
ZTNA Deployment: Endpoint-Initiated vs Service-Initiated Architectures

As businesses embrace hybrid and remote working, protecting sensitive data and applications has become a priority. Traditional VPNs are showing their age: once a user connects, they typically land on the network itself, with reach far beyond the applications they actually need. Companies are therefore moving to Zero Trust Network Access (ZTNA). ZTNA can be deployed in more than one way; the two most common architectures are endpoint-initiated and service-initiated.

What is ZTNA?

The principle behind ZTNA is “never trust, always verify.” Instead of granting access to the whole network, ZTNA gives users access only to the specific applications they need and nothing more. Access decisions are driven by identity, device health, and contextual factors such as time or location, and they are made per application rather than once for the whole network. The result is remote access that is scoped and verified, not merely tunnelled.

Endpoint-Initiated ZTNA Architecture

In this model, the user’s device (laptop, phone, tablet) initiates the connection: software on the endpoint contacts the ZTNA controller before any access to the application is brokered.

How it works:

  • A lightweight ZTNA client (agent) is installed on the user’s device.
  • The client authenticates the user and the device against a central controller, reporting device posture alongside the user’s identity.
  • Once the controller authorizes the request, the client establishes an encrypted connection to that specific application (directly, or through a gateway placed in front of it), rather than to the network as a whole.

Advantages:

  • Direct Connectivity: Traffic goes from the client to the application without being hairpinned through multiple intermediate hops.
  • Device Checks: Policy can verify the device’s health (OS version, endpoint protection status, disk encryption) before granting access.
  • Identity: Access is bound to both the user and the device they are using, so stolen credentials alone are not enough to get in.

Challenges:

  • An agent must be present on every endpoint, which is hard to achieve in environments with unmanaged or third-party devices.
  • Distributing, updating and supporting the client software across the device fleet takes ongoing effort.
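To make the endpoint-initiated flow concrete, here is an added example (not code from the original article or from any vendor) that models the controller’s decision: the agent submits a posture report together with the user’s identity, the controller checks the device is enrolled to that user and meets a per-application policy, and on success issues a short-lived grant naming a single application rather than a network. The application names, users, devices and policy fields are constructed for illustration, and the controller fails closed whenever a posture report is missing.

```python
"""Model of an endpoint-initiated ZTNA decision: the device agent submits a
posture report with the user's identity to a central controller, which
evaluates a per-application policy and, on success, issues a grant scoped to
that one application rather than to the network. Illustrative only."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PostureReport:
    """What the agent collects on the device (assumed fields, for illustration)."""
    device_id: str
    os_version: tuple          # e.g. (14, 2) for macOS 14.2
    disk_encrypted: bool
    av_running: bool


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: frozenset
    min_os_version: tuple
    require_encryption: bool = True
    require_av: bool = True
    hours_utc: tuple = (0, 24)  # permitted [start, end) hour window


class Controller:
    """Central policy decision point. Fails closed on anything it cannot verify."""

    def __init__(self, enrolled_devices, user_groups, policies):
        self.enrolled_devices = enrolled_devices  # device_id -> enrolled user
        self.user_groups = user_groups            # user -> set of groups
        self.policies = {p.app: p for p in policies}

    def authorize(self, user, report, app, now):
        """Return (allowed, reasons) for one user+device against one app."""
        policy = self.policies.get(app)
        if policy is None:
            return False, ["unknown application"]
        if report is None:
            return False, ["no posture report (agent missing or not running)"]
        reasons = []
        if self.enrolled_devices.get(report.device_id) != user:
            reasons.append("device not enrolled to this user")
        if not (self.user_groups.get(user, set()) & policy.allowed_groups):
            reasons.append("user not in an allowed group")
        if report.os_version < policy.min_os_version:
            reasons.append("OS below minimum version")
        if policy.require_encryption and not report.disk_encrypted:
            reasons.append("disk not encrypted")
        if policy.require_av and not report.av_running:
            reasons.append("endpoint protection not running")
        start, end = policy.hours_utc
        if not start <= now.hour < end:
            reasons.append("outside permitted hours")
        return not reasons, reasons

    def grant(self, user, report, app, now, ttl=timedelta(minutes=5)):
        """Issue a short-lived grant naming a single app, or None when denied."""
        allowed, _ = self.authorize(user, report, app, now)
        if not allowed:
            return None
        return {"user": user, "device": report.device_id, "app": app,
                "expires": (now + ttl).isoformat()}


def demo():
    """Constructed sample data; returns the decision for several requests."""
    ctl = Controller(
        enrolled_devices={"LAPTOP-42": "alice", "PHONE-7": "bob"},
        user_groups={"alice": {"finance"}, "bob": {"engineering"}},
        policies=[AppPolicy("payroll", frozenset({"finance"}), (14, 0), hours_utc=(7, 20)),
                  AppPolicy("wiki", frozenset({"finance", "engineering"}), (12, 0),
                            require_av=False)],
    )
    now = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)
    healthy = PostureReport("LAPTOP-42", (14, 2), True, True)
    unencrypted = PostureReport("LAPTOP-42", (14, 2), False, True)
    return {
        # compliant device, finance user, inside hours -> allowed
        "alice_payroll": ctl.authorize("alice", healthy, "payroll", now),
        # same user and device, disk encryption turned off -> denied
        "alice_payroll_unencrypted": ctl.authorize("alice", unencrypted, "payroll", now),
        # bob presents alice's device and is not in finance -> two reasons
        "bob_payroll_on_alices_laptop": ctl.authorize("bob", healthy, "payroll", now),
        # no agent report at all -> fail closed
        "alice_wiki_no_agent": ctl.authorize("alice", None, "wiki", now),
        # the grant names one application, not a network
        "alice_payroll_grant": ctl.grant("alice", healthy, "payroll", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The point to take from the model is the shape of the decision, not the specific fields: identity and device are checked together, a missing or absent agent denies rather than degrades, and what the client receives is a grant for one application with an expiry, which is what makes the “only the applications they need” promise enforceable.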

Service-Initiated ZTNA Architecture

In this model, the connection is initiated from the application side rather than from the user’s endpoint: a connector next to the application dials out to the ZTNA service, so the application never needs to accept inbound connections from the internet.

How it works:

  • A ZTNA connector is placed next to the application (in a data center, a cloud environment, or alongside a SaaS integration).
  • The connector establishes an outbound, authenticated connection to the ZTNA cloud service (the broker) and keeps it open; no inbound firewall rules are needed on the application side.
  • When a user requests access, the broker authenticates the user and, if policy allows, relays the session to the application over the connector’s existing outbound connection. The user typically reaches the broker with an ordinary browser, so no software is needed on the device.

Advantages:

  • Agentless Access: Ideal for BYOD setups, where the endpoints aren’t managed.
  • Simplicity: No client deployment, meaning faster rollouts.

Challenges:

  • Device posture checks are limited: without an agent, the service can only infer device state from what the browser and network expose, so it cannot verify disk encryption, OS version or endpoint protection the way an agent can.
  • Access is usually through the browser, which covers web applications but not necessarily thick clients or non-HTTP protocols.
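The following added example (not code from the original article or from any vendor) models the service-initiated flow end to end: connectors next to each application dial out to a broker and register, users arrive at the broker from a browser, and the broker relays authorized requests down the connector’s existing outbound channel. It also shows the posture limitation from the list above, since a browser session carries no device posture and is refused for an application that demands one. Application names, users, backend addresses and the session format are all constructed for illustration.

```python
"""Model of a service-initiated ZTNA broker: connectors near each application
dial OUT to the broker and hold that channel open; users reach the broker in a
browser, and the broker relays authorized requests down the connector's
existing channel. The application never listens for inbound connections from
the internet, and with no agent the broker sees identity and request context
only, not device health. Illustrative only."""
from dataclasses import dataclass, field


@dataclass
class Connector:
    """Runs next to the app. Only ever opens outbound connections."""
    app: str
    backend_url: str
    relayed: list = field(default_factory=list)

    def dial_out(self, broker):
        broker.register(self)  # outbound registration; no listening port on the app side

    def forward(self, user, path):
        # A real connector would make the HTTP request to backend_url on the
        # private network; here we record the relay and return the app's answer.
        self.relayed.append((user, path))
        return f"200 OK from {self.backend_url}{path} for {user}"


@dataclass(frozen=True)
class AppEntry:
    allowed_groups: frozenset
    needs_device_posture: bool = False  # sensitive apps demand an agent-backed session


class Broker:
    """The ZTNA cloud service: authenticates users, evaluates policy, relays."""

    def __init__(self, apps, user_groups):
        self.apps = apps                # app name -> AppEntry
        self.user_groups = user_groups  # user -> set of groups
        self.connectors = {}            # app name -> live outbound channel

    def register(self, connector):
        self.connectors[connector.app] = connector

    def handle(self, session, app, path):
        """session: {'user': str, 'device_posture': dict or None}.
        Agentless browser sessions carry no posture, so they cannot reach
        posture-gated apps. Returns the response the user would see."""
        entry = self.apps.get(app)
        if entry is None:
            return "404 unknown application"
        user = session.get("user")
        if user is None:
            return "401 authenticate first"
        if not (self.user_groups.get(user, set()) & entry.allowed_groups):
            return "403 user not authorized for this application"
        if entry.needs_device_posture and session.get("device_posture") is None:
            return "403 application requires a device posture check; use the agent"
        connector = self.connectors.get(app)
        if connector is None:
            # No outbound channel from the app side means there is nothing to relay to.
            return "503 no connector online for this application"
        return connector.forward(user, path)


def demo():
    """Constructed sample deployment; returns the broker's answer per request."""
    broker = Broker(
        apps={"intranet": AppEntry(frozenset({"staff", "contractors"})),
              "hr": AppEntry(frozenset({"staff"}), needs_device_posture=True),
              "legacy-erp": AppEntry(frozenset({"staff"}))},
        user_groups={"carol": {"staff"}, "dan": {"contractors"}},
    )
    # Connectors dial out to the broker; legacy-erp has none running yet.
    Connector("intranet", "http://10.0.1.10").dial_out(broker)
    Connector("hr", "http://10.0.2.20").dial_out(broker)

    browser_dan = {"user": "dan", "device_posture": None}      # BYOD contractor, no agent
    browser_carol = {"user": "carol", "device_posture": None}  # staff member on a browser
    agent_carol = {"user": "carol", "device_posture": {"disk_encrypted": True}}
    return {
        "dan_intranet": broker.handle(browser_dan, "intranet", "/home"),
        "dan_hr": broker.handle(browser_dan, "hr", "/payslips"),
        "carol_hr_browser": broker.handle(browser_carol, "hr", "/payslips"),
        "carol_hr_agent": broker.handle(agent_carol, "hr", "/payslips"),
        "carol_erp": broker.handle(browser_carol, "legacy-erp", "/"),
        "anon_intranet": broker.handle({}, "intranet", "/home"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Two things stand out in the model. First, the broker only ever writes to channels the connectors opened, so an application with no connector online is simply unreachable rather than exposed; there is no inbound path to attack. Second, the hr case shows the trade-off the article describes: the same user is refused from a browser and admitted from an agent-backed session, which is exactly the situation a hybrid deployment is meant to handle.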

Choosing the Right Architecture

Both models are valid; which one is right depends on your priorities. Some rules of thumb:

  • For high-security environments (finance, government), endpoint-initiated ZTNA is usually preferred, because it can enforce device compliance as well as user identity before access is granted.
  • For flexible or mixed environments (companies working with freelancers, BYOD-friendly companies), service-initiated ZTNA offers easier onboarding and broader reach.

Many companies adopt a hybrid approach, choosing the model per user population and per application: agent-based access for managed devices and sensitive systems, agentless access for partners and lower-risk web applications. Choosing a provider, such as TATA Communications, that supports both models makes this easier to put in place.

The question is not which architecture is better in the abstract, since both are sound, but which fits your users, devices and applications. What is constant is the direction of travel: organisations are moving from network-level remote access to ZTNA, and staying with the old model carries growing risk. A business that picks the right architecture, or combines both, can secure access, reduce risk and keep users productive.
