What is zero trust network access (ZTNA)?
Zero trust network access (ZTNA) is a set of technologies and capabilities that provide secure access to applications and data. This remote access technology gives users access to corporate apps whether they are on-premises, hosted in the cloud, or delivered as SaaS.
Unlike traditional VPNs, ZTNA provides access only at the application layer to reduce risk and prevent lateral movement on the corporate network. Access is granted only where it is needed, based on identity and context, and user sessions are continuously monitored to reduce the risk of unauthorized access.
Unlike network-centric solutions such as virtual private networks (VPNs), which create an exploitable attack surface, ZTNA technology provides secure access to specific applications—instead of a company’s entire network. These security solutions work based on four core principles:
- Principle of least privilege: Each user has the minimum level of permissions needed to carry out tasks, preventing unauthorized users from accessing sensitive data.
- Micro-segmentation: This security approach divides the network into zones, defining different security policies for the different segments. This approach enables security controls to be defined at the application level.
- Multi-factor authentication: This is a widely used security method that requires users to verify their identity with two different methods. A common example is providing a password and a code that is sent to a mobile phone.
- Monitoring: Continuous monitoring is another key part of ZTNA. Zero trust network access uses advanced analytics to monitor user behavior in your network and applications. When it detects abnormal behavior, it denies access.
ZTNA services apply these principles through several methods:
- Isolation of applications from the public internet: One of the characteristics of ZTNA is that it isolates application access from network access and only grants access to specific apps for verified users. By doing this, it reduces the risks of unauthorized access to the network.
- Hiding application infrastructure from unauthorized users: ZTNA ensures both network and application infrastructure are hidden from unauthorized users. For instance, it doesn’t expose IPs to the public internet, which makes the network practically impossible for attackers to find.
- Access that’s brokered at the app layer: Unlike other solutions, ZTNA access happens at the application layer. This means once a user is authorized, access to the application is granted on a needs-only basis.
- Continuous monitoring and adaptive enforcement: Access control doesn’t stop when the user gains access. A good ZTNA solution will provide adaptive authentication, so authorization of the user is checked throughout the session.
Zero trust network access provides several security benefits for organizations. Some reasons to consider implementing a ZTNA solution include the following:
- It improves data protection. Traditional network security models offer little protection against data loss and data breaches. The zero trust model assumes an attack is always around the corner, inside and outside the network. By isolating the network from the public internet and segmenting it according to level of criticality, all data is protected with the relevant security controls.
- It’s designed for the remote and hybrid workforce. Commonly used firewalls and VPNs are not adapted to keep up with the increasing number of employees working remotely and on BYOD devices. When you implement a zero trust architecture, remote users can connect securely regardless of location or device. Moreover, the continuous authentication process ensures their permissions are assessed during the session, providing constant and adaptive protection.
- It enhances the user experience. ZTNA solutions use advanced capabilities to eliminate the need to remember multiple passwords and account logins—without impacting security. It also prevents common risks such as password recycling and sharing.
- It increases network visibility. A zero trust network access solution enables the organization to monitor all resources and network activity from a centralized dashboard. You have complete visibility into who is using your applications and resources, and from where. If an anomaly is detected, additional verification will be required or an alert will be raised.
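The monitoring principle above (abnormal behavior during a session leads to additional verification or denial) can be shown concretely. The following is an added example, not code from the original page or from Citrix: it replays constructed session events for a ZTNA broker and decides, per session, whether the session may continue, needs step-up verification, or should be terminated. The log format, the apps, the users, and the burst thresholds are all assumptions made up for the illustration.

```python
"""Added example: continuous session monitoring for a ZTNA broker.

Not any vendor's code. Re-evaluates a running session against three
behavioural checks as events arrive: device posture failing mid-session,
the connection's location changing mid-session, and an unusual burst of
distinct applications in a short window. Log format, thresholds, users
and apps are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: one line per brokered application request.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice session=s1 app=wiki country=US posture=ok
2024-05-01T09:05:00Z user=alice session=s1 app=hr-portal country=US posture=ok
2024-05-01T09:06:00Z user=alice session=s1 app=hr-portal country=BR posture=ok
2024-05-01T10:00:00Z user=bob session=s2 app=wiki country=US posture=ok
2024-05-01T10:00:10Z user=bob session=s2 app=finance-db country=US posture=ok
2024-05-01T10:00:20Z user=bob session=s2 app=crm country=US posture=ok
2024-05-01T10:00:30Z user=bob session=s2 app=hr-portal country=US posture=ok
2024-05-01T11:00:00Z user=carol session=s3 app=wiki country=US posture=ok
2024-05-01T11:30:00Z user=carol session=s3 app=wiki country=US posture=fail
"""

BURST_WINDOW_SECONDS = 60   # constructed threshold
BURST_DISTINCT_APPS = 4     # constructed threshold


def parse_line(line):
    """Parse one constructed 'ts key=value ...' line into a dict with a UTC timestamp."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def evaluate_session(events):
    """Replay one session's events in time order and return (action, reason).

    action is "continue", "reauth" (step-up verification required before
    further access) or "terminate" (deny further access for this session).
    """
    origin_country = events[0]["country"]
    recent = []  # (ts, app) pairs inside the burst window
    for ev in events:
        if ev["posture"] != "ok":
            return "terminate", "device posture failed mid-session"
        if ev["country"] != origin_country:
            return "reauth", f"location changed {origin_country}->{ev['country']}"
        recent.append((ev["ts"], ev["app"]))
        recent = [(t, a) for t, a in recent
                  if (ev["ts"] - t).total_seconds() <= BURST_WINDOW_SECONDS]
        if len({a for _, a in recent}) >= BURST_DISTINCT_APPS:
            return "reauth", "unusual burst of distinct applications"
    return "continue", "no anomaly"


def evaluate_log(text):
    """Group events by session id and evaluate each session; returns {session: (action, reason)}."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ev = parse_line(line)
            sessions[ev["session"]].append(ev)
    return {sid: evaluate_session(sorted(evs, key=lambda e: e["ts"]))
            for sid, evs in sessions.items()}


if __name__ == "__main__":
    for sid, outcome in evaluate_log(SAMPLE_LOG).items():
        print(sid, outcome)
```

The checks are deliberately simple: a real broker would combine device posture from an endpoint agent, a risk score from an identity provider, and a baseline per user. The point of the structure is that enforcement is a function of the whole session so far, not just the first authentication.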
How the approach to cybersecurity and zero trust network access has evolved
See how ZTNA has become mainstream to meet the needs of a hybrid organization.
Traditionally, many companies have used VPNs and firewalls to protect their resources from unauthorized remote access. However, these solutions cannot meet the modern requirements of hybrid and remote workforces.
VPNs have several limitations:
- They are perimeter-focused. While this reinforces the network perimeter, it also means an authorized user can have full access to the network and resources, allowing lateral attacks.
- Controls are at the network level. The access controls of a VPN are set at the network level without providing visibility at the application layer.
- There’s poor support for BYOD devices. When you allow access to a network with a BYOD device and use a VPN, you are giving access to the network by unmanaged endpoints. This situation increases the risk of malware and data breaches.
ZTNA offers several advantages over a traditional VPN, including:
- Security at the app layer: Unlike traditional VPN, which provides full access to the corporate network, ZTNA sets the perimeter at the application layer.
- One-by-one authorization: ZTNA assesses and authorizes each access request.
- Hidden IT infrastructure: Because ZTNA only shows the user the resources they need, an attacker cannot move laterally.
Replacing traditional VPN
Traditional VPN solutions are not well suited for cloud deployments. They require securing the remote access of every user through software and hardware-intensive VPN devices. Zero trust network access instead reduces network complexity, latency, and cost by delivering direct-to-cloud access to applications and resources.
Limiting user access
Traditional cybersecurity solutions use a broad perimeter-based approach. These methods make it possible for an attacker gaining access to the network to move laterally to sensitive data. Zero trust network access controls access based on the least privilege principle, verifying each connection request before authorizing access to the intended resource.
Authentication and authorization
The main use for ZTNA is to deliver granular access based on a user’s identity and context. ZTNA enables you to set specific remote access control policies based on user device or location.
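The four core principles and the brokering methods described earlier (least privilege, access brokered per application, hidden infrastructure, context-aware decisions), together with the identity- and context-based policies in this section, can be expressed as a small policy decision point. The following is an added example, not code from the original page or from Citrix: a per-request decision function for a ZTNA broker. The policy table, group names, application names and context attributes are assumptions constructed for the illustration.

```python
"""Added example: a minimal ZTNA-style policy decision point (not Citrix code).

Every request is evaluated on its own (no standing network access), the
decision is made per application rather than per network, least privilege
comes from explicit per-app entitlements, and context (device posture,
MFA, location) is part of every decision. Users, apps and policy values
are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class DeviceContext:
    managed: bool       # enrolled/managed endpoint vs BYOD
    os_patched: bool    # posture check result
    country: str        # geo context derived from the connection


@dataclass
class AppPolicy:
    """What it takes to reach one application through the broker."""
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = False
    allowed_countries: frozenset = field(default_factory=frozenset)  # empty = any


# Constructed policy table: each app is brokered individually.
POLICIES = {
    "hr-portal": AppPolicy(allowed_groups=frozenset({"hr"}), require_managed_device=True),
    "wiki": AppPolicy(allowed_groups=frozenset({"staff", "hr"}), require_mfa=False),
    "finance-db": AppPolicy(
        allowed_groups=frozenset({"finance"}),
        require_managed_device=True,
        allowed_countries=frozenset({"US"}),
    ),
}


def decide(identity: Identity, device: DeviceContext, app: str, policies=POLICIES) -> tuple:
    """Return (decision, reason) for one access request to one application.

    Decisions: "allow", "deny", or "step_up" (the request may proceed once the
    user completes MFA). Unknown apps and unentitled apps are denied, which is
    what keeps the infrastructure hidden: the broker never answers for
    something the caller is not entitled to.
    """
    policy = policies.get(app)
    if policy is None:
        return "deny", "unknown application"
    if not (identity.groups & policy.allowed_groups):
        return "deny", "no entitlement for application"
    if policy.require_managed_device and not device.managed:
        return "deny", "managed device required"
    if not device.os_patched:
        return "deny", "device posture failed"
    if policy.allowed_countries and device.country not in policy.allowed_countries:
        return "deny", "location not permitted"
    if policy.require_mfa and not identity.mfa_verified:
        return "step_up", "mfa required"
    return "allow", "policy satisfied"


def visible_apps(identity: Identity, device: DeviceContext, policies=POLICIES) -> list:
    """Apps the broker would list for this user in this context; everything else stays hidden."""
    return sorted(app for app in policies
                  if decide(identity, device, app, policies)[0] != "deny")


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"hr", "staff"}), mfa_verified=True)
    byod = DeviceContext(managed=False, os_patched=True, country="US")
    print(decide(alice, byod, "hr-portal"), visible_apps(alice, byod))
```

Note the ordering: entitlement is checked before any context, so a user with no right to an application never learns whether it exists, and a BYOD device sees a smaller application list than a managed one for the same identity. This is the application-layer perimeter the page contrasts with network-level VPN access.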
As more applications move to the cloud, the need to secure access across different environments has increased. Zero trust network access secures access to applications and resources, whether they’re stored on-premises or in public, private and multi-cloud environments.
There are many solutions available, but they are not all the same. Here are six factors you should consider when choosing a ZTNA service provider:
- Scalability: The solution should adapt easily to the growing needs of a remote workforce.
- Advanced threat protection (ATP): The ease with which malware and ransomware spreads with downloads and shares makes advanced threat protection a standard for ZTNA solutions. Look for a solution that offers behavior-based techniques and can stop zero-day threats.
- BYOD deployment options: Bring your own device policies are now common in remote and hybrid workspaces. A ZTNA solution should provide agentless options to help support BYOD security.
- Data loss protection: A zero trust network access solution should integrate data loss protection capabilities (including encryption, exact data matching, and more) to protect sensitive data from exposure or misuse.
- Visibility and reporting at a granular level: Detailed visibility and reporting are increasing in importance as organizations adopt the zero trust approach. Look for a solution that gives you granular visibility and reporting to help with compliance.
With Citrix, you can deliver secure access to managed, unmanaged, and BYOD devices alike—without compromising the end user experience. Citrix Secure Private Access provides adaptive access to all corporate applications, whether they’re deployed in the cloud or an on-premises datacenter. This cloud-based ZTNA solution provides access only at the application level, allowing you to strengthen your security posture and prevent common VPN issues such as network-level attacks.