The ZTNA Superpowers in Prisma Access

Sep 09, 2021

This is part 2 of a 3-part series where we take a closer look at the ZTNA-related strengths of Prisma Access as cited in the recent Forrester New Wave™: Zero Trust Network Access, Q3 2021 report. Did you miss part 1? Read it here.

With users, devices, applications, and data everywhere, gone are the days when encrypted remote access tunneling was sufficient to get users to the resources they need to do their jobs. The “crusade to kill the VPN” was a major driving force behind Forrester’s recent New Wave™: Zero Trust Network Access, Q3 2021 report. In this report, Forrester notes that “VPN performance issues, more than any other factor, drove enterprises to adopt ZTNA for secure remote access to keep their remote employees working.”

This has certainly been our experience during the pandemic. Still, many organizations continue to overlook the critical importance of threat detection and prevention, enterprise data loss, and credential compromise and abuse as differentiators amongst ZTNA solutions. 

VPN compromise, brute forcing of remote access tools like SSH and RDP, and 2FA bypass via social engineering are common tactics used in many recent breaches that have reached headlines. In fact, according to one recent study, more than 80% of breaches involved compromised credentials.

Unsurprisingly, user credentials and personally identifiable information are consistently among the top pieces of data sought by attackers. Worse, credential and remote access compromise are consistently among the hardest attacks to detect and the longest to persist, typically taking close to a year to identify and contain, according to IBM’s annual Cost of a Data Breach Report.

With the new reality of hybrid work and continued proliferation of external applications, organizations have become perimeterless. Many organizations recognize they need to address this shift while still containing technology and policy sprawl. Point products don’t coordinate or orchestrate security policies, making automation difficult. And though Identity Providers are an obvious requisite, they only provide part of the solution. 

You can use the following 5 questions to assess your own organization’s security posture:

  1. How quickly can we implement policy changes if a user's authorization changes? 
  2. How many security controls are still based on IP addresses and networks? 
  3. How quickly can we identify and respond to improper or spoofed access attempts? 
  4. Do we have means of providing adaptive access, or triggering additional action such as MFA, to resources based on device type, time, or location? 
  5. Can we mitigate the insider threat of an employee having authorized access to critical resources and attempting malicious activity?

This is why identity-based access is crucial. It’s about identifying and tracking users based on immutable characteristics, not IP addresses, and provisioning them with application-specific access and dynamically changing permissions as needed. 

This is exactly what we’ve built with Prisma Access. We integrate with multiple identity providers (including Okta, Google, and Microsoft), and with multiple IDPs at the same time, providing customers a centralized way of managing role-based, granular access control for all users whether they are on managed or unmanaged devices. 

ZTNA Superpower 1: Threat Detection 

Prisma Access uses single-pass inspection to identify and map user-based access controls to applications. This capability, unique to Prisma Access, also inspects traffic at layers three through seven for signs of zero-day malware. 

Why is this capability so important? Because hackers and cyberattacks continually become more sophisticated. 

For example, attackers today commonly use second-stage malware implants to gain access to a single application and then compromise users with elevated privileges. This attack strategy defeats the logical segmentation that most ZTNA solutions provide. However, Prisma Access is not a typical ZTNA solution: it can identify and block these attacks in real time, using WildFire for behavior-based code analysis together with signature-based malware and intrusion detection, all in a single pass. What’s even better is that this is all done without negatively impacting user experience. 

ZTNA Superpower 2: Credential Theft Prevention 

Since credential theft is leveraged in the vast majority of breaches, it matters that most of this theft is carried out through spear phishing: unsuspecting users entering passwords and usernames, many of which are reused across applications, into fake forms or replying to spoofed emails. Prisma Access detects and prevents credential phishing by blocking untrusted sites and scanning user credentials for corporate passwords and usernames as they’re entered into websites. 

ZTNA Superpower 3: Continuous Trust Assessment

With dynamic user group monitoring, Prisma Access automatically adapts controls based on risk factors even before the IDP or identity stores are updated. Both user and device are continuously assessed, including the posture and location of the connecting device. For example, did the user recently reconnect from a different device? Did they resume their session in a different location? If the user is connecting from public WiFi, this also increases their risk profile. 

User and device trust is continuously and dynamically assessed, and all content is scanned for signs of credential compromise and data loss. Prisma Access also implements policy-based MFA, which challenges users to step up authentication as they access higher-sensitivity applications or as their risk profile changes. We’re also enforcing this at the first packet, which is critical for preventing attempted lateral movement. 

Continuous verification is the bedrock of the Prisma Access policy and data path engines. Each access attempt and flow is assessed to ensure policy-based secure access from the user and device to the app while seamlessly preventing threats and data loss. We use purpose-built supervised and unsupervised models both "inline" on the data path and out-of-band, with Palo Alto Networks creating the world's first ML-powered inline security products. 

In the next blog post we’ll look at Prisma Access deployment flexibility and how we secure access to legacy on-premises and cloud-based applications. In the meantime, you can download a copy of the Forrester report here.
