Why most Zero Trust Network Access solutions are too trusting
Many organisations have turned to Zero Trust Network Access (ZTNA) solutions to answer the challenges of providing secure access to data, apps and the network to users from any location. ZTNA can be roughly defined as a set of technologies that provide secure, remote and restricted access to applications. The phrases “just in time, and just enough” and “least privileged access” are often used to describe this technology. However, when evaluating ZTNA providers, it’s important to make sure they don’t implicitly trust users once they’ve connected.
Breaking down ZTNA
Palo Alto Networks was recently listed as a representative vendor in Gartner’s Market Guide for Zero Trust Network Access, which states, “ZTNA augments traditional VPN technologies for application access, and removes the excessive trust once required to allow employees and partners to connect and collaborate.” To better understand why this is, you can break ZTNA into three steps.
- A user is provided with secure access to an authentication system, either through an agent or agentless approach. An example of this could be a user on an unmanaged device accessing a Secure Access Service Edge (SASE) through a web browser where an SSL or TLS tunnel is established.
- The user’s identity is confirmed from a corporate authentication server and access to a privileged resource – such as a data centre or application – is granted based on the organisation’s policies. These might map to employee types like contractors or full-time employees, or to job functions, like finance or marketing.
- Secure access is provisioned to the resource or application.
This last step is where most ZTNA solutions stop: they don't monitor user activity for threats after the user connects. That approach rests on two false assumptions. The first is that the credentials used to authenticate were not compromised. The second is that, because you have only granted access to the applications the user "needs to use", you are not trusting the user. Of course, that's not true: you are still trusting them with that application.
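To make the distinction between the three steps concrete, here is an added illustration in Python. It is not Prisma Access code or any vendor's implementation; the roles, applications and device-posture fields are made up for the example. It contrasts a broker that evaluates policy once at connect time and then trusts the tunnel with one that re-evaluates identity, device posture and entitlement on every request, so that a credential revoked mid-session or a device whose posture drifts is cut off instead of riding on the original grant.

```python
"""Constructed example: connect-time-only vs. continuous ZTNA authorization.

Not Prisma Access code. Roles, application names and posture fields are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Hypothetical entitlement policy: role -> applications it may reach.
# Anything not listed is denied (default deny).
POLICY: Dict[str, Set[str]] = {
    "finance": {"erp", "payroll"},
    "contractor": {"ticketing"},
}


@dataclass
class Device:
    """Minimal device-posture record (constructed)."""
    patched: bool
    firewall_on: bool
    av_healthy: bool


@dataclass
class Session:
    """Authenticated session plus the live state a continuous broker re-checks."""
    user: str
    role: str
    device: Device
    revoked: bool = False          # set when credentials are revoked or the user is offboarded
    denied: list = field(default_factory=list)  # reasons for the most recent denial


def device_healthy(d: Device) -> bool:
    return d.patched and d.firewall_on and d.av_healthy


def authorize(s: Session, app: str) -> bool:
    """Full policy decision: identity still valid, device still healthy, role entitled to app."""
    s.denied = []
    if s.revoked:
        s.denied.append("credentials revoked")
    if not device_healthy(s.device):
        s.denied.append("device posture failed")
    if app not in POLICY.get(s.role, set()):   # unknown role or unlisted app -> deny
        s.denied.append(f"role {s.role!r} not entitled to {app!r}")
    return not s.denied


class ConnectTimeBroker:
    """Decides once at connect, then trusts the established tunnel (the pattern criticised above)."""

    def __init__(self) -> None:
        self._granted: Dict[Tuple[str, str], bool] = {}

    def connect(self, s: Session, app: str) -> bool:
        ok = authorize(s, app)
        self._granted[(s.user, app)] = ok
        return ok

    def request(self, s: Session, app: str) -> bool:
        # No re-evaluation: whatever was decided at connect time stands.
        return self._granted.get((s.user, app), False)


class ContinuousBroker:
    """Re-runs the full decision on every request, not just at connect."""

    def request(self, s: Session, app: str) -> bool:
        return authorize(s, app)


def scenario() -> Tuple[bool, bool]:
    """Credentials revoked and posture drifts mid-session.

    Returns (connect_time_allowed, continuous_allowed) for the next request.
    """
    alice = Session("alice", "finance", Device(True, True, True))
    ct, cont = ConnectTimeBroker(), ContinuousBroker()
    ct.connect(alice, "erp")          # both brokers allow the initial connection
    cont.request(alice, "erp")
    # Mid-session: the account is revoked (stolen credentials) and the host firewall is switched off.
    alice.revoked = True
    alice.device.firewall_on = False
    return ct.request(alice, "erp"), cont.request(alice, "erp")


if __name__ == "__main__":
    print(scenario())   # connect-time broker still says True; continuous broker says False
```

The connect-time broker keeps honouring the grant after the account is revoked and the device falls out of compliance, which is exactly the "trusted once connected" gap the text describes; the continuous broker denies the same request and records why. The default-deny check also means a role that is missing from the policy, or an application not listed for that role, is never reachable.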
A better approach to ZTNA with Prisma Access
As organisations look for solutions to help them apply ZTNA capabilities, it is important to look for solutions that offer a better approach to trust – solutions that can be part of a true Zero Trust strategy. This means seeking out solutions that not only authenticate before a user is given access but continue to do so throughout the user’s entire session connected to the network.
Prisma Access is Palo Alto Networks' solution for ZTNA, delivering on the core tenets of limiting user access to only the applications they should have access to, while simultaneously preventing data exfiltration and threats from compromised endpoints. Prisma Access enables organisations to do the following:
- Shield Applications from Exposure to the Public Internet – Prisma Access uses agent-based and agentless secure VPNs to connect users to a cloud-based SASE. Prisma Access then performs full data inspection and authentication before allowing the user to connect to the shielded application. The application is never exposed to the public internet and no unauthenticated users are allowed to access it.
- “Just in Time and Just Enough” Authentication and Access Control – Prisma Access identifies, authenticates and assigns granular, role-based access control for users, whether the user is on a company-owned or unmanaged device. This enables organisations to implement uniform security policies regardless of where the user is located. In the spirit of Zero Trust, Prisma Access operates in default-deny mode, allowing users to see and access only those applications to which they have been granted access.
- Threat and Vulnerability Scanning – Unlike most ZTNA solutions, Prisma Access delivers the full detection capabilities of a next-generation firewall. As data enters or exits a data centre or application, Prisma Access performs single-pass inspection across all web and non-web traffic for malware signatures, intrusion behaviours and indicators of data loss. Prisma Access also performs a health check of the user’s device before it connects – verifying patch history, firewall and endpoint anti-malware states – to prevent a vulnerable device from introducing risk to the application.
When employing ZTNA, organisations need to fully commit to the Zero Trust principle of explicit, identity-based verification. Secure remote access buttressed by identity- or role-based authentication is important, but it is only part of truly effective ZTNA. Staying true to the philosophy of Zero Trust requires monitoring user activity for threats even after a user connects to privileged resources.