Zero Trust Network Access (ZTNA)

Zero Trust Network Access or ZTNA is a new way to connect your applications in a secure way. Via ZTNA, you control who may access which application(s). ZTNA brings more control on the cybersecurity within organisations. In this article you will learn which ZTNA solutions Kappa Data can offer.

Ask for a demo

On this page Kappa Data informs you here about the use of Zero Trust Network Access as an alternative for Virtual Private Networks (VPN) connections.

Zero Trust Network Access, what is it?

Since corona almost every desk-worker works from home from time to time. It is a good fit for work-life balance. But we need to do this in a secure and easy way.

There are a few challenges for remote workers. Most of the time they work from home, but often they are at a customer or in a public wifi environment. And what about the device they are working on? Can they use any device (home computer, office managed computer, …) Think of the applications they are trying to access. They can be hosted in the cloud, a datacenter or on prem.

The general purpose of ZTNA is to trust no-one on no-device from no-where and therefore check everything. Furthermore, the idea is to restrict access to the minimal and only allow what is really necessary. So there won’t be full network access.

Verify every user

Validate Devices

Limit Access

Verify Every User

The user needs to identify himself. Having different applications also means that users have different credentials. Some of them enforce complex passwords, others require the use of MFA, but it gets harder when a simple password is the only requirement. Brute fore attacks of rainbow table attacks are never far away.

In a perfect world you would expect any application to be re-linked with an identity provider. But no legacy application is up to that. Even greenfield new companies at some time drop into the problem of some incompatible applications they like or need to use.

Building a tunnel network around the users and the applications adds an additional layer of security to the applications. They need to identify themselves even before the application can be launched. If Single Sign-on is supported for both ZTNA and the application, only one time authentication is needed. But if the application does not support SSO, you need something like ZTNA to enforce security rules conform to the company requirements.

Device control

It would be so much easier if everybody only worked on the company managed laptop. Unfortunately, that’s often not the case. A lot of times people use their private computer, maybe just for a small task, but the same goes for contractors and suppliers.

They connect via a un-managed device. Depending on the product, you could check if the computer that is connecting is in line with the company policy (e.g. antivirus vendor). You can also first register the device and install a certificate on the device so this becomes a trusted device and can be part of the authentication process. Some vendors support web browser access without an agent. It will depend on the application itself if it can be supported but this would be handy for 3rd party access.

Use of applications

There are several types of applications. The easiest ones have web-based access. These are flexible in access control and are far easier to secure without losing too much usability. The problem we face is that applications run everywhere and access also comes from anywhere.

Public applications

They need to be protected either by public source IP or authentication redirection. The last way is not really ZTNA but the first one is. You can only access the cloud facing application via your ZTNA environment so compliancy rules can be met and required authentication enforced.

Datacenter hosted applications

They can be configured in two ways, depending on the ZTNA supported system. The most common way is by installing a reverse proxy in front of the application. This reverse proxy is often called a gateway. Some vendors allow this gateway to be enabled on their firewall or even installed as a container. This gateway terminates the micro tunnel (mTLS) that connects from the client agent to this gateway. A fix IP is needed in this situation.

Another datacenter way can be the reverse connection. Via an agent on the server or a gateway that connects to a pop or backend server, the connection can be initiated from the server side. This eliminates the need for a fix IP and could in some cases simplify the setup.

Internal applications

For internal applications you would expect not to need ZTNA, but the problem is that they are open to everybody in the network. Since segmentation and segregation is required by NIS2, an extension of the ZTNA way of working to the LAN becomes attractive. One of your vendors has this, but in all other cases a NAC would be recommended

The location

Generally, it doesn’t matter where you connect from. That’s the whole idea about ZTNA. Although in some cases there could be interesting to do some checks such as sudden changes of location that are not possible, or block access from specific regions. That way you could split access to sensitive areas and allow them only from trusted locations and allow less important services to be accessed from everywhere

Zero Trust Network Access solutions at Kappa Data

At Kappa Data we see different suppliers having Zero Trust Network Access solutions, which can work seperately on every device. Depending on your needs or requirements, Kappa Data can give you some advice regarding every solution.

Zero Trust Network Access of Barracuda Networks

A few years ago Barracuda bought Fyde and rebranded it to CloudGen Access. Today they are rewriting this product and are integrating it into SecureEdge, their SASE solution. Since SecureEdge has different deployment possibilities, you have a wide flexibility to choose the best fit for your use-case.

Barracuda also has a “light” version included in their Email Protection Plan to secure access to Office 365 environments.

If the environment already has Barracuda CloudGen firewalls in place, the gateway can be activated on the firewall itself, making it very easy to deploy.

Zero Trust Network Access Cato Networks

If you prefer ZTNA to be deployed in a SASE way, you must look at CATO networks. Seen from the ZTNA perspective, they put a (virtual or hardware) socket in front of an application, but that could as well be an IPSEC tunnel.

Users never connect their agent to a socket or a gateway, but always to the CATO backbone (via a POP – Points of Presence). These POP’s are all over the world and they are linked together via a low latency fiber connection.

This guarantees very fast (low latency) connections between the users and their applications. Agents automatically select the best available POP, totally transparent for the users. All is managed from within the same portal as the firewall rules, endpoint protection, XDR and all other CATO components.

Extreme Networks Universal Zero Trust Network Access

In a combined secured local LAN solution with public and hosted applications, UZTNA of Extreme Networks is the product to take a look at. Next to the traditional ZTNA technology, Extreme adds a cloud NAC technology that makes it possible to secure the internal network by making a dynamic VLAN selection depending on the user or the device. The strength is in the combination, no matter if a user is in the internal LAN or externally, the user always gets the fastes connection and is fully secured.

More information about Universal ZTNA can be found on page related to UZTNA

Juniper Secure Edge

A while ago Juniper acquired 128 Technologies, specialized in SD-WAN connectivity. This product is now integrated into the rewarded Mist platform, giving full visibility into end-to-end traffic between users and applications.

Elevating wired networks into this platform, leveled them high-up in the Gartner Leaders quadrant. We expect to see the same after 128 Technologies is fully integrated and it has become their SASE solution. And that is where ZTNA fits in, the SASE solution is called Secure Edge and has a ZTNA feature for secure user access and visibility.

Sophos Zero Trust Network Access

Strong in small and medium size enterprises, and a clear view in managed security, Sophos extends its secured connectivity part with ZTNA. As we know them, all is centrally cloud managed from within their portal called ” Sophos Central”. Since the Sophos firewalls can be used as a gateway and the Intercept X agents as a client, implementation is almost as easy as a click in the box.

You choose Sophos if you want an easy to mangage and affordable all-in-one solution.

Why choosing for Zero Trust Network Access?

Zero Trust Network Access (ZTNA) is gaining popularity among organizations looking to bolster their cybersecurity defenses. This approach fundamentally shifts the security paradigm to “never trust, always verify,” ensuring that every access request is authenticated, authorized, and encrypted before granting access to resources. This rigorous verification process significantly reduces the risk of unauthorized access and lateral movement within the network.

One of the primary benefits of ZTNA is its ability to minimize the attack surface. By concealing network resources from unauthorized users, ZTNA makes it considerably harder for attackers to discover and exploit vulnerabilities. This ensures that only authenticated and authorized users can see and access sensitive resources, thus enhancing overall security.

ZTNA also offers improved visibility and control over network activities. Detailed logging and monitoring of access requests provide insights into who is accessing what resources and when. This enhanced visibility helps organizations quickly identify and respond to suspicious activities, bolstering their defense mechanisms.

In the era of remote work, traditional perimeter-based security models have become less effective. ZTNA supports secure access to corporate resources from any location and device, ensuring that remote workers can operate securely. This capability is crucial as the workforce becomes increasingly mobile and dispersed.

Another advantage of ZTNA is its granular access control. It enables fine-grained policies based on the user’s identity, device posture, and context of the access request. By ensuring users have only the minimum necessary access, ZTNA reduces the risk of insider threats and unauthorized access to sensitive information.

Implementing ZTNA can also simplify security architecture by eliminating the need for traditional VPNs and complex network segmentation. This simplification can lead to cost savings in terms of infrastructure and management overhead, making ZTNA an economically attractive option.

Compliance and regulatory requirements regarding data protection and access controls are stringent in many industries. ZTNA helps organizations meet these requirements by providing robust access controls and detailed audit logs, which are essential for regulatory compliance.

ZTNA is particularly well-suited for modern IT environments that include cloud services, SaaS applications, and hybrid infrastructures. It provides consistent security policies across on-premises and cloud environments, ensuring comprehensive protection.

By continually verifying access requests and limiting the exposure of sensitive resources, ZTNA enhances resilience against breaches. This approach helps contain threats more effectively and minimizes the potential impact of security incidents.

Finally, ZTNA can improve the user experience by offering seamless and secure access to resources without the need for cumbersome VPN connections. This ease of access ensures that users can efficiently perform their tasks while maintaining robust security measures.

In summary, ZTNA provides a robust, flexible, and scalable approach to network security that aligns well with the evolving threat landscape and modern IT practices. Its comprehensive benefits make it an attractive choice for organizations aiming to enhance their cybersecurity posture.

Frequently asked questions

Check our FAQ section where you can find the first questions that have been asked to us during the last months.

En quoi le ZTNA améliore-t-il l’expérience utilisateur par rapport aux connexions VPN ?
ZTNA améliore l’expérience utilisateur de plusieurs façons :
- Accès transparent : offre aux utilisateurs un accès transparent aux applications sans avoir à établir et à gérer une connexion VPN distincte.
- Réduction de la latence : connecte directement les utilisateurs aux applications dont ils ont besoin, ce qui se traduit souvent par une latence réduite et des performances plus rapides.
- Connectivité simplifiée : élimine la complexité des configurations et de la maintenance VPN, facilitant ainsi la connexion sécurisée des utilisateurs.
- Politiques d’accès adaptatives : ajuste dynamiquement les politiques d’accès en fonction du contexte et du comportement des utilisateurs, offrant une expérience plus flexible et plus conviviale.
En quoi le ZTNA diffère-t-il des connexions VPN traditionnelles ?
Le ZTNA diffère des connexions VPN traditionnelles de plusieurs manières essentielles :
- Contrôle d’accès granulaire : le ZTNA accorde l’accès uniquement à des applications ou ressources spécifiques en fonction de l’identité vérifiée des utilisateurs et de la conformité des appareils, plutôt que de fournir un accès réseau général comme les VPN.
- Vérification continue : le ZTNA vérifie en permanence les informations d’identification des utilisateurs et des appareils lors de chaque tentative d’accès, tandis que les VPN authentifient généralement les utilisateurs uniquement au début de la session.
- Principe du moindre privilège : le ZTNA fonctionne selon le principe du moindre privilège, en limitant l’accès des utilisateurs aux seules ressources dont ils ont besoin, ce qui réduit le risque de mouvements latéraux au sein du réseau.
- Préparation au cloud : le ZTNA est conçu pour sécuriser l’accès aux ressources sur site et dans le cloud, ce qui le rend plus adapté aux environnements hybrides et multicloud modernes.
Qu’est-ce que l’accès réseau zéro confiance (ZTNA) ?
L’accès réseau Zero Trust (ZTNA) est un modèle de sécurité qui part du principe qu’aucun utilisateur ou appareil, qu’il se trouve à l’intérieur ou à l’extérieur du réseau, ne doit être considéré comme fiable par défaut. Au lieu de cela, le ZTNA vérifie en permanence chaque demande d’accès à l’aide d’une vérification d’identité stricte, de contrôles de conformité des appareils et de politiques de sécurité basées sur le contexte avant d’accorder l’accès aux applications et aux données.
Quels sont les principaux composants d’une solution ZTNA ?
Les principaux composants d’une solution ZTNA sont les suivants :
- Gestion des identités et des accès (IAM) : garantit la vérification des identités des utilisateurs et l’application des politiques d’accès en fonction des rôles et des attributs des utilisateurs.
- Évaluation de la posture des appareils : évalue l’état de sécurité des appareils avant d’accorder l’accès afin de garantir la conformité avec les politiques de l’entreprise.
- Micro-segmentation : divise le réseau en segments plus petits et isolés afin d’appliquer des contrôles de sécurité plus précis et de limiter l’accès.
- Politiques d’accès contextuelles : appliquent les politiques d’accès en fonction de facteurs contextuels tels que l’emplacement de l’utilisateur, le type d’appareil et le comportement.
- Surveillance continue : surveille en permanence l’activité des utilisateurs et des appareils afin de détecter et de réagir aux anomalies en temps réel.

Contact us for a demo

Are you curious to learn how Kappa Data can help you to deliver the right Zero Trust Network Access solution? Contact us for a demo via the below button.