You might have heard about the increasingly popular ZTNA, or Zero Trust Network Access, as a replacement for VPN. But what is ZTNA, how does it work and what are its benefits? Let’s get into it.

What is Zero Trust?

But first, let’s talk about the first half of “ZTNA” — Zero Trust. NIST defines Zero Trust as

a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.

In other words, never trust — always verify. Assume your network has already been breached so every access request needs to be scrutinized and verified to confirm the right person is accessing your resources. Zero Trust Architecture (ZTA) takes this principle further and builds a cybersecurity plan around it, adopting strict access policies and workflows. ZTA is built with these concepts in mind:

• “Resources” are all data sources and services, including but not limited to SaaS platforms, storage devices, corporate owned devices and BYOD devices with access to company resources.
• All communication must be secured regardless of network location, including outside the organization’s perimeter.
• Access to resources is granted on a per-session basis.
• Access to resources is determined by dynamic policy that checks attributes like the user account, application or service, device characteristics and/or behavioral attributes.
• The organization monitors and measures the integrity and security posture of all owned and associated assets, evaluating this when evaluating a resource request and denying access to devices that do not meet requirements.
• Access is only granted once authentication and authorization to a resource is strictly verified, every time access is requested.
• Contextual information about the current state of assets, network traffic and access requests is collected to improve the organization’s security posture.

Organizations use Zero Trust best practices because implicit trust just isn’t cutting it anymore. VPNs have been used for decades, but one successful login to a VPN gives the user access to your network as a whole, allowing for bad actors to move laterally until they get what they want. The upsurge of remote work eliminated the network perimeter as users are connecting to company resources from who-knows-where on who-knows-what-network. This means companies need a stricter access policy — enter ZTNA.

How does Zero Trust Network Access work?

ZTNA relies on two main concepts: microsegmentation and a software-defined perimeter.

Microsegmentation

Microsegmentation refers to the division of a network into isolated segment. Traffic in and out of each segment is monitored an controlled to reduce lateral movement in the network. Microsegmentation can be achieved by implementing identity-based policies that don’t rely on network parameters or environment; instead it uses cryptographic identities and requires mutual authentication and authorization each time access is requested. This method only allows valid network traffic from verified devices and user accounts to access company resources.

Software-defined perimeter

A software-defined perimeter uses these main principles:

• Least privilege: Once a user successfully authenticates and is granted access to a resource, they only have a network connection to that resource.
• Continuous access reevaluation: A user’s access level is continuously reevaluated during a session and is changed if the identity of the user comes into question.
• Attack surface reduction: Lateral movement is prevented with techniques like microsegmentation and the collection of contextual information ensures that any devices missing patches, that are compromised or that lack hardened configurations are unable to connect and cause damage to corporate infrastructure.

Using ZTNA

So what do microsegmentation and a software-defined perimeter do in practice? To put it in simpler terms:

1. A user attempts to access company resources.
2. The user’s credentials, device health and other criteria set by policies are verified.
3. If identity and compliance is confirmed, a microtunnel is created between the device and the resource (not to the network as a whole).
4. Identity and device status are continuously monitored, and the connection is revoked if either comes into question.

Key takeaways

• Zero Trust assumes that no one with access to the network can be trusted, and thus data should be protected from lateral movement while access is only granted with least privilege.
• ZTNA is built on the principles of Zero Trust.
• ZTNA uses microsegmentation and a software-defined perimeter to isolate network resources from hosts inside the network and out of it.