How Does a ZTNA Work


While the specific tools used to implement Zero Trust Architecture may vary, implementing a Zero Trust Architecture project calls for some key functions:

  • Application vs. network access: 
    ZTNA treats application access separately from network access. Connecting to a network does not automatically grant a user the right to access an application.
  • Hidden IP addresses: 
    ZTNA does not expose IP addresses to the network. The rest of the network remains invisible to connected devices, except for the application or service they are connected to.
  • Device security: 
    ZTNA can incorporate the risk and security posture of devices as factors in access decisions. It does this by running software on the device itself (see "Agent-based ZTNA vs. service-based ZTNA" below) or by analyzing network traffic to and from the device.
  • Additional factors: 
    Unlike traditional access control, which only grants access based on user identity and role, ZTNA can evaluate risks associated with additional factors like user location, timing, and frequency of requests, the apps and data being requested, and more. A user could sign in to a network or application, but if their device is not trusted, access is denied.
  • No MPLS: 
    ZTNA uses encrypted Internet connections over TLS instead of MPLS-based WAN connections. Traditional corporate networks are built on private MPLS connections. ZTNA is built on the public Internet instead, using TLS encryption to keep network traffic private. ZTNA sets up small encrypted tunnels between a user and an application, as opposed to connecting a user to a larger network.
  • IdP and SSO: 
    Most ZTNA solutions integrate with separate identity providers (IdPs), single sign-on (SSO) platforms, or both. SSO allows users to authenticate identity for all applications; the IdP stores user identity and determines associated user privileges.
  • Agent vs. service: 
    ZTNA can either use an endpoint agent or be based in the cloud. The difference is explained below.
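
The access decision described in the list above can be sketched as a per-application, default-deny check. This is an added example, not code from any ZTNA product; the Request fields, the POLICY table and the decide function are hypothetical names, and the policy values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    app: str
    device_trusted: bool   # posture from an endpoint agent or traffic analysis
    country: str
    when: datetime         # timezone-aware timestamp of the request
    recent_requests: int   # requests by this user in the last minute

# Constructed policy: one entry per application. There is no network-wide
# grant, so being "on the network" gives access to nothing by itself.
POLICY = {
    "payroll": {"roles": {"finance"}, "countries": {"DE", "FR"},
                "hours": range(7, 20), "max_rpm": 60},
    "wiki":    {"roles": {"staff", "finance"}, "countries": None,
                "hours": range(0, 24), "max_rpm": 300},
}

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason); anything not explicitly allowed is denied."""
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "no policy for application"
    # Identity and role: the traditional check, necessary but not sufficient.
    if not req.roles & rule["roles"]:
        return False, "role not entitled to application"
    # Device security: a valid sign-in from an untrusted device is refused.
    if not req.device_trusted:
        return False, "device not trusted"
    # Additional factors: location, timing and frequency of requests.
    if rule["countries"] is not None and req.country not in rule["countries"]:
        return False, "location not permitted"
    if req.when.astimezone(timezone.utc).hour not in rule["hours"]:
        return False, "outside permitted hours"
    if req.recent_requests > rule["max_rpm"]:
        return False, "request frequency too high"
    return True, "allowed"
```

Every denial carries a reason string, which is what an access log would need to record for later review.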

Explaining the Zero Trust Framework

So, you are ready to create your zero-trust network?
Implementing zero trust principles within an organization’s environment requires the development of a zero trust network.
A zero-trust network implements and enforces zero trust policies, such as zero-trust network access (ZTNA) or Software Defined Perimeter (SDP), consistently across an organization’s entire environment.

In this blog post, I have prepared some tips to help you decide whether you really need ZTNA for this app.