What is a Zero Trust Network?
A zero trust network continuously authenticates and validates users and connected endpoints. The goal of a zero trust security model is to keep the network protected while still providing access to remote endpoints and users, including bring your own device (BYOD) endpoints and external third-party integrators.
A zero trust network lets all types of users leverage corporate resources, as long as these users and endpoints are continuously validated. According to Gartner, 60% of enterprises will replace their virtual private networks (VPNs) with ZTNA solutions.
To ensure safe access, a zero trust network uses zero trust network access (ZTNA) solutions. ZTNA solutions provide access controls that validate and authenticate users on a continuous basis.
What is ZTNA?
Zero trust network access (ZTNA) is a network security pattern that helps organizations implement zero trust concepts in their network ecosystem.
ZTNA is not a single technology. It encompasses a range of technologies for verifying a requesting user or device and granting access according to predefined policies. ZTNA solutions create an environment that protects both local and cloud-based resources: applications are kept unknown and undiscoverable on the network, and access is granted only by a trusted broker.
The ZTNA trusted broker uses the following processes to authorize entities on the network:
- Login—when a user logs in, the broker verifies their identity.
- Device connection—when a device connects to the network, the broker ensures the device is known, trusted, and has the relevant security updates.
- Least privilege—the broker restricts access according to the principle of least privilege (POLP). It grants access to users depending on their role, and only lets them access the resources necessary for their function, at the minimal level of privilege.
Benefits of ZTNA
ZTNA solutions can provide the following benefits to organizations, as they adopt a zero trust security model.
Secure Cloud Access
Many organizations are running services in the public cloud, and research shows a majority of cloud users run on multiple cloud platforms. To reduce the attack surface, organizations need to limit access to these cloud-based resources.
ZTNA allows organizations to restrict access to cloud environments and applications based on their business needs. Each user and application can be assigned a role within the ZTNA solution. Each role is then granted the appropriate rights and privileges with respect to cloud-based infrastructure.
Secure Remote Access
In the wake of COVID-19, most organizations have moved largely or entirely to remote workforces. Many companies use virtual private networks (VPNs) to enable remote access. However, VPNs have significant limitations such as lack of scalability and integrated security.
A major problem with VPNs is that, by default, authenticated users gain full access to the entire network, regardless of their role or the resource they actually need. This creates an inherent security vulnerability. ZTNA solutions recognize that users are connecting remotely or via their personal devices (BYOD), and give them appropriate, limited access to the corporate network.
Protecting Against Account Compromise
Privileged account compromise is a common threat vector in modern networks. Attackers steal, infer, or otherwise compromise user account credentials, and then use them to authenticate on the organization’s systems. This grants the attacker the same level of access as a legitimate user.
Implementing ZTNA can address this threat, and minimize the damage that an attacker can inflict using a compromised account. The attacker’s ability to move laterally across the network is limited by the privileges assigned to the compromised user account.
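As an added example (not Hysolate's code or any vendor's product), the toy policy-decision function below models the three broker checks listed earlier (login, device connection, least privilege) and shows why a compromised account only reaches what its role allows; all users, devices, tokens and resource names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample policy data for the toy broker (not from any real deployment).
ROLE_RESOURCES = {
    "finance": {"erp", "payroll"},
    "engineer": {"git-server", "ci-runner"},
}
KNOWN_DEVICES = {"lap-001": {"owner": "alice", "patch_level": 42},
                 "lap-002": {"owner": "bob", "patch_level": 37}}
MIN_PATCH_LEVEL = 40                      # required security update level
VALID_SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # token -> verified user
USER_ROLES = {"alice": "finance", "bob": "engineer"}

@dataclass(frozen=True)
class Request:
    session_token: str
    device_id: str
    resource: str

def broker_decision(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for one resource request; re-run on every request."""
    # 1. Login: the session must map to an identity the broker has verified.
    user = VALID_SESSIONS.get(req.session_token)
    if user is None:
        return False, "identity not verified"
    # 2. Device connection: device must be known, enrolled to this user, and patched.
    device = KNOWN_DEVICES.get(req.device_id)
    if device is None:
        return False, "unknown device"
    if device["owner"] != user:
        return False, "device not enrolled to this user"
    if device["patch_level"] < MIN_PATCH_LEVEL:
        return False, "device missing required security updates"
    # 3. Least privilege: the role's allow-list bounds what this session can reach,
    #    so a stolen token grants no more than the legitimate user's role.
    role = USER_ROLES.get(user)
    if req.resource not in ROLE_RESOURCES.get(role, set()):
        return False, f"role '{role}' is not authorized for '{req.resource}'"
    return True, "allowed"

def reachable_resources(session_token: str, device_id: str) -> set[str]:
    """Blast radius of one session/device pair: every resource the broker would allow."""
    all_resources = set().union(*ROLE_RESOURCES.values())
    return {r for r in all_resources
            if broker_decision(Request(session_token, device_id, r))[0]}
```

Contrast `reachable_resources` with the VPN model described above, where a valid login alone would expose every resource in the set.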
Considerations for Choosing a Zero Trust Network Access Solution
Here are a few key considerations when selecting technologies that will make up your ZTNA solution:
- Agent vs. agentless—whether the solution requires an agent to be deployed on endpoint devices. Agents can significantly limit the solution's value for devices that are not owned by the organization.
- Support for workloads—whether the solution supports web applications, legacy applications, containerized infrastructure, etc.
- Cloud based vs. on premises—whether the solution is delivered as a cloud service or deployed on premises. Cloud-based solutions are easier to deploy and provide better protection against DDoS due to their elastic scalability. However, on-premises solutions may provide more flexibility in some scenarios.
- Authentication—which protocols and standards the solution supports. It is important to make sure that the solution can integrate with the organization’s identity provider, such as Active Directory.
- Points of presence (PoPs)—for cloud based solutions, it is important to evaluate the solution's global reach and whether it has PoPs in all the locations the organization operates or does business in.
- Unified Endpoint Management (UEM) integration—it is common for ZTNA solutions to work together with UEM platforms. It is important to evaluate whether the solution integrates with the UEM platform already used by the organization.
Zero Trust for Virtualized Desktops: Secure Remote Access with Hysolate Workspace
Hysolate implements a zero trust architecture (ZTA) by splitting a user's device into two segregated zones, each running in its own OS, leveraging the latest hypervisor and virtualization-based security technologies.
One OS is the user's unmanaged OS (where they can work freely) and the other is an instantly provisioned, trusted corporate OS running in a VM; this VM is easily spun up without any infrastructure cost. The ZTA broker only allows that corporate VM running on Hysolate to access sensitive enterprise applications, so the end user cannot reach these applications from any other untrusted environment or device. With Hysolate, IT can isolate this corporate VM from the user's personal OS, including fine-grained, cloud-managed controls over clipboard, USB, network, applications, etc. With this architecture in place, the Zero Trust puzzle can be completed and enterprises can move to a secure-by-design architecture.