We’re all familiar with VPNs - no introduction necessary. Some of us are familiar with ZTNA - a quick introduction for those who are not:
ZTNA (Zero Trust Network Access) is a secure remote access solution that implements zero trust security principles. It operates on the assumption that neither the user nor the device is trusted by default. ZTNA ensures that remote workers are granted access to specific resources based on various criteria, including user groups, device types, IP addresses, and locations.
In simple terms, ZTNA allows organizations to grant selective and secure access to their applications and resources without exposing their entire network. A growing number of organizations are aiming to replace traditional VPNs in favor of a Zero Trust-based approach.
Where does the browser come in?
First, let's understand what a zero trust browser is. A zero trust browser is an endpoint control based on the Chromium framework. It can replace the standard browser within an organization, or it can function as a browser plug-in compatible with any browser, implementing zero trust controls at the browser level. The user and the device undergo authentication and the organization gains complete visibility into the browser and control over their data. The browser itself is isolated from network and device based-threats like malware, ransomware and phishing attacks.
A zero trust browser integrates ZTNA to effectively replace VPNs for accessing SaaS applications, internal web applications, and non-web protocols. The organization has control over access and data protection policies, applying rules based on user groups, device posture, geographic locations, or application specific. Additional zero trust browser controls include session recording, data loss prevention (DLP), watermarking, Personally Identifiable Information (PII) masking and anonymization, web filtering, browser isolation, transactional Multi-Factor Authentication (MFA), Single Sign-On (SSO), advanced phishing protection, and download and upload controls.
Cool, so how does an Enterprise Browser can replace VPN?
For corporate access to Software as a Service (SaaS) applications, access is made conditional on the zero trust browser. This configuration can be achieved through IP validation, identity provider (IDP) integration, Robotic Process Automation (RPA), or other methods, depending on the organization's architecture. User and device validation are mandatory, and access rights and data controls adhere to the controls seen above.
For private web applications:
By deploying a forward proxy, the zero trust browser directs traffic to specific URLs via the proxy. This approach supports internal DNS resolution and eliminates the necessity for public domains and IPs.
By deploying a reverse proxy, the zero trust browser channels traffic to specific internal applications.
SSH and RDP Access:
The zero trust browser establishes a secure tunnel from the endpoint to on-premises applications and servers. Secure Shell (SSH) and Remote Desktop Protocol (RDP) sessions are initiated within the browser window via ZTNA. These sessions benefit from full session monitoring and DLP controls.