Zero Trust Network Access (ZTNA)


Somehow it has become fashionable for everyone to "do" zero trust networking. Sigh. Not much we can do about that. Instead, we'll describe what NetFoundry's Ziti ZTNA actually does for you.

You will close all your open inbound firewall ports. No exceptions, no whitelisted IPs. After all, do you really have ZTNA if you are trusting IP addresses?  In summary: replace 10s to 1000s of firewall ACLs with one inbound firewall rule: deny-all.  

ZTNA for all use cases.  Of course, zero open ports and zero whitelisted IPs is only possible if you have a platform that works for all your sessions. And NetFoundry's Ziti platform does exactly that.  Critical to this is that you can put parts of the data plane into your own environments, so you don't have to backhaul latency-sensitive sessions.  So, you have ZTNA for every use case, from APIs to remote management.

Your networks will be passport gated.  Nothing gets on your private Ziti overlay without a passport.  Cryptographically validated X.509 certificates are the passports.  The Ziti platform takes care of automated enrollment, PKI and certificate renewals.  The X.509 certificate functions like a YubiKey or hardware dongle physically loaded on each device, so it is much more difficult to steal or hijack than passwords, SMS codes, etc.  The solution is similar to network access control (NAC) solutions, except it is for Internet-distributed devices and apps, and secured with modern cryptography.

You don't need to control the networks.  What?  Yeah, that's not an error.  Ziti enables you to deploy 'endpoints' as software, anywhere, even inside the process space of your apps (via Ziti SDKs).  Why does that matter?  Well, if you are an app developer, SaaS provider or ISV, then you can provide zero trust networks across any set of edges, clouds and networks...while your customers just need an Internet connection.  Suddenly, B2B and IoT and APIs are simple to secure.  Adios VPNs, MPLS, private mobile APNs.  Meanwhile, if your app needs to be super secure, such that nothing has access to it (not even the hosts!), then you finally have a solution.  It looks like this.

mTLS


You converge networking and security, moving the policy enforcement point.  Ok, that sounds like more zero trust networking jargon.  Here's what it means.  There are no connections until after security is in place.  Remember the X.509 passports?  Those are required before you are allowed to initiate a session.  You need to identify, authenticate and authorize before you can send packets on the Ziti overlay fabric.  So you move the policy enforcement point all the way back to the initiation of the session - rather than the traditional approach of waiting for the sessions to get all the way to the edges of your network, and then needing to bolt on security at the edges of your network (firewalls etc.) to try to determine which of those flows are secure, and which aren't.

Mutual TLS east-west and north-south.  Mutual TLS (mTLS) is a big deal.  Not just for ZTNA or compliance requirements, but because it is far more secure.  It is also simpler (mTLS immediately reduces the noise which ops needs to deal with by ensuring only authenticated clients can talk on your zero trust Ziti network).  But of course there is a catch.  mTLS can be difficult to implement.  Some use service mesh to implement mTLS in east-west architectures.  That's ok but north-south doesn't disappear.  In fact, with increasing hybrid and multicloud flows, north-south is becoming more important.  So Ziti provides mTLS in all directions, controlled by you from one platform, across all edges and clouds, even mTLS for IoT.  As always with Ziti's ZTNA, you choose.  Meaning, you can use Ziti for all your mTLS, or to plug your north-south mTLS hole, or for specific sites or for specific apps.  Your choice.
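The passport gating and mTLS points above, as an added example that is not NetFoundry's or Ziti's code: plain Go crypto/tls stands in for the Ziti overlay, with the server demanding a client certificate that chains to its trust pool, so a client with no certificate, or one from an issuer outside the pool, never gets past the handshake. The function names and the throwaway localhost certificate are assumptions constructed for this demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SelfSigned mints a throwaway self-signed "passport" for localhost (constructed for this demo) and a pool trusting only it.
func SelfSigned(cn string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo code: errors are not checked
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	parsed, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// Admitted reports whether a client presenting `client` (empty = no passport) gets past a server that demands a cert chaining to trust.
func Admitted(server tls.Certificate, trust *x509.CertPool, client []tls.Certificate) bool {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server}, ClientCAs: trust,
		ClientAuth:   tls.RequireAndVerifyClientCert, // the policy enforcement point: no passport, no session
	})
	defer ln.Close()
	cfg := &tls.Config{RootCAs: trust, ServerName: "localhost", Certificates: client}
	go func() { // client side: dial, then wait until the server admits us or tears the session down
		if conn, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
			conn.Read(make([]byte, 1))
			conn.Close()
		}
	}()
	c, err := ln.Accept()
	if err != nil {
		return false
	}
	defer c.Close()
	return c.(*tls.Conn).Handshake() == nil // server side: identity is decided inside the handshake, before any app data
}
```

The untrusted-issuer case is the mTLS analogue of refusing a whitelisted IP: a peer that is reachable, and even holds a valid-looking certificate, is still turned away unless its passport chains to your own PKI.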


OpenZiti

The world's most used open source zero trust networking platform. Make your apps unreachable from the networks.

CloudZiti

Zero trust networking for 100s of millions of sessions per year. Managed NaaS, built on OpenZiti, including hosted global network fabrics.