Zero Trust Network Access (ZTNA)

Zero Trust Network Access, or ZTNA, is a new way to connect users to your applications securely. Via ZTNA you control who may access which application(s). ZTNA gives organisations more control over their cybersecurity. In this article you will learn which ZTNA solutions Kappa Data can offer.

On this page Kappa Data informs you about the use of Zero Trust Network Access as an alternative to Virtual Private Network (VPN) connections.

Zero Trust Network Access, what is it?

Since the corona pandemic almost every desk worker works from home from time to time. It is a good fit for work-life balance, but it needs to be done in a secure and easy way.
 
There are a few challenges for remote workers. Most of the time they work from home, but often they are at a customer or in a public wifi environment. And what about the device they are working on? Can they use any device (home computer, office-managed computer, …)? Think of the applications they are trying to access: they can be hosted in the cloud, in a datacenter or on-prem.
 
The general purpose of ZTNA is to trust no one, on any device, from anywhere, and therefore to check everything. Furthermore, the idea is to restrict access to the minimum and only allow what is really necessary, so there is no full network access.

The three pillars of ZTNA:
  • Verify every user
  • Validate devices
  • Limit access

Verify Every User

The user needs to identify himself. Having different applications also means that users have different credentials. Some applications enforce complex passwords, others require MFA, but it gets harder when a simple password is the only requirement. Brute force attacks or rainbow table attacks are never far away.
 
In a perfect world you would expect every application to be linked to an identity provider. But legacy applications are not up to that. Even greenfield companies at some point run into incompatible applications they like or need to use.
 
Building a tunnel network around the users and the applications adds an additional layer of security to the applications: users need to identify themselves even before the application can be launched. If Single Sign-On is supported by both ZTNA and the application, only one authentication is needed. But if the application does not support SSO, you need something like ZTNA to enforce security rules that conform to the company requirements.

Device control

It would be so much easier if everybody only worked on the company-managed laptop. Unfortunately, that's often not the case. A lot of the time people use their private computer, maybe just for a small task, and the same goes for contractors and suppliers.
 
They connect via an unmanaged device. Depending on the product, you can check whether the connecting computer complies with the company policy (e.g. the required antivirus vendor). You can also first register the device and install a certificate on it, so that it becomes a trusted device and the certificate can be part of the authentication process. Some vendors support web browser access without an agent; whether that works depends on the application itself, but it is handy for third-party access.

Use of applications

There are several types of applications. The easiest ones have web-based access: these are flexible in access control and far easier to secure without losing too much usability. The problem we face is that applications run everywhere and access also comes from anywhere.

Public applications
They need to be protected either by public source IP or by authentication redirection. The latter is not really ZTNA, but the former is: the cloud-facing application can only be reached via your ZTNA environment, so compliance rules can be met and the required authentication enforced.
 
Datacenter hosted applications
They can be configured in two ways, depending on what the ZTNA system supports. The most common way is to install a reverse proxy in front of the application. This reverse proxy is often called a gateway. Some vendors allow this gateway to be enabled on their firewall or even deployed as a container. The gateway terminates the micro tunnel (mTLS) that runs from the client agent to the gateway. A fixed IP is needed in this situation.
 
Another option for the datacenter is the reverse connection. Via an agent on the server, or a gateway that connects outbound to a PoP or backend server, the connection is initiated from the server side. This eliminates the need for a fixed IP and can in some cases simplify the setup.
 
Internal applications
 
For internal applications you would not expect to need ZTNA, but the problem is that they are open to everybody on the network. Since segmentation and segregation are required by NIS2, extending the ZTNA way of working to the LAN becomes attractive. One of our vendors offers this; in all other cases a NAC would be recommended.
 

The location

 
Generally, it doesn't matter where you connect from; that's the whole idea of ZTNA. In some cases, though, it can be worthwhile to add checks such as detecting sudden changes of location that are not physically possible, or blocking access from specific regions. That way you can restrict access to sensitive applications to trusted locations only, while less important services remain accessible from everywhere.
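To make the pillars above concrete (verify the user, validate the device, limit access per application, and optionally check location), here is an added Python example written for this article; it is not code from Kappa Data or from any of the vendors discussed. Every request names exactly one application and is denied unless the user's group, MFA status, device enrolment certificate, endpoint posture and location all satisfy that application's policy; it also flags the sudden, physically impossible change of location mentioned above. All users, device fingerprints, policies and timestamps are constructed sample values, and the one-hour impossible-travel window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AppPolicy:
    """Policy for one application: ZTNA grants an application, never the whole network."""
    allowed_groups: FrozenSet[str]
    require_mfa: bool
    require_enrolled_device: bool
    allowed_countries: Optional[FrozenSet[str]] = None  # None means any location


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    mfa_passed: bool
    device_fingerprint: Optional[str]  # client certificate installed at enrolment, if any
    posture_ok: bool                   # agent-reported posture check (e.g. required antivirus present)
    country: str
    timestamp: datetime
    app: str


# Constructed sample data: fingerprints of certificates issued to enrolled devices.
TRUSTED_DEVICES: Dict[str, str] = {"sha256:0c7f-demo-fingerprint": "laptop-alice-001"}

# Constructed sample policies for the application types the article distinguishes.
POLICIES: Dict[str, AppPolicy] = {
    "crm-saas": AppPolicy(frozenset({"sales"}), require_mfa=True, require_enrolled_device=False),
    "erp-datacenter": AppPolicy(frozenset({"finance"}), require_mfa=True,
                                require_enrolled_device=True, allowed_countries=frozenset({"BE", "NL"})),
    "wiki-internal": AppPolicy(frozenset({"staff"}), require_mfa=False, require_enrolled_device=False),
}

# Assumed window: two granted logins from different countries closer together than
# this are treated as a change of location that is not physically possible.
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=1)


def decide(req: AccessRequest, policies: Dict[str, AppPolicy], trusted_devices: Dict[str, str],
           last_seen: Dict[str, Tuple[str, datetime]]) -> Tuple[bool, List[str]]:
    """Evaluate one request. Default deny: access is granted only if no check fails.
    last_seen maps a user to (country, time) of their last granted request; updated on success."""
    policy = policies.get(req.app)
    if policy is None:
        return False, ["unknown application: access is never implicit"]
    reasons: List[str] = []
    if not (req.groups & policy.allowed_groups):
        reasons.append("user is not in an allowed group")
    if policy.require_mfa and not req.mfa_passed:
        reasons.append("MFA required")
    if policy.require_enrolled_device and req.device_fingerprint not in trusted_devices:
        reasons.append("enrolled (certificate-registered) device required")
    if not req.posture_ok:
        reasons.append("device posture check failed")
    if policy.allowed_countries is not None and req.country not in policy.allowed_countries:
        reasons.append(f"country {req.country} not allowed for this application")
    prev = last_seen.get(req.user)
    if prev is not None:
        prev_country, prev_time = prev
        if prev_country != req.country and abs(req.timestamp - prev_time) < IMPOSSIBLE_TRAVEL_WINDOW:
            reasons.append(f"impossible travel: {prev_country} -> {req.country} within {IMPOSSIBLE_TRAVEL_WINDOW}")
    if reasons:
        return False, reasons
    last_seen[req.user] = (req.country, req.timestamp)
    return True, []


def run_demo() -> List[Tuple[bool, List[str]]]:
    """Replay a constructed sequence of requests and return each decision with its reasons."""
    last_seen: Dict[str, Tuple[str, datetime]] = {}
    t0 = datetime(2024, 5, 6, 9, 0)
    alice = dict(user="alice", groups=frozenset({"sales", "finance", "staff"}), mfa_passed=True, posture_ok=True)
    managed, private = "sha256:0c7f-demo-fingerprint", None
    requests = [
        AccessRequest(**alice, device_fingerprint=managed, country="BE", timestamp=t0, app="erp-datacenter"),
        # 20 minutes later from another country: not allowed for ERP and not physically possible
        AccessRequest(**alice, device_fingerprint=managed, country="US",
                      timestamp=t0 + timedelta(minutes=20), app="erp-datacenter"),
        # private laptop without enrolment certificate: the sensitive app is denied ...
        AccessRequest(**alice, device_fingerprint=private, country="BE",
                      timestamp=t0 + timedelta(hours=2), app="erp-datacenter"),
        # ... but the public CRM, which only needs MFA, is still reachable
        AccessRequest(**alice, device_fingerprint=private, country="BE",
                      timestamp=t0 + timedelta(hours=2), app="crm-saas"),
        # a user outside the allowed group, without MFA
        AccessRequest(user="bob", groups=frozenset({"staff"}), mfa_passed=False, posture_ok=True,
                      device_fingerprint=private, country="BE", timestamp=t0, app="crm-saas"),
        # an application nobody published through ZTNA
        AccessRequest(**alice, device_fingerprint=managed, country="BE", timestamp=t0, app="payroll-legacy"),
    ]
    results = []
    for req in requests:
        allowed, reasons = decide(req, POLICIES, TRUSTED_DEVICES, last_seen)
        results.append((allowed, reasons))
        print(f"{req.user:6} {req.app:15} {req.country} -> {'ALLOW' if allowed else 'DENY '} {'; '.join(reasons)}")
    return results


if __name__ == "__main__":
    run_demo()
```

The decision function returns every failed check rather than stopping at the first one, which is what you want in the access log: an analyst sees at a glance that the second request failed both the location policy and the impossible-travel check, not just one of them.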

Zero Trust Network Access solutions at Kappa Data

At Kappa Data we see different suppliers offering Zero Trust Network Access solutions, which can work separately on every device. Depending on your needs or requirements, Kappa Data can give you advice regarding each solution.

Zero Trust Network Access of Barracuda Networks

A few years ago Barracuda bought Fyde and rebranded it to CloudGen Access. Today they are rewriting this product and integrating it into SecureEdge, their SASE solution. Since SecureEdge has different deployment options, you have wide flexibility to choose the best fit for your use case.
 
Barracuda also has a “light” version included in their Email Protection Plan to secure access to Office 365 environments.
If the environment already has Barracuda CloudGen firewalls in place, the gateway can be activated on the firewall itself, making it very easy to deploy.

Zero Trust Network Access Cato Networks

If you prefer ZTNA deployed in a SASE way, you should look at CATO Networks. From the ZTNA perspective, they put a (virtual or hardware) socket in front of an application, but that could just as well be an IPsec tunnel.
 
Users never connect their agent to a socket or a gateway, but always to the CATO backbone (via a PoP, Point of Presence). These PoPs are located all over the world and are linked together via low-latency fiber connections.
 
This guarantees very fast (low-latency) connections between the users and their applications. Agents automatically select the best available PoP, totally transparent to the users. All is managed from the same portal as the firewall rules, endpoint protection, XDR and all other CATO components.

Extreme Networks Universal Zero Trust Network Access

In a combined solution for a secured local LAN plus public and hosted applications, UZTNA from Extreme Networks is the product to look at. Next to the traditional ZTNA technology, Extreme adds a cloud NAC technology that secures the internal network by dynamically selecting a VLAN depending on the user or the device. The strength is in the combination: whether a user is on the internal LAN or external, the user always gets the fastest connection and is fully secured.

 
More information about Universal ZTNA can be found on the page related to UZTNA.

Juniper Secure Edge

A while ago Juniper acquired 128 Technology, which specialised in SD-WAN connectivity. This product is now integrated into the award-winning Mist platform, giving full visibility into end-to-end traffic between users and applications.
 
Bringing wired networks into this platform placed them high in the Gartner Leaders quadrant. We expect to see the same once 128 Technology is fully integrated and has become their SASE solution. And that is where ZTNA fits in: the SASE solution is called Secure Edge and has a ZTNA feature for secure user access and visibility.

Sophos Zero Trust Network Access

Strong in small and medium-sized enterprises, and with a clear view on managed security, Sophos extends its secure connectivity offering with ZTNA. As we know them, everything is centrally cloud-managed from their portal called "Sophos Central". Since the Sophos firewalls can be used as gateway and the Intercept X agents as client, implementation is almost as easy as ticking a box.
 
You choose Sophos if you want an easy-to-manage and affordable all-in-one solution.

Why choose Zero Trust Network Access?

Zero Trust Network Access (ZTNA) is gaining popularity among organizations looking to bolster their cybersecurity defenses. This approach fundamentally shifts the security paradigm to “never trust, always verify,” ensuring that every access request is authenticated, authorized, and encrypted before granting access to resources. This rigorous verification process significantly reduces the risk of unauthorized access and lateral movement within the network.

One of the primary benefits of ZTNA is its ability to minimize the attack surface. By concealing network resources from unauthorized users, ZTNA makes it considerably harder for attackers to discover and exploit vulnerabilities. This ensures that only authenticated and authorized users can see and access sensitive resources, thus enhancing overall security.

ZTNA also offers improved visibility and control over network activities. Detailed logging and monitoring of access requests provide insights into who is accessing what resources and when. This enhanced visibility helps organizations quickly identify and respond to suspicious activities, bolstering their defense mechanisms.

In the era of remote work, traditional perimeter-based security models have become less effective. ZTNA supports secure access to corporate resources from any location and device, ensuring that remote workers can operate securely. This capability is crucial as the workforce becomes increasingly mobile and dispersed.

Another advantage of ZTNA is its granular access control. It enables fine-grained policies based on the user’s identity, device posture, and context of the access request. By ensuring users have only the minimum necessary access, ZTNA reduces the risk of insider threats and unauthorized access to sensitive information.

Implementing ZTNA can also simplify security architecture by eliminating the need for traditional VPNs and complex network segmentation. This simplification can lead to cost savings in terms of infrastructure and management overhead, making ZTNA an economically attractive option.

Compliance and regulatory requirements regarding data protection and access controls are stringent in many industries. ZTNA helps organizations meet these requirements by providing robust access controls and detailed audit logs, which are essential for regulatory compliance.

ZTNA is particularly well-suited for modern IT environments that include cloud services, SaaS applications, and hybrid infrastructures. It provides consistent security policies across on-premises and cloud environments, ensuring comprehensive protection.

By continually verifying access requests and limiting the exposure of sensitive resources, ZTNA enhances resilience against breaches. This approach helps contain threats more effectively and minimizes the potential impact of security incidents.

Finally, ZTNA can improve the user experience by offering seamless and secure access to resources without the need for cumbersome VPN connections. This ease of access ensures that users can efficiently perform their tasks while maintaining robust security measures.

In summary, ZTNA provides a robust, flexible, and scalable approach to network security that aligns well with the evolving threat landscape and modern IT practices. Its comprehensive benefits make it an attractive choice for organizations aiming to enhance their cybersecurity posture.

Frequently asked questions

Check our FAQ section, where you can find the questions most frequently asked to us during the last months.

  • How does ZTNA differ from traditional VPN connections?

    ZTNA differs from traditional VPN connections in several key ways:

    • Granular Access Control: ZTNA grants access only to specific applications or resources based on verified user identities and device compliance, rather than providing broad network access like VPNs.
    • Continuous Verification: ZTNA continuously verifies user and device credentials during each access attempt, while VPNs typically authenticate users only at the beginning of the session.
    • Least Privilege Principle: ZTNA operates on the principle of least privilege, limiting users’ access to only the resources they need, reducing the risk of lateral movement within the network.
    • Cloud Readiness: ZTNA is designed to secure access to both on-premises and cloud-based resources, making it more suitable for modern hybrid and multi-cloud environments.
  • How does ZTNA improve user experience compared to VPN connections?

    ZTNA improves user experience in several ways:

    • Seamless Access: Provides users with seamless access to applications without the need to establish and manage a separate VPN connection.
    • Reduced Latency: Directly connects users to the applications they need, often resulting in lower latency and faster performance.
    • Simplified Connectivity: Eliminates the complexity of VPN configurations and maintenance, making it easier for users to connect securely.
    • Adaptive Access Policies: Dynamically adjusts access policies based on user context and behavior, providing a more flexible and user-friendly experience.
  • What are the key components of a ZTNA solution?

    Key components of a ZTNA solution include:

    • Identity and Access Management (IAM): Ensures user identities are verified and access policies are enforced based on user roles and attributes.
    • Device Posture Assessment: Evaluates the security status of devices before granting access to ensure compliance with organizational policies.
    • Micro-Segmentation: Divides the network into smaller, isolated segments to apply more precise security controls and limit access.
    • Contextual Access Policies: Enforces access policies based on contextual factors such as user location, device type, and behavior.
    • Continuous Monitoring: Continuously monitors user and device activity to detect and respond to anomalies in real-time.
  • What is Zero Trust Network Access (ZTNA)?

    Zero Trust Network Access (ZTNA) is a security model that assumes no user or device, whether inside or outside the network, should be trusted by default. Instead, ZTNA continuously verifies every access request using strict identity verification, device compliance checks, and context-based security policies before granting access to applications and data.

Contact us for a demo

Are you curious to learn how Kappa Data can help you deliver the right Zero Trust Network Access solution? Contact us for a demo via the button below.

Ask for a demo