Although many networking and security vendors use terms that include the phrase zero trust, not everyone is using it to mean the same thing. Adding to the potential for confusion are the terms zero trust access (ZTA) and zero trust network access (ZTNA), which often are used interchangeably. With so many similar terms and acronyms floating around, it’s important to make sure you understand what a vendor is actually talking about when you're discussing solutions.
I often talk with several customers each week and I’ve certainly seen a rising trend in requests to discuss our zero-trust solution. Most times, customers are looking for a broad overview to start their research into the topic. A small percentage want to dig into the details of our ZTNA solution. By listening to their questions and asking a few confirming questions, it is easy to determine where they are in the discovery process.
The concept of zero trust came about because the old network security model of “inside means trusted” and “outside means untrusted” no longer works. This perimeter-based approach has been tweaked over the years using virtual private networks (VPNs) and demilitarized zones (DMZs) to deal with new challenges such as users becoming mobile and business partners outside the network that need access. But this perimeter-based approach has an inherent drawback for today’s highly complex networks: it grants excessive implicit trust. Once you’re connected, whether directly or using a VPN, you are then trusted alongside the rest of the “internal network.”
The zero-trust model moves security away from implied trust that is based on network location. Instead, it focuses on evaluating trust on a per-transaction basis. With zero trust, network location or IP address no longer conveys an implication of trust. The zero-trust model stipulates that trust should be explicitly derived from a mix of identity and context-based aspects.
The name comes about because when it comes to network access, zero trust starts with a default deny posture for everyone and everything. (In other words, zero trust.) Using a zero-trust model, whenever a user or device requests access to a resource, they must be verified before access is given. That verification is based on the identity of the users and devices, plus other attributes and context, such as time and date, geolocation, and aspects of the device security posture.
After the device and user is verified, only the appropriate trust required is granted. Access is given based on the principle of least privilege. If a user requests access to an HR application and is verified, access to that application is the only access he is granted.
Just because users have been given access to something doesn’t mean that they now can see anything else. Access means only granting access to a specific resource, not the entire network. A key element of the zero-trust model is that the trust must be continually reevaluated. If important attributes of the user or device change, the verification may be revoked and access removed.
Zero trust access (ZTA) is about knowing and controlling who and what is on your network. Role-based access control is a critical component of access management. Only by knowing definitively who a user is can the appropriate level of access be granted based on their role. Is the user an employee, a guest, or a contractor? What is their role and what network access rights does that role entitle them to?
ZTA covers user endpoints where management control and visibility is required. Aligning to the zero-trust model means implementing a least access policy that grants the user the minimum level of network access required for their role and removing any ability to access or see other parts of the network.
But ZTA doesn't focus solely on who is on the network; it also incorporates security for what is the on network. The ever-growing profusion of network-connected devices can include a host of IoT devices that can range from printers to heating and ventilation devices and door access systems. These devices do not have a user name and password to identify themselves and a role. For these "headless" devices, network access control (NAC) solutions can be used to discover and control access. Using NAC policies, the zero trust principles of least access can be applied to these IoT devices, granting sufficient network access to perform their role and nothing more.
Zero trust network access or ZTNA is becoming an industry standard term, thanks to Gartner and other analysts. Unfortunately, ZTNA isn't the most obvious naming convention, because although it’s called zero trust network access, it’s really all about brokered access for users to applications. So it might have been clearer to call it zero trust application access, but for better or worse, it's ZTNA. A key takeaway is that ZTNA is an element of the larger ZTA proposition.
Because of the rise in remote working, ZTNA has received more attention lately because it's a way of controlling access to applications regardless of where the user or the application resides. The user may be on a corporate network, working from home, or someplace else. The application may reside in a corporate data center, in a private cloud, or on the public internet.
Although traditional VPNs have been a mainstay for decades, ZTNA is the natural evolution of VPN and offers better security, more granular control, and a better user experience in light of the complexity of today’s networks, so it can be a smarter choice for securely connecting a remote workforce.
With a traditional VPN, the assumption is that anyone or anything that passes network perimeter controls can be trusted. But ZTNA takes the opposite approach: no user or device can be trusted to access anything until proven otherwise. Unlike a VPN, ZTNA extends the zero-trust model beyond the network and reduces the attack surface by hiding applications from the internet.
Because people access resources outside of a traditional network, the perimeter is dissolving and trust can’t be granted based on location anymore. So when you're reading about zero-trust solutions, the key thing to remember is that used generically, the term zero trust simply means no one should automatically be trusted; once verified, only limited access should be given; and re-verify. Building on that concept, ZTA focuses on understanding who and what is accessing the network, and ZTNA revolves around application access and is often discussed as an alternative to using a VPN.