Zero Trust Network Access (ZTNA) is an IT security solution that provides secure remote access to an organization’s apps, data, and services based on clearly defined access control policies. ZTNA differs from virtual private networks (VPNs) in that it grants access only to specific services or apps, whereas a VPN grants access to an entire network. As an increasing number of users access resources from anywhere, ZTNA solutions can help close gaps left by other secure remote access technologies and methods.
Zero Trust Network Access (ZTNA) enforces granular, adaptive, and context-aware policies that provide secure and seamless Zero Trust access to private apps hosted across clouds and corporate data centers, from any remote location and from any device. That context can be a combination of user identity, user or service location, time of day, type of service, and security posture of the device.
ZTNA allows "least privilege" access to specific apps, rather than giving any user with valid login credentials access to the entire underlying network, reducing the attack surface and preventing lateral movement of threats from compromised accounts or devices. ZTNA builds upon the concept of "Zero Trust", which asserts that organizations shouldn't trust any entity, whether inside or outside the security perimeter, and instead must verify every user or device before granting access to sensitive resources, ensuring data safety and integrity.
ZTNA is one of the key components for Secure Access Service Edge (SASE), transforming the concept of a security perimeter from static, enterprise data centers to a more dynamic, policy-based, cloud-delivered edge, to support the access requirements of the remote workforce.
Why do you need ZTNA? Some common use cases
Secure remote access to private apps
As organizations move their business-critical apps across multiple cloud environments for easy collaboration, they are challenged to monitor each device to secure app access and prevent data exfiltration. ZTNA solutions enable adaptive, context-aware access to private apps from any location and device. Access is denied by default unless explicitly allowed. The context for app access may include identity, device type, user location and device security posture.
Enhance or replace VPN connections
VPNs are slower and can hamper productivity. Securing remote user access through software- and hardware-intensive VPNs can increase capital expenditure and bandwidth costs. ZTNA provides fast, direct access to cloud apps, reducing networking complexity, cost and latency while improving the remote workforce's experience.
Limit user access
Perimeter-based security solutions permit full network access to any user with valid login credentials, potentially over-exposing sensitive data to compromised accounts and insider threats. Once inside the network, bad actors can move freely through it, largely undetected. With ZTNA, user access is restricted to specific apps on a need-to-know basis. Every connection is verified before access to a specific internal resource is granted.
Connector software installed in the same network as the private app establishes an outbound connection to the ZTNA service (or broker) hosted in the cloud through a secure, encrypted tunnel. The service is the egress point for private traffic into the network and is primarily responsible for:
Verifying connecting users and authenticating their identity through an identity provider.
Validating the security posture of the user devices.
Provisioning access to specific apps through the secure tunnel.
Because connections to the ZTNA service are outbound, or "inside-out", organizations don't need to open any inbound firewall ports for app access. This shields the apps from direct exposure on the public internet and protects them from DDoS, malware, and other online attacks.
ZTNA can support both managed and unmanaged devices. Managed devices follow a client-based approach in which a company-owned client or agent is installed on the device. The client is responsible for collecting device information and sharing the details with the ZTNA service. A connection to the app is established once the user's identity and the device's security posture have been validated.
Unmanaged devices follow a clientless or reverse-proxy based approach. The devices connect to the ZTNA service through browser-initiated sessions for authentication and app access. While this makes it an attractive prospect for third-party users, partners, and employees connecting through personal or BYO devices, clientless ZTNA deployments are limited to app protocols supported by the web browsers.
Network-level access vs app-level access: VPNs permit full network access to any user with valid login credentials. ZTNA restricts user access to specific apps, limiting data exposure and the lateral movement of threats in the event of a cyberattack.
Deep visibility into user activity: VPNs lack app-level controls and have no visibility into user movement once inside the private network. ZTNA solutions log every user action and provide deeper visibility into and monitoring of user behavior and risk, enabling informed, data-centric controls for securing sensitive content within apps. The logs can be fed to SIEM tools for real-time, centralized visibility into user activity and threats. ZTNA solutions can further be integrated with an endpoint security solution to allow adaptive access based on continuous assessment of device security posture.
Endpoint posture assessment: VPN connections don't factor in the risks posed by end-user devices. A compromised or malware-infected device can easily connect to the server and gain access to internal resources. ZTNA solutions continuously assess connecting devices by validating their security posture and enable adaptive access to resources based on the device trust required at the time. The device's connection is terminated immediately when a risk is detected.
User experience: VPNs are not designed for an increasingly distributed workforce. Routing every user connection through centralized VPN hubs creates bandwidth and performance issues, leading to a sub-par user experience. With ZTNA, users establish direct-to-app connections, enabling fast and secure access to corporate resources hosted either in IaaS environments or in private data centers, while facilitating agile and scalable cloud deployments.
Cost savings: ZTNA eliminates the need to procure expensive VPN hardware and manage the complex infrastructure setup at each data center. Additionally, the remote users don't need an additional, resource-intensive VPN client for establishing secure connections.
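The following toy broker is an added illustration, not Lookout's code or any product's implementation. It models the flow described earlier on this page (connector dials out, broker verifies identity and device posture, access is granted per app and denied by default) together with the continuous posture assessment and SIEM-ready logging from the comparison above. All app names, groups, policies, posture attributes and users are constructed for the example.

```python
# Added illustration (not Lookout's code): a toy ZTNA broker modelling the page's flow.
# Policies, posture attributes, apps and users below are constructed sample values.
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DevicePosture:
    """Posture facts a client/agent would report (constructed attribute set)."""
    managed: bool
    disk_encrypted: bool
    os_patched: bool
    malware_detected: bool = False

    @property
    def trust_level(self) -> str:
        # Ordinal trust derived from posture; a real product uses many more signals.
        if self.malware_detected:
            return "compromised"
        if self.managed and self.disk_encrypted and self.os_patched:
            return "high"
        if self.disk_encrypted and self.os_patched:
            return "medium"
        return "low"


@dataclass(frozen=True)
class AccessContext:
    user: str
    groups: FrozenSet[str]
    location: str                 # country code reported by the service (constructed)
    posture: DevicePosture


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: FrozenSet[str]
    min_trust: str                                      # "low" | "medium" | "high"
    allowed_locations: Optional[FrozenSet[str]] = None  # None means any location


TRUST_RANK = {"compromised": -1, "low": 0, "medium": 1, "high": 2}


class Broker:
    """The cloud-hosted ZTNA service: default deny, per-app grants, continuous re-check."""

    def __init__(self, policies: List[AppPolicy]):
        self.policies: Dict[str, AppPolicy] = {p.app: p for p in policies}
        self.connectors: Dict[str, str] = {}   # app -> connector that dialed out for it
        self.sessions: Dict[str, Tuple[str, AccessContext]] = {}
        self.log: List[str] = []               # JSON records, what you would ship to a SIEM

    def register_connector(self, connector_id: str, apps: List[str]) -> None:
        # The connector opens the tunnel outbound; the broker only learns which apps are
        # reachable through this registration, so no inbound port is ever exposed.
        for app in apps:
            self.connectors[app] = connector_id

    def decide(self, app: str, ctx: AccessContext) -> Tuple[bool, str]:
        policy = self.policies.get(app)
        if policy is None:
            return False, "no policy for app (default deny)"
        if app not in self.connectors:
            return False, "no connector registered for app"
        if not (ctx.groups & policy.allowed_groups):
            return False, "user not in an allowed group"
        if TRUST_RANK[ctx.posture.trust_level] < TRUST_RANK[policy.min_trust]:
            return False, "device trust %s below required %s" % (ctx.posture.trust_level, policy.min_trust)
        if policy.allowed_locations is not None and ctx.location not in policy.allowed_locations:
            return False, "location %s not allowed for app" % ctx.location
        return True, "allowed"

    def connect(self, session_id: str, app: str, ctx: AccessContext) -> bool:
        allowed, reason = self.decide(app, ctx)
        self._record("connect", session_id, app, ctx, allowed, reason)
        if allowed:
            self.sessions[session_id] = (app, ctx)
        return allowed

    def reassess(self, session_id: str, posture: DevicePosture) -> bool:
        # Continuous assessment: re-run the same policy with fresh posture and tear the
        # session down as soon as it no longer passes.
        app, ctx = self.sessions[session_id]
        new_ctx = AccessContext(ctx.user, ctx.groups, ctx.location, posture)
        allowed, reason = self.decide(app, new_ctx)
        self._record("reassess", session_id, app, new_ctx, allowed, reason)
        if allowed:
            self.sessions[session_id] = (app, new_ctx)
        else:
            self.sessions.pop(session_id)
        return allowed

    def _record(self, event, session_id, app, ctx, allowed, reason) -> None:
        self.log.append(json.dumps({
            "event": event, "session": session_id, "app": app, "user": ctx.user,
            "location": ctx.location, "device_trust": ctx.posture.trust_level,
            "decision": "allow" if allowed else "deny", "reason": reason,
        }, sort_keys=True))


def run_demo() -> Dict[str, object]:
    """Constructed scenario exercising each check; returns the outcomes for inspection."""
    broker = Broker([
        AppPolicy("payroll", frozenset({"finance"}), "high", frozenset({"US"})),
        AppPolicy("wiki", frozenset({"finance", "contractors"}), "medium"),
    ])
    broker.register_connector("dc1-connector", ["payroll", "wiki"])  # outbound registration
    laptop = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
    byod = DevicePosture(managed=False, disk_encrypted=True, os_patched=True)
    alice = AccessContext("alice", frozenset({"finance"}), "US", laptop)
    bob = AccessContext("bob", frozenset({"contractors"}), "DE", byod)
    out: Dict[str, object] = {
        "alice_payroll": broker.connect("s1", "payroll", alice),  # every check passes
        "alice_hr": broker.connect("s2", "hr-portal", alice),     # no policy: default deny
        "bob_wiki": broker.connect("s3", "wiki", bob),            # BYOD meets "medium"
        "bob_payroll": broker.connect("s4", "payroll", bob),      # wrong group (and more)
    }
    # The agent later reports malware on alice's laptop: her live session is terminated.
    infected = DevicePosture(managed=True, disk_encrypted=True, os_patched=True, malware_detected=True)
    out["alice_after_malware"] = broker.reassess("s1", infected)
    out["open_sessions"] = sorted(broker.sessions)
    out["log"] = broker.log
    return out


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

Two design points worth noting: access is scoped to one app per session rather than to a network, so the "wiki" grant says nothing about "payroll", and an app with no policy or no registered connector is unreachable by construction. The same `decide` function is used at connect time and on every posture update, which is what turns a one-off login check into continuous conditional access; each decision is written as a JSON record so the denial reasons are available to a SIEM.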
ZTNA allows organizations to create software-defined perimeters and divide the corporate network into multiple micro-segments, preventing lateral movement of threats and thus reducing the attack surface in case of a breach.
ZTNA makes apps invisible on the public internet by preventing their discovery, securing organizations from internet-based data exposure, malware and DDoS attacks.
ZTNA facilitates secure connectivity to legacy apps hosted in private data centers, offering the same security advantages as SaaS apps.
ZTNA enables secure, fast, uninterrupted direct-to-cloud access to private apps, providing a consistent experience to remote users accessing both SaaS and private apps.
Introducing Lookout ZTNA
Lookout ZTNA is the industry’s first data-aware Zero Trust Network Access solution. It enables granular "Zero Trust" access to private apps from any location and device, and offers integrated data loss prevention (DLP) capabilities for securing data collaboration over ZTNA. It addresses today’s complex, hybrid environments to facilitate an adaptive, secure and flexible Zero Trust strategy. Lookout ZTNA performs continuous risk assessment of connecting devices by deriving enhanced posture information through Lookout’s Continuous Conditional Access (CCA) technology, and provides blazing fast, “least privileged” access to private apps.