Zero Trust Network Access: The Paradigm Shifts.
Covid-19 and the global pandemic coupled with the national lockdowns that took place from 2020-2021 resulted in dramatic changes to how and where we now work. Initiatives like remote working, Zero Trust, and cloud transformation saw an unprecedented acceleration to accommodate the new reality. Our reality now is that work is no longer a place to go, but something we do instead.
As a result, the attack surface has increased exponentially, with many architectures now supporting direct-to-app connections versus backhauling traffic to data centres. ZTNA 2.0 with Palo Alto Networks is the best possible way to advance with the times and keep up with modernising workplaces.
Zero Trust Network Access 1.0 highlights the need for more robust detection.
What’s more, legacy remote access architectures further complicate the situation by providing too much access with little to no threat or vulnerability detection, leaving privileged resources vulnerable to user account compromise.
At the same time, we are seeing a dramatic increase in the volume and sophistication of cyberattacks ransomware operators have been especially busy during the pandemic, realising lucrative returns from their exploits.
It’s clear the legacy approaches for secure remote access and out-of-date architectures—like the initial iteration of Zero Trust Network Access (ZTNA)—are not able to handle the onslaught of new and increasingly sophisticated attacks across our exploding attack surfaces.
Limitations of ZTNA 1.0
First-generation ZTNA solutions—we’ll call them ZTNA 1.0—were introduced almost a decade ago, back when the threat landscape, corporate networks, and how and where people worked were vastly different. Today, ZTNA 1.0 solutions no longer align with the new world of work, and malicious actors are diligently finding ways to exploit the limitations of these ZTNA 1.0 approaches.
Before we explore the gaps that exist now, let’s look at what ZTNA 1.0 was built to protect. ZTNA 1.0 was designed to protect organisations by limiting their exposure and reducing their attack surface It works as an access broker to facilitate connectivity to an application When a user requests access to an application, the access broker determines whether the user should have permission to access an application. Once the permission is verified, the access broker grants access, and the connection is established.
And that’s it. The broker is no longer in the picture, and the user is now given complete access to the application without any additional monitoring from the security system.
This is the architectural model of ZTNA 1.0. This model isn’t just problematic in the context of today’s threat landscape—it’s dangerous. Here’s a look at five reasons sticking with ZTNA 1.0 may cause more harm than good when it comes to battling today’s cybersecurity threats:
1. Violates the Principle of Least Privilege:
The first issue with the ZTNA 1.0 model is it violates the principle of least privilege. When you hear the term Zero Trust, it implies that nothing is inherently trusted The intent is to ensure least privilege by connecting a user to an application and nothing else. In fact, all vendors offering ZTNA 1.0 solutions talk a pretty good game about this very principle, arguing against giving access to broad network segments by granting access to applications However, the reality with existing ZTNA 1.0 solutions is that application access is managed at Layer 3 and Layer 4 of the OSI model—the network and transport layers—using only IP address and TCP/UDP port constructs A network is not the same as an application, yet ZTNA 1 0 solutions rely on network level access controls to provide users application-level access Unfortunately, relying on policy at Layer 3 and Layer 4 creates a number of problems For example, if an app uses dynamic ports or IP addresses, you must grant access to broad ranges of IPs and ports, exposing more surface area than necessary. Access cannot be restricted at the sub-app level or app function level either; access can only be granted to entire apps And any malware that listens on the same allowed IP addresses and port numbers can freely communicate and spread laterally The bottom line is that ZTNA 1.0 grants far more access than is actually required, violating the principle of least privilege.
2. Follows the “Allow-and-Ignore” Model:
The second issue with ZTNA 1.0 solutions is their reliance on the allow-and-ignore model which is very risky. Why is the allow-and-ignore model risky? Once the access broker establishes the connection between the user and the application they are trying to access, that connection is trusted for the duration of that session, and all user and device behaviour for that session goes unchecked. Assuming trust can be verified only once and not checked again is a recipe for disaster. A lot can happen after trust is verified. User and application behaviour can change, and applications can be compromised. Security breaches can’t happen unless someone or something is allowed in to wreak havoc and cause harm, and many modern cybersecurity threats only piggyback on allowed activity to avoid triggering alarms.
3. No Security Inspection:
In addition to trusting whatever gets access to the network, ZTNA 1.0 solutions don’t inspect application traffic either. Once a connection is established, ZTNA 1.0 trusts that active session implicitly, therefore performing no additional traffic inspection. If the device is compromised and malware is introduced into the session, there is no means for a ZTNA 1.0 solution to detect any malicious or other compromised traffic and respond accordingly. This turns ZTNA 1.0 into a “security-through-obscurity-only” approach that further puts organisations, their users, apps, and data at risk of malware, compromised devices, and malicious traffic.
4. No Data Protection:
ZTNA 1.0 solutions don’t provide data protection—especially the data within private applications. This leaves most of the organisation’s traffic vulnerable to data exfiltration from malicious insiders or external attackers and requires completely different data loss prevention (DLP) solutions to protect sensitive data in SaaS applications ZTNA 1.0 introduces more complexity and risk as it requires organizations to use multiple point products to secure data everywhere.
5. Inability to Secure All Apps:
ZTNA 1.0 solutions don’t provide coverage for all applications They don’t support cloud-based apps or other apps that use dynamic ports or server-initiated applications—like support help desk apps that employ server-initiated connections to remote devices. ZTNA 1.0 solutions don’t support SaaS apps either Modern cloud native apps are comprised of many containers of microservices, often using dynamic IP addresses and port numbers—a recipe for disaster. ZTNA 1.0 access control becomes completely ineffective in these sorts of environments, as it requires access to be opened up for broad ranges of IPs and ports, defeating the point of Zero Trust. As more and more organisations continue on their cloud journey and run their businesses on cloud native applications, ZTNA 1.0 becomes obsolete.
The Advent of ZTNA 2.0
We’ve seen the digital transformations organisations have underway to run efficiently and provide employees access to all the tools they need—no matter where they choose to work. This transformation manifests itself most visibly in how employees now access these tools, connecting directly to the applications they need to get their work done And it shouldn’t matter whether the employee is at home, on the road, or in an office; the expectation is that each employee will be given access to the applications they need to perform their work without increasing the organisation’s attack surface. This transformation requires a paradigm shift in cybersecurity. Welcome to ZTNA 2.0, with Palo Alto Networks.
The Five Tenets of ZTNA 2.0
There are five key tenets of ZTNA 2.0:
1. ZTNA 2.0 uses the most stringent enforcement of the principle of least privilege, providing access control from the network layer—Layer 3—all the way to the application layer—Layer 7
2. ZTNA 2.0 delivers continuous trust verification. When a user’s behaviour changes, an application’s behaviour changes, or device posture changes, there must be a continuous assessment of the trust level granted and the ability to react—in real time—to any and all changes.
3. ZTNA 2.0 delivers continuous security inspection for all traffic to protect against all threats and threat vectors
4. ZTNA 2.0 protects all data, and it does this consistently across all application data, from the data within applications running on legacy mainframes all the way up to the data stored in modern, cloud native and collaboration applications.
5. ZTNA 2.0 protects and secures all applications across the entire organisation, including Private apps, cloud apps and SaaS. These five key capabilities overcome the limitations of ZTNA 1.0 solutions and provide better security outcomes to support the digital transformation, and hybrid workforce needs facing organisations today.
Prisma Access: The ZTNA 2.0 Engine
Palo Alto Networks’ Prisma Access provides the industry’s only cloud delivered ZTNA 2.0 solution designed around an easy-to-use, unified security product that delivers the best user experience. Overcoming the shortcomings of legacy solutions, only Prisma Access consolidates best-of-breed capabilities, such as ZTNA 2 0, SWG, Next-Gen CASB, FWaaS, DLP, and more, into a cloud-native global services edge that:
• Securely connects all users and all apps with fine-grained access controls to dramatically reduce the
attack surface
• Provides behaviour-based continuous trust verification after users connect
• Provides deep and ongoing security inspection to ensure all traffic is secure without compromising performance or user experience
• Provides consistent visibility with a single DLP policy to secure both access and data
• Secures all apps, all the time, including premises-based, internet-based, legacy, SaaS, and modern/ cloud native apps from a single product
The unique architecture of Prisma Access is built in the cloud to secure at cloud scale with true multitenancy while ensuring all customers are isolated from each other Leveraging the elastic scale of the largest cloud providers in the world along with access to dedicated premium fibre networks, Prisma Access delivers industry-leading SLAs for security processing as well as app performance what’s more, the native Autonomous Digital Experience Management capabilities provide proactive identification and resolution of potential problems before a user even knows about them. These capabilities guarantee the best possible performance and user experience
Three ZTNA 2.0 Starting Points for Your Organisation from Palo Alto Networks.
Getting started with ZTNA 2.0 should not be difficult, overwhelming, or come with compromises. It
boils down to alignment—mapping needs to the key concerns or challenges most organisations face to solve their challenges without requiring a massive architectural shift or business disruption
Here are the three key projects where you can begin implementing ZTNA 2 0 into your organisation
today:
• VPN replacement project:
Move away from on-premises VPN concentrators, and poor performing
backhauling architectures, inefficient network paths, and expensive-to-manage infrastructure.
• SWG replacement project:
Move away from premises-based and legacy proxy architectures to a modern, cloud-based approach to secure users accessing web and internet tools
• Advanced SaaS app security or Next-Gen CASB project:
Modernise security for and regain control over the explosion of SaaS applications, limit exposure, provide better protection for sensitive data, and get a handle on shadow IT.
Conclusion
Secure IT Consult (SITC) works with Palo Alto Networks to provide both licensing and professional services across the entire Palo Alto Networks portfolio, and the Prisma solution range. Zero Trust/ZTNA 2.0 with Prisma Access means unified security for the best user experience – the only cloud delivered ZTNA 2.0 solution, and SITC can provide everything you need from start to finish on your cybersecurity projects; installation, integration, planning, deployment, and managed services – everything you need for your cybersecurity and cloud computing in one partner, with Palo Alto Networks Certified Network Security Consultants capable of delivering the whole range.
With SITC, you can find Palo Alto Networks Certified Network Security Consultants with the capability to deliver for your cybersecurity solutions across a wide range of scenarios and projects, to the highest standards, in every way. For all things Palo Alto Networks, look no further than SITC.