ZTNA: What is Zero Trust Network Access?
Zero Trust Network Access (ZTNA) is the future of network security and access control. Our old strategies for defending networks at the perimeter are failing. The very concept of the fixed network perimeter is fading away. Resources, users, devices — and threats — could be anywhere, on any network. ZTNA transforms network access control to address this modern reality.
We want to help you understand ZTNA, its benefits, and its use cases. We also want to bust one of the myths that have kept organizations from adopting Zero Trust practices: that ZTNA is too difficult, too confusing, or too time-consuming to do right (or at all).
Zero Trust Network Access is a framework of principles and concepts that assumes every user, device, or network may already be compromised. ZTNA drops the network-centric view that fixates on securing a fixed network perimeter around a group of corporate resources. In its place, ZTNA adopts a modern, network-agnostic perspective that defends each resource at the network edge - each device, or even each application on a device, essentially has its own individual perimeter. The ZTNA framework can be distilled into several guiding principles:
- Assume breach - Resource defenses should assume that any incoming connection is a threat regardless of its source. A device’s location on a network does not grant it any special status.
- Verify explicitly - Authenticate and authorize all access requests based on user identity, device posture, source network, and other contextual factors.
- Least privilege - Temporarily grant users the lowest level of access that lets them do their jobs. Revoke permissions when sessions end or any trust factor changes.
- Monitor everything - Collect information about network activity and the state of resources and infrastructure in order to detect issues and improve overall security posture.
Because ZTNA is a set of principles rather than a single product, it can be achieved using a variety of different approaches and implementations.
Over the past year, ZTNA has been everywhere you look in the networking and cybersecurity world. But ZTNA’s popularity is the latest stage in a development cycle spanning three decades:
- 1994 - Researcher Stephen Marsh coins “zero trust” in his Ph.D. dissertation.
- 2010 - Forrester analyst John Kindervag popularizes Zero Trust.
- 2014 - Google introduces its “BeyondCorp” deployment of ZTNA.
- 2020 - NIST publishes a ZTNA primer for federal agencies and industry.
- 2021 - The Biden Administration instructs all U.S. federal agencies to adopt ZTNA.
Far from an over-hyped buzzword that everyone forgets, Zero Trust Network Access will become the way organizations structure their security and access control systems.
Two forces are driving ZTNA’s momentum and adoption. The strain of industry trends is breaking traditional technologies and pushing government and industry to ZTNA. At the same time, ZTNA’s benefits are pulling networking and security professionals towards a future that promises better security, manageability, and user experience.
- Fading perimeters - Securing a network perimeter made sense when all resources resided on-premises. Today, critical resources are co-located, cloud-hosted, or sourced from third parties. The network “perimeter” extends beyond company walls and intersects the networks of other companies, as well as the general internet.
- Changing workforces - The world’s sudden shift to working-from-home will never fully reverse. Most users will be part of the hybrid workforce accessing resources remotely. At the same time, blended workforces add freelancers and other on-demand workers to the access control mix.
- Device and network diversity - Users access resources from a more diverse set of devices and networks. Administrators have less control as bring-your-own-device policies expand to serve hybrid workforces. As the perimeter fades, more access requests come from beyond managed networks.
- Cybercrime - The trust implicit in technologies such as VPN or RDP makes an organization’s own defenses a security risk. All it takes is one unpatched security hole or phishing attack to compromise an entire network.
- Minimized attack surface - ZTNA hides all resources from view from the public internet. Contextual authentication makes it easier to identify suspicious access requests.
- Controlled blast radius - When (not if) breaches succeed, they are contained within the compromised resource. ZTNA creates a micro-segmented network architecture that requires authentication and authorization to access each node. Cybercriminals must spend more time and effort to cross ZTNA’s resource-centric defenses, increasing security teams’ ability to identify and mitigate the threat.
- More granular control - Using the principle of least privilege lets administrators develop more granular access policies that can also incorporate user roles, the networks they use, their device’s security posture, and many other factors.
- Unified management - The network-centric distinctions of on-premises versus cloud, proprietary versus third-party, and remote versus on-site require a fragmented mix of inconsistent security systems. Since ZTNA is network agnostic, security teams can use a single system to apply consistent access control policies across all resources.
- Lower infrastructure costs - Preserving a secure perimeter requires expensive, ongoing investments in infrastructure and overhead. With a ZTNA system in place, organizations alleviate this burden and can reassign staff to more productive work.
- Improved network performance - Allowing remote access through secure perimeters forces traffic through network choke points such as VPN gateways. ZTNA securely connects users to resources using a more direct, performant route, which can dramatically improve connection speeds.
- Improved user experience - Improving network performance and unifying fragmented access control processes within a single ZTNA system makes the user experience better. And by making network security simpler and easier, ZTNA improves compliance across the entire company.
Implementing a Zero Trust Network Access architecture does not need to be an all-or-nothing proposition. Since it does not depend on the network infrastructure, phased deployments of ZTNA are easy to implement. The migration project can prioritize the use cases that offer the most impact on security and productivity.
- Securing private resources - A hybrid workforce that skews towards remote work places demands on networks that obsolete access control technologies cannot meet. ZTNA simplifies security policy enforcement while improving the user experience.
- Securing cloud resources - ZTNA routes user traffic to cloud resources through direct, encrypted tunnels over the internet rather than through company networks. In multi-cloud scenarios, administrators can connect cloud providers directly without routing traffic through their networks.
- Limiting third-party risk - Contractors, visitors, and other third parties need access to a company’s network. Yet there is no way to know how effectively they keep their devices secure. ZTNA ensures that third parties cannot access resources unless specifically permitted.
- Replacing obsolete access systems - The security weaknesses inherent to VPN gateways make them prime targets for cybercriminals. Replacing VPN access control with ZTNA eliminates this risk while simplifying network management.
Whenever a user requests access to a resource, they trigger a five-step process within the ZTNA system.
- Access attempt - No resources are directly accessible by a user’s device unless access is requested via the ZTNA system (typically through an agent installed on that device).
- Identity authentication - The request triggers an identity verification process that is handled by an Identity Provider, preferably using multi-factor authentication.
- Contextual authorization - The ZTNA system evaluates the context of the verified user’s request to create a risk profile. Role-based policies, device posture, geo-location, network type, and other variables determine whether — and to what degree — users receive access to the resource.
- User access - ZTNA creates a secure, encrypted tunnel between the user’s device and the resource. Policies determine when these tunnels pass through managed networks or the public internet.
- Ephemeral permissions - Permissions are never permanent and will expire after a set time, after a window of inactivity, or when the session ends. Once access expires, the client app loses access to the resource and must initiate a new request.
There are many ways to implement ZTNA, but Twingate offers the simplest path. Our software solution requires no changes to your network infrastructure. In as little as 15 minutes, your entire organization can benefit from Zero Trust Network Access.
- Security risks controlled by reduced attack surface and micro-segmentation.
- Eliminating legacy security systems reduces costs while improving security.
- Twingate’s software-defined perimeters are easier to scale.
- Simpler user experience increases security compliance.
- Single console for managing role-based access policies.
- Unified access control for all on-premises and cloud resources.
- Integration with existing security and identity providers.
- User and device-indexed logging for in-depth security and performance monitoring.
- Split tunneling routes non-essential traffic through the internet, not your network.
- Consumer-like app installation experience with no device configuration needed.
- More performant connections to resources improve productivity.
- Frictionless remote access makes working from home easier and more productive.
Traditional approaches to network security and remote access have reached a breaking point. Security administrators cannot protect essential resources using inherently vulnerable technologies. Network administrators cannot manage modern workplaces with technologies based on obsolete business practices.
Twingate’s Zero Trust Network Access solution lets you adopt a modern approach to security and access control. Using ZTNA, you will better protect your organization’s valuable resources while replacing brittle, expensive infrastructure with a simple, easily-managed software solution.
Fifteen minutes is all it takes to deploy Twingate’s modern ZTNA solution. To find out how, contact Twingate today.