Zero Trust Network Access: Build Your SASE on a Solid Foundation

Jan 06, 2020

By Jason Georgi, Field CTO, Prisma

Applications moving to the cloud and increased user mobility are changing the way networking and network security services must be delivered. Palo Alto Networks founder and CTO Nir Zuk believes that the future of network security is in the cloud, and has been driving this change for the past few years with Prisma Access, the industry’s most comprehensive SASE. In this ongoing series, Palo Alto Networks thought leaders explore the core tenets of an integrated, effective SASE solution, and more broadly, its implementation and implications.

Network architecture is evolving. This is especially true when applications are spread across a range of locations and it is not always practical (or sensible) to send traffic back to the corporate data center or HQ for security. In today’s always-on, internet-based world, users and apps are everywhere, and the resulting lack of visibility and enforcement is introducing new security problems. These challenges are compounded when network architectures have to evolve to ensure a better user experience. To protect your business, as network architecture evolves, so must the security model.

Users, Apps and Data: the Recipe for Zero Trust Network Access

Proxies may seem like an easy solution to control and secure access to cloud apps, but if you’re like most organizations, you have some apps that cannot sit behind a proxy due to the protocols they use. If these apps are protected by a firewall, why use different protections in different areas? This question is especially relevant if you’re looking to “lift and shift” applications from your data center to a public cloud service. Your security approach needs to be able to inspect any application’s traffic, regardless of the protocols in use. Organizations need to apply better control and stronger protection with full Layer 7 content inspection in order to gain complete visibility into where users are connecting from, what applications they are using, what they are doing with the applications and what data they are trying to access. No proxy can do this.

Therein lies the need for Zero Trust Network Access (ZTNA). By applying the Zero Trust mantra, “Never trust, always verify,” organizations can establish proper user context through authentication and attribute verification before allowing access to apps and data in the cloud or data center. A true ZTNA approach requires full content inspection to identify users and ensure policies can be applied to restrict access and enforce proper behavior once access is granted, regardless of application type. This allows organizations to minimize data loss and quickly mitigate security issues or threats that may arise. Trusting what happens within the session once access is granted by policy is not Zero Trust; it is a recipe for disaster, especially when granting access to unmanaged devices, third parties and unknown bad actors.

All-in-one ZTNA Solutions Don’t Exist

Many products today claim to solve ZTNA through software-defined perimeter (SDP), identity and access management (IAM), browser isolation (BI/RBI) or other solutions. However, these point solutions don’t address content inspection. Organizations can experience a false sense of security when traffic is sometimes inspected and sometimes not. To achieve full content inspection and consistent protection, organizations must define their requirements properly, and meeting those requirements with point products results in more solutions that organizations must customize, manage and maintain, adding to the complexity of an already difficult task. So how can organizations achieve ZTNA without adding large bundles of non-integrated security products?

Network Architecture Has Evolved: Introducing SASE

As the world has evolved and extended to the cloud, so must network and security architectures. Utilizing multiple point products not only makes management and visibility difficult, it also creates security gaps; more policies to manage means more opportunities for misconfiguration. We believe these challenges are being addressed by a new model Gartner has developed, combining networking and security services into one cloud-delivered platform, called “secure access service edge,” or SASE (pronounced “sassy”).

According to Gartner, “By 2023, 20% of enterprises will have adopted secure web gateway (SWG), cloud access security broker (CASB), ZTNA and branch firewall as a service (FWaaS) capabilities from the same vendor, up from less than 5% in 2019.”

To that end, Prisma™ Access, by Palo Alto Networks, is a single, comprehensive solution that provides all of the networking and security services that organizations need in a SASE architecture designed for all traffic, all applications and all users.

SASE with a Side of ZTNA

Simple policies and easy management are key for a SASE solution. Prisma Access is based on the key ZTNA principles, extending them across all the services within a SASE solution. By identifying and controlling users, devices and applications, irrespective of where they are, organizations can benefit from using a single cloud solution for ALL of their connectivity and security needs.

Read our Applying Zero Trust to Cloud Environments whitepaper to learn more.

Gartner, The Future of Network Security Is in the Cloud, Neil MacDonald, Lawrence Orans, Joe Skorupa, 30 August 2019

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
