In our Acronym Series, Nexum’s expert engineers define the industry’s most popular topics.
Acronym: ZTNA – Zero Trust Network Access
Definition: At the most basic level, Zero Trust Network Access (ZTNA) is a principle of providing no implicit trust and requiring validation and authentication for all levels of network access. You could view ZTNA as a subset of the larger zero trust concept, explicitly focused on network and application-level access controls. ZTNA represents a departure from legacy thinking where being “on the network” or “on the virtual private network (VPN)” meant you had access to everything. Under a ZTNA structure, access is determined individually.
ZTNA builds upon concepts that have been part of IT security for years, like role-based access control (RBAC), VPN, etc. There is significant confusion in the market over ZTNA concepts resulting from trying to classify ZTNA as a specific solution or product you can buy (it’s neither of those).
ZTNA can be broken down into a few core concepts and principles:
- Access is never implicitly granted or inherited from another object
- Access to any network, device, or application is individually evaluated and granted/denied as appropriate
- Access is granular and not limited to just the extremes of full or no access
- Access can be granted based on role but can also go deeper, including attributes such as device type, patch level of the device requesting access, geolocation, etc.
- Sometimes, the term “Kipling Method Policy” is used. This is a reference to Rudyard Kipling’s 1902 poem, “I Keep Six Honest Serving Men,” where he states the questions of what, why, when, how, where, and who taught him all he knew. Similarly, these fundamental questions must be answered to provide access in a ZTNA environment.
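The principles above can be made concrete with a small default-deny policy evaluator, added here as an illustration and not Nexum's or any vendor's code. It answers the who/what/how/where questions for each request, checks device type, patch age and geolocation as the text describes, and grants granular (read-only vs. read/write) access only when a rule explicitly matches; the application names and policy are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
@dataclass(frozen=True)
class AccessRequest:
    who: str             # user identity
    role: str            # role assigned to that user
    what: str            # application being requested
    how: str             # action requested: "read" or "write"
    where: str           # country code reported for the device's location
    device_type: str     # "managed" or "byod"
    patch_age_days: int  # days since the requesting device was last patched
@dataclass(frozen=True)
class Rule:
    what: str
    roles: frozenset
    actions: frozenset
    countries: frozenset
    device_types: frozenset
    max_patch_age_days: int
# Constructed policy for hypothetical apps: payroll is read/write only from managed,
# recently patched, US-located devices; BYOD devices get read-only; wiki is broader.
POLICY = (
    Rule("payroll", frozenset({"finance"}), frozenset({"read", "write"}),
         frozenset({"US"}), frozenset({"managed"}), 30),
    Rule("payroll", frozenset({"finance"}), frozenset({"read"}),
         frozenset({"US"}), frozenset({"byod"}), 30),
    Rule("wiki", frozenset({"finance", "engineering"}), frozenset({"read"}),
         frozenset({"US", "CA"}), frozenset({"managed", "byod"}), 90),
)

def check(req: AccessRequest, r: Rule) -> Optional[str]:
    """None if the rule grants the request, else the first attribute that failed."""
    if r.what != req.what: return "what"
    if req.role not in r.roles: return "who"
    if req.how not in r.actions: return "how"
    if req.where not in r.countries: return "where"
    if req.device_type not in r.device_types: return "device_type"
    if req.patch_age_days > r.max_patch_age_days: return "patch_age"
    return None

def evaluate(req: AccessRequest, policy=POLICY) -> Tuple[str, str]:
    """Default deny: grant only when a rule explicitly matches every attribute."""
    failures = []
    for r in policy:
        failed = check(req, r)
        if failed is None:
            return ("allow", f"{r.what}:{'/'.join(sorted(r.actions))}")
        if failed != "what": failures.append(failed)  # keep reasons for the audit log
    reason = "failed on " + ", ".join(failures) if failures else "no rule for this resource"
    return ("deny", reason)
```

Note that having access to the wiki never implies access to payroll: each request is evaluated against the rules for that resource alone, and the denial reason records which attribute failed so the decision can be logged and reviewed.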
ZTNA is an important concept in the evolution of IT security. The key takeaway is that ZTNA is both a concept and a journey. You can’t buy ZTNA (though you can undoubtedly acquire services and technologies that will help you on the journey). Very few organizations can claim to be one hundred percent ZTNA-compliant. Recognize the benefits gained at each step of the journey, and don’t be discouraged when complete compliance isn’t realistic or possible.