Zero Trust Solutions: Which ZTNA is Right For You?


What are Zero Trust Solutions?

A zero trust security model assumes that every person and device trying to access a network is untrusted until verified as legitimate. Thereafter, it grants only the least privileged access to the resources the requester actually needs.

Gartner defines a category of solutions known as zero trust network access (ZTNA), which are responsible for administering selective access to users and devices on a protected network. There are two primary types of ZTNA solutions: agent-initiated, which are more flexible but require devices to be managed, and service-initiated, which are easier to deploy but only support web applications.

What are Zero Trust Network Access (ZTNA) Solutions?

Today’s digital business environment requires users to have access to applications from any location at any time. Users require mobile access to corporate systems, and outside partners require access as well, giving rise to virtual private networks (VPNs) and demilitarized zones (DMZs).

Originally, once allowed inside a network, a user gained implicit trust—often excessively so. So long as the user was outside the perimeter, they were not trusted. Unfortunately, many users and attackers abused this implicit trust. A zero trust approach denies access to everybody by default, and provides selective access based on the person and device requiring access, and the corporate service being accessed.

Tal Zamir

How ZTNA grants selective access

Zero Trust Network Access (ZTNA) solutions can grant selective access based on criteria such as:

  • Human identity
  • Functional roles
  • Device profiling and health checks
  • Network used to connect
  • Date, time and allowed duration of use
  • Geographic location

ZTNA controls access to resources based on identity and context, reducing the attack surface. This creates individual security perimeters around each user, device, and application.

ZTNA creates a standardized user experience and applies security policies consistently, regardless of whether users connect from within the corporate network, from outside, using a corporate device or an unsecured personal device.

The trust broker

A central component of ZTNA solutions is a trust broker. Trust brokers can be provided as a third-party cloud service, or may be self-hosted, such as a physical appliance operating within the customer’s data center, or a virtual appliance managed by the organization in a public cloud.

A trust broker evaluates the applicant’s credentials and their device context. If the user is eligible to access the application, the broker communicates with a gateway function located logically near to the required application. Finally, the gateway creates a connection between the user and application.

In some ZTNA products, the gateway handles all communication once the user is connected. In other products, the broker remains present, to perform ongoing verification of the user and device.
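The access decision described above, written out as an added example that is not part of the original article: a broker that denies by default and checks each of the criteria listed earlier (role, device health, network, geolocation, time window) against a per-application policy. The policy fields and the two sample applications are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Request:              # user and device context reported to the broker
    roles: set
    device_managed: bool
    disk_encrypted: bool
    os_patch_level: int
    network: str            # e.g. "corp", "home", "public"
    country: str
    hour: int               # local hour of day, 0-23

@dataclass
class AppPolicy:            # per-application least-privilege rule
    app: str
    roles: set
    networks: set
    countries: set
    min_patch_level: int
    require_managed: bool
    hours: tuple = (7, 20)  # allowed time-of-day window, inclusive

def evaluate(req, policy):
    # Returns (allowed, failed_criteria); failures are named so the broker
    # can log why a request was refused rather than silently dropping it.
    failed = []
    if not (req.roles & policy.roles):
        failed.append("role")
    if policy.require_managed and not req.device_managed:
        failed.append("unmanaged device")
    if not req.disk_encrypted or req.os_patch_level < policy.min_patch_level:
        failed.append("device health")
    if req.network not in policy.networks:
        failed.append("network")
    if req.country not in policy.countries:
        failed.append("geolocation")
    if not (policy.hours[0] <= req.hour <= policy.hours[1]):
        failed.append("time window")
    return (not failed, failed)

def permitted_apps(req, policies):
    # The application list the controller returns after authentication;
    # applications the policy would refuse are never shown to the user.
    return sorted(p.app for p in policies if evaluate(req, p)[0])

# Constructed sample policies: the HR system is stricter than the wiki.
POLICIES = (
    AppPolicy("wiki", {"staff", "contractor"}, {"corp", "home", "public"}, {"US", "DE"}, 10, False),
    AppPolicy("hr", {"hr"}, {"corp", "home"}, {"US"}, 12, True),
)
```

Re-running `evaluate` on the live session context (for example when the device's patch level or network changes) is the ongoing verification that some brokers perform after the initial grant.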


Types of Zero Trust Network Solutions

Gartner describes two main categories of ZTNA solutions.

Endpoint-Initiated ZTNA

Endpoint-initiated ZTNA takes its name from the agent installed on end users' devices. This agent transmits security-related information about the device to a controller. The controller then prompts the device user for authentication and returns a list of permitted applications. Following authentication of the device and its user, the controller opens connectivity to the device through a gateway.

Even after the user is authenticated and the gateway allows access, connectivity is still provisioned by the controller, and the user may only access the service through the gateway. Services are shielded from direct Internet access, which can prevent threats like denial of service (DoS).

After the controller secures connectivity, some ZTNA products remove themselves from the data path; others remain within it.

Endpoint ZTNA adheres best to the Cloud Security Alliance’s (CSA) software-defined perimeter (SDP) standard. However, it requires either device management infrastructure, or installation of a local software agent. Alternatively, a third-party unified endpoint security (UES) product can provide the trust broker with the required device posture assessment. This can be a middle ground between deploying an agent and full-featured device management.

Service-Initiated ZTNA

Service-initiated ZTNA, on the other hand, does not require the installation of an agent on the user’s device. It is a much more attractive approach for organizations that allow unmanaged devices (Bring Your Own Device or BYOD). This type of solution follows Google’s BeyondCorp concept.

In this approach, networks in which applications are deployed have a connector that establishes outbound connections to a cloud-based ZTNA solution. To access a protected application, a user must authenticate with the ZTNA provider, who validates the user using an enterprise identity management product. Upon successful validation, traffic can pass through the provider’s cloud, while isolating applications from direct access.

An advantage of service-initiated ZTNA is that the enterprise firewall does not need to allow inbound traffic, because all traffic passes through the provider. However, the provider’s network must be evaluated, since it becomes a critical element and a potential point of failure.

Another downside of service-initiated ZTNA is that an application’s protocol must be based on HTTP/HTTPS. This limits the system to web applications and to protocols that can be carried over HTTP, such as secure shell (SSH) or remote desktop protocol (RDP). However, several vendors are now offering support for additional protocols.

How to Choose a Zero Trust Solution?

Key considerations for evaluating a zero trust solution include:

  • Is the installation of an endpoint agent required, and what operating systems and mobile devices does it support? How does the agent interact with other agents?
  • Must the customer install and manage the ZTNA broker, does the vendor offer it as a service, or, ideally, is there a hybrid architecture involving both?
  • Do you need a unified endpoint management (UEM) tool for security posture assessments of devices (operating system versions, password and encryption policies, patch levels, and so on)? What options exist for managing these on unmanaged devices?
  • If an anomaly appears within the ZTNA-secured environment, will it be identified using user/entity behavior analytics (UEBA)?
  • What colocation facilities or edge/physical infrastructure does the vendor provide? Are the vendor’s edge locations and/or points of presence (POPs) geographically diverse?
  • Does the solution secure legacy applications as well, or does it only cover web applications?
  • Is the vendor’s private disclosure policy credible and responsible? Does the vendor constantly test for product vulnerabilities and remove them?
  • Is the licensing model priced per user or bandwidth? How does the vendor charge for overage if you exceed the number of users or allowed bandwidth in your package?

Zero Trust with Perception Point

Perception Point Advanced Browser Security adds enterprise-grade security to standard browsers like Chrome, Edge, and Safari. The solution fuses advanced threat detection with browser-level governance and DLP controls, providing organizations of all sizes with unprecedented ability to detect, prevent and remediate web threats including sophisticated phishing attacks, ransomware, exploits, zero-days, and more.

By transforming the organizational browser into a protected work environment, access to sensitive corporate infrastructure and SaaS applications is secured against data loss and insider threats. The solution is seamlessly deployed on the endpoints via a browser extension and is managed centrally from a cloud-based console. There is no need to tunnel or proxy traffic through Perception Point.

An all-included managed Incident Response service is available for all customers 24/7. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.

Customers deploying the solution will experience fewer breaches, while providing their users with a better experience as they have the freedom to browse the web, use SaaS applications that they require, and access privileged corporate data, confidently, securely, and without added latency.

Contact us for a demo of our Advanced Browser Security solution, today. 
