How Zero Trust Network Access (ZTNA) Works
In the ZTNA model, access is only approved once a user is authenticated by the ZTNA service, which then provides application or network access via a secure, encrypted tunnel. The service prevents users from seeing applications or data they do not have permission to access, thereby preempting lateral movement by a would-be attacker. Such movement would otherwise be possible if a compromised endpoint or approved credentials were used by an unauthorized device or agent to pivot to other services or applications.
With ZTNA, protected applications are also hidden from discovery, and access to them is restricted via the ZTNA service (also known as a trust broker) to a set of preapproved entities. A trust broker will only grant access to an entity if all of the following conditions have been met:
- The entity (a user, device, or network) supplies the broker with the right credentials.
- The context in which access is requested is valid.
- All applicable policies for access within that given context have been followed.
In ZTNA, access policies are customizable and can be changed as system needs evolve. For example, in addition to the requirements above, you can implement location- or device-based access controls that prevent vulnerable or unapproved devices from connecting to a protected network.
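The three broker conditions above (valid credentials, valid context, and all applicable policies satisfied) map naturally onto a default-deny policy decision point. The following Python model is an added example, not code from any ZTNA product: the users, entitlements, applications and policy functions are all constructed for illustration, and a real broker would pull identity, device posture and geolocation from external systems rather than from fields on the request.

```python
"""Minimal model of a ZTNA trust broker's decision logic (added example).

Default deny: a request is granted only when the requester authenticates,
is entitled to the target application, and every context policy bound to
that application passes. All identities, apps and policies are constructed.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class AccessRequest:
    user: str
    token_valid: bool          # result of authenticating with the broker
    device_id: str
    device_compliant: bool     # posture check: managed, patched, EDR present
    country: str               # geolocation of the request (ISO code)
    hour_utc: int              # time of day, 0-23
    app: str                   # application the user wants to reach


# Constructed entitlement store: which users may reach which apps.
ENTITLEMENTS = {
    "alice": {"hr-portal", "git"},
    "bob": {"git"},
}

# Applications the broker fronts. Anything else is not discoverable at all.
APPS = {"hr-portal", "git", "finance"}

# A policy returns (passed, name) so the failing check can be audited.
Policy = Callable[[AccessRequest], tuple[bool, str]]


def require_compliant_device(req: AccessRequest) -> tuple[bool, str]:
    return (req.device_compliant, "device posture")


def require_allowed_country(req: AccessRequest) -> tuple[bool, str]:
    return (req.country in {"DE", "NL"}, "location")   # constructed allow list


def require_business_hours(req: AccessRequest) -> tuple[bool, str]:
    return (6 <= req.hour_utc < 20, "time window")


# Context policies are stacked per application on top of the base set.
BASE_POLICIES: list[Policy] = [require_compliant_device]
APP_POLICIES: dict[str, list[Policy]] = {
    "hr-portal": BASE_POLICIES + [require_allowed_country],
    "git": BASE_POLICIES,
    "finance": BASE_POLICIES + [require_allowed_country, require_business_hours],
}


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate the three broker conditions in order; first failure wins."""
    # 1. Credentials: nothing about the request is trusted until the
    #    presented token checks out.
    if not req.token_valid:
        return (False, "authentication failed")
    # 2. Discovery: an app the user is not entitled to is indistinguishable
    #    from one that does not exist, so probing learns nothing.
    if req.app not in APPS or req.app not in ENTITLEMENTS.get(req.user, set()):
        return (False, "no entitlement")
    # 3. Context policies bound to this application.
    for policy in APP_POLICIES[req.app]:
        passed, name = policy(req)
        if not passed:
            return (False, f"policy failed: {name}")
    return (True, "granted")


def audit_line(req: AccessRequest, decision: tuple[bool, str]) -> str:
    """One log line per decision, suitable for shipping to a SIEM."""
    granted, reason = decision
    verdict = "ALLOW" if granted else "DENY"
    return (f"ztna user={req.user} device={req.device_id} app={req.app} "
            f"country={req.country} verdict={verdict} reason=\"{reason}\"")


if __name__ == "__main__":
    sample = [
        AccessRequest("alice", True, "lap-01", True, "DE", 10, "hr-portal"),
        AccessRequest("alice", True, "lap-01", True, "US", 10, "hr-portal"),
        AccessRequest("bob", True, "lap-02", True, "DE", 10, "hr-portal"),
        AccessRequest("alice", True, "lap-01", False, "DE", 10, "git"),
        AccessRequest("alice", False, "lap-01", True, "DE", 10, "git"),
    ]
    for r in sample:
        print(audit_line(r, decide(r)))
```

The ordering inside `decide` matters: authentication is checked before the entitlement lookup so that an unauthenticated caller never learns whether a username is entitled to anything, and the entitlement check returns the same answer for a nonexistent application as for a forbidden one, which is the "hidden from discovery" property the text describes. Adding a new contextual control, such as the location- or device-based rules mentioned above, is a matter of appending another policy function to an application's list rather than changing the decision code.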