Zero Trust Solutions: Which ZTNA is Right For You?

What are Zero Trust Solutions?

A zero trust security model assumes that every person and device trying to access a network is untrusted until verified as legitimate. Once verified, a requester is granted only the least-privileged access to the resources it actually needs.

Gartner defines a category of solutions known as zero trust network access (ZTNA), which administer selective access for users and devices to a protected network. There are two primary types of ZTNA solutions—agent-initiated, which is more flexible but requires devices to be managed, and service-initiated, which is easier to deploy but only supports web applications.

What are Zero Trust Network Access (ZTNA) Solutions?

Today’s digital business environment requires users to have access to applications from any location at any time. Users require mobile access to corporate systems, and outside partners require access as well, giving rise to virtual private networks (VPNs) and demilitarized zones (DMZs).

Traditionally, a user outside the perimeter was not trusted, but once allowed inside the network they gained implicit trust—often excessively so. Unfortunately, many users and attackers abused this implicit trust. A zero trust approach denies access to everybody by default and grants selective access based on the person and device requesting access and the corporate service being accessed.


How ZTNA grants selective access

Zero Trust Network Access (ZTNA) solutions can grant selective access based on criteria such as:

  • Human identity
  • Functional roles
  • Device profiling and health checks
  • Network used to connect
  • Date, time and allowed duration of use
  • Geographic location

ZTNA controls access to resources based on identity and context, reducing the attack surface. This creates individual security perimeters around each user, device, and application.

ZTNA creates a standardized user experience and applies security policies consistently, regardless of whether users connect from within the corporate network, from outside, using a corporate device or an unsecured personal device.

The trust broker

A central component of ZTNA solutions is a trust broker. Trust brokers can be provided as a third-party cloud service, or may be self-hosted, such as a physical appliance operating within the customer’s data center, or a virtual appliance managed by the organization in a public cloud.

A trust broker evaluates the applicant’s credentials and their device context. If the user is eligible to access the application, the broker communicates with a gateway function located logically near to the required application. Finally, the gateway creates a connection between the user and application.

In some ZTNA products, the gateway handles all communication once the user is connected. In other products, the broker remains present, to perform ongoing verification of the user and device.
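The criteria listed above (identity, role, device health, network, time window, geography) and the broker's default-deny, per-application decision can be made concrete with a small policy engine. The following is an added illustration, not code from any ZTNA vendor or from this page; the data model, policy fields, helper names and the sample request are all invented for the example. A real broker would take identity from the enterprise IdP, posture from an agent or UEM product, and would log every decision.

```python
"""Illustrative ZTNA trust-broker policy evaluation (added example, not vendor code).

Everything below (AccessRequest, AppPolicy, Grant, the sample policies and the
sample user) is a constructed assumption for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class AccessRequest:
    user: str
    roles: set                # functional roles asserted by the IdP
    device_managed: bool      # known to the UEM / has an agent
    disk_encrypted: bool      # device health check
    os_patch_age_days: int    # device health check
    source_ip: str            # network used to connect
    country: str              # geographic location
    when: datetime            # date and time of the request


@dataclass
class AppPolicy:
    name: str
    allowed_roles: set
    require_managed_device: bool = True
    max_patch_age_days: int = 30
    allowed_networks: list = field(default_factory=list)  # empty = any network
    allowed_countries: set = field(default_factory=set)   # empty = any country
    hours: tuple = (0, 24)                                # [start, end) hour of day
    max_session_minutes: int = 60                         # allowed duration of use


@dataclass
class Grant:
    app: str
    user: str
    expires: datetime


def evaluate(policy: AppPolicy, req: AccessRequest):
    """Return (allowed, reasons). Every criterion must pass; failed ones are listed for logging."""
    reasons = []
    if not req.roles & policy.allowed_roles:
        reasons.append("role")
    if policy.require_managed_device and not req.device_managed:
        reasons.append("unmanaged-device")
    if not req.disk_encrypted:
        reasons.append("disk-not-encrypted")
    if req.os_patch_age_days > policy.max_patch_age_days:
        reasons.append("patch-level")
    if policy.allowed_networks and not any(
        ip_address(req.source_ip) in ip_network(n) for n in policy.allowed_networks
    ):
        reasons.append("network")
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        reasons.append("geo")
    start, end = policy.hours
    if not start <= req.when.hour < end:
        reasons.append("time-window")
    return not reasons, reasons


def broker_decide(policies, req):
    """Default deny: one Grant per application the request qualifies for, nothing else.
    A grant is scoped to a single application (least privilege) and expires, which
    forces re-verification instead of leaving standing network-level trust."""
    grants = []
    for pol in policies:
        ok, _ = evaluate(pol, req)
        if ok:
            grants.append(Grant(pol.name, req.user, req.when + timedelta(minutes=pol.max_session_minutes)))
    return grants


def still_valid(grant, req, policies):
    """Ongoing verification: the grant holds only while the policy still passes for the
    current request context and the session has not expired (a posture change revokes it)."""
    pol = next(p for p in policies if p.name == grant.app)
    ok, _ = evaluate(pol, req)
    return ok and req.when < grant.expires


# Constructed sample policies and request (assumptions, not real data).
CRM_POLICY = AppPolicy("crm", {"sales", "support"}, allowed_countries={"DE", "FR"}, hours=(6, 22))
HR_POLICY = AppPolicy("hr", {"hr"}, max_patch_age_days=14, allowed_networks=["10.0.0.0/8"])
POLICIES = [CRM_POLICY, HR_POLICY]
ALICE = AccessRequest("alice", {"sales"}, True, True, 10, "10.0.0.5", "DE", datetime(2024, 5, 6, 9, 0))


def demo():
    """Return the names of the applications the broker would open for ALICE."""
    return [g.app for g in broker_decide(POLICIES, ALICE)]


if __name__ == "__main__":
    print(demo())                                   # ['crm']
    print(evaluate(HR_POLICY, ALICE))               # (False, ['role'])
```

The point of `still_valid` is the second model described above, in which the broker stays in the loop: the same `evaluate` function is re-run against the live context, so a device that falls out of compliance mid-session loses its grant rather than keeping access until logout.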


Types of Zero Trust Network Solutions

Gartner describes two main categories of ZTNA solutions.

Endpoint-Initiated ZTNA

Endpoint-initiated ZTNA takes its name from the agent installed on end users’ devices. This agent transmits device security (posture) information to a controller. The controller then prompts the device user for authentication and returns a list of permitted applications. Following authentication of the device and its user, the controller opens connectivity to the device through a gateway.

Even after the user is authenticated and the gateway allows access, connectivity is still provisioned by the controller, and the user may only access the service through the gateway. Services are shielded from direct Internet access, which can prevent threats like denial of service (DoS).

After the controller establishes connectivity, some ZTNA products remove themselves from the data path; others remain within it.

Endpoint ZTNA adheres best to the Cloud Security Alliance’s (CSA) software-defined perimeter (SDP) standard. However, it requires either device management infrastructure, or installation of a local software agent. Alternatively, a third-party unified endpoint security (UES) product can provide the trust broker with the required device posture assessment. This can be a middle ground between deploying an agent and full-featured device management.

Service-Initiated ZTNA

Service-initiated ZTNA, on the other hand, does not require the installation of an agent on the user’s device. It is a much more attractive approach for organizations that enable unmanaged devices (Bring Your Own Device or BYOD). This type of solution follows Google’s BeyondCorp concept.

In this approach, networks in which applications are deployed have a connector that establishes outbound connections to a cloud-based ZTNA solution. To access a protected application, a user must authenticate with the ZTNA provider, who validates the user using an enterprise identity management product. Upon successful validation, traffic can pass through the provider’s cloud, while isolating applications from direct access.

An advantage of service-initiated ZTNA is that the enterprise firewall does not need to allow inbound traffic—because all traffic passes through the provider. However, the provider’s network must be evaluated, since it becomes a critical element and a potential single point of failure.

Another downside of service-initiated ZTNA is that an application’s protocol must be carried over HTTP/HTTPS. This limits the system to web applications and to protocols that can be tunneled over HTTP, such as secure shell (SSH) or remote desktop protocol (RDP) over HTTP. However, several vendors are now offering support for additional protocols.
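The connector pattern described above (the application network dials out to the provider, the user authenticates with the provider, and only authenticated traffic is relayed) can be shown end to end with three cooperating roles on loopback. This is an added example and not code from any ZTNA provider or from this page; the line-oriented message format, the static token table standing in for the enterprise identity product, and the loopback ports are all invented for illustration. The protected app binds to 127.0.0.1 as a stand-in for a private subnet with no inbound firewall rule.

```python
"""Service-initiated ZTNA in miniature (added example, not vendor code).

Roles, all in one process on 127.0.0.1 with ephemeral ports:
  app       - protected service; bound to loopback only, never reachable by the user
  broker    - the provider's cloud: authenticates users, accepts the connector's
              OUTBOUND link, relays traffic only for authenticated users
  connector - lives beside the app, dials OUT to the broker, proxies relayed requests
The token table and the one-line framing are constructed assumptions for the demo.
"""
import socket
import threading

VALID_TOKENS = {"tok-alice": "alice"}   # stand-in for validation against the enterprise IdP


def _listen():
    """Loopback listener on an ephemeral port."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen()
    return s


def _serve(sock, handler):
    """Accept connections on sock in the background; each gets its own handler thread."""
    def loop():
        while True:
            try:
                conn, _ = sock.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_app():
    """Protected application: answers one request line per connection."""
    s = _listen()

    def handle(conn):
        with conn, conn.makefile("rw") as f:
            req = f.readline().rstrip("\n")
            f.write("app says hello to " + req + "\n")
            f.flush()
    _serve(s, handle)
    return s.getsockname()[1]


class Broker:
    """Provider side: a listener for the connector's outbound link and one for users."""

    def __init__(self):
        self.connector_sock, self.user_sock = _listen(), _listen()
        self.link = None                     # file object over the connector's link
        self.ready = threading.Event()
        self.lock = threading.Lock()         # one relayed request in flight at a time
        _serve(self.connector_sock, self._on_connector)
        _serve(self.user_sock, self._on_user)

    def _on_connector(self, conn):
        self._conn, self.link = conn, conn.makefile("rw")   # keep the link open
        self.ready.set()

    def _on_user(self, conn):
        with conn, conn.makefile("rw") as f:
            token = f.readline().rstrip("\n")
            payload = f.readline().rstrip("\n")
            if token not in VALID_TOKENS:           # deny before touching the app
                f.write("DENY unauthenticated\n")
            elif not self.ready.wait(5):
                f.write("DENY no connector\n")
            else:
                with self.lock:
                    self.link.write(payload + "\n")
                    self.link.flush()
                    reply = self.link.readline().rstrip("\n")
                f.write("OK " + reply + "\n")
            f.flush()


def start_connector(broker_port, app_port):
    """Dial OUT to the broker, then relay each request the broker sends to the local app."""
    out = socket.create_connection(("127.0.0.1", broker_port))
    f = out.makefile("rw")

    def loop():
        with out, f:
            while True:
                payload = f.readline()
                if not payload:
                    return
                with socket.create_connection(("127.0.0.1", app_port)) as a, a.makefile("rw") as af:
                    af.write(payload)
                    af.flush()
                    f.write(af.readline())
                    f.flush()
    threading.Thread(target=loop, daemon=True).start()


def request_via_broker(broker_user_port, token, payload):
    """User side: the only path to the app is through the broker."""
    with socket.create_connection(("127.0.0.1", broker_user_port)) as s, s.makefile("rw") as f:
        f.write(token + "\n" + payload + "\n")
        f.flush()
        return f.readline().rstrip("\n")


def demo():
    """Wire the three roles together and issue one valid and one unauthenticated request."""
    app_port = start_app()
    broker = Broker()
    start_connector(broker.connector_sock.getsockname()[1], app_port)
    broker.ready.wait(5)
    uport = broker.user_sock.getsockname()[1]
    return {"valid": request_via_broker(uport, "tok-alice", "ping"),
            "invalid": request_via_broker(uport, "tok-mallory", "ping")}


if __name__ == "__main__":
    print(demo())
```

Note where the trust boundaries fall: the broker rejects an unauthenticated user without ever sending anything down the connector link, and the connector only ever opens sockets outward (to the broker and to the app beside it). The single shared link and the lock are a simplification; a real provider multiplexes many sessions over the connector and, as the text warns, becomes the element whose availability and security you must evaluate.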

How to Choose a Zero Trust Solution?

Key considerations for evaluating a zero trust solution include:

  • Is the installation of an endpoint agent required, and what operating systems and mobile devices does it support? How does the agent interact with other agents?
  • Must the customer install and manage the ZTNA broker, does the vendor offer it as a service, or—ideally—is there a hybrid architecture involving both?
  • Do you need a unified endpoint management (UEM) tool for security posture assessments of devices (operating system versions, password and encryption policies, patch levels, and so on)? What options exist for managing these on unmanaged devices?
  • If an anomaly appears within the ZTNA-secured environment, will it be identified using user/entity behavior analytics (UEBA)?
  • What colocation facilities or edge/physical infrastructure does the vendor provide? Are the vendor’s edge locations and/or points of presence (POPs) geographically diverse?
  • Does the solution secure legacy applications as well, or does it only cover web applications?
  • Is the vendor’s vulnerability disclosure policy credible and responsible? Does the vendor continuously test for product vulnerabilities and fix them?
  • Is the licensing model priced per user or bandwidth? How does the vendor charge for overage if you exceed the number of users or allowed bandwidth in your package?

Zero Trust for User Desktops with Hysolate

Hysolate creates Zero Trust for user desktops and workstations by splitting a user’s device into two fully isolated zones, each running its own OS on the latest hypervisor and virtualization-based security technologies. One OS is the user’s untrusted operating system; the other is an instantly provisioned, fully isolated corporate operating system running in a VM. This VM is spun up without any infrastructure cost or image-building work. The corporate VM runs a locked-down operating system and can hold an inaccessible client certificate that vouches for the integrity of the VM.

The ZTA broker would only allow that corporate VM running on Hysolate to have access to sensitive enterprise applications, making it impossible for the end-user to access these applications from any other untrusted environment/device.

IT admins can isolate this corporate VM from the user’s personal OS, with admin-managed controls over clipboard, USB, network, applications, etc., all managed from the cloud.
