Demystifying Zero

Trust Network Access

(ZTNA)
A Strategy for Evolving
Secure Access
Today, being hit with a data breach
is almost inevitable. No organization
is immune: Facebook, Marriott, and
even government agencies have been
victimized. Now, experts are predicting
more serious repercussions than
data theft including data and system
manipulation, and full exposure of
company secrets and intellectual
property. At the same time difficulties
in enforcing data protection have never
Protecting Data and Access in Annual number of data breaches and exposed records in the
a Digital World United States from 2005 to 2018 (in millions)
• Trust is no longer determined
1750
by location or IP address
1500
• Secure access must evolve to
the cloud where users and 1250
applications are moving
1000
• There isn’t a distinction
between “inside” the network 750

been more challenging—and more or “outside” the corporate

urgent. network any more 500

Ensuring security compliance 250

Most attacks result from compromised
credentials, vulnerable endpoints, • Dynamic endpoint visibility and 0
unmanaged IoT devices, or unprotected policy enforcement regardless
access to applications and resources. of user, app, and device 2012 2013 2014 2015 2016 2017 2018

Attackers gain an entry point to a network location

Data breaches Millons of records exposed
and begin to discover resources and
expand control. But organizations are Data Breaches by the Numbers Secure Access by the Numbers2
also vulnerable to unintentional mistakes:
in a recent study, human errors were the $3.86 the average global cost of a of organizations want to
data breach in 2018 according 48% improve endpoint security,
second largest cause of data breaches.1 million to Ponemon Institute remediation prior to access

records are stolen or exposed of organizations fear

291 every single second unauthorized app/resource
1
2017 Cost of a Data Breach Study by Ponemon 45% access including lax
the annual cost of cybercrime authentication or encryption
$600 to the global economy
according to the Center for want to fortify network and
billion Strategic and International 44% cloud access visibility and
Studies resource segmentation

1 2019 State of Enterprise Secure Access, IDG

2
2
Locking down valuable resources and applications is now
imperative. But how can you attain vital, new levels of security
without completely disrupting your digital business initiatives,
confusing your employees, breaking infrastructure and requiring a
massive resetting of your existing defenses?
The Solution is to implement Zero Trust
What is Zero Trust Network Access (ZTNA)?
ZTNA is also known as Software-defined Perimeter (SDP). It uses a centralized
policy controller that allows or denies a connection to specific applications.
These applications are hidden from discovery, significantly reducing the
attack surface. Before granting access, the controller leverages extensive
authentication and authorization to ensure the validity of the connection, such
as device type, date and time, and location. Only when all conditions are met is
the connection granted; otherwise, a default “deny” posture is assumed.

Zero Trust is a network security model that trusts no one, regardless of their
location. Increasingly, trust can no longer be established based on whether a
user is “inside” or “outside” the network. Every user is vetted before – and during What’s the difference between Zero Trust as a security model and Zero Trust
– a connection, and every connection is governed by a policy that controls what Network Access as a security architecture?
resources can be accessed.
Zero Trust Model Zero Trust Network Access Architecture
Leveraging Zero Trust means that enterprises enhance their security posture by:
No “inside” or “outside” distinction Centralized authentication of user, devices,
applications, and stateful device security
compliance checks

Authenticate everything before and during Centralized policy enforcement and

access separated control and data planes

Policy-based access through identity, role, Granular segmentation based on per-

device configuration as well as device application, per-user, and per-device
security state, application, behavior, and connectivity
Validating Controlling Protecting other parameters
users, and their devices’ access through granular and encrypting data
Trust established closest to resource Significantly reduced threat surface by
security posture policy enforcement transactions mitigating numerous APTs, malware, DDoS
attacks and rendering resources “dark”

3 4
Is it possible to augment your secure access architecture to achieve a Zero
Trust model without the extreme of throwing out your existing investments?
Zero Trust Network Access extends these
tenets by centralizing policy enforcement
Pulse Secure
so that every user – and their device – is Zero Trust
Zero Trust delivers several important capabilities: governed by a granular policy for every
Capabilities
resource they access. It authenticates
Zero Trust Network Access (ZTNA)—also known as Software Defined Perimeter every user before the connection is made,
ensuring that unauthorized users or Pulse Secure delivers a
(SDP)—can be gradually deployed, even in complex organizations.
devices are unable to access any resource comprehensive approach
whatsoever. to Zero Trust:
A hybrid model that encompasses both Zero Trust and ZTNA is possible.
• User identity,
ZTNA’s architecture lends itself to improved performance and scalability. Moreover, it also re-verifies a device’s including multifactor
security posture during a connection to authentication
Pulse Secure’s dual-mode capability offers investment protection, enabling you determine if the security state is no longer
• User role and
to use VPN and ZTNA architectures simultaneously. acceptable. In such cases, devices can be
permissions
quarantined or remediated, depending on a
policy set by the administrator. • Type and location of
the device used for
Finally, ZTNA renders resources “dark”. In access
other words, no DNS, internal IP address, • Stateful device
or visible port information is communicated compliance checks
until proper authorization takes place. before, and during, a
So, unauthorized users can’t traverse the connection
network, “looking” for resources to infiltrate. • Type of network used
This reduces the attack surface significantly (e.g. public hotspot)
by mitigating or eliminating numerous
threats like APTs and malware. • Per-application/per-
resource rules and
permissions
• Granular policy
enforcement

5 6
 Unique Advantages of Pulse Secure Zero Trust Solutions
With Pulse Secure, you get Zero Trust today and can implement ZTNA architecture
when and where you need it.
1 Pulse Secure is a pioneer of VPN technology. Our proven expertise has been in Enhanced user experience:
establishing secure, protected connections—coupled with the most advanced Pulse’s unified client offers easy and seamless
access options for multiple applications
modes of user and device authentication, authorization and verification. simultaneously.
2 Despite the new prominence of the term, Zero Trust has always been built into Simultaneous dual-mode connectivity:
our Secure Access platform. Deploy industry-leading SSL VPN and ZTNA on
the same virtual or physical appliance depending
3 Pulse Secure’s Zero Trust addresses immediate access issues and data on how you want to treat individual applications
or resources. For example, certain legacy or non-
protection concerns. At the same time, it enables organizations to implement sensitive applications may not warrant ZTNA and
ZTNA for specific use cases as necessary. the additional requirements for access control.
4 With Pulse Secure, enabling Zero Trust does not require changes to existing Deployable across the entire infrastructure:
Pulse SDP can be used on all networks and data
security or networking infrastructure, and it will only fortify access to centers—on-premise, private cloud and public
designated resources while preserving user experience. cloud.
Integration with existing SSO and
identity solutions:
Pulse Secure Zero Trust preserves integrations
with identity solutions from providers such as Okta,
Comprehensive Endpoint Compliance:
Offering the most comprehensive device
compliance for mobile, IoT and laptop/desktop
devices, Pulse Secure employs an array of agent
and agent-less client assessment techniques to
ensure that only compliant devices connect to
your network.
Powerful, granular role-based
access control:
A high-performance policy engine, wizard policy
editing, and SSO capabilities enable unified
access closest to applications residing in multi-
cloud or data centers.
Flexible Deployment:
Pulse Secure offers the industry’s most flexible,
scalable deployment options to choose from:
data center hardware or virtual appliances
and private cloud, public cloud or SaaS. Pulse
Secure has been deployed among the largest
enterprises and service providers in the world

“
Ping Identity and Microsoft ADFS. In addition, Pulse
due to proven performance and scale.
SDP augments these identity-based integrations by
Zero trust network access replaces traditional technologies, which supplementing multi-factor authentication (MFA)
with in-depth device- and host-based security
require companies to extend excessive trust to employees and compliance checks.
partners to connect and collaborate. Security and risk management
leaders should plan pilot ZTNA projects for employee/partner-facing
applications.
SIMULTANEOUS
DUAL MODE
Pulse SDP DEPLOYS ACROSS
ON-PREM
Market Guide for Zero Trust Network Access, April 29, 2019, Gartner CONNECTIVITY

“ ENHANCED
PRIVATE CLOUD AND
ACCESS UX
PUBLIC CLOUD

USE EXISTING SSO AND

7 IDENTITY SOLUTIONS
8
Getting Started Extending Zero Trust
With the influx of BYOD and IoT, the increase in workforce mobility, and the rise in With a simple software upgrade, Pulse SDP extends Zero Trust by rendering
malware, Zero Trust is more critical than ever. But it’s easier than you might think resources and applications “dark” (minimizing malware penetration and
to implement. lateral spread), and centralizing policy controls that make it possible to isolate
applications, allowing only specific users and specific devices access. The whole
Zero Trust is first enabled by our unified client. Leveraged across our portfolio,
solution is optimized for a streamlined user experience, enhanced security
it enables consistent, streamlined user experience and consistent policy control
compliance, and a reduced total cost of ownership.
across multiple platforms (Windows, macOS, iOS, Android). Client can be agent
or agentless. Pulse Secure is the only vendor to offer dual-mode support, making it possible
to have traditional VPN and SDP operating simultaneously. Moreover, our
Our Host Checker feature uses the client to query endpoint devices for an
deployment flexibility with physical, virtual, and cloud appliances offers true Hybrid
acceptable security posture before the device is allowed to connect – and it
IT protection, securing sensitive data across data center and cloud.
continues to check even during the secure connection. This prevents malware
(like WannaCry or NotPetya) and other endpoint exposures from penetrating your
network.
Learn how Pulse Secure can boost worker productivity, strengthen your network
Next, our traditional Secure Access solution has integrated multi-factor security profile, and enhance security compliance at www.pulsesecure.net.
authentication and authorization (MFA) and single sign-on (SSO) features designed
to ensure every user is vetted and secured.
Once users are connected, centralized policy management and enforcement
governs specific resources and applications your mobile workforce can access,
and prevents unauthorized users from accessing sensitive data.
Finally, Pulse Secure’s advanced SSL encryption technologies protect all data
transactions. With features like Always On, On Demand, and Per-application VPN,
data-in-motion is kept secure and compliant.

9 10
ABOUT PULSE SECURE
Pulse Secure provides easy, comprehensive software-driven Secure
Access solutions for people, devices, things and services that improve
visibility, protection and productivity for our customers. Our suites
uniquely integrate cloud, mobile, application and network access to
enable hybrid IT in a Zero Trust world. Over 20,000 enterprises and
service providers across every vertical entrust Pulse Secure to empower
their mobile workforce to securely access applications and information in
the data center and cloud while ensuring business compliance.
Learn more at www.pulsesecure.net.

Copyright 2019 Pulse Secure, LLC. All rights reserved. Pulse Secure, Pulse Secure logo, and Pulse SDP are registered trademarks of Pulse Secure, LLC. All
trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Pulse Secure assumes no responsibility for any
inaccuracies in this document. Pulse Secure reserves the right to change, modify, transfer, or otherwise revise this publication without notice.