Zero Trust Network Access or ZTNA is an approach to access that does not put the user’s computer directly on the network. Unlike traditional VPN where the entire workstation becomes part of the network, ZTNA only allows the user to access the applications and services required to perform their job.
We can think of ZTNA like a large multi-tenant building where everyone who enters must pass the receptionist, announce themselves and say where they intend to go. The receptionist then checks their license (identification), checks the list of approved entrants, either employees or visitors, gives them a badge that only works for access to where they are authorized and only for a certain time frame.
When implemented correctly, ZTNA can do this no matter if the user is sitting at their desk or is remote and connecting from home, the airport, or anywhere. All traffic must go to the receptionist (a cloud solution), be identified, and approved for access only to the things it is allowed access to.
Benefits of ZTNA:
- Improved access granularity
- Better user experience
- More centralized policy management that leverages both network and application access control as well as user access control with Multi-Factor Authentication
- Visibility into what applications are being used (including previously undiscovered programs) and the ability to provide access to specific applications by role or by user
- Reduced risk of distributed denial of service (DDoS) attacks by not exposing the applications to the public internet
Challenges to adoption:
- Technical debt –in order to create profiles that allow access to just what is required, the architect must know all the things each user group needs in order to perform their job (applications, data, etc.). Many organizations have never mapped this out, so step 1 is a big learning and mapping process.
- Both users and devices must be authorized, not just users.
- Legacy applications that rely on peer to peer connections could hamper adoption of ZTNA.
- ERP or CRM type apps that are all things to everyone. Many of these do not have internal controls with the ability to segregate functions and features.
ZTNA is the future. You can start slowly with remote workers or remote location and as you replace legacy applications and networks evolve,continue with the long term goal of total ZTNA.
