4m read time
Although the Zero Trust model is not new, it is now gaining prominence. Forrester Research started talking about the concept in 2010 and the need to “never trust, always verify” because much of our data and applications started moving beyond our traditional trust boundaries and perimeters. Today, 46% of organizations are using Zero Trust technologies — such as single sign-on or multifactor authentication (MFA) — according to Foundry’s 2021 Security Priorities Study.
While the march toward ZT tech adoption is important and worthwhile, any organization that wants to improve the employee experience should think about the next step: Zero Trust Network Access (ZTNA) 2.0.
At their core, ZTNA solutions revolve around application access, which has become a critical consideration amid hybrid work. ZTNA 2.0 takes it a step further by providing granular access to applications based on fundamentally understanding the application at Layer 7. It also provides continuous verification of users as they connect to apps, compared with VPN and ZTNA 1.0 approaches, which provide network-level or point-in-time application connections.
This is an important factor in the employee experience. Not only do VPNs grant access to everything on the network — which makes the network vulnerable to exploits — they also slow down data traffic. That’s because many employees today access software-as-a-service (SaaS) solutions, so the VPN has to backhaul data between an on-premises server and the cloud, creating latency issues.
Likewise, ZTNA 1.0 approaches only validate the user once, at the time of a connection request, then back away from the session, implicitly trusting that user, its device, and that connection for as long as that session is active. That assumes that users, devices, and applications will always behave in an acceptable way, which is rarely the case and a recipe for disaster.
ZTNA 2.0, on the other hand, constantly checks the user, the device, and application behaviors throughout the employee’s connection. And it applies these checks consistently to all apps that are used by today’s hybrid workforces.
The need for ZTNA 2.0
“We used to have monolithic, standardized IT stacks on which we built applications,” says Don Meyer, Director of Product Marketing at Palo Alto Networks. “As long as we knew the IP address and protocol for an application, that was sufficient because it was the only thing that communicated in and out of the app.”
In contrast, today’s modern apps are built around microservices, containers, serverless functionality, and even sub-functions that call upon additional services to fulfill some part of the application function. VPNs and ZTNA 1.0 solutions take an “all or nothing” approach, giving users more access than they most likely need.
“Consider, for example, modern collaboration solutions that use a variety of communication mechanisms,” Meyer says. “A user joining a VoIP call might turn on their video, which now creates a video data stream. They might share a doc via the chat function and invite others to join the conversation, annotate a document, or even share additional information. They’re effectively getting work done, but without granular access controls to say who and what can securely gain access to which communication function, users are inadvertently putting data and the network at risk.”
On the other hand, ZTNA 2.0 helps to reduce an organization’s attack surface with identity-based authentication and granular access controls based on user, application, and device IDs. It even allows organizations to implement location- or device-specific access control policies to prevent unpatched or vulnerable devices from connecting to corporate services.
In addition, ZTNA 2.0 provides pre- and post-authentication trust assessment of the connecting user, device, and application to ensure changes in posture or behavior are quickly identified and automatically resolved.
This benefits both users and network admins, says Meyer.
“ZTNA 2.0 gives IT and network security teams the needed tools to define very granular access privileges and policies,” he says. “Combined with user identification tools like MFA or single sign-on, you can get a much better handle on network security. ZTNA provides greater visibility and granularity in terms of control for compliance and protecting sensitive data.”
It also benefits the employee experience, essentially creating a “path of least-resistance access for them to get instant access to their resources,” Meyer says. “It saves time in setting up the VPN connection or re-establishing it throughout the day, and unlike VPNs, there’s no latency or network performance issues that result from having to backhaul traffic to a premises-based concentrator.”
Another ZTNA 2.0 advantage: It reduces the threat of lateral movement, resulting “in a dramatically improved security posture,” Meyer says.
Discover more about ZTNA 2.0 here.