This post is also available in: 日本語 (Japanese)
Why Zero Trust Is Essential in a Post-Pandemic World
This blog is part of our “ZTNA Partners,” a series where we take a closer look at how our partnerships protect today's hybrid workforces and environments with ZTNA 2.0.
Digital transformation is not a “someday” goal but a “today” imperative. In this post-pandemic world, work is no longer just a place we go, but an activity we perform, with 82% of organizations adopting a hybrid cloud strategy. In fact, most organizations use an average of 110 SaaS apps within their environments. And, part of the challenge isn't just that apps are everywhere, but users are too – expanding the attack surface dramatically. When combined with a threat landscape that’s becoming more sophisticated, it's a perfect storm that demands organizations do something different to limit exposure and provide better security.
Interest in and adoption of Zero Trust Network Access (ZTNA) has exploded. However, the rapid transformation to hybrid work and hybrid networks/clouds has exposed weaknesses in the first ZTNA approaches. As part of our unveiling of ZTNA 2.0 with Palo Alto Networks Prisma® Access, I sat down with Andrew Rafla, Partner/Principal and Cyber Risk/Zero Trust Leader at Deloitte, to help demystify ZTNA and its evolution:
“One of the biggest challenges in achieving a Zero Trust state and truly moving toward this concept of ‘never trust, always verify’ is the fundamental understanding of the application and user estate,” Andrew told me. “In other words, what applications exist within a client’s environment, who should be able to access those applications, and under what conditions. These are fundamental questions that need to be answered, and only a ZTNA 2.0 model helps to fully realize the benefits of the zero trust model.”
Previous iterations of ZTNA fall short of these requirements. First and foremost, the first generation of ZTNA vendor implementations (which we call ZTNA 1.0) violate the core foundational principle of least privilege access by using an application’s IP address or port number as a proxy for the application itself. Defining an application by network constructs invariably leads to a broad degree of access.
Imagine the analogy of securing a commercial airline flight. You show your boarding pass and driver's license when you go to an airport. Your license serves as a user ID, your boarding pass represents a resource to gain access – one plane at a specific gate, departure date and time, one seat in a specific section. With ZTNA 1.0, you get a boarding pass that just shows an IP address (essentially providing the address of the airport, but not limiting access to any plane at the airport).
The second limitation of ZTNA 1.0 is around “allow and ignore.” Just because you get past TSA security doesn't mean you can do whatever you want. You can’t disrupt flight attendants, or ignore rules. So you need continuous trust verification via continuous monitoring.
The third limitation has to do with data inspection and security. Returning to the airport analogy, this means that not only are the passengers (users) inspected, but also the luggage (data).
In a post-pandemic world, a ZTNA 2.0 model addresses these fundamental shortcomings to better protect today’s hybrid workforce.
In the decade since Zero Trust was first introduced, the business environment has shifted dramatically. In our post-pandemic world, organizations realize their employees need flexibility not only where they work, but how they work and the applications they now utilize to get their work done.
“The mobile and the hybrid workforce is here to stay,” Andrew explained during our conversation. “More and more organizations are realizing that people just want to work for organizations that provide flexibility in how they work and where they work and the devices that they work from. One of the considerations around achieving a Zero Trust environment is really about supportability – supporting the increasingly mobile and hybrid workforce. That requires compatibility with both traditional laptop and desktop devices, as well as the common operating systems found on mobile devices.”
ZTNA 2.0 addresses these organizational requirements while maintaining the core fundamental principle of least-privileged access. It offers a consistent, frictionless end-user experience that maximizes security capabilities without any additional burden. And finally, it enables continuous trust verification – providing deep security and data protection for all applications.
When I asked Andrew what advice he would offer to organizations looking to adopt ZTNA 2.0, he offered several suggestions:
- Prioritize Business Needs over Technology – It’s important that organizations don’t look at Zero Trust adoption as a rip-and-replace technology initiative. Rather, it should support key business initiatives in a way that will allow the organization to be more secure, agile and resilient to change.
- Drive Consensus around the Need for Zero Trust – It’s not just the cybersecurity team, but also IT operations, help desk, end users and other business stakeholders.
- Take an Iterative and Incremental Approach – Start with low-risk targets, such as a low-risk user population and/or set of applications, to minimize the potential for operational impact and implement lessons learned along the journey. Ultimately you can adopt those lessons learned for the company’s highest-value “crown jewels” – its mission-critical applications and data.
The journey toward Zero Trust is one that prioritizes business needs over technology – putting organization on the path to be more secure, agile and resilient to change in a post-pandemic world.
Palo Alto Networks Prisma Access is the industry’s only ZTNA 2.0 solution. Combined with Deloitte’s Zero Trust framework and professional services, Prisma Access helps organizations accelerate the adoption of a Zero Trust cybersecurity strategy.
To learn more about Prisma Access and ZTNA 2.0, watch the ZTNA 2.0 Launch Event on-demand.