Secure resources

In this topic, you will learn how Portnox ZTNA uses certificates – the same ones used for network access – to provide secure and controlled access to third-party applications and services (referred to as resources). This includes SSO-enabled web applications as well as on-premises resources like local web applications, allowing both local and remote users to safely connect to cloud resources and securely access on-premises and private cloud environments.

Security risks in accessing cloud and on-premises resources

In this section, you will learn about the security shortcomings and challenges of common methods for accessing applications and resources: how SSO still relies on passwords and MFA with their inherent weaknesses, and how private resources are often accessed through VPNs that grant broad network access rather than limiting access to specific resources, while also being costly and complex to manage.

Organizations typically access their resources in two main ways: cloud-based web applications via traditional SSO platforms like Entra ID, Google Workspace, or Okta Workforce Identity, and on-premises or private cloud resources usually accessed through VPNs. Both approaches have significant security and usability limitations.

In the case of SSO-enabled web applications:

  • They are typically accessed using traditional SSO combined with MFA. These methods share the same vulnerabilities as passwords and MFA (see: Passwordless authentication).

  • If the SSO access is compromised, an attacker can gain access to all connected applications. Although major providers like Microsoft, Google, and Okta invest heavily in security, the fundamental weaknesses of passwords and MFA remain.

  • SSO verifies the user’s identity but does not check the security or condition of the device being used. This means access could come from an insecure or compromised machine, such as one infected with a rootkit that can capture credentials and MFA tokens.

In the case of private resources hosted on-premises or in private clouds:

  • The most common method for accessing on-premises and private cloud resources is through VPNs, which tend to be expensive and complex to configure and maintain.

  • VPNs create a network tunnel between the user’s device and the entire internal network, granting broad access to all applications and services without granular control. This means a potential attacker could explore and exploit multiple resources once inside.

  • Similar to SSO access, VPNs grant network access without verifying the security status of the user’s device, potentially allowing compromised devices with malware to gain unrestricted entry into the local network.

Even if your network is secured with 802.1X and certificates, users often access resources from outside these protected environments, which significantly increases the risk of compromise through the weaknesses described above.

Secure access to SSO-enabled web applications

In this section, you will learn how certificate-based authentication addresses the limitations of traditional SSO by adding an extra layer of security.

Rather than depending only on user login, passwords, and MFA at the identity provider, Portnox ZTNA uses certificate-based authentication to verify a certificate issued to the user on the specific device. This ensures that both the user and the device are trusted before access to web applications is granted.

This approach:

  • Prevents attackers from accessing applications even if they have compromised user credentials and MFA. Although passwords and MFA are still used to log into the identity provider, they alone are insufficient to gain access to the application unless the attacker is using the device that holds a valid certificate for the user.

  • Enhances security without adding complexity for the end user. Certificate verification happens automatically within the browser, requiring no additional action from the user.

  • Uses industry standards: SAML and OpenID Connect (OIDC), which are supported by virtually all enterprise web applications that use SSO. Additionally, Entra ID’s Enterprise Application Management (EAM) is supported, allowing seamless access without requiring individual application configurations, as the process is managed directly by Entra ID’s identity provider.

Following the initial setup, which typically involves copying and pasting addresses, identifiers, and certificates between the application’s configuration screen and Portnox Cloud, user access is then managed based on groups, policies, and risk assessment. For users, the only visible change during daily use is an additional screen at login confirming certificate verification.

Secure access to private resources

In this section, you will learn how certificate-based authentication overcomes the limitations of VPNs by offering a significantly more secure way to access private applications on-premises or in private clouds.

Many large organizations are actively seeking alternatives to traditional VPNs to securely provide remote access to private resources. Portnox ZTNA offers a breakthrough approach by combining certificate-based authentication with granular resource access and continuous risk assessment, delivering a level of security that meets the highest standards for private access.

  • Granular access control: Unlike traditional VPNs, which typically grant users broad access to the entire network, ZTNA enforces strict, fine-grained policies that limit access to only the specific applications or resources the user is authorized for. This reduces the potential attack surface and prevents lateral movement within the network.

  • Certificate-based authentication: ZTNA leverages strong, passwordless authentication using digital certificates installed on trusted devices. This verifies not only the user’s identity but also the security posture of the device itself, providing a much higher level of trust compared to username/password or even MFA alone.

  • Simplified management: Centralized policy management in ZTNA solutions reduces administrative overhead. Unlike VPNs, which require complex configuration of gateways, tunnels, and network routing, ZTNA offers easier deployment and updates.

  • Improved user experience: By automating certificate verification and eliminating the need for VPN clients, ZTNA provides seamless and transparent secure access. Users avoid complex login steps and network configurations, improving productivity and reducing support requests.

  • Flexible deployment: ZTNA supports secure access to both private cloud-based and on-premises resources without requiring extensive network redesign or complex VPN infrastructure, making it adaptable to diverse IT environments and hybrid cloud strategies.

  • Continuous risk assessment (see: Risk assessment): Beyond initial authentication, ZTNA continuously monitors device health, security posture, and user behavior. Access can be automatically revoked or restricted if suspicious or risky activity is detected, helping to prevent compromised devices from gaining or maintaining access. VPNs lack this dynamic security layer.
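To make the access model described in the two sections above concrete, the following is an added illustrative policy decision function, written for this page and not Portnox code: an identity-provider login alone is not enough, the device must present a certificate bound to the same user, the device risk score must be acceptable, and access is granted per resource rather than to a whole network. All class names, fields, resource names and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of what a ZTNA policy decision point evaluates.
# Names and fields are assumptions for illustration, not Portnox's API.

@dataclass(frozen=True)
class IdpAssertion:          # outcome of the SAML/OIDC login: identity only
    user: str
    groups: frozenset

@dataclass(frozen=True)
class DeviceCert:            # client certificate the browser/device presents
    subject_user: str        # user the certificate was issued to
    device_id: str
    not_after: datetime
    revoked: bool = False

RESOURCE_POLICY = {          # per-resource policy: resource -> groups allowed
    "crm.example.internal": {"sales"},
    "git.example.internal": {"engineering"},
}
MAX_RISK = 50                # device risk score above this blocks access

# Constructed sample inputs.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
ALICE = IdpAssertion("alice", frozenset({"sales"}))
ALICE_CERT = DeviceCert("alice", "laptop-1", NOW + timedelta(days=30))
BOB_CERT = DeviceCert("bob", "laptop-2", NOW + timedelta(days=30))

def decide(resource, assertion, cert, risk_score, now=NOW):
    """Return (allowed, reason). Every check must pass; default is deny."""
    if assertion is None:
        return False, "no identity provider login"
    if cert is None:                      # stolen password + MFA stops here
        return False, "no device certificate"
    if cert.revoked or cert.not_after <= now:
        return False, "certificate revoked or expired"
    if cert.subject_user != assertion.user:
        return False, "certificate not issued to this user"
    if risk_score > MAX_RISK:             # continuous assessment can flip this later
        return False, "device risk too high"
    allowed = RESOURCE_POLICY.get(resource, set())
    if not allowed & assertion.groups:    # no broad network access, no lateral movement
        return False, "user not authorized for this resource"
    return True, "ok"
```

Re-running decide() with an updated risk_score is the point where continuous risk assessment revokes access that was previously granted.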

Meeting regulatory standards with certificate-based resource access

In this section, you will learn how certificate-based authentication with Portnox ZTNA helps organizations comply with key regulatory and security standards.

Regulations such as PCI-DSS, HIPAA, GDPR, and ISO/IEC 27001 require strict control and monitoring of access not only to networks but also to critical resources and sensitive data. Portnox ZTNA uses certificate-based authentication combined with granular access policies to ensure that only trusted users and devices can reach specific resources, fulfilling these requirements. Comprehensive logging and continuous risk assessment provide the audit trails and ongoing security necessary for compliance and risk management.

  • PCI-DSS (Payment Card Industry Data Security Standard): Supports Requirement 8 (Identify and authenticate access to system components) by enforcing strong, certificate-based user and device authentication before resource access. Meets Requirement 10 (Track and monitor all access to network resources) through detailed logging of resource access and user activity.

  • HIPAA (Health Insurance Portability and Accountability Act): Addresses the Security Rule’s Access Control Standard by restricting access to protected health information within resources to authorized users and secure devices only. Provides audit controls to monitor access and helps maintain data integrity by preventing unauthorized use.

  • GDPR (General Data Protection Regulation): Helps meet Article 32 (Security of processing) by enforcing strict access controls on resources handling personal data. Audit logs created by ZTNA demonstrate accountability and support compliance with data protection principles.

  • ISO/IEC 27001 (Information Security Management): Aligns with Annex A.9 (Access Control) by requiring certificate-based authentication and policy enforcement for resource access. Supports Annex A.12.4 (Logging and Monitoring) with comprehensive records of user authentication and resource access events, enabling thorough audits.

By combining strong device and user authentication with granular, certificate-based access to resources, Portnox ZTNA simplifies compliance and improves security posture, all while reducing the complexity typical of traditional VPN and password-based solutions.