Why the World Needs ZTNA 2.0
In This Article
The following article was written by Nir Zuk, Founder and Chief Technology Officer, Palo Alto.
Interest in Zero Trust has exploded recently, partly due to its catchy name and seemingly broad usage throughout the cyber security industry (Zero Trust washing?). But, there is also another more compelling reason for the rise in interest in Zero Trust – we really need it.
When speaking with customers, many of them tell me they are struggling to get a handle on the risks associated with hybrid work and direct-to-app connectivity. The new reality is that our attack surfaces have expanded dramatically while cyberattacks continue to grow in volume and sophistication. The whack-a-mole approach of deploying a new tool for every type of application or threat makes security management and enforcement way too complex.
Most organizations have discovered that old and clunky VPN-based solutions just don't cut it from a security and performance perspective. These legacy solutions have no concept of context and thus do not understand how to apply application, user or device-based, least privilege access. Instead, they give trusted access to entire network segments. In the world of hybrid work and cloud migration, legacy VPN is dead.
Zero Trust Network Access (ZTNA) approaches emerged to address the challenges caused by legacy VPN. However, the first generation of products (which we call ZTNA 1.0) have proven more dangerous than helpful because of several critical limitations:
- Too Much Access is Not Zero Trust – Supports only coarse-grained access controls while classifying applications based on L3/L4 network constructs, such as IP address and port numbers. Thus, ZTNA 1.0 provides way too much access, especially for apps that use dynamic ports or IP addresses.
- Allow and Ignore – Once access to an app is granted, that communication is then trusted forever. ZTNA 1.0 assumes that the user and the app will always behave in a trustworthy manner, which is a recipe for disaster.
- Too Little Security – Only supports a subset of private apps while unable to properly secure microservice-based, cloud-native apps – apps that use dynamic ports like voice and video apps, or server-initiated apps like Helpdesk and patching systems. Moreover, legacy ZTNA approaches completely ignore SaaS apps and have little to no visibility or control over data.
Clearly, ZTNA 1.0 falls short on the promise of replacing legacy VPN. We need a different approach.
Introducing ZTNA 2.0
At Palo Alto Networks, we believe it's time to move towards a new approach we're calling ZTNA 2.0. Delivered from Prisma Access, ZTNA 2.0 is designed around an easy-to-use, unified security product. ZTNA 2.0 solves the shortcomings of ZTNA 1.0 by delivering the following:
- Least Privilege Access – Achieved by identifying applications at layer 7, enabling precise access control at the app and sub-app levels, independent of network constructs like IP and port numbers.
- Continuous Trust Verification – Once access to an app is granted, trust is continually assessed based on changes in device posture, user behavior and app behavior.
- Continuous Security Inspection – Providing deep and ongoing inspection of all traffic, even for allowed connections, to prevent all threats including zero-day threats.
- Protection of All Data – Providing consistent control of data across all apps used in the enterprise including private apps and SaaS, with a single DLP policy.
- Security for All Apps – Safeguarding all applications used across the enterprise, including modern cloud-native apps, legacy private apps and SaaS apps. This includes apps that use dynamic ports and apps that leverage server-initiated connections.
Today, work is no longer a place we go, but an activity we perform. At the height of the pandemic, many businesses focused on trying to scale their VPN infrastructure. When that didn't work, they quickly pivoted to the ZTNA 1.0 solution, only to discover it didn't live up to their expectations. ZTNA 2.0 is the necessary paradigm shift to overcome the existing limitations of ZTNA 1.0, and it is the right architecture to support your organization in the long term.