Zero Trust Network Access is a technology that enables remote access to applications based on the zero trust model. Unlike a VPN, it does not grant access to a network; instead, dedicated connections are established at the application level. A broker mediates between client and application and ensures that application access is decoupled from the network level.
What is Zero Trust Network Access (ZTNA)?
The acronym ZTNA stands for Zero Trust Network Access, a concept and technology that provides secure access to a company or organization's applications, controllable at the application level. In contrast to a Virtual Private Network (VPN), no tunnel is set up between the client network and the central corporate network; instead, dedicated application connections are established.
The central element is the Software-Defined Perimeter (SDP), which acts as a kind of broker between client and application. It decouples access rights to the applications from the network level and operates on the basis of the zero-trust model. By default it distrusts all clients, devices and applications, regardless of which network they are on. All services and clients must be verified and authenticated before being granted any form of access.
ZTNA allows application-level micro-segmentation and treats each application connection as a separate environment. Authentication can be identity-dependent or device-based. The concept is well suited for cloud-based and hybrid environments where applications are deployed over a private or public cloud. Applications remain hidden from the Internet despite the use of public clouds.
Difference between ZTNA and VPN
ZTNA and VPN are both technologies that can be used to establish secure remote access to applications over networks such as the Internet. However, they differ fundamentally in their operating principles. With a VPN, an encrypted tunnel is established between the network in which the client is located and the network with the applications.
The client is connected to the application or company network via the encrypted tunnel. It can reach every destination in that network that is enabled for it at the network level, such as application servers.
This concept is only suitable to a limited extent for cloud-based environments in which applications are provided directly as a service on the Internet. This is where Zero Trust Network Access comes into play, decoupling application access from the network layer.
How Zero Trust Network Access works
The most important part of ZTNA is the Software-Defined Perimeter (SDP). It is a self-hosted or vendor-hosted service that acts as a broker between the application and the client. The application side opens an outbound connection to the SDP, so the user reaches the application through the broker rather than through an inbound port exposed to the Internet. Only a user previously authenticated via the broker, or an authenticated device, is granted access to a service registered with the broker.
If access is allowed, the broker establishes a secure connection path without the application being visible on the Internet. An Internet user cannot see which applications are accessible via the Internet or which IP addresses they are reachable at. Access decisions are not made at the network level, because network access is isolated from application access.
Access is granted only to a specific application, not to a network or server as with a VPN. The connections between client and application are encrypted and not visible to outsiders.
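The broker model described above, as an added example that is not part of the original article: a minimal Python simulation of an SDP broker. The identity store, application names, internal addresses and policies are all constructed for the example. Applications register through the connector's outbound call, clients authenticate at the broker first, every connect request is a separate per-application decision, and the client only ever receives an opaque channel id, never the application's internal address.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed identity store standing in for the IdP the broker consults.
IDP = {
    "alice": {"password": "alice-pw", "groups": ["hr"]},
    "bob": {"password": "bob-pw", "groups": ["dev"]},
}

@dataclass
class Identity:
    user: str
    groups: frozenset
    device_trusted: bool  # device-based check, e.g. managed and patched


@dataclass
class Broker:
    apps: dict = field(default_factory=dict)      # app name -> internal connector address
    policies: dict = field(default_factory=dict)  # app name -> (allowed group, needs trusted device)
    sessions: dict = field(default_factory=dict)  # session token -> Identity

    def register_app(self, name, internal_addr, allowed_group, needs_trusted_device=True):
        # Called by the application-side connector over its OUTBOUND connection to the
        # broker; nothing on the application side listens for inbound Internet traffic.
        self.apps[name] = internal_addr
        self.policies[name] = (allowed_group, needs_trusted_device)

    def authenticate(self, user, password, device_trusted):
        # Identity is established at the broker before any application is reachable.
        record = IDP.get(user)
        if record is None or not hmac.compare_digest(record["password"], password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = Identity(user, frozenset(record["groups"]), device_trusted)
        return token

    def connect(self, token, app):
        # Every request is a separate, per-application decision (micro-segmentation).
        ident = self.sessions.get(token)
        if ident is None:
            return ("deny", "unauthenticated")
        if app not in self.apps:
            return ("deny", "unknown application")  # unregistered apps cannot be enumerated
        allowed_group, needs_trusted = self.policies[app]
        if allowed_group not in ident.groups:
            return ("deny", "not authorized for application")
        if needs_trusted and not ident.device_trusted:
            return ("deny", "device not trusted")
        # The broker splices the client onto the connector's tunnel and hands back an
        # opaque channel id; the internal address stored in self.apps is never disclosed.
        return ("allow", f"channel:{app}:{ident.user}")
```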
Applications for Zero Trust Network Access
Possible applications for Zero Trust Network Access are:
- Secure remote work independent of one’s own location (home office or mobile)
- Secure access to services in cloud-based and hybrid environments
- Secure access to multi-cloud environments
- Alternative to remote access via VPN
- Access control at application level