We live in a world where work is an activity, not a place. In the wake of the pandemic, more than three-quarters of global workers said they want the option to work from home at least part-time. For organizations big and small, this means fully embracing hybrid work. Similarly, most of our applications have moved from the relative safety of the private data center to the cloud. This trend has been accelerating, with 80% of organizations adopting hybrid cloud strategies. The ability to provide secure, seamless access to all applications from anywhere has never been more important.
Previously, organizations were secured by deploying numerous security appliances, such as firewalls and web proxies, within private data centers and funneling all traffic through them. Now that most applications and users have left the building, users connect directly to applications rather than going to corporate headquarters or a branch office to reach the apps they need to do their jobs.
This direct-to-app shift dramatically increases the attack surface, requiring more security and access controls to protect applications and data. In an effort to regain control over the expanding attack surface, zero trust network access (ZTNA) solutions emerged.
The Limitations of ZTNA 1.0
Legacy ZTNA solutions were introduced almost a decade ago when the threat landscape, corporate networks, and how and where people worked were vastly different. These legacy solutions, known as ZTNA 1.0, no longer align with the realities of work, and malicious actors know how to exploit the gaps within them.
ZTNA 1.0 provides organizations minimal protection because the technology operates as a basic access broker. When a user requests access to an application, the broker verifies whether the user has permission to access that application. Once the permission is verified, the broker grants access, establishing a connection between user and application. And…that’s it. The user's session is now “trusted,” so the broker steps out of the path, leaving the user with complete access to the application without any additional monitoring or scrutiny.
This is the architectural model of ZTNA 1.0. This model isn’t just problematic; in the context of today’s threat landscape, it’s dangerous. Here are five ways that ZTNA 1.0 puts organizations at risk:
- Violates the principle of least privilege: ZTNA 1.0 is overly permissive, granting access to applications based on old constructs like IP address and port numbers. This legacy approach doesn’t provide access control to sub-applications or specific app functions.
- Allows and ignores: Once access to an application is granted, ZTNA 1.0 implicitly trusts whatever or whoever accessed the application without monitoring user, application, or device behavior changes.
- No security inspection: ZTNA 1.0 can’t detect or prevent malware or lateral movement across connections. It focuses on application access, not securing traffic to and from applications.
- Doesn’t protect all enterprise data: ZTNA 1.0 doesn’t provide visibility or data control, leaving enterprises vulnerable to the risk of data exfiltration from attackers or malicious insiders.
- Can’t secure all applications: ZTNA 1.0 only secures a subset of private applications that use static ports, leaving private applications that use dynamic ports, cloud-native applications, or SaaS applications unprotected.
ZTNA 2.0 is a better way to protect everyone and everything, everywhere
Keeping company data secure is difficult now that work can be done everywhere. ZTNA 2.0 solutions offer infinite scalability and complete and consistent security for perimeterless organizations with:
- Least privilege access: ZTNA 2.0 enables precise access control at the application and sub-application levels, independent of network constructs like IP and port numbers.
- Continuous trust verification: After access to an application is granted, ZTNA 2.0 provides continuous trust assessment based on changes in device posture, user behavior, and application behavior.
- Continuous security inspection: ZTNA 2.0 uses deep and ongoing inspection of all application traffic, even for allowed connections. This helps prevent all threats, including zero-day threats.
- Protection of all data: ZTNA 2.0 provides consistent control of data across all applications, including private applications and SaaS applications, with a single data loss prevention (DLP) policy.
- Security for all applications: ZTNA 2.0 consistently secures all types of applications used across the enterprise, including modern cloud-native applications, legacy private applications, and SaaS applications.
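To make the architectural difference concrete, here is an added Python example (constructed for this post, not Palo Alto Networks product code) that replays one user session through a toy ZTNA 1.0 broker, which verifies once at the application level and then trusts the session, and a toy ZTNA 2.0 policy engine, which re-evaluates every request against sub-application entitlement, device posture and a behaviour score. The entitlements, the posture flag, the anomaly score and the 0.7 threshold are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed entitlements: least privilege at app *and* sub-application (action) level.
ENTITLEMENTS = {"alice": {"crm": {"read"}, "hr": {"read", "export"}}}
ANOMALY_THRESHOLD = 0.7  # assumed cut-off for the behaviour signal


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    action: str        # sub-application function, e.g. "read" or "export"
    posture_ok: bool   # device posture at the moment of this request (constructed signal)
    anomaly: float     # user/app behaviour score, 0.0 normal .. 1.0 hostile (constructed)


class Ztna1Broker:
    """Verify once at app level, then trust the session (allow-and-ignore)."""
    def __init__(self):
        self.sessions = set()

    def decide(self, req: Request) -> bool:
        key = (req.user, req.app)
        if key in self.sessions:
            return True  # session already 'trusted': no posture, behaviour or action check
        if req.posture_ok and req.app in ENTITLEMENTS.get(req.user, {}):
            self.sessions.add(key)  # broker steps out of the path from here on
            return True
        return False


class Ztna2Engine:
    """Evaluate every request: app + action entitlement, posture and behaviour."""
    def decide(self, req: Request) -> bool:
        actions = ENTITLEMENTS.get(req.user, {}).get(req.app, set())
        return req.action in actions and req.posture_ok and req.anomaly < ANOMALY_THRESHOLD


def run_scenario():
    """Replay one session and return the per-request decisions of both models."""
    requests = [
        Request("alice", "crm", "read", True, 0.1),    # legitimate start of session
        Request("alice", "crm", "export", True, 0.1),  # bulk export: not entitled
        Request("alice", "crm", "read", False, 0.1),   # device posture degrades mid-session
        Request("alice", "crm", "read", True, 0.9),    # behaviour becomes anomalous
    ]
    v1, v2 = Ztna1Broker(), Ztna2Engine()
    return [v1.decide(r) for r in requests], [v2.decide(r) for r in requests]


if __name__ == "__main__":
    print(run_scenario())
```

The ZTNA 1.0 broker allows all four requests because it never looks again after the first grant, while the ZTNA 2.0 engine allows only the first one.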
Watch our ZTNA 2.0 launch event to learn about innovations and best practices for securing the hybrid workforce with ZTNA 2.0.
Kumar Ramachandran serves as Senior Vice President of Products for Secure Access Service Edge (SASE) products at Palo Alto Networks. Kumar co-founded CloudGenix in March 2013 and was its CEO, establishing the SD-WAN category. Prior to founding CloudGenix, Kumar held leadership roles in Product Management and Marketing for the multi-billion dollar branch routing and WAN optimization businesses at Cisco. Prior to Cisco, he managed applications and infrastructure for companies such as Citibank and Providian Financial. Kumar holds an MBA from UC Berkeley Haas School of Business and a Master's in Computer Science from the University of Bombay.