July 12, 2022

What Is ZTNA and How Will it Affect Your Cloud?

By Gilad David Maayan

What is Zero Trust Network Access (ZTNA)?

In a zero-trust security model, all user connections are authenticated, and users only receive the access and privileges they need to fulfill their role. This is very different from traditional security solutions like VPN, which offered users full access to the target network, implicitly trusting a user after they successfully authenticated.

Zero trust network access (ZTNA) solutions are designed to implement and enforce an organization’s zero trust strategy. Users who want to connect to your organization’s applications can connect only if they really need access, and if there is nothing unusual or anomalous about their access request. This significantly reduces the cyber risks and threats facing organizations.

To illustrate the impact of zero trust solutions on cybersecurity, in its 2021 Cost of Data Breach Report, IBM noted that organizations with a proven approach to zero trust had an average cost of a breach $1.76 million lower than organizations without zero trust—only $3.3 million for an organization with zero trust vs. $5.4 million without it. With most organizations moving workloads to the cloud, this is an important consideration for cloud cost management.

Removing Cybercrime

At the same time, according to the report, only 35% of organizations have partially or fully adopted zero trust, and 22% more plan to adopt it in the future. Of the organizations adopting zero trust, only 48% describe their zero trust implementation as mature. In total, only 17% of surveyed organizations have a mature zero trust implementation.

How Does ZTNA Work?

ZTNA solutions create a virtual perimeter around physical devices (on-premises) and logical resources (in the cloud). ZTNA is not a single technology. It incorporates several techniques for authenticating and providing access to requesting users or devices.

Most ZTNA techniques have the same focus: they ensure applications are hidden from view of a user until access is confirmed by a trusted broker. The broker uses the following process to check if access should be allowed:

  1. Users are initially authenticated when they log in
  2. The device connecting to the network is also checked to ensure it is known, trusted, and has the latest patches and security updates.
  3. Even if the user and device are trusted, access is only granted according to the principle of least privilege (POLP). The user or device is exactly the permissions they need depending on their role.

Requirements for ZTNA in the Cloud

1. Cloud Integrated Access

Access to cloud resources must be tightly connected to services in the cloud. Securing access to cloud resources requires integration with existing cloud access services, specifically identity and access management (IAM) and key management systems (KMS).

Integrating with cloud services enables a ZTNA solution to perform real-time monitoring and application access enforcement. This can reduce complex permission management, ensure identity protection for cloud-based applications, and centralize key management.

2. Identity Brokerage

Identity-based access is central to a zero trust strategy. However, identities distributed across networks, applications, and the cloud often create security weaknesses. A ZTNA solution must track and control identities for cloud access across networks, applications and cloud environments.

It is important to continuously monitor identities, to determine if an identity used to access your cloud is a shared account or has possible spoofing activity. When using shared accounts, it is important to track activity and attribute it to specific users.

3. Data and Context Awareness

Secure access cannot be achieved without monitoring the context in which a user is accessing applications and data. Modern ZTNA solutions make this context an inseparable part of the access policies and authorization process. This is a highly effective way to prevent account takeover and data theft in the cloud.

Another aspect of ZTNA is the ability to detect personally identifiable information (PII) and other types of sensitive data. This can allow ZTNA to perform data loss protection, ensuring data security and compliance.

4. Adapt to Dynamic Environments

ZTNA can analyze permissions, resource usage, and integrate KMS as part of authentication. It adjusts application permissions based on network policies and automatically creates policies as new resources become available. It also applies analytics to optimize access control rights based on runtime analysis of cloud and on-premise environments.

How to Choose a Zero Trust Solution for Your Cloud?

Here are some important considerations for evaluating zero trust solutions:

  • Does the solution require endpoint proxies, and if so, which platform does it support?
  • Does the solution require installing and managing a ZTNA proxy, and is it available both as cloud service and deployable agent?
  • Does the solution require a Unified Endpoint Management (UEM) tool to assess device security posture, such as password level, encryption, and security patches?
  • What options does the solution provide for controlling access via unmanaged devices, which are increasingly common?
  • Does the ZTNA solution provide User and Entity Behavior Analysis (UEBA) for smart detection of anomalies in the environment?
  • What is the global distribution of the ZTNA vendor and how many points of presence (PoP) does it operate?
  • What types of applications does the ZTNA solution support—web applications, legacy applications, mobile applications, and APIs.
  • What is the licensing model? Is it based on price per user, price per bandwidth, or some combination?


In this article, I explained the basics of ZTNA and covered four key requirements for zero trust access in the cloud:

  • Cloud integrated access—ZTNA must integrate with native cloud services like IAM
  • Identity brokerage—ZTNA must consistently manage identities across on-premise networks and clouds.
  • Data and context awareness—ZTNA should take into account the current security context and the sensitivity of the data being accessed.
  • Adapt to dynamic environments—ZTNA should analyze usage patterns and dynamically adapt its policies.

I hope this will be useful as you take your next steps towards zero trust adoption in the cloud.

By Gilad David Maayan

Gilad David Maayan

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Check Point, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.

Maximize Workforce Efficiency: Top HR Data Analytics Platforms

HR Data Analytics Platforms In today’s rapidly evolving workplace, human resources (HR) departments are not [...]
Read more

Karen Buffo, CMO of MixMode, on the Rise of AI in Safeguarding Digital Assets

Welcome to our Q&A session with Karen Buffo, CMO of MixMode, hosted by CloudTweaks. Today, [...]
Read more
Daniel Barber

Q&A Daniel Barber – 2024 AI + Data Privacy Predictions

2024 AI + Data Privacy Predictions In a recent interview with CloudTweaks, Daniel Barber, Co-Founder [...]
Read more
Nagaraj Kuppuswamy

Next-Generation Threats: Securing Multi-Cloud Environment

Next-Generation Threats Using cloud services from multiple cloud service providers is the fundamental tenet of [...]
Read more

AI-Powered Analytics: Q&A with Sonata Software’s Manu Swami

Welcome to today’s enlightening Q&A session on “AI for Enhanced Analytics,” where we are privileged [...]
Read more
Chris Bray

Quantum Leap: How Post-Quantum Cryptography Will Dominate 2024 Boardroom

2024 Cybersecurity Predictions As we step into 2024, the technological landscape is poised for transformative [...]
Read more


Explore top-tier education with exclusive savings on online courses from MIT, Oxford, and Harvard through our e-learning sponsor. Elevate your career with world-class knowledge. Start now!
© 2024 CloudTweaks. All rights reserved.