
Zero Trust Network Access (ZTNA) is an IT security solution that provides secure remote access to an organization's apps, data, and services based on clearly defined access control policies. ZTNA differs from virtual private networks (VPNs) in that it grants access only to specific services or apps, whereas VPNs grant access to an entire network. As an increasing number of users access resources from anywhere, ZTNA solutions can help close the gaps left by other secure remote access technologies and methods.
Zero Trust Network Access (ZTNA) enforces granular, adaptive, and context-aware policies that provide secure and seamless Zero Trust access to private apps hosted across clouds and corporate data centers, from any remote location and from any device. That context can be a combination of user identity, user or service location, time of day, type of service, and the security posture of the device.
ZTNA grants "least privilege" access to specific apps rather than to the entire underlying network, so a user with valid credentials reaches only the apps they are authorized for; this reduces the attack surface and prevents lateral movement by threats originating from compromised accounts or devices. ZTNA builds on the concept of "Zero Trust", which holds that organizations should not trust any entity, whether inside or outside the security perimeter, and must instead verify every user or device before granting access to sensitive resources, ensuring data safety and integrity.
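As an added illustration of the context-aware, per-app policy model described above (example code written for this page, not any ZTNA product's policy engine), the following Python evaluates one access request against per-app rules and denies anything not explicitly allowed; the app names, groups, locations and posture signals are constructed placeholders:

```python
from dataclasses import dataclass

# Constructed sample model (not any vendor's policy language): every private
# app has its own rule and anything unmatched is denied, so valid credentials
# unlock one app, never the underlying network.
@dataclass(frozen=True)
class AccessContext:
    user: str
    groups: frozenset      # identity attributes asserted by the IdP
    location: str          # "office", "home" or "unknown"
    hour: int              # local hour of day, 0-23
    device_managed: bool   # client/agent present and enrolled
    disk_encrypted: bool   # posture signals reported by the client
    os_patched: bool

@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: frozenset
    allowed_locations: frozenset
    hours: range           # allowed local hours
    require_managed: bool = True   # False for clientless/BYOD access

def evaluate(policies, app: str, ctx: AccessContext):
    """Return (allowed, reason) for a single app; the first failing check wins."""
    policy = next((p for p in policies if p.app == app), None)
    if policy is None:
        return False, "no policy for app: deny by default"
    if not (ctx.groups & policy.allowed_groups):
        return False, "identity: user not in an allowed group"
    if ctx.location not in policy.allowed_locations:
        return False, "location not permitted for this app"
    if ctx.hour not in policy.hours:
        return False, "outside the allowed time window"
    if policy.require_managed and not ctx.device_managed:
        return False, "posture: managed device required"
    if not (ctx.disk_encrypted and ctx.os_patched):
        return False, "posture: device fails security baseline"
    return True, "all context checks passed"

# Constructed policies: an internal HR app on managed devices during office hours,
# and a partner document app reachable from unmanaged devices at any hour.
POLICIES = [
    AppPolicy("hr-portal", frozenset({"hr"}), frozenset({"office", "home"}), range(7, 20)),
    AppPolicy("partner-docs", frozenset({"partners"}), frozenset({"home", "unknown"}),
              range(0, 24), require_managed=False),
]
```

The same identity produces different decisions as location, hour or device posture changes, and an app with no policy is unreachable even for a fully verified user.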
ZTNA is one of the key components for Secure Access Service Edge (SASE), transforming the concept of a security perimeter from static, enterprise data centers to a more dynamic, policy-based, cloud-delivered edge, to support the access requirements of the remote workforce.
Connector software installed in the same network as the private app establishes an outbound connection to the ZTNA service (or broker) hosted in the cloud through a secure, encrypted tunnel. The service is the egress point for private traffic into the network and is primarily responsible for:
Because the connections to the ZTNA service are outbound, or "inside out," organizations don't need to open any inbound firewall ports for app access. This shields the apps from direct exposure on the public internet and protects them from DDoS, malware, and other online attacks.
ZTNA can support both managed and unmanaged devices. Managed devices follow a client-based approach, in which a company-owned client or agent is installed on the device. The client is responsible for collecting device information and sharing those details with the ZTNA service. A connection to the app is established once the user's identity and the device's security posture have been validated.
Unmanaged devices follow a clientless, reverse-proxy-based approach. The devices connect to the ZTNA service through browser-initiated sessions for authentication and app access. While this makes it an attractive option for third-party users, partners, and employees connecting through personal or BYO devices, clientless ZTNA deployments are limited to the app protocols supported by web browsers.