Key Considerations When Choosing a ZTNA Solution

Zero Trust Network Access (ZTNA) is a security model built on the principle “never trust, always verify.” Traditional perimeter security inspects traffic at a fixed network boundary and assumes that everything inside is safe and everything outside is suspicious. ZTNA removes that implicit trust: every access request is authenticated and authorized, taking into account both the user’s identity and the state of the device, and access is granted to specific applications rather than to the network as a whole.

This offers significant security benefits for modern businesses, enabling access from diverse locations and devices while minimizing your attack surface and providing granular access based on contextual data. To gain these benefits, you need to find the right ZTNA platform for your business.


Key Takeaways

  • ZTNA is a key enabling technology for cloud migration and hybrid workforces: ZTNA allows organizations to move away from traditional perimeter-based security models to a modern identity-based approach
  • The Ideal ZTNA Solution Must Cover Several Critical Bases: When selecting a ZTNA solution, key considerations include aligning ZTNA with strategic goals, finding matching security features, deployment models, user experience, and integration within broader security strategies such as SASE
  • Check Point SASE Offers Extensive ZTNA Capabilities: Recently assessed as a leader in zero trust platforms, Check Point SASE offers extensive ZTNA capabilities to match different organizational needs and maximize protection for your corporate resources

Listed below are 7 key considerations when choosing a ZTNA solution.

#1. Organizational Need and Aligning ZTNA with Strategic Goals

Any ZTNA solution you consider should fit your organizational needs and align with your strategic goals. Start by assessing the specific security requirements of your operations. This includes classifying the data in use at your organization in terms of sensitivity level and regulatory requirements.

Next, determine who needs access to what resources, where users will be accessing these resources from, and what devices they will be using. Identify ZTNA solutions capable of enforcing access policies for diverse locations and environments while also considering compliance and user experience.

From a broader perspective, you should ask yourself what you hope to achieve by implementing zero trust principles. For example:

  • Are you undergoing digital transformation and want to move on from traditional perimeter-based security controls?
  • Do you want to improve remote access and replace legacy VPNs currently in use?
  • Is ZTNA deployment part of a broader transition to a Secure Access Service Edge (SASE) architecture?

Whatever the end goal is, ensure your chosen ZTNA solution has the features and capabilities to match. This could include multi-factor authentication (MFA) for stronger user verification, or low-latency connectivity so that replacing a VPN does not degrade the user experience.

#2. Types of Zero Trust Security Tools

The next key consideration when choosing a ZTNA solution is which type to choose. Generally, ZTNA tools are categorized into two main types:

  • Agent-based ZTNA: Also known as endpoint-initiated ZTNA, this type of solution installs a software agent on each device. The agent authenticates the user and device, reports device posture, and opens an outbound connection to a trust broker (usually cloud-hosted) that enforces access policy and brokers the session to the application. Because the agent can see the whole device, it supports continuous posture checks, persistent enforcement, and access to non-web protocols such as SSH and RDP. This model works well for corporate-managed devices on which you can install and keep the agent up to date
  • Agentless ZTNA: Also known as service-initiated ZTNA, this approach fronts applications with a gateway or reverse proxy (typically through a connector deployed next to the application) and delivers access through the browser, so unmanaged devices need no dedicated software. Because there is no agent, posture information is limited to what the browser and the identity provider can report, so agentless access is usually restricted to web applications and paired with tighter controls such as read-only or no-download policies for sensitive data. With easier deployment and greater flexibility, agentless ZTNA is well suited to contractors, partners, and Bring Your Own Device (BYOD) scenarios

Some security vendors also offer hybrid solutions that combine agent-based and agentless ZTNA, allowing organizations to tailor enforcement to the user’s device: for example, agent-based ZTNA for managed devices and agentless ZTNA for everything else. This balances the deeper posture visibility and broader protocol support of agents with the easier deployment and greater coverage of agentless access.

#3. Core Security Features of a ZTNA Platform

When evaluating ZTNA platforms, focus on the core security features needed to protect your employees and workflows. These can include:

  • Granular ZTNA Policy Enforcement: The ability to apply Role-Based Access Control (RBAC) per application, enforcing least privilege and minimizing your attack surface, with unknown applications and unmatched roles denied by default. Granular policy enforcement should also take contextual data into account, such as device, location, and time of day, to make dynamic risk-based adjustments. For example, a user following their typical access patterns is low risk. But if their behavior suddenly changes, say they appear on a new device or request information outside normal working hours, the request can be denied or the user can be required to step up to a stronger authentication factor before access is granted
  • ZTNA MFA: Solutions that offer native or integrated multi-factor authentication to ensure strong user verification. Factors fall into something you know (password, PIN), something you have (hardware security key, a registered device that receives a push notification or generates a one-time password), and something you are (biometrics such as facial recognition). Prefer phishing-resistant factors such as FIDO2/WebAuthn security keys for sensitive applications; codes delivered by SMS or email are the weakest option and can be relayed by a phishing site
  • Identity Integration: Compatibility with Identity and Access Management (IAM) tools and Identity Providers (IdPs). Look for support of open standards (SAML, OpenID Connect for authentication and SCIM for user and group provisioning) that works with on-premises directories as well as cloud identity services, so that policy can be keyed to groups maintained in one place. Also consider how actively the vendor is evolving these integrations
  • ZTNA Device Posture Assessments: Checks of the endpoint before and throughout the session, covering factors such as OS patch level, EDR or antivirus status, disk encryption, and configuration compliance. Posture should be re-evaluated continuously, with the session revoked or downgraded when a device falls out of compliance, so that a compromised or non-compliant device cannot keep an existing connection to business resources
  • Data Loss Prevention (DLP) Capabilities: Because the ZTNA broker sits in the path of application traffic, it can inspect and control what data leaves an application, for example by blocking downloads of sensitive content to unmanaged devices or enforcing encrypted transport end to end. Combined with User and Entity Behavior Analytics (UEBA), it can also flag unusual access patterns and automatically tighten a user’s access in response
  • Network Microsegmentation: Combined with granular policy enforcement and least privilege, segmenting the network into small zones limits lateral movement and contains the impact of a compromised account. By isolating systems and enforcing strict controls on traffic between them, you can prevent an initial breach from escalating into a serious incident
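The policy behaviour described above (per-application RBAC with default deny, device posture gating, and contextual signals that trigger a step-up to stronger MFA) is easiest to understand as a decision function. The following is an added illustrative example written for this article, not code from any vendor’s product; the application table, known-device list, posture fields, and sample requests are all constructed assumptions.

```python
"""Context-aware ZTNA access decision (illustrative example, not vendor code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require a stronger factor before allowing
    DENY = "deny"


@dataclass
class DevicePosture:
    managed: bool
    os_patched: bool
    edr_running: bool
    disk_encrypted: bool


@dataclass
class AccessRequest:
    user: str
    roles: set
    app: str
    device_id: str
    posture: DevicePosture
    country: str
    when: datetime
    mfa_strength: str  # "none", "otp", or "phishing_resistant"


# Assumed per-application policy: which roles may reach it and how sensitive it is.
APP_POLICY = {
    "wiki":    {"roles": {"staff", "contractor"}, "sensitivity": "low"},
    "git":     {"roles": {"engineering"},         "sensitivity": "medium"},
    "payroll": {"roles": {"finance"},             "sensitivity": "high"},
}
# Constructed sample data standing in for an inventory and a geo policy.
KNOWN_DEVICES = {"alice": {"lap-001"}, "bob": {"lap-002"}}
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 UTC
ALLOWED_COUNTRIES = {"US", "GB", "DE"}


def posture_ok(p: DevicePosture, sensitivity: str) -> bool:
    """Baseline posture for every app; high-sensitivity apps also need managed + encrypted."""
    if not (p.os_patched and p.edr_running):
        return False
    if sensitivity == "high" and not (p.managed and p.disk_encrypted):
        return False
    return True


def risk_signals(req: AccessRequest) -> list:
    """Contextual signals that raise the risk of an otherwise permitted request."""
    signals = []
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        signals.append("new_device")
    if req.when.astimezone(timezone.utc).hour not in BUSINESS_HOURS:
        signals.append("off_hours")
    if req.country not in ALLOWED_COUNTRIES:
        signals.append("unexpected_country")
    return signals


def evaluate(req: AccessRequest) -> tuple:
    """Return (Decision, reasons). Anything not explicitly permitted is denied."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return Decision.DENY, ["unknown_app"]
    if not (req.roles & policy["roles"]):
        return Decision.DENY, ["role_not_permitted"]
    if not posture_ok(req.posture, policy["sensitivity"]):
        return Decision.DENY, ["posture_failed"]
    signals = risk_signals(req)
    # Sensitive apps always require a phishing-resistant factor, whatever the context.
    if policy["sensitivity"] == "high" and req.mfa_strength != "phishing_resistant":
        return Decision.STEP_UP, signals + ["high_sensitivity_requires_strong_mfa"]
    if "unexpected_country" in signals:
        return Decision.DENY, signals
    # Softer anomalies (new device, off hours) are tolerated only with some MFA already done.
    if signals and req.mfa_strength == "none":
        return Decision.STEP_UP, signals
    return Decision.ALLOW, signals


GOOD_POSTURE = DevicePosture(managed=True, os_patched=True, edr_running=True, disk_encrypted=True)

if __name__ == "__main__":
    req = AccessRequest("alice", {"finance"}, "payroll", "lap-001", GOOD_POSTURE, "US",
                        datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc), "phishing_resistant")
    print(evaluate(req))
```

The order of checks matters: role and posture are hard requirements evaluated first, and contextual signals only ever make the outcome stricter, never more permissive. A real broker would also re-run the posture portion periodically during the session rather than once at connect time.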

#4. Visibility and Reporting

Many of these security controls are enhanced or enabled by strong visibility and reporting. ZTNA controls should cover your entire workforce, monitor every access request (allowed and denied), and produce detailed logs that can be exported to your SIEM for analysis and compliance audits. Look for solutions that provide real-time visibility across all user sessions and detailed reports on policy enforcement.

Deep visibility of network access is vital for adaptive controls, UEBA, and many other enhanced security features. It provides the intelligence needed to fine-tune policies and optimize protection.
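As an added example of the kind of analysis that detailed ZTNA logs make possible (not part of the original article, and not tied to any vendor’s log format), the snippet below reads constructed JSON access events and flags two patterns worth an analyst’s attention: a burst of denials from one account, which often indicates a compromised credential probing for reachable applications, and consecutive sessions from different countries within a short window. The field names and the sample lines are assumptions.

```python
"""Review constructed ZTNA access logs for suspicious patterns (illustrative example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON event per line; field names are assumed, not a real format.
SAMPLE_LOG = """
{"ts": "2024-03-04T09:00:00Z", "user": "alice", "app": "git", "country": "US", "decision": "allow"}
{"ts": "2024-03-04T09:20:00Z", "user": "alice", "app": "git", "country": "DE", "decision": "allow"}
{"ts": "2024-03-04T09:30:00Z", "user": "bob", "app": "payroll", "country": "GB", "decision": "deny"}
{"ts": "2024-03-04T09:31:00Z", "user": "bob", "app": "payroll", "country": "GB", "decision": "deny"}
{"ts": "2024-03-04T09:32:00Z", "user": "bob", "app": "finance-db", "country": "GB", "decision": "deny"}
{"ts": "2024-03-04T10:00:00Z", "user": "carol", "app": "wiki", "country": "US", "decision": "allow"}
""".strip()


def parse_log(text: str) -> list:
    """Parse JSON lines into events with timezone-aware timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_deny_bursts(events: list, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> set:
    """Users with at least `threshold` denials inside any `window`-long period."""
    denies = defaultdict(list)
    for e in events:
        if e["decision"] == "deny":
            denies[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in denies.items():       # times are already in ascending order
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.add(user)
                break
    return flagged


def find_country_changes(events: list, window: timedelta = timedelta(hours=1)) -> set:
    """Users whose consecutive sessions originate from different countries within `window`."""
    last = {}
    flagged = set()
    for e in events:
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            flagged.add(e["user"])
        last[e["user"]] = e
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("deny bursts:", find_deny_bursts(evs))
    print("country changes:", find_country_changes(evs))
```

Both detections depend on the log carrying the denied requests as well as the allowed ones; a platform that records only successful sessions cannot support the first check at all, which is a concrete question to put to a vendor.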

#5. Deployment Models and Scalability

Another key consideration is the deployment model and the scalability it allows as business needs change. Modern ZTNA deployments fall into three models:

  • Cloud-based: Ideal for hybrid workforces, cloud-based solutions offer ZTNA scalability and flexibility with easy updates that can adapt to new threats and increase capacity as your business grows
  • On-premises: Self-hosted brokers and gateways that you operate and update yourself, better suited to highly regulated industries with data residency requirements
  • Hybrid: Combines both to offer the benefits of cloud-based solutions while maintaining on-premises deployments for stricter data requirements

The right choice for your business will depend on your compliance needs, network environments, and workforce distribution. When considering a scalable, cloud-based deployment, look for vendors that maintain global points of presence (PoPs) to ensure strong ZTNA performance regardless of the number and distribution of users.

#6. User Experience & Performance

ZTNA platforms must balance robust security without significantly impacting user experience. Key factors include:

  • Low-latency connections through optimized routing and a global PoP network
  • Single sign-on (SSO) for streamlined access across applications
  • Minimal disruption during device posture checks or MFA prompts

Poor ZTNA performance and user experience can lead to employees looking for workarounds, such as shadow IT. Users bypassing the security team and sharing sensitive data with unsanctioned apps undermines the implementation of ZTNA solutions.

#7. Integration with Broader Security Stack

ZTNA controls what users have access to, minimizing your attack surface. However, it is not a comprehensive framework and should be deployed within a broader security stack that offers a range of other capabilities. Therefore, you need to consider how a particular ZTNA solution will integrate with different tools and technologies to deliver extensive safeguards.

A common implementation of ZTNA is as a key component of SASE architecture that combines the framework into a full suite of networking and security tools, including:

Maximize Security with Check Point SASE

Listed above are 7 key considerations for choosing a ZTNA solution. However, maximum security comes when you choose a ZTNA solution as part of a comprehensive SASE platform like Check Point SASE.

Recognized as a leader among zero trust platforms in Forrester’s 2025 report, Check Point SASE achieved the highest possible score across:

  • Centralized Management and Usability
  • Segmentation and Control
  • Least-Privileged-Access Enforcement
  • Deployment
  • Strategy Roadmap
  • Supporting Services and Offerings

Talk to an expert today and see these capabilities in action for yourself.