ZTNA
What is Secure Remote Access?
Secure remote access is a combination of security methods and technologies that allow outside end entities to connect to networks without compromising digital assets or exposing the networks to unauthorized parties. Remote users may be logging in from many unsecured networks, such as the public Wi-Fi of a coffee shop. Users remain the main conduit by which bad actors gain access to the network: more than 60% of all breaches involve user credentials that were stolen or hacked.
How is Remote Access Secured?
Secure access has all or most of these features, depending on how you configure "Remote Secure Access":
Data Privacy: A state in which information is concealed from the public and privy only to select people.
Data Integrity: The accuracy and consistency of data over its lifecycle.
Authentication: The process of verifying the identity of a person or thing.
Authorization: The function of specifying access rights to resources.
Accounting: The record-keeping and tracking of agent activities on a computer network.
How does ZTNA Compare to VPN?
A VPN is a private connection across a public network that enables a user to exchange data safely with a private network, as if their computing device was directly connected to the private network.
Site-to-Site VPN: a connection between two or more networks, such as a corporate network and a branch office network.
What is ZTNA?
ZTNA establishes a secure session between an end entity and a network, while ensuring granular control over access to resources and exercising zero trust, regardless of the location of either the end entity or the network. Part of the zero trust principle is the practice of least privilege access: users are granted access only to the resources necessary to fulfil their job requirements, and no more.

As a network security concept, zero trust operates under the premise that no user or device, inside or outside the network, should be trusted unless their identity and security status have been thoroughly checked. Zero trust assumes that threats, both outside and inside the network, are omnipresent, and that every attempt to access a network or an application is a threat.

So, regardless of whether the end entity is remote or on-premises, the connecting computing device automatically establishes an encrypted session with the network. Specifically, this connection takes place between a ZTNA client at the end entity and the ZTNA access proxy, which could be a firewall. The proxy hides the location of the requested applications from the outside, and directs the client's request to the application, which could be on-site or in the cloud, only if the user meets the access requirements. The other ZTNA components are authentication and security. Because the user is identified through authentication against an on-premises backend server or an Identity-as-a-Service (IDaaS) provider, policy can be applied based on user roles.

The ZTNA policy server also enforces policy to control access, specifically to applications. For example, access could be based in part on geolocation: if the remote device is connecting from an unexpected point in the world, access to an application could be denied or privileges reduced. Likewise, if a device fails a security sanity check, the user could be denied access. Security is composed of firewalls and the ZTNA access proxy, which control access and protect application resources.
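The access decision described above (authenticated identity, user role, device sanity check and geolocation, re-evaluated on every request, with the application's real location kept behind the proxy) can be made concrete with a small policy evaluator. This is an added example, not Fortinet code or any vendor's implementation; the application names, roles, posture fields, country codes and backend addresses are all constructed placeholders.

```python
"""Toy ZTNA access-proxy policy decision, modelled on the flow described above.

Added example, not vendor code: the application names, roles, policy fields,
posture checks and backend addresses are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_REDUCED = "allow-reduced-privilege"
    DENY = "deny"


@dataclass(frozen=True)
class Identity:
    """Result of authenticating the user against the IdP (on-prem backend or IDaaS)."""
    user: str
    roles: frozenset
    authenticated: bool


@dataclass(frozen=True)
class DevicePosture:
    """Security sanity check reported by the ZTNA client for this request."""
    device_id: str
    disk_encrypted: bool
    av_running: bool
    os_patched: bool

    def healthy(self) -> bool:
        return self.disk_encrypted and self.av_running and self.os_patched


@dataclass(frozen=True)
class AppPolicy:
    """Per-application rule the policy server hands to the access proxy."""
    name: str
    backend: str                      # real location; never returned to the client
    allowed_roles: frozenset
    allowed_countries: frozenset      # full access from here
    reduced_countries: frozenset = frozenset()  # unexpected but tolerated: reduced privilege


# Constructed sample policy (placeholder names and addresses, not a real deployment).
POLICIES = {
    "payroll": AppPolicy("payroll", "https://10.0.20.5/payroll",
                         frozenset({"finance"}), frozenset({"US"}), frozenset({"CA"})),
    "wiki": AppPolicy("wiki", "https://wiki.internal.example",
                      frozenset({"finance", "engineering"}), frozenset({"US", "CA", "DE"})),
}


def evaluate(app: str, ident: Identity, posture: DevicePosture, country: str):
    """Decide, per request, whether the proxy forwards to the application.

    Every call re-checks user, device and location; nothing is carried over
    from an earlier session, which is the zero-trust point.
    Returns (Decision, reason).
    """
    policy = POLICIES.get(app)
    if policy is None:
        return Decision.DENY, "unknown application"   # proxy reveals nothing about unknown apps
    if not ident.authenticated:
        return Decision.DENY, "user not authenticated"
    if not posture.healthy():
        return Decision.DENY, "device failed posture check"
    if not (ident.roles & policy.allowed_roles):
        return Decision.DENY, "role not permitted for application"
    if country in policy.allowed_countries:
        return Decision.ALLOW, "all checks passed"
    if country in policy.reduced_countries:
        return Decision.ALLOW_REDUCED, "unexpected geolocation; privileges reduced"
    return Decision.DENY, "geolocation not permitted"


def proxy_request(app: str, ident: Identity, posture: DevicePosture, country: str) -> dict:
    """The response the client sees from the access proxy.

    The backend address is used only to forward the request (stubbed here)
    and never appears in anything returned to the client.
    """
    decision, reason = evaluate(app, ident, posture, country)
    if decision is Decision.DENY:
        return {"status": 403, "app": app, "reason": reason}
    target = POLICIES[app].backend   # where the proxy would forward; not disclosed
    forwarded = target.startswith("https://")
    return {"status": 200 if forwarded else 502, "app": app, "privilege": decision.value}


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"finance"}), True)
    laptop = DevicePosture("laptop-1", True, True, True)
    print(proxy_request("payroll", alice, laptop, "US"))
    print(proxy_request("payroll", alice, laptop, "CA"))
```

The order of checks mirrors the text: identity first, then the device's security state, then role, then geolocation, and a failure at any step ends in a 403 without the client learning where the application lives.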
ZTNA Workflow
Unlike IPsec VPN, but similar to SSL VPN, ZTNA is vendor specific. This means that each vendor can implement ZTNA in a way that best suits their specific requirements.
The diagram on this slide shows the Fortinet ZTNA solution. The Fortinet ZTNA client is FortiClient.
How Does Fortinet ZTNA Work?
Traits | IPsec VPN | SSL VPN | ZTNA |
---|---|---|---|
Secures what level(s) of the OSI model? | Network | Transport to Application | Transport to Application |
What implementation is required at the client? | VPN client application | Web browser application or an SSL VPN client application | ZTNA client |
What access control to network resources exists after a session is established? | No access control after a user has established a VPN connection. | Some granular access control, as SSL connects users to specific apps and services, such as an email app. | Granular access control to specific applications. Access control is based on user roles / policy, plus ongoing security checks of the connected devices. |
Authentication | Authentication takes place between the VPN client application and the private network. | Authentication takes place by way of a login prompt from the browser after the SSL session is established. | Both the user and the device go through an authentication process and are re-identified and checked each time access to an app is requested. |
Tunnel type | IPsec tunnel only | Session-based or tunnel | Session-based only |
Category | Industry standard | Vendor specific | Vendor specific |
Configuration