Chris ScheelsApril 22, 2021
ZTNA Guide, Part 2: ZTNA Architectures: Exploring Your Options
This blog is part 2 of our 4-part guide to Zero Trust Network Access (ZTNA). Part 1 provides a ZTNA definition and general conceptual overview. This part describes the different architectural approaches. Part 3 explains what you should look for in a ZTNA solution and part 4 reviews the top considerations you should keep in mind during ZTNA implementation.
There are multiple ZTNA architecture approaches: client-based vs. browser-based, self-hosted vs. as-a-service. All approaches offer benefits over traditional access solutions. Still the differences in their architectural makeup are worth considering when determining the right ZTNA solution for your organization’s current and future requirements.
Exploring Different ZTNA Architectures
ZTNA Architecture, Option 1A: Client-based
This architecture is similar to the Cloud Security Alliance (CSA) Software-Defined Perimeter architecture. In this setup, a client is installed on a server or user’s device and the endpoint initiates the connection process.
This approach's advantage is the ability to apply Zero Trust for all private resources, including custom or legacy applications and enhance device posture checks as criteria for trusted access.
There can be situations where access from an unmanaged device is required to connect and a client can’t be installed. For example, this can occur when setting up third-party or contractor access.
ZTNA Architecture, Option 1B: Browser-based
This architecture is similar to the Google BeyondCorp vision, which is essentially a “clientless” or browser-based approach. In this instance, the user connects to the web application via a common internet browser.
A browser-based ZTNA architecture provides frictionless web application access, a viable option for unmanaged devices in which a client's installation isn’t allowed or possible. It is best to use this approach for smaller, less complex, web-only applications or a one-off use case.
This type of ZTNA architecture only supports web applications and web protocols, which have significant limitations. Therefore, browser-based is not a viable solution for a full Zero Trust deployment, which requires integration with non-web-based applications.
ZTNA Architecture, Option 2A: Self-hosted Deployment
This ZTNA architecture gives organizations complete control of their deployment without any ongoing management from the ZTNA provider. This includes infrastructure instantiation, management and monitoring, software upgrades and security patches, as well as the configuration of policies, integrations and user onboarding.
Less vendor-dependent, which typically translates to lower cost and greater control across the data plane without introducing a vendor cloud solution.
Requires internal resources for initial setup and ongoing management to ensure up-to-date software versions across the entire enterprise.
ZTNA Architecture, Option 2B: As-a-Service Deployment
Deploying ZTNA as-a-service is a simplified way for achieving Zero Trust and can be very appealing for SMB and mid-market businesses. This approach leverages the vendor for hosting and managing the ZTNA controller and gateway, assuming responsibility for infrastructure instantiation, management, monitoring and applying upgrades and security patches.
Less internal resources are required to set up and maintain the ZTNA architecture, as well as comfort in knowing software is the most up-to-date.
As-a-service solutions require a premium for vendor hosting and often data passing through a vendor cloud can impact data control or compliance requirements.
Taking A Hybrid Approach
There are select few ZTNA providers that offer a hybrid model, which allows an enterprise to blend the advantages of all architectural approaches, depending on the use case. For example, this might include selecting browser-based access for third-party access to a web-based application and using the client for critical and legacy applications. Or, leveraging as-a-service deployment for a resource-constrained region while self-hosting where your internal staff can handle the ongoing management.
Picking the Right ZTNA Architecture
Before starting your Zero Trust journey, you must consider how you want to set up your ZTNA instance. As described above, setup will impact what components of the network can or can't be secured. The long-term strategy with Zero Trust is to protect the entire enterprise ... any user, any device, any resource, in any location. Therefore, we recommend a solution that allows for flexibility with as many deployment options as possible as you ramp up your Zero Trust implementation.
Want to explore how ZTNA architectures play into your ZTNA vendor selection?
Read the complete guide to ZTNA eBook.
Want to see how a ZTNA solution works?Schedule a demo