobile devices. ZTNA also provides a pre-authentication trust assessment of the connecting user and device, including device posture, authentication status, and user location.
In summary, ZTNA is a security solution that provides secure remote...
