top of page

ZTNA, VPN, and Modern Approaches To Securing Data Flows

TLDR: Secret Chest is API-first with webhook support, so if a device exhibits abnormal behavior in a ZTNA solution or other security aparatus, it's easy to take a number of potentially increasingly escalatory actions to revoke access to credentials.

Once upon a time, computers were all in an office. They were easily controlled. Data was exfiltrated on floppy disks or through dial-up capabilities. Then, with the advent of portable computers and the internet, systems administrators and security professionals had to adapt to new ways for users to intentionally or unintentionally let data escape the hardened walls we built in the environment.

One of the earliest protections built was to employ a VPN. VPNs create a secure tunnel between a remote user's device and the corporate network. This tunnel encrypts all traffic, making it difficult for attackers to intercept and steal sensitive data. VPNs are still a good option for organizations that need to provide remote access to a large number of users. However, VPNs can be complex to set up and manage, and given that encapsulating data takes resources, they can add latency to network traffic.

Another protection was a proxy server. A proxy server is a server that acts as an intermediary between a client and a server. When a client requests a resource from a server, the proxy server forwards the request and then relays the response back to the client. This can be used for a variety of purposes on servers, such as caching, filtering, and load balancing. In corporate networks it can be used to inspect traffic as users access the internet, protecting users from certain types of attacks, catching data before it escapes the environment, and probably the most visible use to most users, limiting access to certain types of websites.

More and more workloads then moved to the internet as Software as a Service (SaaS) tools became more widespread and as mobile users became the norm. Some used proxies on the edge of their network to protect devices when they weren't in the office, but once there were few servers or internal resources at a company, many wanted to merge the concept of a VPN and a proxy to streamline IT operations.

Zero trust network access (ZTNA) is a security approach that assumes that no user or device can be trusted by default. Instead, access to applications and data is granted only after the user or device has been authenticated and authorized. ZTNA is a key component of zero trust security, which is a security framework that is designed to protect organizations from cyberattacks. The main difference between a proxy and ZTNA is that ZTNA is a security framework that is designed to protect against advanced threats. ZTNA provides a number of features that proxies do not, such as user and device authentication, policy enforcement, and threat detection.

ZTNA works by creating a trust boundary around each application or data resource. This trust boundary is enforced by a ZTNA appliance, which is a device that sits between the user or device and the application or data resource. The ZTNA appliance authenticates the user or device and authorizes access to the application or data resource based on the user's or device's identity, role, and context.

ZTNA offers several advantages over traditional security solutions, such as firewalls and VPNs. First, ZTNA is more granular than traditional security solutions. ZTNA can be used to grant access to specific applications and data resources, while traditional security solutions typically grant access to entire networks. Second, ZTNA is more secure than traditional security solutions. ZTNA uses a variety of security features, such as multi-factor authentication and user behavior analytics, to protect against cyberattacks. Third, ZTNA is more scalable than traditional security solutions. ZTNA can be easily scaled to accommodate the needs of growing organizations.

As organizations continue to adopt cloud-based applications and data resources, ZTNA will become increasingly important. ZTNA can help organizations to protect their applications and data resources from cyberattacks, even when those resources are located in the cloud.

Here are some of the benefits of ZTNA:

  • Increased security: ZTNA provides a more secure approach to remote access than traditional VPNs. By only granting access to specific applications and data resources, ZTNA can help to prevent unauthorized access and data breaches.

  • Improved user experience: ZTNA provides a more seamless user experience than traditional VPNs. Users do not need to be on the company network to access applications and data resources. This can be especially beneficial for mobile workers and employees who work from home.

  • Reduced costs: ZTNA can help to reduce the costs of managing remote access. By only granting access to specific applications and data resources, ZTNA can help to reduce the number of VPN licenses that are required.

Most ZTNA solutions are based on an open source tool called WireGuard, which was initially created in 2015. WireGuard is a lightweight, and easy-to-use cryptographic VPN that is quickly gaining popularity due to the number of tools that are based on it. To build a ZTNA solution with WireGuard, you will need the following:

  • A WireGuard server

  • WireGuard clients for each user or device that will need access to the network

  • A way to authenticate and authorize users and devices

The WireGuard server is responsible for creating and managing the secure tunnels between the clients and the network. The clients are the devices that will be used to connect to the network. The authentication and authorization system is responsible for verifying the identity of users and devices before granting them access to the network.

Once you have all of the necessary components, you can begin configuring your ZTNA solution. The following are some of the things you will need to do:

  • Configure the WireGuard server to listen for connections from clients.

  • Generate keys for each client.

  • Configure the clients to connect to the WireGuard server.

  • Configure the authentication and authorization system to verify the identity of users and devices.

Once your ZTNA solution is configured, you can begin using it to securely access applications and data resources on your network. Here are some of the benefits of using WireGuard to build a ZTNA solution:

  • Security: WireGuard is a very secure VPN protocol. It uses state-of-the-art encryption and authentication methods to protect your data from unauthorized access.

  • Ease of use: WireGuard is very easy to use. It is a lightweight protocol that does not require a lot of configuration.

  • Scalability: WireGuard is very scalable. It can be used to support a large number of users and devices.

  • Cost-effectiveness: WireGuard is a very cost-effective solution. It is free and open source software.

However, managing WireGuard can be a burden for organizations without a team with deep understanding of how to do so. Therefore, many opt to use one of the existing SaaS ZTNA solutions. Given the telemetry WireGuard gives into network traffic, and the APIs available in the software solutions that make it more accessible, organizations can then leverage a ZTNA to string more complex workflows together. For example, Secret Chest users can restrict access to specific credentials or even all credentials in the event that a device or user is no longer considered trusted. To learn more about doing so, sign up for our private beta!

5 views0 comments

Recent Posts

See All


bottom of page