Zero Trust Network Access Explained

What is zero trust?

Zero trust is a security model of network architecture that aims to reduce cyber risk and eliminate vulnerabilities. The phrase zero trust refers to the practice of treating every part of the business infrastructure as a potential threat.

Tenets of zero trust

In 2018, the National Institute of Standards and Technology (NIST) of the United States published a document called Zero Trust Architecture that (among other things) formulates the tenets of zero trust. They go as follows:

• All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
• All data sources and computing services are considered resources.
• The enterprise monitors and measures the integrity and security posture of all owned and associated resources.
• All communication is secured regardless of network location.
• Access to individual enterprise resources is granted on a per-session basis.
• Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
• The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

(source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf)

Zero trust architecture is in stark contrast to the traditional castle-and-moat architecture that protects resources behind a secure perimeter, but uses few security measures behind it. Once a potential attacker gets past the main defenses, they have more or less free rein of the infrastructure.

But the zero trust architecture mitigates this by eliminating implicit trust and making all users prove their legitimacy for access constantly, to every resource, and to a high degree of certainty.

Fig. 1 - Legacy approach vs. zero trust access control

All this may sound like the zero trust architecture trades off security for productivity. But when properly implemented, zero trust architectures provide a smooth user experience while providing the following benefits:

• Reduced cybersecurity risk—Zero trust architectures reduce the risk of threat ingress into the network.
• Decreased breach impact—Least-privilege access prevents lateral movement and limits the number of systems affected by a successful intrusion.
• Minimized human error—Strict authentication with multi-factor authentication (MFA) prevents access even if an employee's credentials are compromised as part of a phishing attack.
• Increased observability—Zero trust closes visibility gaps and makes it easier to spot suspicious behaviors in the network early.
• Improved compliance—The zero-trust approach also helps meet the requirements of data protection acts like HIPAA, GDPR, and NIS2.

How does ZTNA work?

Different ZTNA solutions vary in their technological implementation, but they follow the same general mechanisms.

• Identity-based authentication
• Least-privilege access
• Secure connections

Least-privilege access

Least-privilege access means that after successful and satisfactory authentication the user receives access, but this access is limited strictly to those resources the user needs for their work. For instance, developers will only have access to their development tools and repositories, but not CRM or invoicing. This model is known as application segmentation (microsegmentation).

Application segmentation

Application segmentation (microsegmentation), which stands for partitioning the IT environment into smaller segments by restricting access privileges within a multi-SaaS environment. The purpose is to prevent lateral movement if the network is penetrated by a cyber attacker. Lateral movement means the attacker is traversing the network and finding new resources to compromise. But when the infrastructure is segmented the threat remains contained within the pool of resources available to the compromised role.

Network segmentation

Another segmentation method is network segmentation (macrosegmentation), which segments infrastructures on the network level, either by physical devices and connections between them or by L2 partitioning to divide the network into logical segments. Physical macrosegmentation requires a lot of networking knowledge and skill, but modern zero-trust solutions are hardwareless and allow for much easier segmentation and data flow monitoring.

For more detail on application and network segmentation, see this article on Zero Trust Segmentation.

Zero trust access control

Identity-based authentication and least-privilege access (with granular segmentation) are the main building blocks of access control in zero trust.

There are many ways that access control can be implemented, the scope of which would exceed the scope of this article. But if you want to know more, check this Access Control Model Guide.

Often people think that zero trust access control is difficult to set up and maintain, but that ceases to be true. Modern ZTNA-as-a-service solutions, like GoodAccess, make this task much easier, to a point that you don't even need an IT expert on staff.

Zero-trust network access vs VPN

ZTNA and VPN share a use case: secure remote access. But besides that there are substantial differences between them.

Tab. 1—Comparison of ZTNA and VPN.
*This comparison focuses on traditional hardware VPNs

If you're interested in more in-depth comparison, check this article on ZTNA vs VPN.

A sort of middle ground is a business cloud VPN. Business cloud VPNs are SaaS solutions that offer secure remote access with zero hardware requirements. They eliminate the difficulty and cost of managing a legacy hardware-based VPN, but do not offer as robust security controls as ZTNA solutions.