BLOG: Don’t End Up Increasing Your Risk with Outdated ZTNA Solutions
Zero Trust Network Access (ZTNA) is an important step toward an improved security posture and a seamless employee experience, especially for organizations that are still using virtual private network (VPN) connections.

“Organizations that implement ZTNA principles decrease their cyberattack surface by alleviating concerns around lateral movement of threats in the network,” says Don Meyer, Director of Product Marketing at Palo Alto Networks.

“It incorporates more robust credentials and secure mechanisms like multifactor authentication to trust and verify users, devices, and applications,” he adds. “It enables organizations to leverage and share more consistent workflows around how users get authenticated, and to which applications, while making it easy for employees to gain access to the resources they need.”

Although the first generation of ZTNA (or 1.0) solutions addressed many of the challenges and vulnerabilities of VPNs, there are some significant limitations in 1.0 approaches. Meyer says ZTNA 1.0 doesn’t go far enough to protect today’s hybrid workforce.

“It actually violates the principle of least privilege. It only looks at certain IP addresses, protocols, and ports, relying on low-level networking constructs like Layers 3 and 4 for enforcing access privileges to applications.”

A network is not the same as an application, and enforcing policy at Layers 3 and 4 creates several problems. If an app uses dynamic ports or IP addresses, access must be granted to a broad range of IPs and ports, exposing more surface area than intended. Access can also only be granted to the entire app; it cannot be restricted at the sub-app or app-function level. So if malware listens on the same allowed IP addresses and port numbers, it can communicate freely and spread laterally through those sub-app functions.

In other words, given today’s modern applications — which are built on microservices, containers, and serverless functionality, for example — ZTNA 1.0 actually provides more access than users should have.

Other issues

“A second area where we see ZTNA 1.0 falling short is around what we call ‘allow and ignore,’” Meyer says.

This principle is fundamental to the design of ZTNA, which leverages an access broker to field and vet requests from users to applications. It not only verifies the user, but also ensures they should have access to a particular application. Once the identity and access rights are confirmed, the access broker stitches together a connection for the user to the app — then gets out of the picture.

“That means that anything that occurs during that established session goes unchecked,” Meyer says. “There’s nothing to determine if the behaviors of the user, device, or application are undesirable or risky.”

For example, ZTNA 1.0 does not inspect user traffic from the application after the employee establishes a connection. If that individual’s device or credentials become compromised, or a malicious insider uses their access to a resource to disrupt the application or host, then a serious security incident can occur.

A paradigm shift with ZTNA 2.0

Organizations can achieve the ZTNA promises of improved network security and employee experiences — as well as other benefits — by applying ZTNA 2.0 principles, which deliver:

● **True least-privilege access** – Achieved by identifying applications at Layer 7, enabling precise access control at the app and sub-app levels, independent of network constructs like IP and port numbers.

● **Continuous trust verification** – Once access to an app is granted, trust is continually assessed based on changes in device posture, user behavior, and app behavior.

● **Continuous security inspection** – Providing deep and ongoing inspection of all traffic, even for allowed connections, to prevent all threats including zero-day threats.

● **Protection of all data** – Providing consistent control of data across all apps used in the enterprise including private apps and software-as-a-service (SaaS), with a single data loss prevention policy.

● **Security for all apps** – Safeguarding all applications used across the enterprise, including modern cloud-native apps, legacy private apps, and SaaS solutions. This includes apps that use dynamic ports and those that leverage server-initiated connections.
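The two gaps described above, the Layer 3/4 rule that must open a whole port range and the "allow and ignore" broker that never revisits a session, can be seen side by side in a small policy model. This is an added illustration, not Palo Alto Networks code; the app name, IP, port range and session samples are constructed.

```python
from dataclasses import dataclass

# Constructed sample data, not from the original post. Each flow carries the
# network tuple a Layer 3/4 broker sees plus the Layer 7 app identity and
# sub-app function a content-inspecting broker derives from the traffic.
@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    app: str        # application identified from traffic content
    function: str   # sub-app function, e.g. "read" or "admin"

# ZTNA 1.0 style rule: IP and port only. The app uses dynamic ports, so the
# rule must open the whole range, and anything listening there matches it.
L34_RULE = {"ip": "10.0.5.20", "ports": range(8000, 9000)}
# ZTNA 2.0 style rule: app and sub-app function, independent of IP and port.
# This user is entitled to the read-only function of the ticketing app.
L7_RULE = {"app": "ticketing", "functions": {"read"}}

def allow_l34(flow: Flow) -> bool:
    return flow.dst_ip == L34_RULE["ip"] and flow.dst_port in L34_RULE["ports"]

def allow_l7(flow: Flow) -> bool:
    return flow.app == L7_RULE["app"] and flow.function in L7_RULE["functions"]

FLOWS = [
    Flow("10.0.5.20", 8443, "ticketing", "read"),      # legitimate use
    Flow("10.0.5.20", 8443, "ticketing", "admin"),     # same app, unentitled function
    Flow("10.0.5.20", 8081, "unknown-listener", "-"),  # other process in the open range
]
# Posture samples taken after connect: the device fails its check at sample 1.
SESSION = [(True, FLOWS[0]), (False, FLOWS[0]), (True, FLOWS[1])]

def compare(flows):
    """(Layer 3/4 decision, Layer 7 decision) for each flow."""
    return [(allow_l34(f), allow_l7(f)) for f in flows]

def allow_and_ignore(first: Flow, observations):
    """ZTNA 1.0 broker: decide once at connect time, never revisit the session."""
    return allow_l7(first), None   # None: the session is never cut mid-stream

def continuous_verification(first: Flow, observations):
    """ZTNA 2.0 broker: re-check posture and app behaviour on every sample.
    Returns (admitted, index of the sample at which trust was revoked)."""
    if not allow_l7(first):
        return False, None
    for i, (posture_ok, flow) in enumerate(observations):
        if not posture_ok or not allow_l7(flow):
            return True, i
    return True, None
```

The port-only rule admits all three flows, including the unentitled admin function and the unrelated listener, while the Layer 7 rule admits only the first; the continuous broker also cuts the session at the sample where device posture fails.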

“ZTNA 2.0 helps organizations consolidate the numerous security and protection tools they’re managing,” Meyer says. “Rather than address sub-functions or subsets of applications with multiple point products, ZTNA 2.0 aligns security and networking with a consistent set of controls for both application access and the availability of data.”

ZTNA 2.0 not only reduces the attack surface, it also ensures employees have the right access to the right resources they need — no matter whether they’re working remotely or in on-site facilities.

Learn more about ZTNA 2.0 and how Prisma® Access protects today’s hybrid workforce with unified security.