The concept of zero trust has gained a lot of excitement in recent years. A zero trust architecture assumes an inherently hostile network and treats every request as if it came from an untrusted party, regardless of where on the network it originates. This practice has been crucial to securing increasingly remote, cloud-based working arrangements, especially as broken access control (the top category in the OWASP Top 10 2021) remains a leading threat to modern IT.
Most organizations now understand the imperative to implement zero trust. However, it is tricky to build a simple zero trust architecture without hurting application performance. The problem is aggravated by the fact that most vendor solutions rely on costly network-based systems that funnel all traffic through a single tunnel into the enterprise application environment, which creates a bottleneck (not to mention a high-value attack target). For most scenarios, an application-based proxy is better suited to enabling zero trust with less complexity and higher performance.
Below, we’ll compare and contrast two emerging variants of zero trust architecture: Zero Trust Network Access (ZTNA) and Zero Trust Application Access (ZTAA). We’ll identify the benefits and drawbacks of each approach and highlight use cases for each.
What Is Zero Trust Network Access (ZTNA)?
Zero Trust Network Access (ZTNA) abstracts direct application access by securing the network layer with a tunnel into the corporate environment. According to Gartner, ZTNA “creates an identity- and context-based, logical access boundary around an application or set of applications.” ZTNA is a trending vendor category, with products such as Zscaler Private Access (ZPA) and Cloudflare Access in the spotlight.
A ZTNA solution typically does two things. First, it builds a tunnel between the corporate network and the vendor's cloud (usually an outbound connection from a connector deployed inside the network to the vendor's brokers, so no inbound firewall openings are needed). Second, it layers a policy engine on top of that tunnel that controls which enterprise resources a given user may reach. Thus, when hybrid or remote employees want to access an internal resource, they connect to the cloud service, which evaluates the policy and relays the authorized request through the tunnel to the application inside the enterprise network.
What Is Zero Trust Application Access (ZTAA)?
Instead of building a tunnel to secure the network layer, as ZTNA does, Zero Trust Application Access (ZTAA) protects the individual applications themselves, without any changes to the network infrastructure. To do this, ZTAA places lightweight proxies (cloud-native and container-based) *within* the enterprise environment, alongside the applications they protect. Because it does not introduce another network or tunnel, ZTAA runs over whatever network the enterprise already operates: it inherits that network's capacity and lets the enterprise keep its existing investments in network infrastructure.
Compared to most ZTNA solutions, ZTAA tends to provide more granular control, down to sub-application resources such as individual URL paths and methods, because the proxy sits next to the application and sees every request. ZTAA also requires fewer components to function, reducing overall complexity. That makes it better positioned to centrally handle multi-cloud, hybrid setups and to integrate with cloud-native technologies such as containers and Kubernetes, where a container-based proxy can be deployed alongside each service.
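As an added illustration (not code from the original article, nor from any vendor's product), here is a minimal identity-aware proxy of the kind a ZTAA deployment places beside an application, written in Go. It assumes a hypothetical token format ("user|group1,group2|hmac") minted by an upstream identity provider with a shared HMAC key, a hypothetical X-ZT-Token request header, and a policy that maps URL path prefixes to allowed groups; the policy, the demo key and the user names are constructed for this example. It shows the per-request decision that gives ZTAA its sub-application granularity: the token is verified before any field is trusted, the path is normalized before matching so that "/admin/../profile" cannot slip past the "/admin" rule and "/administrators" does not inherit it, the most specific prefix wins, and anything without a matching rule is denied.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// Identity is what the proxy learns about the caller from a verified token.
type Identity struct {
	User   string
	Groups []string
}

// Policy is one application's rule set: Rules maps a path prefix to the groups
// allowed under it; Key is the HMAC key shared with the assumed upstream IdP.
type Policy struct {
	Key   []byte
	Rules map[string][]string
}

func sign(key []byte, body string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(body))
	return fmt.Sprintf("%x", m.Sum(nil))
}

// MintToken builds the assumed "user|group1,group2|hexmac" token format.
func MintToken(key []byte, id Identity) string {
	body := id.User + "|" + strings.Join(id.Groups, ",")
	return body + "|" + sign(key, body)
}

// ParseToken verifies the MAC before trusting any field of the token.
func ParseToken(key []byte, tok string) (Identity, bool) {
	parts := strings.Split(tok, "|")
	if len(parts) != 3 || !hmac.Equal([]byte(sign(key, parts[0]+"|"+parts[1])), []byte(parts[2])) {
		return Identity{}, false
	}
	groups := strings.FieldsFunc(parts[1], func(c rune) bool { return c == ',' })
	return Identity{User: parts[0], Groups: groups}, true
}

// Decide cleans the path (so "/admin/../profile" is judged as "/profile"), picks the most specific
// rule on a segment boundary (so "/admin" does not cover "/administrators"), and allows only callers in its groups.
func (p Policy) Decide(id Identity, rawPath string) (string, bool) {
	clean := path.Clean("/" + rawPath)
	bestPrefix, bestGroups := "", []string(nil)
	for prefix, groups := range p.Rules {
		onPrefix := prefix == "/" || clean == prefix || strings.HasPrefix(clean, prefix+"/")
		if onPrefix && len(prefix) > len(bestPrefix) {
			bestPrefix, bestGroups = prefix, groups
		}
	}
	for _, g := range id.Groups {
		for _, allowed := range bestGroups {
			if g == allowed {
				return clean, true
			}
		}
	}
	return clean, false // no matching rule, or caller not in its groups: default deny
}

// Handler fronts one application: authenticate, authorize, forward only the authorized path. The app may
// trust X-Authenticated-User only because it is reachable solely through this proxy (assumed, not enforced here).
func (p Policy) Handler(upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, ok := ParseToken(p.Key, r.Header.Get("X-ZT-Token"))
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		clean, allowed := p.Decide(id, r.URL.Path)
		if !allowed {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		r.URL.Path, r.URL.RawPath = clean, ""
		r.Header.Del("X-ZT-Token")
		r.Header.Set("X-Authenticated-User", id.User)
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed policy for a hypothetical HR app: employees may reach anything except /admin, which is hr-admins only.
	p := Policy{Key: []byte("constructed-demo-key"), Rules: map[string][]string{"/": {"employees"}, "/admin": {"hr-admins"}}}
	alice, _ := ParseToken(p.Key, MintToken(p.Key, Identity{User: "alice", Groups: []string{"employees"}}))
	for _, req := range []string{"/profile", "/admin/users", "/admin/../profile", "/administrators"} {
		clean, ok := p.Decide(alice, req)
		fmt.Printf("alice %-18s judged as %-16s allowed=%v\n", req, clean, ok)
	}
}
```

Running it shows alice (an employee, not an HR admin) allowed on /profile and /administrators and refused on /admin/users, with the traversal attempt judged as /profile. The HMAC check rejects any token not minted with the shared key, so a caller on the same network segment gains nothing by forging headers. Handler strips the token and forwards a verified user header to the application, which is only safe if the application accepts traffic from the proxy alone (for example, a container that exposes no port except the one the co-located proxy listens on). A production deployment would use a standard token format such as an OIDC-issued JWT and mutual TLS between proxy and application rather than this constructed format.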
When To Use ZTNA vs. ZTAA
Although a ZTNA architecture helps hide application environments from the public internet, it suffers from some major downsides. Most notably, performance can be severely affected. Like a jammed highway lane, a ZTNA tunnel can quickly back up under many simultaneous requests. Beyond the bottleneck, the tunnel is a single point of dependency: if it goes down, every application behind it becomes unreachable, and because it is the one path to all of them, a compromise of the tunnel endpoints puts an attacker one hop from every internal application.
ZTNA also introduces a few additional modules (the tunnel endpoints and, usually, endpoint agents), so configuration and ongoing maintenance grow along with the added complexity. Furthermore, this setup usually only allows access management at the application level, limiting the granularity of access control. Lastly, a solution that depends on a trusted network path is really the antithesis of zero trust, which at its core assumes a hostile network.
So, with these realities in mind, when should IT adopt ZTNA rather than ZTAA? Here are some use cases that may help you gauge which is the better fit for your situation.
Use cases for ZTNA:
When performance requirements are minimal.
When the number of services is small, say 10-20.
When there is little traffic and few distinct end-user types.
When you must maintain a tunnel and/or endpoint agents for corporate reasons.
Use cases for ZTAA:
When dealing with a larger suite of services and users.
When performance matters and elasticity is necessary for high-volume applications.
When seeking compatibility with cloud-native technologies.
When the applications in scope are web applications: ZTAA is purpose-built for them, whereas ZTNA is the broader solution for arbitrary TCP/UDP services that do not speak HTTP.
When seeking an agentless VPN alternative. (A VPN can of course still be applied as a second layer of protection; security is a layered approach.)
To reduce costs: ZTAA can typically be implemented for a fraction of the cost of tunnel-based ZTNA solutions.
To improve user experience, since ZTAA can be fully clientless.
Avoid The Tunnel To “Trust No One”
The State of Zero Trust Security: 2021 Report found that 90% of companies are either working on implementing zero trust or plan to in the near future. The interest in zero trust is clear; however, many misconceptions still cloud the market. The chief one is the assumption that zero trust means “you need a tunnel.” But the light at the end of that tunnel may just be an oncoming train.
If you still think you need a tunnel to secure your network, you can pair ZTAA with a VPN for your remote users. Many enterprises have already invested heavily in VPN technology, so why throw it away? You do not need to buy a new tunnel from a ZTNA vendor and overhaul your network architecture; you can use a VPN together with ZTAA.
In summary, don't get lost in the ZTNA tunnel: securing the network is often the wrong approach. Instead, most scenarios should consider a ZTAA architecture, which does not suffer from the same performance bottlenecks as ZTNA. ZTAA also arguably offers an improved administrative experience, brings better cost savings, and gets you to your goal of zero trust faster.