What is zero trust network access (ZTNA) and how can your business implement it?


In an age when cyber attacks can cause untold damage, limiting access to applications and data makes a lot of sense. As the UK’s National Cyber Security Centre (NCSC) points out, once they’ve authenticated to the network, attackers can gain access to everything that’s inside.

It's with this in mind that the zero trust buzz phrase “never trust, always verify” has emerged, alongside a deluge of products and services claiming to help organizations implement it.

Zero trust network access (ZTNA) is defined by analyst giant Gartner as a set of products or services that “create an identity and context-based, logical access boundary around applications”. This sounds effective, but in reality, does ZTNA live up to the hype? Here’s what you need to know about ZTNA and how your business can implement it.

What is ZTNA and why is it useful?

ZTNA is a useful tool because it provides secure access to a set of resources, applications, and services for users and devices, regardless of their location or network environment, says Niall McConachie, regional director UK and Ireland at security key maker Yubico. 

He explains how previously, remote access to corporate resources was often facilitated via virtual private networks (VPNs), which grant users full access to the network once connected. “A ZTNA uses a more fine-grained and context-aware access control model, by enforcing the principle of least privilege. This provides users and devices with the minimum level of access necessary to perform their tasks. Instead of granting broad network access, it is tightly controlled and limited to specific applications, services, or data.”

In ZTNA, every access request is regarded as “potentially hostile”, meaning it needs to be “authenticated, authorized, and continually validated”, says Phil Robinson, principal consultant at Prism Infosec. ZTNA limits the impact of breaches because it stops attackers from penetrating further into the network and compromising systems by escalating privileges, he adds. 

There are operational advantages too. “Building an inventory of users, applications, services and data is advantageous as it improves visibility and control,” Robinson says. “The user-focused approach also promotes the use of more secure forms of access such as multi-factor authentication.”

What are the limitations of ZTNA?

On the face of it, ZTNA sounds great, but it’s important to know that the trend doesn’t guarantee robust security – especially if it’s not implemented optimally. 

Meanwhile, ZTNA is only in its early stages. According to Gartner, only 1% of large enterprises have a mature and measurable zero trust program in place today and only 10% will achieve one by 2026. Gartner also predicts that through 2026, more than half of cyber attacks will be aimed at areas zero trust controls don’t cover and can’t mitigate.

But it’s still worth paying attention. At the current time, ZTNA offers the highest level of protection, as well as “huge flexibility” in a changing threat landscape where employees work at least partially from home, says Mark Hughes, president of security at DXC Technology. “By emphasizing continuous monitoring and least-privilege access, ZTNA helps rapidly detect unauthorized access and reduces security risk.”

Yet there’s been a great deal of hype around ZTNA and so, while the concept itself is sound, it’s important not to fall for any “silver bullet-touting vendors”, says Robinson. “ZTNA is not a one-size-fits-all solution so there is no quick and easy deployment. There are multiple facets to implementing it and projects will need to accommodate the nuances of the business and its existing systems.”

At the same time, be aware that ZTNA isn’t always a complete VPN replacement. A common misconception is that going zero trust means you can remove your remote access VPN from the network and still be as secure, the NCSC says. “Unfortunately, it’s not quite as simple as that. If you have sufficient controls in place that you are confident in the identities of the user and device accessing your service, you may be able to provide access to your services just as securely as if you were using your VPN. However, you must first take into consideration other security properties the VPN provides that you may not have access to without it, such as enabling legacy systems to work remotely.”

How do you choose the best ZTNA tools? 

Many companies are selling ZTNA and they’ll all have their own pitch, so firms should be on their guard and assess everything available. It makes sense to focus on the product, says Danny Jenkins, CEO of ThreatLocker. “Ask companies to show you how the product works and what it does.”


It’s also important to note that, in order to actually implement ZTNA, multiple different security products and tools would need to be purchased, warns Lewis West, head of cyber security at recruitment consultant Hamilton Barnes. “There isn’t a zero trust security box that you can just take off the shelf and plug in, so to find the best options there will be an element of shopping around.”

Over time, West thinks more suppliers will offer all-encompassing packages – and some players are already taking steps in this direction. “Palo Alto, for instance, has one of the leading all-inclusive offerings, where businesses can purchase every part of the toolkit at once.”

How can your organization implement ZTNA? 

ZTNA is certainly useful, but with the concept at a very early stage, there’s no need to rush. Businesses that want to implement ZTNA must be prepared to take it slow and accept there will be some painful elements, says Robinson. 

Meanwhile, bear in mind that trust decisions will need to be continually adapted, says Neil Thacker, EMEA CISO at Netskope. “Just because access was granted this morning to an employee at home using an on-premises legacy application, doesn't mean it should still be given when the user wants to gain access to a public cloud instance,” he says.
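The points made above (per-application least privilege instead of flat VPN access, every request authenticated and authorized, and trust decisions re-evaluated as context changes) can be made concrete with a small policy engine. The following Python is an added illustration written for this article, not code from any vendor or expert quoted here; the users, applications, policies and the `evaluate` / `Broker` names are all hypothetical and the directory data is constructed.

```python
"""Toy ZTNA-style policy engine (hypothetical example code).

Decisions are per application, context-aware and default-deny, and every
request is re-evaluated: a grant is never cached and carried over.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Identity plus the context gathered for this specific request."""
    user: str
    app: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    network: str  # "corp", "home" or "public"


@dataclass(frozen=True)
class AppPolicy:
    """What a single application demands before access is brokered."""
    allowed_roles: Set[str]
    require_mfa: bool
    require_managed_device: bool
    allowed_networks: Set[str]


# Constructed sample directory and application inventory (not real data).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"finance", "engineering"},
    "bob": {"engineering"},
}
APP_POLICIES: Dict[str, AppPolicy] = {
    # On-premises legacy app: reachable from home, no managed device needed.
    "legacy-ledger": AppPolicy({"finance"}, True, False, {"corp", "home"}),
    # Public cloud console: any network, but only from a managed device.
    "cloud-console": AppPolicy({"engineering"}, True, True, {"corp", "home", "public"}),
}


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return False, "unknown application (default deny)"
    if not (USER_ROLES.get(req.user, set()) & policy.allowed_roles):
        return False, "role not authorized for this application"
    if policy.require_mfa and not req.mfa_verified:
        return False, "multi-factor authentication required"
    if policy.require_managed_device and not req.device_managed:
        return False, "managed device required"
    if not req.device_patched:
        return False, "device posture check failed (unpatched)"
    if req.network not in policy.allowed_networks:
        return False, f"network '{req.network}' not permitted for this application"
    return True, "allowed"


def vpn_style_access(user: str) -> List[str]:
    """Contrast case: a flat remote-access VPN. Once the user has
    authenticated, every application on the network is reachable."""
    if user not in USER_ROLES:
        return []
    return sorted(APP_POLICIES)


class Broker:
    """Logs each decision but never caches a grant: a morning approval for
    one app from home says nothing about a later request for another app."""

    def __init__(self) -> None:
        self.log: List[Tuple[str, str, bool, str]] = []

    def request(self, req: AccessRequest) -> bool:
        allowed, reason = evaluate(req)
        self.log.append((req.user, req.app, allowed, reason))
        return allowed


if __name__ == "__main__":
    broker = Broker()
    home_laptop = dict(mfa_verified=True, device_managed=False,
                       device_patched=True, network="home")
    # Morning: legacy app from an unmanaged home device is within policy.
    broker.request(AccessRequest("alice", "legacy-ledger", **home_laptop))
    # Later: same user, same device, but a cloud console is a new decision.
    broker.request(AccessRequest("alice", "cloud-console", **home_laptop))
    for entry in broker.log:
        print(entry)
```

Each policy check that fails returns a reason, which is what an operations team wants in the audit trail when a user reports being blocked; the `vpn_style_access` function is there only to show the difference between "authenticated to the network" and "authorized for this application".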


He agrees firms should take it slow and advises first implementing a zero trust project with a limited scope. “Focus on the most critical and sensitive applications first, before expanding it within the organization.”

There are benefits to ZTNA, but experts agree that moving towards this security architecture is a challenging task that must be done step by step. 

Adopting ZTNA can actually increase risk, at least in the short term, says Robinson. He therefore advises conducting a risk assessment during the planning stages. “This can also identify any risks from outside the zero trust architecture and advise on any additional security controls you might need.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.