The concept of Zero Trust Network Access (ZTNA) implies that every request to access a resource on the network is a potential threat, and the technology in place should authenticate the user & device for each & every request. This is true for both internal as well as external host devices.
Traditional network & resource security relied on the notion of authenticating the first request, and if the request passed, the source would be allowed continual access. Additionally, many organizations implicitly trusted their assets with little or no authentication or assessment of security posture. This type of security misses threats that originate from internal users/devices. An example would be a user with a laptop being in the office on Monday, working from home on Tuesday, and returning to the office on Wednesday. Should the device still be trusted just because the company owns the laptop? The answer is “of course not”; the laptop could be infected via the home network, or the OS and/or anti-malware definitions may have just become out of date. The ZTNA model requires strict user and host identity verification for attempts to access the network or application. This type of authentication applies whether or not the device and/or user is already within the internal network, which greatly increases access security.
Before you think about your organization’s ZTNA design, having a few technologies in place would be helpful. Before implementing, you must ensure these mechanism(s) will integrate with your intended ZTNA design.
The primary concept of ZTNA is that a user and/or device is treated the same, whether inside the network or external. The same authentication and assessment items are checked regardless of location. For users on the internal network, devices such as a firewall or other proxy device control access by using authentication services such as Active Directory, a RADIUS server, or other authentication services. For external users, a secure tunnel is typically built to a proxy device when the endpoint boots up, creating a secure channel to pass authentication challenges & responses. Only authenticated users/devices will have access to the applications behind the proxy. Advanced designs can also control whether the outbound traffic from an endpoint goes through the proxy for access to protected resources or takes another path directly to cloud SaaS applications.
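To make the location-independent, per-request evaluation concrete, here is an added example (not Layer8's code) that walks the laptop scenario from above through a perimeter-style decision and a ZTNA-style decision. The posture thresholds, user, device and dates are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical posture thresholds (assumptions, not taken from the article).
MAX_AV_DEFINITION_AGE = timedelta(days=3)
MAX_OS_PATCH_AGE = timedelta(days=30)


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool            # identity proven for THIS request, not a prior one
    device_id: str
    corporate_owned: bool
    location: str                 # "office" or "remote"; the ZTNA policy ignores it
    av_definitions_updated: datetime
    os_patched: datetime
    now: datetime


def legacy_decision(req):
    """Perimeter model: trust a company-owned device because it is on the internal network."""
    return req.location == "office" and req.corporate_owned


def ztna_decision(req):
    """Check identity and device posture on every request; location plays no part.
    Returns (allowed, list_of_reasons)."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("user identity not verified for this request")
    if req.now - req.av_definitions_updated > MAX_AV_DEFINITION_AGE:
        reasons.append("anti-malware definitions out of date")
    if req.now - req.os_patched > MAX_OS_PATCH_AGE:
        reasons.append("OS patch level out of date")
    return (not reasons, reasons)


def laptop_week():
    """Constructed scenario: definitions last updated Saturday; the same laptop is in the
    office Monday, at home Tuesday, back in the office Wednesday. Returns {day: (legacy, ztna)}."""
    base = dict(user="alice", mfa_verified=True, device_id="LT-0001", corporate_owned=True,
                av_definitions_updated=datetime(2024, 5, 4, 9, 0),   # Saturday
                os_patched=datetime(2024, 4, 20, 9, 0))
    days = {"Monday": ("office", datetime(2024, 5, 6, 9, 0)),
            "Tuesday": ("remote", datetime(2024, 5, 7, 9, 0)),
            "Wednesday": ("office", datetime(2024, 5, 8, 9, 0))}
    results = {}
    for day, (location, now) in days.items():
        req = AccessRequest(location=location, now=now, **base)
        results[day] = (legacy_decision(req), ztna_decision(req)[0])
    return results
```

On Wednesday the perimeter model still allows the laptop because it is company-owned and back in the office, while the ZTNA policy denies it because its definitions are four days old.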
The short answer is yes. If the endpoint builds an encrypted tunnel to the proxy device and the device can terminate the client VPN, then the ZTNA design can replace your traditional VPN. This is just one of the significant benefits of a ZTNA design.
Some typical steps on an approach to a ZTNA design appear below.
You could stay tuned for more Layer8 ZTNA articles that will provide additional information on the steps above, or you can contact Layer8 – it’s that easy. Call us today for a free consultation to see if your organization is ready for ZTNA.