The Zero Trust Network Access (ZTNA) Puzzle Piece in SASE
Introducing the Zero Trust Network Access (ZTNA) component of the Zero Trust Architecture (ZTA), and how ZTNA links to the Secure Access Service Edge (SASE) framework.
The component of ZTA that forms a puzzle piece of SASE is Zero Trust Network Access, or ZTNA. What are ZTA and ZTNA? Let's first look at the definition of both acronyms.
To place ZTNA in the context of SASE: zero trust is a philosophy and an architectural goal, while SASE is a framework for implementing zero trust concepts and furthering its goals. Those goals include the following: that all connection requests should be considered potentially hostile, regardless of where they originate; that even approved access should be restricted, with connections set up under a policy of least-privilege access; and that those connections should be continuously monitored, with authorization reassessed as appropriate.
Secure Access Service Edge (SASE) merges network traffic and security priorities, ubiquitous threat and data protection, and ultra-fast, direct network-to-cloud connectivity. A SASE solution should enforce uniform and ubiquitous security for a user from any location to any application, regardless of the port or protocol in use, and should detect and prevent malicious activity in both directions, since the threat may be an insider or a user inadvertently connecting from an already-infected host.
To understand how SASE supports a zero trust architecture, reference NIST Special Publication 800-207, which defines Zero Trust as an approach primarily focused on data and service protection that can and should be expanded to include all enterprise assets (devices, infrastructure components, applications, virtual and cloud components) and subjects (end users, applications, and other non-human entities that request information from resources). At the highest business level, there are seven fundamental principles, or pillars, of Zero Trust, shown below; ZTNA is inherently embedded within the "Network" pillar of ZTA:
Zero Trust is a strategic approach that replaces implicit trust with continuously assessed explicit trust. It is based on identity and context, supported by security infrastructure that adapts to an organization's risk appetite to improve security maturity. The key puzzle piece of ZTA that links to the SASE framework is the Network pillar, which rests on the vital principle "Never implicitly trust; always verify before allowing access." That pillar of ZTA is defined as ZTNA, Zero Trust Network Access. A hybrid work environment requires applying zero trust principles to govern the behavior of consumers, devices, networks, applications, and data, increasing confidence in policy enforcement everywhere. By evaluating several contextual elements (user role and identity, device identity and security posture, time of day, the sensitivity level of the data, and more), the resource's Policy Enforcement Point can determine an appropriate level of confidence, or trust, only for that specific interaction and only for that resource. ZTNA connects consumers anywhere, using any device, to corporate resources everywhere while continuously evaluating context and adapting to reduce risk.
ZTNA must encompass the following characteristics to prevent lateral movement within the network:
- Ensure all resources can be securely accessed, regardless of their location.
- Leverage a least-privileged access strategy and strictly enforce access control.
- Inspect and log all traffic.
ZTNA also leverages continuous monitoring of user activity to ensure that the least privilege model remains throughout the entirety of the session, and any deviance results in the termination of the session.
The use cases for Zero Trust Network Access within a SASE framework are the following:
As organizations develop their roadmap for SASE, they must also consider a core pillar of ZTA by outlining a ZTNA strategy that links the Network (WAN) Edge to the Security Service Edge within a SASE architecture. The figure below shows an example of an organizational security roadmap focusing on components within the ZTNA slice of a ZTA architecture.
Advancements within Zero Trust have produced a second version of Zero Trust Network Access; at the time of this writing there is Version 1.0 and Version 2.0. ZTNA 1.0 is designed to provide secure remote access to private resources without requiring a traditional VPN (Virtual Private Network) or proxy server. It essentially gave consumers access to a resource without much added benefit beyond mitigating "trust" as a vulnerability. You cannot consider ZTA/ZTNA without the core function of identity. Traditionally, identity has meant identifying the end user. ZTNA 1.0 accomplishes this by employing credentials, SAML, or device compliance, then applying a security policy once to authorize access to a resource, possibly with a NAC (Network Access Control) solution.
What exactly is identity with context? Think of it as the new security perimeter. Using SSE for identity with context leads to logical boundaries for precise, least-privilege access that is continuously evaluated. In turn, it can accelerate an organization's path to zero trust by providing an easier way to validate initial access to the network and to re-validate network connections repeatedly, continuously evaluating and assessing the risk of that access. The concept of identity as the new perimeter allows organizations to leverage existing analytics and data to enhance secure connectivity and to gather the various attributes used for connectivity and security decisions.
ZTNA Version 1.0
- Provides remote access to private resources on an "allow-then-ignore" model.
  - Trusting a user or device for an entire session after one-time verification is a security risk. A lot can change after the verification, such as the remote device becoming compromised or stolen.
- Limited authentication protocols
  - SAML and Open Authorization (OAuth)
- Limited security tools integration
  - Firewalls and endpoint protection
- Basic risk analysis
  - One-time device trust and risk scoring
ZTNA Version 2.0
- If a user's or device's behavior changes significantly, the solution requires them to verify again.
- Additional authentication protocols
  - OpenID Connect and Web Authentication (WebAuthn)
- New features and capabilities
  - Extensive integration capabilities
- Comprehensive, continuous, and accurate risk assessment
  - Behavioral analysis and machine learning capabilities
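To make the difference between the two models concrete, here is an added example (not code from the original article or from WWT) of a policy decision evaluated from request context, as described above for the Policy Enforcement Point, and a session object that either ignores later context (the 1.0 "allow-then-ignore" model) or re-evaluates it on every request and terminates on deviance (the 2.0 model). The policy table, context fields and resource names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Context:               # signals the Policy Enforcement Point forwards per request
    role: str
    device_compliant: bool   # endpoint posture check passed
    mfa_verified: bool
    hour: int                # local hour of day, 0-23

# Constructed policy table (hypothetical): resource -> permitted roles, sensitivity
POLICY = {
    "hr-payroll": {"roles": {"hr"}, "sensitivity": "high"},
    "wiki": {"roles": {"hr", "eng"}, "sensitivity": "low"},
}

def evaluate(ctx, resource):
    """Policy decision: explicit, per-resource, least-privilege, default deny."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown resource (default deny)"
    if ctx.role not in rule["roles"]:
        return False, "role not permitted for resource"
    if not ctx.device_compliant:
        return False, "device posture non-compliant"
    if rule["sensitivity"] == "high":
        if not ctx.mfa_verified:
            return False, "MFA required for high-sensitivity resource"
        if not 8 <= ctx.hour < 18:
            return False, "high-sensitivity access outside business hours"
    return True, "ok"

class Session:
    """Application-specific session; continuous=False is the 1.0 allow-then-ignore model."""
    def __init__(self, ctx, resource, continuous):
        self.resource, self.continuous = resource, continuous
        self.active, self.reason = evaluate(ctx, resource)

    def request(self, ctx):
        """Forward one request; under continuous evaluation any deviance ends the session."""
        if self.active and self.continuous:
            self.active, self.reason = evaluate(ctx, self.resource)
        return self.active

def compare():
    """Same user's device later fails posture (e.g. compromised): 1.0 keeps access, 2.0 revokes."""
    healthy, degraded = Context("hr", True, True, 10), Context("hr", False, True, 10)
    v1 = Session(healthy, "hr-payroll", continuous=False)
    v2 = Session(healthy, "hr-payroll", continuous=True)
    return v1.request(degraded), v2.request(degraded)   # (True, False)
```

Once a session has been terminated it stays closed; a fresh evaluation of the current context is required to open a new one.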
The strategy's motto is "Never trust, always verify," which translates into a least-privilege access model ensuring that even when rogue entities enter networks, they cannot move laterally. Implementing least-privileged access reduces risk by limiting the organizational attack surface. Implementing a Zero Trust strategy dramatically increases visibility, helping organizations monitor and analyze all activities. Zero Trust is essentially a security framework defined by architecture. The framework replaces the implicit trust granted in a traditional approach with a risk-based, "least privileged" system that extends across consumers, devices, networks, apps, workloads, and data.
Zero trust network access (ZTNA) is the modern remote access solution built on the principle of zero trust. Because ZTNA only grants application-specific access, not network access, it eliminates unauthorized lateral movement. With ZTNA, there is no inbound connectivity to the enterprise network and the resources remain hidden from discovery, reducing the digital attack surface.
More organizations are trying to understand how to approach ZTA by requesting briefings with our security experts at WWT. Our team of experts will also work with your organization to identify several "next steps" that can be taken to address your challenges, whether through deep-dive workshops, assessments, or service engagements.
We at WWT like to begin the journey with our customers in Working Sessions, where we provide briefings on technologies such as SASE and ZTA. Through the SASE channel we currently offer Evaluation Analysis, Briefings, On-Demand Labs, and Workshops, one outcome of which is delivered to our customers in a "SASE Workshop". For customers who are already on the SASE journey and are getting started with ZTA, we have resources from our Cyber Security team as a starting point, such as the Zero Trust Briefing and Enterprise Segmentation Workshop.
Additional tools are:
The Zero Trust Accelerator is used to determine the maturity of the existing state of each pillar and to provide an improvement plan (roadmap) with deliverables such as:
- Zero Trust Roadmap and Strategy
- Assess Pillar Maturity, Strategy Development, and Roadmap for Improvement
- Business-aligned governance recommendations for Zero Trust
- Zero Trust Architectural Approach and Recommendations
- Zero Trust gap analysis and prerequisite needs
If your organization is seeking assistance with SASE or ZTNA, please request a briefing with our SASE team. If your organization aims to implement the complete Zero Trust Architecture, you can request a briefing with our Cybersecurity experts.