Zero Trust Network Access (ZTNA) is a term that is bandied about a lot lately, but what does it actually mean? In short, ZTNA means that users are only granted access to the resources they need to do their job and nothing more. This can be done through a variety of methods, such as granting access on a need-to-know basis or using dynamic authorization controls.
By implementing ZTNA, organizations can reduce the risk of unauthorized access and protect sensitive data. Want to learn more? Keep reading!
Definition of Zero Trust Network Access (ZTNA)
ZTNA is a new way to think about a network. The name Zero Trust Network Access (ZTNA) describes how IT can protect the IT infrastructure and its resources while still enabling secure access for all users, including external users, partners, customers, and employees.
The term Zero Trust was coined by Forrester in 2015 and refers to a security model under which an organization’s resources are exposed only to users with a legitimate need for access. This is done by “looking under the hood”, as it were: every connection request is reviewed and checked before any information is transmitted.
Zero Trust Network Access (ZTNA) is one of several alternatives to traditional network access control (NAC). Traditional NAC slows down and alerts on client devices at the moment they try to connect to the network, in either a wired or wireless environment.
Other methods include application access control, where traditional network NAC has been augmented with application-layer inspection capabilities and endpoint security. ZTNA can be considered the next step beyond endpoint security, because ZTNA is concerned with the users’ “connections” rather than with the physical endpoint itself.
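To make the model concrete, here is an added example (not code from the original article) of a minimal ZTNA-style policy decision point. It evaluates each connection request on its own, deny by default, against the three things the text describes: a verified identity, a need-to-know resource grant, and dynamic conditions such as device posture. The users, roles, devices, request values and the `decide`/`audit` helpers are all constructed for illustration and are not a real product's API.

```python
"""
Added example, not from the original article: a minimal ZTNA-style policy
decision point. Each connection request is evaluated on its own, deny by
default, against a verified identity, a need-to-know resource grant and
dynamic conditions such as device posture. Users, devices, roles and the
request values are all constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Request:
    user: str
    resource: str
    device_id: str
    mfa_verified: bool
    source_ip: str  # logged for audit only; never used as a trust signal


# Role grants implement "need to know": a role sees only the resources it needs.
ROLE_GRANTS: Dict[str, set] = {
    "finance": {"erp", "payroll"},
    "engineering": {"git", "ci"},
    "contractor": {"git"},
}

# Constructed identity directory.
USERS = {
    "alice": {"role": "finance", "active": True},
    "bob": {"role": "engineering", "active": True},
    "eve": {"role": "contractor", "active": False},  # offboarded account
}

# Constructed device posture, as an MDM or EDR agent might report it.
DEVICES = {
    "lap-001": {"owner": "alice", "managed": True, "disk_encrypted": True, "edr_healthy": True},
    "lap-002": {"owner": "bob", "managed": True, "disk_encrypted": False, "edr_healthy": True},
    "byod-9": {"owner": "bob", "managed": False, "disk_encrypted": True, "edr_healthy": False},
}


def device_compliant(dev: dict) -> bool:
    """Posture policy: managed, encrypted and with a healthy endpoint agent."""
    return dev["managed"] and dev["disk_encrypted"] and dev["edr_healthy"]


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; any failure denies."""
    user = USERS.get(req.user)
    if user is None or not user["active"]:
        return False, "unknown or inactive identity"
    if not req.mfa_verified:
        return False, "MFA not satisfied"
    dev = DEVICES.get(req.device_id)
    if dev is None:
        return False, "unregistered device"
    if dev["owner"] != req.user:
        return False, "device not bound to this user"
    if not device_compliant(dev):
        return False, "device posture non-compliant"
    if req.resource not in ROLE_GRANTS.get(user["role"], set()):
        return False, "resource outside role grants"
    return True, "allow"


def audit(requests: List[Request]) -> List[str]:
    """Evaluate a batch and produce one audit line per decision."""
    lines = []
    for req in requests:
        allowed, reason = decide(req)
        verdict = "ALLOW" if allowed else "DENY"
        lines.append(f"{verdict} user={req.user} device={req.device_id} "
                     f"resource={req.resource} src={req.source_ip} reason={reason}")
    return lines


if __name__ == "__main__":
    sample = [
        Request("alice", "erp", "lap-001", True, "203.0.113.5"),
        Request("alice", "git", "lap-001", True, "203.0.113.5"),
        Request("bob", "git", "lap-002", True, "10.0.0.7"),
        Request("bob", "git", "byod-9", True, "10.0.0.7"),
        Request("eve", "git", "lap-001", True, "198.51.100.9"),
    ]
    print("\n".join(audit(sample)))
```

Note that the source address is recorded but never consulted: being on the office network earns no trust, which is the difference between this model and a perimeter-based one. Every denial carries a specific reason so that the audit trail can distinguish a posture failure from an over-broad access attempt.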
Traditional Network Access Control Vs. ZTNA
Traditional network access control (NAC) is becoming less effective as more and more users access the network from mobile and remote devices, as well as via cloud-based applications. This is because traditional NAC implementations rely on a user’s physical endpoint device as the deciding factor in whether they are authorized to access the network.
While this method of protection initially provided a high level of security, it soon became clear that adding physical inspection points to inspect client devices for malicious content was an extremely costly and time-consuming proposition.
Organizations started using additional technology to inspect client devices, including antivirus software, personal firewalls, and other endpoint security tools. This introduced additional costs and IT resource consumption, as administrators had to deploy and manage these new tools on every client device.
Layers of Defense
IT organizations could start inspecting traffic at layer 7 (the application layer) instead of layer 3 (the network layer). This allowed them not only to inspect traffic for malicious activity but also to look for policy violations, for example a user trying to access a non-work application from their workstation.
Application access control was originally designed for wired networks but soon became popular with wireless networks as well. Packet inspection points were added onto wireless controllers to inspect traffic from wireless clients. The next logical step was integration between these two layers of defense — combining application access control with network NAC for an even higher level of protection against malicious activity.
The next logical step after applying both layers of defense on wired and wireless networks was applying them to virtualized networks, where traditional network NAC techniques could be used in conjunction with application-layer inspection capabilities in virtual environments.
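The following added example (not code from the original article) shows why the move from layer 3 to layer 7 inspection described above matters for catching policy violations. Two applications, a work application and a non-work one, are served from the same IP address and port (constructed values in the 203.0.113.0/24 documentation range), so a rule keyed on destination IP and port cannot tell them apart, while a check keyed on the HTTP `Host` header can. The `parse_http_request`, `l3_decision` and `l7_decision` helpers are assumptions made for this illustration; for TLS traffic a real inspection point would read the SNI or terminate TLS first, which is left out here for clarity.

```python
"""
Added example, not from the original article: a network-layer (layer 3/4) rule
versus an application-layer (layer 7) policy applied to the same traffic.
All addresses, hostnames and requests are constructed sample data.
"""
import ipaddress
from typing import Dict, Tuple

# What a layer-3/4 rule can express: destination network and port.
ALLOWED_L3 = [(ipaddress.ip_network("203.0.113.0/24"), 443)]

# What a layer-7 policy can express: the application actually being requested.
WORK_APPS = {"erp.example.com", "git.example.com"}


def l3_decision(dst_ip: str, dst_port: int) -> bool:
    """Network-layer check: is this (destination, port) pair permitted?"""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net and dst_port == port for net, port in ALLOWED_L3)


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, path, headers) from a minimal HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, path, headers


def l7_decision(raw: bytes) -> Tuple[bool, str]:
    """Application-layer check: is the requested application a work application?"""
    method, path, headers = parse_http_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    if host not in WORK_APPS:
        return False, f"non-work application: {host or '<no host header>'}"
    return True, f"{method} {host}{path}"


def compare(dst_ip: str, dst_port: int, raw: bytes) -> Dict[str, bool]:
    """Run both checks on one connection so the difference is visible side by side."""
    return {"layer3": l3_decision(dst_ip, dst_port), "layer7": l7_decision(raw)[0]}


# Constructed sample traffic: both requests go to the same IP and port.
WORK_REQUEST = b"GET /invoices HTTP/1.1\r\nHost: erp.example.com\r\nUser-Agent: x\r\n\r\n"
PLAY_REQUEST = b"GET / HTTP/1.1\r\nHost: games.example.net\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("work", WORK_REQUEST), ("non-work", PLAY_REQUEST)):
        print(label, compare("203.0.113.10", 443, raw), l7_decision(raw)[1])
```

The layer-3 rule allows both connections because they are indistinguishable at that layer; only the layer-7 check flags the second one as a policy violation, and it does so with the application name in the reason, which is what an analyst reviewing the alert needs.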