
Best Practices for Zero Trust Network Access (ZTNA)

ZTNA & VPN – better, together

During the peak of the Covid-19 pandemic, there was an immediate need for the entire workforce to work remotely. Although the pandemic appears to be gradually subsiding, the office landscape may be changed forever. Some workers will return to the physical office, some will work on a hybrid model, and a large number will work remotely indefinitely.

As we move into this new normal, it is becoming increasingly clear that a remote workforce requires secure access to its organization’s LAN. Today, many companies use VPNs for this purpose to provide external users a secure remote connection to the organization’s internal network.

The times they are a-changing

VPNs were invented when most network traffic came from enterprise users who had company-owned computers connected to the corporate network. There was a perimeter or a clear separation between users inside and outside the trusted network.

Statically defined network perimeters no longer implement best practices for today’s distributed architectures, which now span multiple data centers. Users need secure remote access to multiple locations in addition to on-premises and cloud-based applications. Organizations also must enable access for BYOD (Bring Your Own Device) and IoT devices.

VPNs: a hacker’s new best friend

VPNs have recently become a very attractive target for hackers. A cybercriminal who acquires a user’s VPN login credentials or breaches the company’s VPN server can enter the network and cause enormous havoc.

During the past year, several major corporations using leading VPN vendor solutions such as Pulse Secure, Fortinet, and Palo Alto Networks experienced major data breaches, even though these vendors are considered market leaders. Cybercriminals hacking these systems were able to exploit VPN software bugs that gave them access to backend servers.

Transitioning from VPNs to ZTNA

As a result of changing remote work needs and a new understanding of the security risks that VPNs may present in this new context, many CIOs and CISOs are examining trends in architectural improvements and considering whether to implement a Zero Trust Network Access solution. Reinforcing the trend, a growing number of government regulations now require organizations to implement ZTNA.

An example of this is the recent US Government Executive Order 14028 which was issued on May 12, 2021, by US President Biden in a bid to “Improve the Nation’s Cybersecurity”.

In short – for government-related organizations, implementing a Zero Trust architecture is now required by law. That’s a big deal.

According to Gartner Research:

“There is strong interest in zero-trust network access (ZTNA). Gartner inquiries on this topic have grown 127% in the first four months of 2021, as compared with the same period in 2020.” [1]

Gartner further adds:

“Although there is a lot of excitement over the benefits of ZTNA, end-user organizations lack experience in implementing it.” [1]

Safe-T’s Best Practices for ZTNA

To support both the need and the trend, Safe-T has put together a list of best practices for ZTNA:

1. Trust no one by default

Implement a security approach that focuses on not trusting any users inside or outside of an organization. If a user is in the LAN, there should be no assumption of trust.

Ensure users are successfully authenticated for a specific application before there is any visibility or access to that back-end service. ZTNA incrementally opens access to users while continuously evaluating risk.

2. Grant least privilege access

Ensure users are granted access only to the business applications and resources required to perform authorized tasks. Access should be granted on a “need-to-know” least-privileged basis defined by granular policies. Group policies connect authorized users to narrowly defined back-end services.

3. Implement micro-segmentation

Separate security perimeters into small zones governed by separate access rules to keep data secure by reducing the size of a system’s attack surface.

4. Implement VPNs & ZTNA side by side

Hackers consider third parties easy targets to breach. Third parties such as contractors, partners, and vendors can be security risks because they might not be aware of the organization’s security rules or may not pay close attention to them.

Third parties usually do not need full access to an organization’s network. They need access only to specific back-end applications to perform their jobs.

The solution for this is to use VPNs and ZTNA side by side. Internal users such as employees can use the existing VPN system. For these users there is no need to change the IT infrastructure and the user experience remains the same.

Third parties such as contractors would use the Safe-T Authentication Gateway which grants “need-to-know” least-privileged access.

5. Achieve IT regulatory compliance

Implement strict user access controls and policies that protect the organization’s internal networks and servers, both to secure the network and to meet IT compliance requirements.
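As an added illustration (not Safe-T’s code or a ZoneZero® configuration), the following Python sketch shows how practices 1 to 3 combine in a single default-deny policy check: nothing is visible without authentication, group policies map users to narrowly defined services, and each micro-segment carries its own access rules with risk re-evaluated on every request. All service, zone, group and risk values are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed sample data for illustration; not a real product configuration.
# Each back-end service sits in exactly one micro-segment ("zone").
SERVICE_ZONE = {"hr-portal": "hr", "payroll-db": "hr", "git": "eng", "ci": "eng"}

# Each zone has its own access rules: the HR zone is stricter than engineering.
ZONE_RULES = {"hr": {"max_risk": 20, "mfa": True}, "eng": {"max_risk": 50, "mfa": False}}

# Group policies connect users to narrowly defined services, never whole zones.
GROUP_POLICY = {
    "employees": {"hr-portal"},
    "hr-admins": {"hr-portal", "payroll-db"},
    "engineers": {"hr-portal", "git", "ci"},
    "contractors": {"git"},
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    authenticated: bool
    mfa: bool
    device_risk: int  # 0 = lowest risk, 100 = highest; re-evaluated per request
    service: str

def authorize(req: Request):
    """Return (allowed, reason). Default deny: being on the LAN grants nothing."""
    if not req.authenticated:
        return False, "unauthenticated"
    zone = SERVICE_ZONE.get(req.service)
    if zone is None:
        return False, "unknown service"
    allowed = set().union(*(GROUP_POLICY.get(g, set()) for g in req.groups))
    if req.service not in allowed:
        return False, "not in group policy"
    rules = ZONE_RULES[zone]
    if rules["mfa"] and not req.mfa:
        return False, f"zone {zone} requires MFA"
    if req.device_risk > rules["max_risk"]:
        return False, f"risk {req.device_risk} above zone {zone} limit"
    return True, f"granted: {req.service} in zone {zone}"

def visible_services(req: Request):
    """List only the services this user can actually reach (no broad visibility)."""
    return sorted(s for s in SERVICE_ZONE if authorize(replace(req, service=s))[0])
```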


When transitioning to ZTNA, there will be some inevitable growing pains, but in the end, it’s clear that the benefits far outweigh any initial bumps in the road. Safe-T’s ZoneZero® provides secure ZTNA access, enabling organizations to enforce Zero Trust Network Access without the constraints imposed by traditional methods.

[1] Gartner, “Best Practices for Implementing Zero Trust Network Access”, Lawrence Orans, John Watts, Neil MacDonald, 10 June 2021.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Safe-T® Group Ltd.
Safe-T Group Ltd. (Nasdaq, TASE: SFET) is a provider of Zero Trust Access solutions which mitigate attacks on enterprises’ business-critical services and sensitive data, while ensuring uninterrupted business continuity. Safe-T’s cloud and on-premises solutions ensure that an organization’s access use cases, whether into the organization or from the organization out to the internet, are secured according to the “validate first, access later” philosophy of Zero Trust. This means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network or in the cloud.

Safe-T’s wide range of access solutions reduce organizations’ attack surface and improve their ability to defend against modern cyberthreats. As an additional layer of security, our integrated business-grade global proxy solution cloud service enables smooth and efficient traffic flow, interruption-free service, unlimited concurrent connections, instant scaling and simple integration with our services.

With Safe-T’s patented reverse-access technology and proprietary routing technology, organizations of all sizes and types can secure their data, services and networks against internal and external threats.