Zero Trust Network Access Is an Oxymoron
Though Zero Trust is really quite simple and should be viewed as a very strong form of the age-old principle of least privilege, that does not mean that it is the same thing. In fact, one of the most significant differences from what came before is that when it comes to access, Zero Trust is based on application access, not network access. I was surprised, then, when Gartner's new SASE (secure access service edge) model included something called Zero Trust Network Access (ZTNA). This term is an oxymoron, and I make this point because it matters. The distinction between network access and application access is important.
Traditionally, access to corporate applications has been based on network access. You need to be on the corporate network in order to access corporate applications. If you are in one of your company's office buildings, then you connect to the corporate Wi-Fi network or Ethernet, possibly with an extra step of network access control (NAC). If you are elsewhere, then you use a virtual private network (VPN). Either way, there will be some authentication and authorization step after which you are on the corporate network. At this point, you have an elevated level of privilege and can access corporate applications.
This elevated level of privilege that comes with network access, however, also comes with additional capabilities that you really don't need. Specifically, you can see every application that is routable on that network. You may not be able to log in to every such application, but you can see them -- that is, you can route packets to them. This distinction is important. If you can see an application, you can likely get it to execute code (for example, present a login screen or begin some other form of login challenge). And if you can get it to execute code, you may be able to exploit a vulnerability.
You could literally scan the network for vulnerable applications and then exploit them. Of course, you may be well intentioned and would never do such a thing, but not everyone is. More importantly, you could have malware on your device, and if you are on the corporate network, then so too is that malware. Scanning the network for vulnerable applications is exactly what malware does. That is exactly how malware spreads and finds high-value applications that it can exploit, and how ransomware finds high-value data that it can encrypt and then demand ransom for decryption.
What we see here is a clear violation of the principle of least privilege. You need access to certain applications, but you do not need to be able to see any other applications, let alone scan the network for vulnerabilities. Zero Trust fixes this problem by using an application-based access model.
With Zero Trust access, there is no direct routability between users and applications, and instead all access is routed through proxies. Generally, Zero Trust access is provided as a service with the proxies in multiple internet locations. Therefore, users need only a connection to the internet. Users never need to be on the corporate network.
Even in the case of remote access, there is no need for a VPN. When a user tries to connect to an application, they are redirected to one of these proxies. Only after the proxy authenticates the user and establishes that the user is authorized to use that application does it establish a forward connection to that application and allow communication between the user and that application. How it is that the proxy does this authorization, authentication, and forward connection varies by implementation and is beyond the scope of this article.
We can now see the clear contrast between the traditional network-based access model and the Zero Trust application-based access model. With network-based access, applications are exposed to the network -- either the entire internet or the corporate network -- visible to anyone who might need access. In contrast, with application-based access, applications are invisible and become exposed only to those who do need access and only after they have been authenticated and authorized.
With Zero Trust application-based access, users never need to be on the corporate network, and a VPN is never needed.