What is Zero Trust Network Access (ZTNA) and Why Does it Matter?

Security is not something that's simply tacked on to an existing system. It's a fundamental aspect of that system's design. This is especially true of computer networks and systems. When they were designed, the concept of network security was very different than today. The early pioneers of these technologies had no way of foreseeing the modern internet or how widespread computing would be in day to day life. This is why the concept of ZTNA - Zero Trust Network Access, is becoming important as a way to design the inherent security flaws in traditional networks away.

What Does "Zero Trust" Mean?

With traditional network security models, there is a certain level of so-called "implicit" trust. In other words, once you've passed into the system with your credentials, you're treated as if you're generally trusted.

We see this a lot in enterprise network setups. Remote users have a hard time forcing their way into the local network. WiFi users still have a hard time, but often only need a username and password and then have extensive access to network hardware.

Unsecured hardpoints are even worse. If you plug into an Ethernet port on-premises, you might have access to every other computer and device on the whole system.

In a system that practices zero trust, the goal is never to assume that any device or user connected to the network is trustworthy.

A Fundamental Shift In Network Security

As mentioned above, traditional networks are all about physical network topology. About putting a moat around the castle, so to speak. ZTNA represents a significant level of abstraction from that approach.

Users who need access to resources on the network only get access to those resources. They don't see the rest of the network. In fact, they don't see anything they aren't supposed to, which is after all the whole point.

Within the ZTNA framework, applications are segmented natively. A given user's authorization entitles them to specific apps and services, nothing more. The so-called "user-to-application" model.

The User-to-Application Model

The key part of the ZTNA approach is the user-to-application model. It's not about the network; In a real sense, the hardware network becomes invisible. By using end-to-end "microtunnels".

Since ZTNA is about specific roles, resources, and applications, there is no need to bother with things like IP addresses or other physical network attributes. That's all taken care of by the ZTNA infrastructure and software.

Since this approach focuses on a conceptual rather than physical network, it makes it much harder for both users and outsiders to do anything malicious. Of course, as ZTNA systems become more common, I have no doubt that the hackers of the world will find new tactics and methods of exploitation to get what they want.

However, there's no arguing that the traditional network approach has far too many designed-on security issues. So that's no excuse to keep things the way they are!

ZTNA As a Corporate VPN Alternative

You'll hear a lot about ZTNA as an alternative to existing VPNs. It's an exciting development because a traditional VPN's encrypted tunnel is essentially a virtual Ethernet cable. Once connected to the remote system, you're seen as being part of the local network. This is why enterprises use VPNs to connect their employees to their intranets.

A ZTNA solution would connect employees only to the apps and services they need to do their work. It would be easy to segment users according to a need-to-know basis. Not only would this provide much better security from outside attacks, but it also makes things more secure within the company.

After all, while employees must be trusted to some extent, blind trust is never a good strategy. It's also a good way to streamline the experience of individual teams. No one has to deal with applications and services they don't use. They don't have to communicate with people who aren't relevant to their specific roles.

In this way, ZTNA can actually become more than a network design approach. It can become a way to manage the organizational structure.

ZTNA As a Private VPN Alternative

Most people reading this probably don't use a corporate VPN very often. It's the private type of VPN that's most relevant to the majority of people. Services like NordVPN or ExpressVPN offer an encrypted tunnel to their servers, which simply pass internet traffic directly to you. The point is to hide your true location and obscure your online activity from your ISP.

As you can tell, the idea of ZTNA isn't particularly relevant to these sorts of personal VPN subscription services. From a certain point of view, you're already using it as a sort of zero-trust service.

The VPN provider gives you a straight tunnel to the internet as a whole. They don't give you access to their local network resources! This means that, for now, public VPN use should look and work the same as it always has.

A Safer Net For Everyone

That doesn't mean that ZTNA isn't going to impact the average person. It's a strong countermeasure against the relentless scourge of data breaches we all suffer under. It makes it much harder for those who get past that first "moat" to then rummage around everything else they can find.

So if the people who store our information and provide online services to us practice zero trust, it's much less likely that you'll become the victim of a breach. Only time will tell if the future of network design and security will be one of zero-trust, but it looks like this is the most promising path ahead.