Zero trust network access (ZTNA) solutions, previously known as software-defined perimeter (SDP), implement and enforce an organization’s zero trust policy. This policy is a fundamental component of a zero trust security architecture designed to enforce strict access control. The goal is to decrease an organization’s exposure to cyber threats.
The zero trust security model assumes all access requests are suspicious, regardless of whether the request is external or internal. A zero trust security policy ensures that any user attempting to connect to the organization’s applications is permitted access only if they require it to perform their job.
ZTNA uses an entirely different approach than traditional network security solutions, emphasizing secure remote access to corporate applications. This approach uses a granular user-to-application access control system rather than relying on a network security perimeter.
ZTNA segregates network access from access to the applications connected to that network. Users who connect to the network do not necessarily gain access to its applications. This isolated model helps reduce network risks and blocks threats from infected devices and compromised user accounts.
ZTNA does not expose application IP addresses to the network. It makes exclusively outbound connections, so the application and network infrastructure are invisible to an unauthorized user. This dark cloud concept prevents malicious attackers from finding the network.
While traditional network access control systems allow devices and users to access the entire network after authentication, ZTNA uses additional measures like endpoint security to inform access decisions. It grants access based on the timing and frequency of access requests, the user’s location, and the resources requested. Thus, even verified users cannot access the network if they attempt suspicious actions or their devices are insecure.
A traditional corporate network uses private Multiprotocol Label Switching (MPLS)-based WAN connections. On the other hand, ZTNA uses TLS-encrypted public Internet connections, keeping the network traffic secure. The Internet is the corporate network, ensuring employees can access network resources and applications from distributed, remote locations.
A virtual private network (VPN) is a popular alternative to ZTNA for controlling access to corporate resources. When users log in to a VPN, they can access the entire network and all its resources—a model known as a castle-and-moat security approach. On the other hand, ZTNA only allows users to access specific applications based on granular access rules, denying access to all data and applications by default.
VPNs have several drawbacks compared to ZTNA:
For many organizations, it is not a matter of either/or—the combination of ZTNA with VPNs can help secure sensitive parts of the network. ZTNA provides an additional layer of security in case of a compromised VPN. Learn more in our detailed guide to zero trust security.
The basic premise of zero trust network access is that internal and external entities can cause cybersecurity attacks. A zero trust network architecture assumes that everything is a potential threat, including users, machines, systems, and software. In contrast, traditional corporate networks trust everything within the perimeter.
ZTNA works by verifying each user’s identity and access permissions, enforcing constant monitoring and re-verification of all devices and users to allow continued access.
For instance, a user might log in to a bank account with a laptop or smartphone, check the balance, and continue to other applications or tabs without signing out. After a specified period of inactivity, the app produces a timeout warning and ends the session automatically if the user doesn’t respond in time. The user must log in again to access the account.
Continuous monitoring limits users’ exposure and protects the network from external and internal attacks. The zero trust security model is essential given the popularity of cloud-hosted systems and applications. It helps prevent, contain, and mitigate the impact of a cyberattack, regardless of its source, and restricts lateral movement.
A zero trust network access solution must ensure the following:
The ZTNA solution must provide secure access for every entity, including managed devices, BYOD or mobile devices, and third parties. It should provide seamless connectivity for DevOps and engineering teams.
Client-based access controls help secure access via managed devices, while clientless controls can secure access to web apps, databases, secure shell (SSH) servers, and remote devices. The solution should cover the privileged access management (PAM) requirements for users accessing multi-cloud environments. Another advantage is single sign-on (SSO), which provides easier access to authorized users.
The solution must support all private applications and resources, not just web apps. It should let users access SSH servers, remote devices, servers, and SQL databases. Other resources available to engineering and DevOps teams must include infrastructure-as-a-service (IaaS) products, cloud environments, virtual private clouds, and microservices.
The ZTNA solution should enable identity provider (IdP) integration via standards like SAML 2.0. It should enable granular, intuitive policy configurations.
A high-performing solution requires little maintenance or additional personnel to manage. For example, a centralized, cloud-based solution may be a user-friendly option that provides deep visibility. The solution must deliver high performance and uptime (99.999%) with Service Level Agreements (SLAs) and multiple points of presence (PoPs) to increase redundancy.
The ZTNA solution should have separate data and control planes to enforce a least-privilege access model. Applications should have fine-grained, built-in controls—for example, read, write, and admin privileges. The system should enforce policies at the query and command levels.
Another important aspect of zero trust is visibility—the solution must enable reports on users, groups, and application activity (for example, via video recordings). Other useful security capabilities in ZTNA solutions include cloud IPS, sandboxing, and data loss protection (DLP).
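The access decision described earlier (endpoint posture, location and request timing feeding the decision, with applications denied by default, continuous re-verification, and per-application read/write/admin privileges) can be illustrated with a small policy-decision function. This is an added example written for this article, not code from any ZTNA product; the policy, groups, applications, country list and timeout are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample policy: per-application entitlements keyed by group.
# Application, group and user names are hypothetical. Anything not listed
# here is denied (default deny), as the article describes.
POLICY = {
    "payroll-db": {"finance": {"read"}, "dba": {"read", "write", "admin"}},
    "git-ssh": {"engineering": {"read", "write"}},
}
ALLOWED_COUNTRIES = {"US", "DE"}   # constructed location allow-list
IDLE_TIMEOUT_S = 900               # re-verify after 15 minutes of inactivity


@dataclass
class Device:
    managed: bool         # enrolled in the organization's endpoint management
    disk_encrypted: bool
    patched: bool


@dataclass
class Request:
    user: str
    groups: frozenset
    device: Device
    country: str
    app: str
    action: str           # "read", "write" or "admin"
    idle_seconds: int     # time since this session was last verified


def posture_ok(device: Device) -> bool:
    """Endpoint-security signal feeding the access decision."""
    return device.managed and device.disk_encrypted and device.patched


def decide(req: Request) -> tuple:
    """Return (allowed, reason). Only an explicit entitlement grants access;
    every other path denies, including a verified user on an insecure device."""
    if req.country not in ALLOWED_COUNTRIES:
        return False, "location not allowed"
    if not posture_ok(req.device):
        return False, "device posture check failed"
    if req.idle_seconds > IDLE_TIMEOUT_S:
        return False, "session idle too long; re-authentication required"
    entitlements = POLICY.get(req.app, {})
    granted = set().union(*(entitlements.get(g, set()) for g in req.groups))
    if req.action in granted:
        return True, f"{req.action} on {req.app} granted by group entitlement"
    return False, "no matching entitlement (default deny)"
```

Note that a user whose identity and group are valid is still denied when the device fails its posture check or the session has gone idle, which is the behaviour the article attributes to continuous re-verification.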
Cynet 360 AutoXDR™ is the world’s first Autonomous Breach Protection platform that natively integrates the endpoint, network and user attack prevention & detection of XDR with the automated investigation and remediation capabilities of SOAR, backed by a 24/7 world-class MDR service. End-to-end, fully automated breach protection is now within reach of any organization, regardless of security team size and skill level.
Cynet 360 AutoXDR™ can be deployed across thousands of endpoints in less than two hours. It can be immediately used to uncover advanced threats and then perform automatic or manual remediation, disrupt malicious activity and minimize damage caused by attacks.