ZTNA: Zero Trust Network Access

Gartner

• Gartner, Inc. is a technology research and consulting firm based in Stamford, Connecticut, that conducts research on technology and shares this research both through private consulting and through executive programs and conferences.
• The ZTNA model was coined by Gartner to help eliminate the granting of excessive trust to employees, contractors, and other users who only need very limited access. The model expresses the concept that nothing is to be trusted until proven trustworthy and, more importantly, that trust must be reauthenticated whenever anything about the connection (location, context, IP address, etc.) changes.
What Is Zero Trust Network Access (ZTNA)?

• Zero Trust Network Access (ZTNA) is an IT security solution that provides secure remote access to an organization's applications, data, and services based on clearly defined access control policies.
• When ZTNA is in use, access to a specific application or resource is granted only after the user has been authenticated to the ZTNA service. Once authenticated, the ZTNA service grants the user access to that specific application over a secure, encrypted tunnel, which adds a layer of protection by hiding the IP addresses of applications and services that would otherwise be visible.
• ZTNA offers a way to connect users, applications, and data even when they do not reside on the organization's network, a scenario increasingly common in today's multi-cloud environments, where microservices-based applications can reside on multiple clouds as well as on-premises.

Benefits of ZTNA

• Modern organizations need to have their digital assets available anywhere, anytime, from any device, to a distributed user base.
• ZTNA fills this need by offering granular, context-aware access to business-critical applications, without having to expose other services to possible attackers.
Authentication and Access

• The primary use for ZTNA is to provide a highly granular access mechanism based on a user's identity. Where IP-based VPN access offers broad access to a network once authorized, ZTNA offers limited, granular access to specific applications and resources. ZTNA can add further levels of security with location- or device-specific access control policies, which can keep unwanted or compromised devices from accessing the organization's resources. Contrast this with some VPNs that offer employee-owned devices the same access privileges that on-premises admins are granted.
• ZTNA differs from virtual private networks (VPNs) in that it grants access only to specific services or applications, whereas a VPN grants access to an entire network.
Shortcomings of VPNs when compared to ZTNAs
Resource utilization
• As the number of remote users grows, the load on the VPN can lead to unexpectedly high latency and can require new resources to be added to the VPN to meet growing demand or peak usage times. This can also strain manpower in the IT organization.
Flexibility and Agility
• VPNs do not offer the granularity of ZTNA. Additionally, it can be challenging to install and configure VPN software on all the end-user devices that need to be connected to enterprise resources.
• With ZTNA, conversely, it is much easier to add or remove security policies and user authorizations based on users' immediate business needs. ABAC (attribute-based access control) and RBAC (role-based access control) in ZTNAs simplify this task.
Granularity
• Once within a VPN perimeter, a user gains access to the entire system. ZTNAs take the opposite approach, granting no access at all unless an asset (application, data, or service) is specifically authorized for that user. In contrast to VPNs, ZTNAs provide continuous identity verification: each user and each device is verified and authenticated before being granted access to specific applications, systems, or other assets. VPNs and ZTNAs can be used in combination with each other, for example to strengthen security on a particularly sensitive network segment, providing an extra security layer should the VPN be compromised.
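As an added illustration that is not part of the original slides, the following Python models the two access philosophies described above: a VPN-style session that reaches every application after one login, and a ZTNA-style broker that grants access per application under ABAC/RBAC rules and discards every cached grant as soon as anything about the connection context changes. The applications, policies, and user contexts are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    """Everything the broker evaluates; any change invalidates cached trust."""
    user: str
    role: str
    device_managed: bool
    ip: str
    country: str

# Constructed, hypothetical per-application policies in ABAC/RBAC style.
# Each entry names one application, never a network: nothing is reachable by default.
POLICIES = {
    "payroll": {"roles": {"finance"}, "managed_only": True, "countries": {"US"}},
    "wiki": {"roles": {"finance", "engineering", "contractor"},
             "managed_only": False, "countries": {"US", "DE"}},
}

def evaluate(app: str, ctx: Context) -> bool:
    """Per-app decision; an app with no policy is denied outright."""
    p = POLICIES.get(app)
    if p is None:
        return False
    return (ctx.role in p["roles"]
            and (ctx.device_managed or not p["managed_only"])
            and ctx.country in p["countries"])

class VpnSession:
    """Perimeter model: one successful login reaches every app on the network."""
    def __init__(self, authenticated: bool):
        self.authenticated = authenticated

    def access(self, app: str, ctx: Context) -> bool:
        return self.authenticated

class ZtnaSession:
    """Broker model: grant per app, and re-check whenever the context changes."""
    def __init__(self, ctx: Context):
        self.ctx = ctx
        self.grants = set()

    def access(self, app: str, ctx: Context) -> bool:
        if ctx != self.ctx:                      # location, IP, device posture... changed
            self.ctx, self.grants = ctx, set()   # drop all cached trust and start over
        if app not in self.grants and evaluate(app, ctx):
            self.grants.add(app)
        return app in self.grants
```

Moving a user from a managed to an unmanaged device revokes the payroll grant even though the identity is unchanged, which is the reauthentication-on-change behaviour the slides attribute to ZTNA.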
How do you implement ZTNA?

Implementation Models

Endpoint-initiated ZTNA
• As the name implies, in an endpoint-initiated zero trust network architecture the user initiates access to an application from an endpoint-connected device, similarly to an SDP (software-defined perimeter). An agent installed on the device communicates with the ZTNA controller, which provides authentication and connects to the desired service.

Service-initiated ZTNA
• In a service-initiated ZTNA, the connection is initiated by a broker between application and user. This requires a lightweight ZTNA connector to sit in front of the business applications, which are located either on-premises or at cloud providers. Once the outbound connection from the requested application authenticates the user or other application, traffic flows through the ZTNA service provider, isolating applications from direct access via a proxy. The advantage here is that no agent is required on end-user devices, making it more attractive for unmanaged or BYOD devices used for consultant or partner access.
Delivery Models

Stand-alone ZTNA
• Stand-alone ZTNA requires the organization to deploy and manage all elements of the ZTNA, which sits at the edge of the environment (cloud or data center) brokering secure connections. Although this fits in well with organizations that are cloud-averse, deployment, management, and maintenance become added burdens.

ZTNA as a cloud-hosted service
• With ZTNA as a cloud-hosted service, organizations can take advantage of the cloud provider's infrastructure for everything from deployment to policy enforcement. In this case the organization simply acquires user licenses, deploys connectors in front of secured applications, and lets the cloud provider/ZTNA vendor deliver the connectivity, capacity, and infrastructure. This simplifies management and deployment, and cloud-delivered ZTNA can ensure that the optimal traffic path is selected for the lowest latency for all users.
• Gartner estimates that over 90 percent of organizations are implementing ZTNA as a service.
Who are the ZTNA service providers?

• Both traditional vendors of network security products and a new generation of cloud-based security services offer ZTNA products. Many also license their software to carriers, CDNs and ISPs, who offer a ZTNA service to complement their other connectivity and security products.

Some examples
• Cisco Zero Trust Platform
• Palo Alto ZTNA
• Open Systems ZTNA
• Versa Networks ZTNA
• Zscaler ZTNA