As mentioned above, ZTNA avoids the problems associated with VPN while providing stronger protection for modern organizations. Rather than granting broad access to the network and every internal resource, ZTNA applies the zero-trust principle of least privilege: it grants access to specific resources, one at a time, based on the user's access context. This is typically accomplished through identity and access management (IAM) capabilities such as single sign-on (SSO) and multi-factor authentication (MFA), together with contextual access control (device posture, location, time of day and similar signals). Leading ZTNA solutions provide this functionality natively and can also integrate with the identity solutions you already have in place.
Leading ZTNA solutions are architected in and delivered through the public cloud. This allows them to forgo costly hardware appliances that would otherwise need to be installed and maintained on premises. In this way, ZTNA delivers better performance than backhauling traffic through a VPN concentrator, and offers automated scalability that appliance-based architectures cannot match, since those require reactively racking and stacking additional appliances in order to scale.
As a final point, given the rise of bring your own device (BYOD), organizations evaluating ZTNA vendors should choose solutions that offer agentless deployment options for securing browser-based access from personal devices to on-premises apps like Jira or Confluence. For protocols other than HTTP or HTTPS that require thick clients, such as RDP or SSH, ZTNA solutions require an agent on the endpoint, which in practice limits those protocols to managed devices.
Securing on-premises resources is not merely a matter of statically allowing or blocking access to applications. Organizations today also need security functionality that identifies sensitive files and data patterns at the moment of access and prevents them from falling into the wrong hands in real time. Data loss prevention (or data leakage prevention, DLP) describes a set of capabilities that grant varied levels of access to data in order to prevent unauthorized access and illegitimate usage. DLP is a critical component of ZTNA because an organization's most sensitive information commonly resides on premises.
There are multiple ways DLP solutions can identify data patterns that ought to be protected. Simpler tools scan for keywords like "confidential" or "sensitive" within documents, and use basic regex to identify instances of patterns like Social Security numbers (XXX-XX-XXXX). On their own, such patterns over-match: any nine digits with two hyphens look like an SSN, and any sixteen-digit run looks like a card number. More developed solutions therefore combine regex with validation (checksums such as Luhn for card numbers, issuance rules for SSNs), scan for multiple data patterns at once, and support logical operators (and, or, not) and mathematical operators (count) so that, for example, a single card number is treated differently from a file containing fifty. Additionally, advanced solutions can scan for file formats, fingerprints (templates), and exact data matches against a customer's own records.
Through the above mechanisms, DLP solutions can identify sensitive or regulated files and data patterns that need to be protected. From there, they can take a variety of actions designed to prevent leakage. As an illustration, if a user attempts to download a document that contains sensitive data such as a handful of customer credit card numbers, the solution can identify that data at access time. Depending on the user's authorization, it can then encrypt the file on download or enforce digital rights management (DRM), which requires additional authentication and provides read-only access to the file via the web browser. Likewise, if an uploaded file is deemed sensitive or suspect, a copy can be created in an admin-only folder for review.
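To make the detection tiers and the policy step concrete, here is an added example written for this article; it is not code from any ZTNA or DLP vendor. It implements the mechanisms the two preceding paragraphs describe: keyword hits, regex candidates that are then validated (SSA issuance rules for SSNs, the Luhn checksum for card numbers), a count threshold combined with and/or/not logic, and exact data match against keyed hashes of known values so the matcher never holds the plaintext list. The sample document, the key, the known-value list and the action names (allow, encrypt, quarantine) are all constructed for the example.

```python
"""Minimal DLP classifier: keywords, validated regex, count logic and exact data match.
Illustrative code written for this article, not a vendor's product."""
import hashlib
import hmac
import re
from dataclasses import dataclass

KEYWORDS = ("confidential", "internal only", "do not distribute")

# Regex only finds candidates; each hit is validated below because raw patterns over-match.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional space/hyphen separators

# Constructed for the example: the key a real deployment would keep in a secrets store,
# and the customer records an exact data match (EDM) policy protects.
EDM_KEY = b"example-only-key"
KNOWN_VALUES = ["jane.roe@example.com"]

SAMPLE = """CONFIDENTIAL - customer export
Jane Roe SSN 123-45-6789, card 4111 1111 1111 1111
John Doe SSN 000-12-3456 (invalid area), card 4111 1111 1111 1112 (bad Luhn)
contact: jane.roe@example.com
"""


def valid_ssn(m: re.Match) -> bool:
    """SSA issuance rules: area not 000/666/900-999, group not 00, serial not 0000."""
    area, group, serial = (int(g) for g in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class ExactDataMatcher:
    """EDM: tokens are normalised and keyed-hashed, then compared against hashes of known values."""

    def __init__(self, key: bytes, values):
        self.key = key
        self.hashes = {self._h(v) for v in values}

    def _h(self, value: str) -> str:
        return hmac.new(self.key, value.strip().lower().encode(), hashlib.sha256).hexdigest()

    def hits(self, text: str) -> int:
        return sum(1 for tok in re.findall(r"[\w.@-]+", text) if self._h(tok) in self.hashes)


@dataclass
class Findings:
    keywords: int = 0
    ssns: int = 0
    pans: int = 0
    edm: int = 0


def classify(text: str, edm: ExactDataMatcher) -> Findings:
    """Run every detection tier over the text and return counts per category."""
    lowered = text.lower()
    f = Findings()
    f.keywords = sum(lowered.count(k) for k in KEYWORDS)
    f.ssns = sum(1 for m in SSN_RE.finditer(text) if valid_ssn(m))
    f.pans = sum(1 for m in PAN_RE.finditer(text) if luhn_ok(re.sub(r"[ -]", "", m.group())))
    f.edm = edm.hits(text)
    return f


def decide(f: Findings, user_authorised: bool) -> str:
    """Policy with count and logical operators:
    (pans >= 5 OR edm > 0) AND NOT authorised -> quarantine for admin review;
    any sensitive finding otherwise             -> encrypt on download;
    nothing sensitive                           -> allow."""
    sensitive = f.keywords > 0 or f.ssns > 0 or f.pans > 0 or f.edm > 0
    high_risk = f.pans >= 5 or f.edm > 0
    if high_risk and not user_authorised:
        return "quarantine"
    if sensitive:
        return "encrypt"
    return "allow"


def scan_sample() -> Findings:
    """Classify the constructed SAMPLE document with the constructed EDM list."""
    return classify(SAMPLE, ExactDataMatcher(EDM_KEY, KNOWN_VALUES))


if __name__ == "__main__":
    found = scan_sample()
    print(found, decide(found, user_authorised=False), decide(found, user_authorised=True))
```

Running it on the sample yields one keyword hit, one valid SSN (the second is rejected by the area-number rule), one valid card number (the second fails Luhn) and one exact data match; an unauthorised user is quarantined because of the EDM hit, an authorised user gets the file encrypted on download. The keyed-hash EDM design matters operationally: the scanning tier, which often runs in a cloud proxy, holds only HMACs of customer records rather than the records themselves.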
As mentioned in the preceding section, remote work security requirements go far beyond the simple allow and block mechanisms of VPN. On top of preventing the leakage of sensitive data and files, organizations must defend against threats like malware and ransomware. As the global outbreaks of Petya and WannaCry made painfully obvious, malware can proliferate across an organization within hours and grind its operations to a halt.
Leading ZTNA solutions include native advanced threat protection (ATP) functionality for securing on-premises resources against malware. This allows them to scan files in transit and block threats as needed, in both directions: threats at rest on internal resources are kept from spreading to user devices, and threats on user devices are kept from infecting internal resources. Where ZTNA solutions offer agentless deployment options, uploads and downloads from even unmanaged devices can be scanned. This capability is increasingly important given the rise of BYOD and the difficulty of controlling software on non-corporate devices.
ZTNA vendors providing built-in threat protection typically integrate the detection engines of leaders in the AV space, like CrowdStrike, into their solutions. This affords them specialized, behavior-based threat detection. Unlike reactive signature-based approaches, which rely on static lists of patterns, signatures, or hashes already known to be associated with malware, behavior-based engines use machine learning to score files on dozens of static and behavioral attributes. In this way, they can flag zero-day malware for which no signature yet exists, though such engines produce some false positives and should be tuned and paired with a review workflow rather than treated as a complete guarantee.
Zero trust network access technology is one part of a complete SASE (secure access service edge) platform. SASE offerings integrate complementary technologies so that they can secure any interaction between devices, apps, web destinations, on-premises resources, and infrastructure. Through a single portal, admins define one set of automated policies that protects data consistently wherever it goes. For comprehensive, integrated security, organizations evaluating ZTNA solutions should ensure that their tool of choice is part of a complete SASE offering. Along with ZTNA, two of the other core components of SASE are described below.
Through cloud access security broker (CASB) functionality, SASE platforms deliver end-to-end protection for data in sanctioned cloud resources, including IaaS platforms like AWS and Azure as well as managed SaaS like Office 365 and Salesforce. Reverse proxies provide agentless deployment modes that can safeguard access from any device, including personal and remote endpoints, which are becoming increasingly common in modern work environments.
Secure web gateway (SWG) technology is another core component of SASE offerings. SWGs offer web security in the form of URL filtering as well as real-time DLP and ATP policies that block leakage and threats like malware. They also control shadow IT (unmanaged apps) by blocking it, rendering it read-only, or coaching users toward sanctioned alternatives. Where SWG enforcement runs locally on users' endpoints rather than through a central proxy, scalability and performance are enhanced.