ZTNA Security: An Overview
Zero Trust Network Access (ZTNA) is an IT security framework for providing secure remote access to an organization’s network. ZTNA security relies on several technologies and clearly defined access control policies to provide fast and secure access, over the internet, to data, applications and IT resources.
ZTNA solutions apply the principles of Zero Trust security to remote connectivity. In a Zero Trust framework, every user, device and application is treated as a potential threat and is granted access to IT resources only after it has been authenticated, and only for as long as it continues to be validated. This approach provides far greater security than traditional solutions that give users broad access to applications and IT resources once they have connected to the network.
Many organizations have adopted ZTNA security solutions to support their hybrid workforces. Traditional solutions for remote access, like VPNs, can’t provide the scalability, control or visibility that IT teams need when managing hundreds or thousands of remote connections. ZTNA technologies are not only easier to implement and manage, but they also provide a much better experience for users.
How ZTNA Security Works
Zero Trust remote access is built on the principles of Zero Trust, a framework designed to improve and simplify security at a time when traditional network perimeters have all but disappeared. Zero Trust security is based on several central principles:
- Zero Trust. While traditional security solutions inherently trust anything already inside the network, Zero Trust environments do not automatically trust anything. Users, devices and applications inside or outside the network must all be constantly authenticated before receiving access to IT resources.
- Least-privilege access. A Zero Trust environment grants permissions on a least-privilege basis, providing access only to the applications and resources a user or device needs to perform a specific task. No user or device holds broad access to resources, so an attacker who does gain a foothold cannot simply move laterally through the IT environment.
- Assumption of a breach. Security teams assume that threats are already in the system and constantly seek to identify them. This more aggressive security posture helps to find and remediate threats earlier.
- Microsegmentation. Security teams segment the network into smaller areas or zones, protecting each with granular access control policies. Microsegmentation may even wrap business-critical workloads, applications and other resources within individual perimeters of control to increase protection.
When applying these principles to network access, ZTNA security services use risk-adaptive policies to decide whether an authenticated user or device should be granted access. Once access is granted, the ZTNA system connects the user to a specific application or resource, and only that resource, through a secure, encrypted tunnel.
ZTNA environments also isolate application access from network access, preventing users who have gained access to the network from automatically having access to the applications on it. ZTNA security hides the network and application infrastructure, preventing unauthorized users from probing to discover assets on the network. Security teams constantly monitor the network and its devices, analyzing traffic to and from each machine to ensure it is legitimate.
ZTNA Security vs. VPNs
When delivering and managing secure remote access to a network, ZTNA security provides significant advantages over VPNs.
- VPNs are designed to protect the network perimeter. Once users have gained access to the network through a VPN, they have broad permission to access its resources. This allows attackers who have accessed the network with stolen credentials or through brute-force attacks to move laterally within the network to exfiltrate data, steal funds and launch additional attacks. In contrast, ZTNA security uses strict access controls to prevent unauthorized users on the network from accessing applications and resources.
- VPNs provide a poor user experience. VPNs require network traffic to be backhauled through a central hub, creating bandwidth and performance issues that adversely impact connectivity. Users may experience poor quality on video calls or latency that hinders productivity. ZTNA security establishes direct connections that ensure fast and secure access to resources in private data centers or the cloud.
- VPNs are difficult to manage and scale. VPNs provide no visibility into users’ activity on the network and no application-level controls. Some VPNs require installation on individual user devices, which may be next to impossible with highly distributed workforces. ZTNA solutions, on the other hand, can log every user action and provide deep visibility into user behavior and risk on the network.
Types of ZTNA Security
To implement ZTNA security, IT teams must adopt several best practices and deploy a handful of technologies from ZTNA providers or network access control vendors.
The two primary categories of ZTNA security are agent-based ZTNA and agentless, or cloud-based, ZTNA. With agent-based ZTNA security, IT teams must install and manage software agents on all endpoint devices. The agent communicates with a ZTNA controller to authenticate users and devices and connect to the requested resources. This approach may be preferable for organizations that wish to discourage the use of unmanaged devices or want to provide secure access to non-web apps.
Agentless ZTNA uses browser-initiated sessions rather than an installed agent. A broker sitting between the user and the requested resource, typically a lightweight ZTNA connector hosted in the cloud, authenticates the user; once the user is authenticated, application traffic flows through the ZTNA service provider. Because nothing has to be downloaded to end-user devices, this option is more manageable for BYOD scenarios.
ZTNA Security with Forcepoint
Forcepoint is the leading user and data security company. Forcepoint ZTNA simplifies secure remote access by allowing IT teams to implement Zero Trust policies easily. Forcepoint verifies remote workers quickly, providing access to only the Zero Trust network apps they need rather than all the apps in internal data centers and private clouds.
With Forcepoint, IT teams can offer agentless access to private web apps on any browser or device. Agentless ZTNA makes controlling access for BYOD and unmanaged devices easy without installing software agents. Forcepoint also offers an agent-based deployment that secures access to non-web servers from managed devices.
Identity and access management
Forcepoint ZTNA integrates easily with existing Identity and Access Management (IAM) systems and third-party SAML-compliant IdPs. Security teams can limit access to private apps like ERP or supply chain servers based on identity, location, device type and group membership. When login attempts look suspicious, Forcepoint can require users to prove their identities through multifactor authentication (MFA).
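The access decision described under How ZTNA Security Works (deny by default, one application per grant, risk-adaptive policy) together with the identity, location, device-type and group checks and MFA step-up listed above, as an added Python example that is not Forcepoint's code; the app names, groups, countries and risk threshold are assumptions made for illustration.

```python
"""Added example, not Forcepoint's code: a minimal ZTNA-style access decision.
Deny by default, grant exactly one named application (never the network), decide
from group, device type and location, and require MFA step-up when the attempt
looks suspicious. Every app, group, country and threshold here is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_managed: bool
    country: str
    app: str
    mfa_passed: bool = False

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset      # who may use the app at all
    usual_countries: frozenset     # logins from elsewhere look suspicious
    require_managed_device: bool   # e.g. non-web apps reached via an agent

# Constructed per-application policy table (the "only that resource" rule).
POLICIES = {
    "erp": AppPolicy(frozenset({"finance"}), frozenset({"US", "DE"}), True),
    "supply-chain": AppPolicy(frozenset({"ops", "finance"}),
                              frozenset({"US", "DE", "IN"}), False),
}

def risk_score(req, policy):
    """Additive risk signals; 3 or more means the login looks suspicious."""
    score = 0
    if not req.device_managed:
        score += 2
    if req.country not in policy.usual_countries:
        score += 3
    return score

def decide(req):
    """Return 'allow', 'step-up' (MFA required) or 'deny' for one request."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return "deny"                   # unknown app: nothing exposed by default
    if not (req.groups & policy.allowed_groups):
        return "deny"                   # least privilege: not entitled to this app
    if policy.require_managed_device and not req.device_managed:
        return "deny"
    if risk_score(req, policy) >= 3:    # suspicious: require MFA before granting
        return "allow" if req.mfa_passed else "step-up"
    return "allow"
```

A real broker would re-run `decide` on each session check rather than once at login, which is the continuous validation the page describes.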
Data loss prevention
To enhance ZTNA security, Forcepoint includes advanced DLP capabilities, including keyword search, advanced regex with pattern proximity detection, exact data match, file fingerprinting, MIME-type detection and more.
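How keyword search, regex with pattern proximity and exact data match differ in practice, as an added Python example that is not Forcepoint's code; the identifier pattern, keywords, proximity window, salt and protected values are all constructed for illustration.

```python
"""Added example, not Forcepoint's code: three of the DLP techniques named above
(keyword search, regex with pattern proximity, exact data match) run over
constructed sample text. The pattern, keywords, salt and protected values are
all constructed for illustration."""
import hashlib
import re

# Constructed: a pattern for a nine-digit identifier in 3-2-4 form, and keywords
# that must appear within WINDOW characters before it for a proximity hit.
ID_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
KEYWORDS = ("ssn", "social security")
WINDOW = 40
SALT = b"constructed-edm-salt"

def build_edm_index(protected_values):
    """Exact data match: store only salted hashes of the real values."""
    return {hashlib.sha256(SALT + v.encode()).hexdigest() for v in protected_values}

def proximity_hits(text):
    """Pattern matches with a keyword nearby (cuts false positives on bare numbers)."""
    lowered = text.lower()
    hits = []
    for m in ID_PATTERN.finditer(text):
        context = lowered[max(0, m.start() - WINDOW):m.start()]
        if any(k in context for k in KEYWORDS):
            hits.append(m.group())
    return hits

def edm_hits(text, index):
    """Pattern matches whose hash is in the protected index (no keyword needed)."""
    return [v for v in ID_PATTERN.findall(text)
            if hashlib.sha256(SALT + v.encode()).hexdigest() in index]

def classify(text, index):
    """'edm' beats 'proximity' beats 'clean'; EDM is the stronger evidence."""
    if edm_hits(text, index):
        return "edm"
    if proximity_hits(text):
        return "proximity"
    return "clean"

# Constructed sample: one protected value and three messages.
EDM_INDEX = build_edm_index(["123-45-6789"])
SAMPLES = {
    "keyword": "Employee SSN: 123-45-6780 is on file for onboarding.",
    "exact":   "Order 123-45-6789 shipped today.",
    "clean":   "Ticket 999-99-9999 closed.",
}
```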
Forcepoint ZTNA deploys cloud-based malware-scanning and advanced detection engines that leverage behavior-based techniques to stop zero-day threats.
Forcepoint ZTNA is part of the Forcepoint ONE platform, which offers over 300 points of presence worldwide. This global presence enables policies to be enforced closer to users and private applications, improving performance and delivering surprising speed. A distributed architecture on AWS scales automatically to maximize performance and has delivered 99.99% uptime since 2015.
Deep visibility and granular reporting
Administrators can use a single dashboard to control access, monitor traffic and enforce policies. Forcepoint logs all activity and associated details, including device type, IP address, geographic location, access time, and more. Forcepoint can also help demonstrate regulatory compliance by showing that regulated data patterns are being protected.
Combined SASE/ZTNA technology
In addition to ZTNA security, Forcepoint’s platform offers other elements of SASE architecture, including a Cloud Access Security Broker (CASB) and a Secure Web Gateway (SWG).