October 1, 2024


ZTNA Use Cases: Real-World Examples for Modern Enterprises

The rise of hybrid and remote work has created unprecedented opportunities for forward-thinking organizations and their employees. At the same time, it has also created unprecedented opportunities for threat actors. The ability to access sensitive files from almost any machine, while convenient, can be a profound security risk. That’s why it’s worth considering a few real-world ZTNA use cases.

Zero trust network access (ZTNA) is a cybersecurity solution to protect private applications. ZTNA solutions are based on the principle of zero trust, which assumes any login attempt could be from a compromised account. With ZTNA in place, users must prove their identities both strenuously and frequently. Even after users log in, ZTNA limits the amount of data they can access.

While the increased scrutiny of ZTNA may take some getting used to, it’s a major deterrent for threat actors. This technology can also be a more sophisticated replacement for virtual private networks (VPNs). With the right ZTNA solution in place, you can give your employees the flexibility they need while locking down your organization’s most sensitive data.

What is ZTNA?

What is zero trust network access? It’s essentially just what the name implies. When users want to gain access to private apps, providing legitimate login credentials is only the first step. Beyond credentials, ZTNA uses a variety of telemetry to validate users, including multi-factor authentication (MFA), location information, device health, and more. Users don’t remain logged in between sessions, and they may have to occasionally reenter their credentials while they’re working. Even then, users will only have access to the specific apps and data they need to do their jobs, rather than unfettered access to the corporate network. These safeguards represent minor obstacles for legitimate users, but insurmountable roadblocks for all but the most dedicated threat actors.

It’s also worth comparing ZTNA to VPNs, as both technologies offer ways for remote users to access an organization’s sensitive files. While VPNs are much more secure than simply leaving your files in a public cloud server, they do have a few drawbacks compared to ZTNA:

  • Assumption of trust: Once a user logs into a VPN, they get full access to their files, folders, and apps, along with all their usual permissions.
  • Vulnerability to exploitation: A VPN user can share files and folders from their personal devices, often without restriction. Malware can spread across a whole network this way.
  • Decreased performance: VPNs may route network traffic through inefficient bottlenecks. This creates slowdowns for legitimate users.

Compared to VPNs, ZTNA protection is generally more secure, more convenient, and more nuanced.

ZTNA use cases

Secure access to private apps

In 2015, the cloud contained 25% of the world’s data. By 2025, that number may double. At the same time, more than half of remote-capable companies in the U.S. now offer hybrid work environments. With more sensitive data in the cloud and more remote workers who need it, organizations must protect their assets while ensuring access for legitimate employees.

One of the primary ZTNA use cases is as a middle ground between unrestricted access and locking down everything. Unlike VPNs, ZTNA can let employees access certain private apps and data while restricting others. A ZTNA with user and entity behavioral analytics (UEBA) capabilities can also take into account where a login attempt comes from, which device it’s on, and what time of day it occurs, and use that information to shut down any suspicious users. These context-aware strategies help to authorize remote workers and stymie threat actors.

VPN replacement

VPNs have played an important role in cybersecurity over the past few decades, but they’re no longer the most sophisticated tools available. Organizations with hybrid and remote work structures may want to phase out VPNs in favor of ZTNA solutions.

While VPNs are excellent at granting access to remote files, security is often a secondary concern. Once a user logs in, they have the same access they’d have with an on-premises device. VPNs also require frequent software updates, manual configuration, and lots of network bandwidth to function properly. On the other hand, ZTNA offers context-specific access, “least privilege” principles, and better performance for end users.

Remote workforce security

Before cloud computing became mainstream, carrying out a cyber attack was much more difficult. A potential threat actor would have to compromise an account (without any high-profile data breaches to work from), gain physical access to an office, find a particular user’s computer, and extract files without setting off a system’s security suite. Now, usernames and passwords are available on the dark web, and a threat actor can attempt to log in from just about anywhere in the world. Differentiating a legitimate login from a potential cyber attack is not always straightforward.

ZTNA can protect both your organization’s assets and your remote workers’ privacy. When a threat actor compromises an account, that user’s information is often the first thing at risk. Names, addresses, phone numbers, emergency contacts, bank records, and social security numbers may all be vulnerable. Since ZTNA allows limited app access by default, a threat actor in the wrong location, with the wrong IP address, at the wrong time of day may not be able to find much valuable personal information.

Best practices for ZTNA integration

What is a zero trust network in organizational terms? As you choose the ZTNA solution that’s right for your organization, there are a few best practices that apply across the board.

First, determine where your cloud data and app privacy currently stand. Make a complete list of all the private apps running in your organization’s network. Analyze what kind of data users can extract from each one and which devices they typically use. If you use data loss prevention (DLP) technology, test its limits and see exactly how much sensitive data any given user can access, copy, and share.

From there, you can move on to implementing ZTNA. When you do so, you should determine:

  • each employee’s default permissions;
  • access restrictions on company-issued vs. personal devices;
  • how often the system should challenge logged-in users;
  • ZTNA interactions with your existing firewall policies;
  • relative importance of login location, IP address, time of day, etc.;
  • and countermeasures in case of data loss.
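
The decisions in the list above, expressed as a small policy evaluator. This is an added example, not code from the original article or from any ZTNA product; the roles, app names, weights, thresholds, and the `decide` function are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy: every app, role, weight and threshold is an assumption.
POLICY = {
    "default_apps": {"engineer": {"git", "wiki"}, "finance": {"ledger", "wiki"}},
    "managed_only_apps": {"ledger"},        # not reachable from personal devices
    "reauth_interval": timedelta(hours=4),  # how often logged-in users are challenged
    "weights": {"new_country": 40, "unknown_ip": 25,
                "off_hours": 15, "unhealthy_device": 30},
    "step_up_at": 30,                       # score that triggers an MFA challenge
    "deny_at": 60,                          # score that blocks the request
}

@dataclass
class Request:
    role: str
    app: str
    managed_device: bool
    device_healthy: bool
    country: str
    usual_countries: frozenset
    ip_known: bool
    now: datetime        # assumed to be the user's local time
    last_auth: datetime

def risk_score(req, policy=POLICY):
    """Sum the weights of every context signal that looks unusual."""
    signals = {
        "new_country": req.country not in req.usual_countries,
        "unknown_ip": not req.ip_known,
        "off_hours": not 7 <= req.now.hour < 19,
        "unhealthy_device": not req.device_healthy,
    }
    return sum(policy["weights"][name] for name, hit in signals.items() if hit)

def decide(req, policy=POLICY):
    """Return 'allow', 'step_up_mfa' or 'deny' for one access request."""
    # Least privilege first: apps outside the role's default set are never reachable.
    if req.app not in policy["default_apps"].get(req.role, set()):
        return "deny"
    if req.app in policy["managed_only_apps"] and not req.managed_device:
        return "deny"
    score = risk_score(req, policy)
    if score >= policy["deny_at"]:
        return "deny"
    stale = req.now - req.last_auth > policy["reauth_interval"]
    if score >= policy["step_up_at"] or stale:
        return "step_up_mfa"
    return "allow"
```

Unlike a VPN login, the check runs on every request, so a session that was allowed in the morning can be challenged or denied later when the context changes.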

One common difficulty during implementation is that the continuous conditional access provided by ZTNA works differently than remote access via VPN. Rather than simply logging into a system once and remaining logged in for weeks or months at a time, employees may now have to provide credentials multiple times per day, complete with MFA protocols and reduced permissions. Administrators should remind employees that ZTNA safeguards both their professional reputations and their personal information. The IT and security teams should also solicit frequent feedback from employees to ensure that the security challenges don’t lock out or restrict legitimate users.

Adopt ZTNA to protect your data

Finding ZTNA use cases for your organization can be a complex process, particularly if you’ve been relying on VPNs for years. Transitioning requires cybersecurity expertise, specialized software, and a robust understanding of each employee’s responsibilities. A strong ZTNA strategy is well worth the effort, though, as you can build a stronger security posture and help your remote employees work more efficiently.

Lookout Secure Private Access is a ZTNA solution that doesn’t just secure access to private apps, it protects the data within them. To learn whether your organizational data is at risk — and how to better protect it — read our e-book, The Data Protection Playbook: How to Enforce Zero Trust to Your Private Apps.

The Data Protection Playbook: How to Enforce Zero Trust to Your Private Apps

Unlock our e-book to learn why ZTNA is your modern security solution. Plus, get three key steps to upgrade your security now!

Book a personalized, no-pressure demo today to learn:

  • How adversaries are leveraging avenues outside traditional email to conduct phishing on iOS and Android devices
  • Real-world examples of phishing and app threats that have compromised organizations
  • How an integrated endpoint-to-cloud security platform can detect threats and protect your organization
