ZTNA - beyond the obvious
With data breaches and cyber attacks occurring on a daily basis, everybody is now talking about Zero Trust. Governments are also playing the ZTNA card: for example, in 2021 the U.S. federal government mandated, by executive order, the implementation of Zero Trust architecture across governmental agencies. A similar approach is seen with Germany's Federal Office for Information Security (BSI).
Beyond the obvious (anybody can define ZTNA, right?), what are the key changes CIOs and admins need to take into account with ZTNA?
No more accessing applications via passwords only: ZTNA always assumes identities are appropriately secured against phishing. This means multi-factor authentication (MFA) is an integral part of the solution.
A client-initiated architecture: software agents or clients deployed on endpoints become more important. Only client-based software can offer the proper security controls (authentication, security posture and context, etc.), as opposed to network-based inspection.
Service-initiated architecture as an alternative to client agents: here, a software connector is installed in the same network as the server application. The connector initiates and maintains an inside-out (outbound) connection to the cloud service, and the cloud service stitches the user's session to that outbound connection. Notice that no inbound connection is opened to internal applications, dramatically reducing the attack surface. Also, the application thus exposed can be consumed via HTTPS by devices with no software agents, enabling BYOD scenarios.
VPN and firewalls are not a necessary part of the solution: in fact, ZTNA can be entirely based on software agents. Notice that both the client-initiated and service-initiated architectures above are entirely independent of firewalls and of inbound connections to services (such as VPN).
Of course, ZTNA still requires strong access controls and micro-segmentation on the server-side network where the applications are located. However, the key takeaway is relying more on software agents, eliminating reliance on passwords alone (MFA), and finally reducing the attack surface by eliminating inbound connections to internal applications (VPN, RDP, HTTPS, etc.).
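The service-initiated, inside-out pattern described above, as an added example that is not part of the original post: a stand-in broker (the cloud service), a connector that only ever dials out, and a protected app that never receives a connection from outside its own network. All three run on localhost here; the ports, names and the one-request exchange are constructed for the demo.

```python
import socket
import threading

# Constructed demo of the service-initiated ("inside-out") pattern: the internal app never
# receives a connection from outside; the connector beside it dials OUT to the broker, and
# the broker stitches the user's session to that outbound leg. Hosts/ports are local stand-ins.

def _listen():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # ephemeral port so the demo runs anywhere
    s.listen(1)
    return s

def internal_app(srv):  # stand-in protected app: answers one request in upper case
    conn, _ = srv.accept()
    with conn:
        conn.sendall(conn.recv(1024).upper())

def connector(broker_port, app_port):  # runs next to the app; only ever connects outbound
    with socket.create_connection(("127.0.0.1", broker_port)) as to_broker:
        request = to_broker.recv(1024)
        with socket.create_connection(("127.0.0.1", app_port)) as to_app:
            to_app.sendall(request)
            to_broker.sendall(to_app.recv(1024))

def broker(conn_srv, user_srv):  # cloud service: waits for the connector's leg, then the user
    from_connector, _ = conn_srv.accept()
    from_user, _ = user_srv.accept()
    with from_connector, from_user:
        from_connector.sendall(from_user.recv(1024))  # user -> connector -> app
        from_user.sendall(from_connector.recv(1024))  # app -> connector -> user

def run_demo(request=b"hello from a byod browser"):
    servers = app_srv, conn_srv, user_srv = _listen(), _listen(), _listen()
    app_port, conn_port, user_port = (s.getsockname()[1] for s in servers)
    threads = [threading.Thread(target=internal_app, args=(app_srv,)),
               threading.Thread(target=broker, args=(conn_srv, user_srv)),
               threading.Thread(target=connector, args=(conn_port, app_port))]
    for t in threads:
        t.start()
    with socket.create_connection(("127.0.0.1", user_port)) as user:  # the only user-facing port
        user.sendall(request)
        reply = user.recv(1024)
    for t in threads:
        t.join()
    for s in servers:
        s.close()
    return reply
```

The only port a user ever talks to is the broker's; the app's port is reachable solely from the connector on its own network, which is the attack-surface reduction the post describes.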
Now, we can state the obvious by asking ChatGPT what ZTNA is:
"Zero Trust Network Access (ZTNA) is a cybersecurity strategy that assumes that all users and devices, both inside and outside an organization's network, are untrusted and must be verified before being granted access to resources. This approach is based on the idea that traditional network perimeter security is no longer sufficient in today's digital environment, where employees often access corporate resources from a variety of devices and locations."
More on client and service-initiated architectures here.