Network Security

Zero Trust Network Access (ZTNA) vs. Zero Trust Application Access (ZTAA): Which is Better?

Zero Trust Network Access (ZTNA) vs. Zero Trust Application Access (ZTAA): Which is Better?
Written by ga_dahmani
Zero Trust Network Access (ZTNA) vs. Zero Trust Application Access (ZTAA): Which is Better?

The concept of zero trust has gained a lot of enthusiasm in recent years. A zero trust architecture assumes an inherently hostile network and treats each user request as an external party. This practice has been crucial in securing increasingly remote and cloud-based work arrangements, especially as broken access control it remains one of the top threats to modern IT.

Most organizations now understand the imperative to implement zero trust However, it is difficult to build a simple zero-trust architecture without negatively affecting application performance. This problem has been made worse because most vendor solutions use expensive network-based systems that create a bottleneck (not to mention a high-value attack target) and rely on a single tunnel for environments. of business applications. For most scenarios, an application-based proxy is better suited to enable zero trust with less complexity and higher performance.

DevOps Connection: DevSecOps @ RSAC 2022

Below, we will compare and contrast two emerging variants of the Zero Trust architecture: Zero Trust Network Access (ZTNA) and Zero Trust Application Access (ZTAA). We will identify the benefits and drawbacks of each approach and highlight the use cases for each.

What is Zero Trust Network Access (ZTNA)?

Zero Trust Network Access (ZTNA) abstracts direct access to applications by securing the network layer with a tunnel to the corporate environment. According to Gartner, ZTNA “creates a logical access boundary based on identity and context around an application or set of applications.” ZTNA is a trending provider solution, with software providers like Zscaler ZPA and Cloudflare Access in the spotlight.

A ZTNA solution will generally accomplish two things. First, you’ll build a tunnel from the corporate network to the cloud. Second, you’ll create a user interface overlay on top of the tunnel to control which business resources a user can access. So when remote or hybrid employees want to access an internal resource, they connect through the cloud service and reach the application on the corporate network through the tunnel.

What is Zero Trust Application Access (ZTAA)?

Instead of building a tunnel to secure the network layer, like ZTNA, Zero Trust Application Access (ZTAA) protects individual applications without any changes to the network infrastructure. To handle this, ZTAA places super-light proxies (cloud-native and container-based) *within* the enterprise environment where the applications are located. Instead of adopting another network and tunnel, ZTAA allows users to run any network they want. Therefore, ZTAA not only meets the capacity of the adopted network, but also allows companies to maintain their pre-existing investments in network infrastructure.

Compared to most ZTNA solutions, ZTAA tends to provide more granular control of sub-application resources as it is closer to the individual application. ZTAA also requires fewer components to function, reducing overall complexity. This better positions you to centrally handle hybrid multi-cloud configurations and integrate with cutting-edge cloud-native technologies like containerization and Kubernetes.

When to use ZTNA vs. ZTAA

Although a ZTNA architecture helps reduce the visibility of application environments, it does have some significant drawbacks. That is, performance can be severely affected. Like a jammed highway lane, a ZTNA tunnel can quickly become clogged with simultaneous requests. In addition to acting as a bottleneck, the tunnel is a significant single dependency, meaning that if it breaks, all internal applications are exposed.

ZTNA also features some additional modules. This means ongoing maintenance and configuration requirements increase along with additional complexity. Additionally, this setting typically only allows application-level access management, which limits the granularity of access control. Finally, a network-dependent solution is really the antithesis of zero trust, which is essentially a hostile network.

So with these realities in mind, when should IT adopt ZTNA versus ZTAA? Here are some use cases to consider that can help you assess which one is best for your situation.

Use cases for ZTNA:

  • When there are minimum performance requirements.
  • When the number of services is small, say 10-20.
  • When there is not too much traffic or different types of end users.
  • When you need to maintain a tunnel and/or endpoint agents for corporate reasons.

Use cases for ZTAA:

  • When it comes to a larger set of services and users.
  • When performance matters and elasticity is required for high-volume applications.
  • Looking for compatibility with cloud-native technologies.
  • While ZTNA is a broader solution, ZTAA is more designed for web applications.
  • When looking for an agentless VPN alternative. (Of course, a VPN can still be applied as a second layer of protection. Security is a layered approach!)
  • To reduce costs: ZTAA can be implemented for a fraction of the cost of tunnel-based ZTNA solutions.
  • To increase user experience as ZTAA can be completely clientless.

Avoid the tunnel to “trust no one”

the State of Zero Trust Security: 2021 Report found that 90% of companies are working on implementing zero trust or plan to do so in the near future. The interest in zero trust is clear; however, many misconceptions still cloud the market. The main one is the assumption that zero trust correlates with “you need a tunnel”. But, the light at the end of that tunnel may just be an oncoming train.

If you still think you need a tunnel to protect your network, you can use ZTAA and a VPN for your remote users. Many companies have already invested heavily in VPN technologies, so why throw them away? You don’t need to buy a new tunnel from ZTNA and review your network architectures – you can use a VPN with ZTAA in full.

In short, don’t get lost in the ZTNA tunnel: protecting the network is often the wrong approach. Instead, most scenarios should consider a ZTAA architecture, which does not suffer from the same performance bottlenecks as ZTNA. ZTAA also arguably offers an improved administrative experience, provides better cost savings, and gets you to your goal of zero trust faster.

About the author


Leave a Comment