Rethinking Zero Trust Network Access for a Zero Trust Strategy

Jun 08, 2020

As the world shifts to working from home, companies face new demands to provide fast and reliable access to corporate resources for remote workers. Virtual private networks (VPNs) have traditionally been used to give remote users the same access they would have in the office, but this approach has significant problems that organizations need to address. In response, many organizations have deployed Zero Trust Network Access (ZTNA) solutions, which keep the benefits of VPNs while avoiding their main flaws. But protecting an organization's network end to end requires more than a product: it requires a Zero Trust strategy.


Zero Trust Network Access: Enhancements Over Traditional VPNs

VPNs give organizations a quick and easy way to let remote workers onto the corporate network while shielding data in transit from attackers. To close the gaps that VPNs leave open, organizations are turning to ZTNA. ZTNA solutions offer:

  • Better Detection for Infiltration and Threats – Encrypting traffic is important, but a VPN only secures data in transit; it does not detect whether the connecting endpoint is already compromised. And because VPN traffic stays encrypted until it reaches the VPN concentrator, a firewall it tunnels through cannot inspect it either. ZTNA solutions give better visibility into the connecting endpoint and its traffic, and therefore better detection of threats.
  • Tighter Access Control – Standalone VPNs often give users more access to privileged resources – applications, files and servers – than their jobs require. An attacker who compromises such an endpoint gains not only an encrypted foothold into the network but the ability to see and pivot to other privileged resources. Network segmentation mitigates some of this risk, but rolling it out is painstaking, especially without a centralized tool to manage the process, and harder still when remote access must be provisioned rapidly for a surge in remote users. ZTNA offers tighter access and policy control, allowing an organization to shut down unauthorized access quickly.

Most ZTNA solutions today deliver the access-control benefits of VPNs but do not inspect the traffic itself for threats. Many also verify a user once, at connection time; if that user's credentials or device are compromised after the check, the session stays trusted. This is where a Zero Trust strategy comes in.


Zero Trust Is a Strategy, Not a Plug-in Solution

Zero Trust has emerged as an end-to-end cybersecurity strategy that applies not just to users but to endpoints, workloads, apps and content. Under this strategy, no user, endpoint, app or content is trusted by default, even if it was previously authenticated and admitted to the network. Every access is verified, at every point in the entity's path through the network.

The first step in a Zero Trust strategy is authenticating an entity (a user, endpoint, app or piece of content) before it is given access to the corporate infrastructure. This is where ZTNA solutions come into play. ZTNA puts the Zero Trust principle of least-privilege access into practice by controlling what users can reach, and how, as they access the network or the front end of an application. Users are granted access only to the applications they need for their jobs, not to the network as a whole. With a cloud-based ZTNA, security policies apply consistently to every user, regardless of location.

However, this still does not cover all the bases. A complete Zero Trust strategy also detects data exfiltration, scans for malware, watches for behavioral indicators of compromise, and includes threat and vulnerability detection.
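The difference between a one-time connect check and a per-request Zero Trust decision is easier to see in code. The following is an added example, not code from this post or from any Palo Alto Networks product. It models a minimal ZTNA-style policy broker that re-evaluates device posture, application entitlement and MFA step-up on every request, beside a legacy VPN tunnel that checks once at connect time and then grants network reach. The user names, device IDs, role-to-application entitlements and posture attributes are constructed for illustration.

```python
"""Per-request access decisions (ZTNA-style) versus a one-time VPN check.

All identities, devices, roles and applications here are hypothetical and
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool  # endpoint agent reports no active compromise

    def compliant(self) -> bool:
        """Posture check; evaluated fresh each time it is called."""
        return self.managed and self.disk_encrypted and self.edr_healthy


@dataclass
class Session:
    user: str
    roles: FrozenSet[str]
    device: Device
    mfa_verified: bool


# Least-privilege entitlements: each role maps to the applications it needs.
# There is deliberately no "network" grant; access is always per application.
ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "everyone": frozenset({"wiki", "hr-portal"}),
    "finance": frozenset({"erp", "expense-portal"}),
    "engineer": frozenset({"git", "ci", "wiki"}),
}

# Applications that require a fresh MFA step-up even for an entitled role.
STEP_UP_APPS: FrozenSet[str] = frozenset({"erp"})


@dataclass
class Decision:
    allow: bool
    reason: str


def authorize(session: Session, app: str) -> Decision:
    """Evaluate policy for ONE request. Called on every request rather than
    once per login, so a posture change mid-session is caught immediately.
    Default is deny: every branch that does not explicitly allow returns False."""
    if not session.device.compliant():
        return Decision(False, "device posture failed")
    allowed = set(ENTITLEMENTS["everyone"])
    for role in session.roles:
        allowed |= ENTITLEMENTS.get(role, frozenset())
    if app not in allowed:
        return Decision(False, f"{session.user} not entitled to {app}")
    if app in STEP_UP_APPS and not session.mfa_verified:
        return Decision(False, "step-up MFA required")
    return Decision(True, "ok")


class LegacyVpnTunnel:
    """The one-time-trust failure mode: credentials and posture are checked
    at connect time only; afterwards the tunnel grants reach to the network."""

    def __init__(self, session: Session):
        self.connected = session.device.compliant() and session.mfa_verified

    def reach(self, app: str) -> bool:
        return self.connected  # any app on the network, never re-checked


def walkthrough() -> Dict[str, List[bool]]:
    """Same user, same device, same sequence of requests under both models.
    Midway, the endpoint agent flags the laptop as compromised."""
    laptop = Device("lt-0042", managed=True, disk_encrypted=True, edr_healthy=True)
    alice = Session("alice", frozenset({"finance"}), laptop, mfa_verified=True)
    vpn = LegacyVpnTunnel(alice)
    ztna: List[bool] = []
    legacy: List[bool] = []

    for app in ("erp", "git"):  # entitled to erp, not to git
        ztna.append(authorize(alice, app).allow)
        legacy.append(vpn.reach(app))

    laptop.edr_healthy = False  # endpoint reports active compromise
    ztna.append(authorize(alice, "erp").allow)  # re-evaluated: now denied
    legacy.append(vpn.reach("erp"))  # tunnel still up: still allowed

    return {"ztna": ztna, "vpn": legacy}


if __name__ == "__main__":
    print(walkthrough())
```

The ZTNA path denies the `git` request because the finance role is never entitled to it, and denies the third `erp` request because posture is re-read on every call; the VPN model allows all three because its only check ran at connect time. In a real deployment the posture signal would come from an endpoint agent and the entitlements from an identity provider, but the shape of the decision is the same.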


Prisma Access and Zero Trust 

Palo Alto Networks products can help organizations achieve an end-to-end Zero Trust strategy. Prisma Access is Palo Alto Networks' ZTNA offering: a cloud-delivered secure access service edge (SASE) that combines SD-WAN and security capabilities in a single platform. Prisma Access is built on the key requirements of ZTNA: authenticating a user at the secure access service edge, provisioning access to privileged resources, and continually monitoring user behavior once the user connects.

Additionally, Prisma Access shields private applications from public exposure to the internet by directing users through the cloud-based SASE, where they are authenticated. Access is then provisioned according to the policies the organization sets for the given user, role or device type, regardless of location. Finally, Prisma Access monitors all authenticated user traffic to and from the application for malware signatures, intrusion behaviors and indicators of data loss, using our patented single-pass architecture.

Zero Trust Network Access is just one aspect of a complete Zero Trust strategy. Learn more about what a Zero Trust strategy should entail in this video by Palo Alto Networks founder and CTO Nir Zuk. 

This post is part of a series covering “Zero Trust Throughout Your Infrastructure.”
