How does Zero Trust Network Access Work?
Security professionals and executives alike recognize that Zero Trust Network Access (ZTNA) is the future of network security. The challenge comes when trying to answer questions like:
- Why do we need to replace our VPN with ZTNA?
- What would using ZTNA look like?
- What could go wrong if we switch?
We will help you answer these questions and more. After reviewing the business, operations, and security advantages of ZTNA, we will explain two common ways users engage with a ZTNA system. We’ll finish with a discussion of the challenges and risks that ZTNA migration projects typically face.
How Zero Trust Network Access is replacing VPNs
Legacy security technologies are based on a secure perimeter paradigm that implicitly trusts the resources, devices, and people connected to a protected network. Appropriate to network architectures of the 1980s, the secure perimeter has become a liability in today’s decentralized, cloud-based, work-from-home world. Consider some of VPN’s weaknesses:
- Performance impact - VPN gateways concentrate traffic, reduce bandwidth, and increase latency
- Management complexity - Multiple access control systems complicate security administration
- Visible attack vector - VPN gateways are discoverable and exploitable by hackers
- Over-permissive access - VPNs grant full access to the protected network’s resources, services, and protocols
Designed for today’s decentralized networks and workforces, ZTNA is based on three core principles:
- Assume breach - Any network, device, credential, or user could be compromised at any time. Never assume trust for any of them
- Verify explicitly - Authenticate user identity, confirm device posture, and evaluate the context of every request
- Least privilege - Only authorize access to specific resources the user needs for their work
ZTNA is network-agnostic, creating direct connections between users wherever they are located and a company’s resources whether on-premises or in the cloud. Some of the benefits of ZTNA include:
- Unified access control - ZTNA lets companies manage access for remote and on-premises workforces within a single system
- Securing development environments - ZTNA improves the security of a company’s most sensitive resources while improving developers’ access
- Universal multi-factor authentication - Twingate’s ZTNA solution lets you extend MFA to every resource — even to services such as SSH
- Improved security - ZTNA lets you apply granular, role-based access controls based on the principle of least privilege
Agentless and service-based Zero Trust Network Access
Users interact with a ZTNA system in one of two ways. The first is an agentless, service-based approach. The user opens a browser or browser-based app to access the company’s ZTNA portal. This browser session collects data on the device’s security posture and the context of the network connection. Integrated with an Identity Provider (IdP), the browser verifies the user’s identity with a login password, single sign-on, or multi-factor authentication.
With the user’s identity authenticated, the browser session redirects to whatever web-based resources the user is authorized to access.
Agent-based Zero Trust Network Access
The second approach requires an agent running on the user’s device. The agent collects the user’s identity, the device’s security posture, and the context of the connection, then sends this information to the ZTNA system. Once the user is authenticated, ZTNA solutions such as Twingate use proxies to create direct, encrypted tunnels between an authorized resource and the user’s device.
Agentless versus agent-based ZTNA
Which approach you choose will depend on several factors unique to your organization. These three scenarios highlight some of the trade-offs:
Installing an agent on a managed device is straightforward. Logistical and privacy concerns, however, make agents difficult to install on employees’ personal devices or a third party’s devices. An agentless approach would be better in this scenario.
Agentless ZTNA only works with applications that users can access through their browser. Users will need to install a ZTNA agent to access legacy applications that do not support web interfaces.
Agent-based ZTNA can simplify the migration to a new security architecture. The ZTNA agent will seem very familiar to anyone already used to VPN clients. In addition, users won’t have to learn a new browser-based system. Agents let them access resources as they always have.
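The access decision described above (verify identity, device posture, and context on every request, authorize only specific resources, and limit agentless sessions to browser-accessible applications) can be written as a default-deny policy check. This is an added example, not Twingate's code or API; the roles, resource names, posture fields, and country rule are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed sample model: roles, resources and posture fields are
# illustrative assumptions, not any vendor's policy schema or API.
@dataclass(frozen=True)
class Resource:
    protocol: str              # "https", "ssh", ...
    allowed_roles: frozenset

@dataclass(frozen=True)
class Request:
    roles: frozenset
    idp_authenticated: bool    # identity confirmed by the IdP
    mfa_passed: bool
    client: str                # "agent" or "agentless" (browser session)
    disk_encrypted: bool       # device posture signal
    os_patched: bool           # device posture signal
    country: str               # connection context signal
    resource: str

WEB_PROTOCOLS = {"http", "https"}
ALLOWED_COUNTRIES = {"US", "DE"}   # constructed context rule

CATALOG = {
    "wiki": Resource("https", frozenset({"staff", "dev"})),
    "build-host": Resource("ssh", frozenset({"dev"})),
}

def decide(req, catalog=CATALOG):
    """Evaluate one request; every check must pass or access is denied."""
    res = catalog.get(req.resource)
    if res is None:
        return False, "unknown resource"
    if not (req.idp_authenticated and req.mfa_passed):
        return False, "identity not verified"
    if not (req.disk_encrypted and req.os_patched):
        return False, "device posture failed"
    if req.country not in ALLOWED_COUNTRIES:
        return False, "context rejected"
    if req.client == "agentless" and res.protocol not in WEB_PROTOCOLS:
        return False, "agent required for non-web resource"
    if not (req.roles & res.allowed_roles):
        return False, "role not authorized for this resource"
    return True, "allow"

def reachable(req, catalog=CATALOG):
    """Resources this user/device/client may reach: the least-privilege view."""
    return sorted(n for n in catalog if decide(replace(req, resource=n), catalog)[0])

dev_agent = Request(frozenset({"dev"}), True, True, "agent", True, True, "US", "build-host")
```

The same developer on an agentless browser session reaches only the web resource, and a failed posture check denies access even with valid credentials.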
Challenges for adopting Zero Trust Network Access
A recent Microsoft survey found that 96% of enterprise security professionals consider Zero Trust to be mission-critical. At the same time, 94% were concerned about the transition from architectures based on secure perimeters to ones based on Zero Trust. Such a fundamental change is not easy. Here are a few of the challenges you may face in your company’s Zero Trust journey:
Building the case for ZTNA
The top challenge security professionals face when implementing ZTNA is having the budget and resources to get the job done right. Ultimately, this comes down to sustained C-level support. Stakeholder buy-in is almost as important. Everyone needs to be convinced that moving to ZTNA will improve the business and make their lives easier.
Learning to manage identities
Maintaining a database of usernames and passwords for your VPN system is not the same as identity management. One of the first steps in successful ZTNA deployments is an audit of identity and access policies. Although role-based, least-privilege access is the ultimate objective, you need time to get there. Rolling out Zero Trust to privileged users can be a good place to start since it improves their access while making network systems more secure.
ZTNA and business workflows
ZTNA takes network segmentation to its logical conclusion. But resource-by-resource access control does not need to happen all at once. Stakeholders will push back when a ZTNA project disrupts established workflows. Early phases should target resources that require few changes to networks, applications, and security systems. As mentioned above, an agent-based approach may be easier for users to accept.
Risks associated with adopting Zero Trust Network Access
Although ZTNA makes modern IT architectures more secure, it does not eliminate every risk. You will need to anticipate and mitigate these risks as you plan your ZTNA implementation project.
Single point of failure
ZTNA hides all resources from any network, public or private. The only way users can access a resource is through a connection brokered by the ZTNA service. If anything goes wrong with the service, your employees can’t do their jobs. Choose a ZTNA provider that has a large, geographically dispersed point-of-presence (PoP) network. If one PoP goes down, your ZTNA system will still work.
One of the benefits of ZTNA is the consolidation of access control into a single system. These efficiency gains go away if your ZTNA system cannot protect your entire infrastructure. Make sure your ZTNA provider uses protocols that work with your legacy on-premises applications. Enhanced features such as extending MFA to SSH can close other implementation gaps.
ZTNA security risks
Zero Trust mitigates successful security breaches by forcing hackers to spend more time on reconnaissance and by constraining their lateral movement. But that does not mean ZTNA security is flawless. Breaches of ZTNA servers, stolen user devices, and compromised privileged credentials can still lead to damaging attacks. With the right ZTNA implementation, however, security administrators have more time to focus on the remaining risks.
See how Zero Trust Network Access can work for your organization
Transitioning from the secure perimeter paradigm to one based on Zero Trust does not happen overnight. It is a new way of thinking about secure access and requires new security processes. At the same time, ZTNA cannot disrupt business operations if you want to keep executive and stakeholder support. Careful planning must account for the potential challenges and risks. Take a phased approach that starts with a proof-of-concept project before gradually rolling it out to the rest of the organization. This is where having the right ZTNA vendor makes a difference.
We designed the Twingate secure access solution to make migrating to Zero Trust seamless. You do not have to change your network infrastructure since Twingate works across firewalls, subnets, and cloud services. Twingate is compatible with your existing security stack, including your current VPN system, as well as with your DevOps team’s CI/CD pipeline. Twingate customers have deployed our Zero Trust solution within minutes.
Using your new ZTNA system is just as easy. Administrator consoles let your staff update access permissions quickly. Easy-to-use apps run quietly in the background. Even the most demanding users love it because Twingate just works.
See how easy Zero Trust can be by trying our free Starter plan for individuals. Or contact us to learn how Twingate ZTNA solutions can work for your team.