WHAT IS ZTNA?
Nate Drake explores the concept of ZTNA and the obstacles businesses face with its adoption
In 2010, John Kindervag of Forrester Research coined the term “zero trust model” to describe the need for stricter cybersecurity policies, particularly within corporate networks.
In the last five years, numerous cybersecurity platforms have claimed to offer zero trust network access (ZTNA): a robust and flexible security solution that goes above and beyond the traditional perimeter-based security model.
ZTNA operates on the principle that no user or device should be trusted by default. Instead, every access request is verified, whether it comes from inside or outside the network.
We haven’t used the word “principle” lightly: although certain software vendors might have users believe otherwise, ZTNA isn’t tied to a specific product or technology. It’s more akin to a security philosophy governing how users and their devices should interact with network resources.
Since ZTNA solutions first appeared, they’ve been embraced by numerous sectors, such as healthcare, finance, and tech. Given that such organizations are prime targets for hackers, ZTNA offers the best solution for protecting sensitive data by enforcing granular access and network segmentation.
Despite the clear promise of zero trust, adoption isn’t without its challenges. These stem partly from adapting existing systems or retraining to use new platforms. People who are used to more lenient access policies may also balk at continuous verification, as they don’t directly benefit from the tighter security ZTNA offers.
Remote work and BYOD policies have made it almost impossible to enforce network security policies at the perimeter.
The concept of zero trust network access first emerged in response to traditional security approaches to networks. Companies adopted the castle-and-moat mindset, whereby all threat actors were assumed to be located outside the network perimeter, while every user and program inside could be trusted.
This approach may have had its merits when companies issued and vetted their own computers. However, the rise of remote work, cloud computing, and BYOD (bring your own device) policies has eroded the perimeter.
Attackers increasingly target cloud platforms to steal user credentials and data. This raises challenges for organizations that need to provide workers with access to sensitive network applications and files. In the past, initiatives like BYOD followed the old Russian proverb of “trust but verify,” but this is insufficient if the device itself is compromised.