What is Zero Trust Network Access (ZTNA)?
Zero Trust Network Access (ZTNA) is a model in which secure remote access to an organization’s data, applications, network devices, industrial control systems (ICS), and services is granted on a ‘never trust, always verify’ basis (the Zero Trust framework). No person, device, or machine holds always-on access or standing authorization to a target; the validity and legitimacy of each access request are verified every time access is granted.
ZTNA differs from virtual private networks (VPNs) in one key respect: a ZTNA model grants access only to specific targets, whereas a VPN grants access to an entire network, or at least a significant portion of it. Work from home, outsourcing, and distributed services make secure remote access increasingly common, and ZTNA solutions were developed to meet the demands of this shift.
How Does ZTNA Work?
When ZTNA is properly applied, every user must authenticate to the ZTNA service or authority before access to a specific resource is granted. The user is identified and verified on every access attempt, not once per session to the network. If the target requires elevated privileges, access is limited to the minimum level needed to get the job done, which mitigates risk and follows the principle of least privilege.
Once the connection is established, the ZTNA solution grants access to that specific application only and encrypts the connection, adding a layer of protection even when the connection originates from inside the corporate network.
There are two main reasons for this. First, in the Zero Trust model there are no trusted zones, devices, or users, so every connection should be protected as if it were made over a public network. Second, restricting privileges and encrypting connections prevents users from gaining visibility into applications or servers they are not entitled to access. Overly broad access privileges increase the risk of lateral movement inside the network: a user (or an attacker holding that user’s credentials) can hop from one server or application to another, or map the network layout, if the privileges allow it.
Benefits of ZTNA
Enterprises employ a mix of in-house experts, subcontractors, consultants, and temporary staff, and they all need different types of access, for different durations, from various geographical locations. A dynamic ZTNA solution supports the joiners-movers-leavers process by linking the right identity to the right target for the right duration with the right level of privilege for the task at hand.
Multi-cloud & hybrid environments
Applications, critical data, and servers are likewise scattered around the globe. Companies run private clouds in-house, keep legacy systems as on-premises installations, and buy cloud computing services from multiple vendors for both temporary and permanent needs. Zero Trust Network Access ensures that, regardless of how mature the technology is or where the applications are hosted, access is granted from a single centralized system, in a uniform fashion, and with a solid audit trail of activities.
Eliminating permanent, always-on authorization
Shared credentials (such as SSH keys or passwords) are always armed and can do a lot of harm in the wrong hands. The traditional way to contain the problem is to store them in a vault, but that does not change the fact that a long-lived credential, and therefore permanent trust, still exists. An advanced ZTNA solution authenticates and authorizes the user just-in-time for the connection and ensures that the authorization expires automatically afterwards. This ephemeral certificate-based approach removes permanent authentication keys and passwords from the environment, never exposes secrets to the user, and leaves nothing behind to be vaulted, rotated, or managed.
Zero Trust Network Access should not only offer granular access controls and restrictions but also verify the legitimacy of the device, user, and access privileges during the session, based on variables such as location, context, and IP address. If any of these conditions changes in an unwanted way (for example, the device becomes infected with malware), the ZTNA solution should be able to disconnect the user from a critical target to limit the damage.
Gartner states in its “Market Guide for Zero Trust Network Access” that endpoint-initiated ZTNA is similar to how the Cloud Security Alliance defines software-defined perimeters (SDPs). Unlike a traditional ‘castle-and-moat’ perimeter around the whole network, ZTNA is a type of SDP that draws a virtual micro-perimeter around each user, device, and application.
The process of information transfer in an endpoint-initiated ZTNA is as follows:
- The agent on the user’s device sends the user’s security context to a ZTNA controller. The security context includes, for example, geographic location, time, and date, and helps the controller judge the legitimacy of the authentication request. For example, if a user appears to access an application from a PC and, at the same time, from a mobile device in a different location, one of those devices may be compromised or otherwise violating policy.
- The ZTNA controller checks the identity of the user and the device to determine whether they are valid and whether the user is entitled to the application being requested. If everything checks out, both the user and the device are authenticated.
- The controller provisions connectivity through a gateway, such as a next-generation firewall (NGFW), which enforces the applicable security policies and prevents the application from being reached directly from the internet.
- With access granted, the session is opened to the gateway and on to the application over an end-to-end encrypted connection. In this architecture the gateway, not the network perimeter, is the point where access is enforced.
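The flow above, together with the just-in-time authorization and in-session re-verification described earlier, can be reduced to three decisions: the controller evaluates identity, device posture, context and entitlement and mints a short-lived grant bound to one user, device, target and role; the gateway admits a session only if that grant is genuine, unexpired and for exactly this target and device; and a session monitor drops the session when posture or location changes. The following Python sketch is an added illustration written for this page, not SSH Communications Security’s product code or Gartner’s description. It uses an HMAC over canonical JSON in place of a real certificate, a shared controller/gateway key, a ten-minute grant lifetime, a country allow-list, and a constructed entitlement table and device inventory; all of those are assumptions.

```python
"""Toy ZTNA controller/gateway decision flow (added illustration, not vendor code)."""
import hashlib
import hmac
import json

GRANT_TTL_SECONDS = 600           # assumption: a grant lives for ten minutes
ALLOWED_COUNTRIES = {"FI", "SE"}  # assumption: policy restricts source geography

# Constructed sample data: which user may hold which role on which target.
ENTITLEMENTS = {
    ("alice", "db-prod-01"): {"readonly", "dba"},
    ("bob", "web-01"): {"deploy"},
}
# Constructed sample data: device IDs enrolled with the (hypothetical) endpoint agent.
TRUSTED_DEVICES = {"laptop-7f3a", "phone-12c9"}


def _payload(claims):
    # Canonical JSON so the MAC does not depend on dict ordering or whitespace.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_grant(key, user, device_id, target, role, now):
    """Controller: mint a short-lived grant bound to user, device, target and role."""
    claims = {"sub": user, "dev": device_id, "tgt": target, "role": role,
              "iat": int(now), "exp": int(now) + GRANT_TTL_SECONDS}
    mac = hmac.new(key, _payload(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "mac": mac}


def decide(key, user, device_id, device_healthy, country, target, role, now):
    """Controller: check device, posture, context and entitlement; return (grant, reason)."""
    if device_id not in TRUSTED_DEVICES:
        return None, "unknown device"
    if not device_healthy:
        return None, "device failed posture check"
    if country not in ALLOWED_COUNTRIES:
        return None, "source location not permitted"
    if role not in ENTITLEMENTS.get((user, target), set()):
        return None, "user not entitled to that role on that target"
    return issue_grant(key, user, device_id, target, role, now), "ok"


def gateway_verify(key, grant, device_id, target, now):
    """Gateway: admit only a genuine, unexpired grant for this exact target and device."""
    expected = hmac.new(key, _payload(grant["claims"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, grant["mac"]):
        return False, "bad signature"
    c = grant["claims"]
    if now >= c["exp"]:
        return False, "grant expired"
    if c["tgt"] != target:
        return False, "grant is for a different target"
    if c["dev"] != device_id:
        return False, "grant is bound to a different device"
    return True, "ok"


def should_disconnect(grant, device_healthy, country, now):
    """Session monitor: return a reason to drop the live session, or None to keep it."""
    if now >= grant["claims"]["exp"]:
        return "grant expired"
    if not device_healthy:
        return "device posture degraded"
    if country not in ALLOWED_COUNTRIES:
        return "session moved to a non-permitted location"
    return None


if __name__ == "__main__":
    key = b"controller-gateway-shared-secret"  # assumption: shared HMAC key, not a real PKI
    t0 = 1_700_000_000                          # fixed clock so the run is reproducible
    grant, why = decide(key, "alice", "laptop-7f3a", True, "FI", "db-prod-01", "readonly", t0)
    print("controller decision:", why)
    print("gateway at t0+5s:", gateway_verify(key, grant, "laptop-7f3a", "db-prod-01", t0 + 5))
    print("posture change at t0+60s:", should_disconnect(grant, False, "FI", t0 + 60))
    print("gateway at t0+601s:", gateway_verify(key, grant, "laptop-7f3a", "db-prod-01", t0 + 601))
```

Two points the code makes that the prose only states: the grant carries the device and target it was issued for, so a stolen grant cannot be replayed from another device or against another application, and the expiry is enforced by the gateway on every check, so nothing needs to be revoked or rotated when the authorization ends. A production deployment would replace the shared HMAC key with certificates signed by the controller’s CA so that the gateway holds no secret that can mint grants.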
According to Gartner’s “Market Guide for Zero Trust Network Access”, service-initiated ZTNA is similar to Google’s BeyondCorp approach. A service-initiated architecture is hosted in the cloud and requires no agent on the user’s device.
In Gartner’s description, a connector takes the place of the controller. The connector runs on the same network as the application and maintains an outbound connection to the provider’s cloud service, so the application network needs no inbound openings.
The cloud service authenticates users who request access to the application, with an identity management solution validating the request via, for example, single sign-on (SSO). The user then reaches the application through an application proxy, which isolates applications from direct access and attacks.
Just-in-Time Zero Trust Access Management for ZTNA
SSH Communications Security (SSH) has been a pioneer in cybersecurity for decades, ever since the company introduced its namesake SSH protocol for encrypting data in transit. Now, SSH is making Zero Trust Access Management solutions available with the following key benefits:
- Every access is granted just-in-time for the session, with no always-on authorization.
- Users never see or handle secrets required for the connection.
- Access is granted using ephemeral certificates that expire automatically once the authorization ends, leaving no passwords or encryption keys to be vaulted, rotated, or managed.
- Every user is granted only the least privilege required to get the job done, for granular access control.
- Every session is identified, monitored, audited, and optionally recorded.
- There are no trusted zones or segments; all access is verified every time it is established.
To learn more about our Zero Trust Access Management Solution, contact us for a demo today — and give passwordless and keyless security a test drive.