Demystifying zero-trust network access 2.0

We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!

Existing zero-trust network access (ZTNA) approaches have widening gaps, leaving threat surfaces unprotected and enterprises at risk. Pursuing ZTNA 1.0 frameworks also leads to app sprawl, more complex tech stacks and unprotected SaaS apps, three things CISOs are working hard to avoid. 

ZTNA 2.0’s creators at Palo Alto Networks launched the framework earlier this year to close the gaps they’re seeing in ZTNA 1.0 customers’ frameworks. They’ve also launched a new zero-trust marketing campaign, complete with a commercial starring award-winning actress Gillian Anderson. 

In urging the cybersecurity industry to adopt ZTNA 2.0, Palo Alto Networks points to how existing approaches to ZTNA validate connections through a Cloud Access Security Broker (CASB) just once, then assume the connection can be trusted indefinitely.  

Another growing gap is how many applications and endpoints use dynamic ports and require a range of IP addresses to work. TCP/IP and TCP/UDP protocols provide coarse, packet-level access privileges; they can’t be used to define sub-app or app function level access, as these protocols weren’t designed for that purpose. 

Dynamic Host Configuration Protocols (DHCP) in virtual workforces are also commonplace. ZTNA 2.0 advocates contend it’s the inherent structure of the DHCP connections that, once trusted via CASB authentication, could be breached to launch man-in-the-middle, sniffing and reconnaissance attacks. 

Those risks are driving Palo Alto Networks to promote ZTNA 2.0. Two core goals of ZTNA 2.0 is to perform continuous trust verification and security inspection of all traffic across all threat vectors.  

Why ZTNA 2.0 now 

The essence of ZTNA’s current weaknesses is how vulnerable apps, platforms and network connections are that rely on the OSI Model‘s lower levels to connect across an enterprise. ZTNA 2.0’s creators contend that connections, endpoints (both human and machine), network traffic and integrations that travel on the third and fourth layers of the OSI Model are still susceptible to breach. 

This is because traffic on these model layers relies on the core components of the TCP/UDP network protocols. They also rely solely on IP addresses to define physical paths.

ZTNA’s critics contend that makes it especially challenging to enforce least-privileged access and trust verification in real-time. On the other hand, Palo Alto Networks says the exponential increase in virtual workforces, heavy reliance on hybrid cloud infrastructure and new digital-first business models are compressing the OSI Model layers, making ZTNA 2.0 needed.   

ZTNA 2.0 advocates contend there needs to be more stringent enforcement of least privileged access from the third to the seventh layer of the OSI Model. One of the gaps ZTNA 2.0 advocates point to is the lack of real-time trust verification across the upper layers of the model. Source: OSI Model graphic courtesy of Cloudflare. 

Will ZTNA 2.0 deliver? 

Zero trust is catching on fast among the largest enterprise companies with the technical staff and senior technical leaders who can delve into its architecture to see how it complements its compliance, risk and digital growth goals. 

Technical roles are the single biggest job type that investigates and works with ZTNA, accounting for 59% of initial interest. Identifying technical differentiators at the strategic level that contribute the most to their company’s compliance, risk management, cybersecurity and digital growth goals is most important for them. 

ZTNA 2.0 is a solid differentiator that appeals to technical professionals in leadership positions across large-scale enterprises. Only actual implementations will tell whether it delivers on the expectations it’s creating.  

Palo Alto Networks’ Prisma Access represents how the company defines ZTNA 2.0 from a product perspective. It’s ingenious how their product architecture is designed to scale and protect workloads at the infrastructure layer of a tech stack while delivering ZTNA 2.0 security to users accessing and completing data transactions. 

Palo Alto Networks also designed Prisma Access to consolidate ZTNA 2.0 compliance at the infrastructure level for device workloads, network access and data transactions. The goal is to help enterprises consolidate their tech stacks, which will also drive a larger Total Available Market (TAM) for the company. 

Prisma Access slots into their SASE strategy that rolls up into Security Services. ZTNA 2.0 design principles across every layer of their tech stack need to happen for this strategy to work.

Palo Alto Networks' Prisma Access platform productizes the core concepts of ZTNA 2.0, looking to reduce app sprawl, improve integration and provide greater visibility and control across an enterprise. 
Palo Alto Networks’ Prisma Access platform productizes the core concepts of ZTNA 2.0, looking to reduce app sprawl, improve integration and provide greater visibility and control across an enterprise. 

What ZTNA 2.0 gets right 

When executable code can be compromised in a cybersecurity vendor’s supply chain or entire enterprises over a single phishing attempt, it’s clear that cyberwarfare is reaching a new level. 

ZTNA 2.0 says that the growing gaps in enterprise defenses, some of which are protected by zero trust today, are still vulnerable. 

Palo Alto Networks’ architects got it right when they looked at how to better secure the upper levels of activity along the OSI model and how virtual workforces and digital initiatives are compressing it. 

For ZTNA 2.0 to grow as a standard, it will need an abundance of use cases across industries and reliable financial data that other organizations can use to create business cases enterprises’ board of directors can trust.

Originally appeared on: TheSpuzz