Zero trust network access (ZTNA) is an approach to network design that follows a “never trust, always verify” model. This means that no user or device will ever be trusted by default, even if they are connected directly to your local company network.
ZTNA has been a concept used in network design for decades, but the recent surge in remote working has seen ZTNA solutions gain center stage. The best ZTNA solutions offer a way for companies to keep assets like databases, servers, and applications secure while still allowing remote users access.
In June 2022, cybersecurity company Palo Alto Networks launched a new initiative called ZTNA 2.0, aimed at further improving ZTNA. In this guide, we’ll look at what ZTNA 2.0 brings to the table and how ZTNA may evolve over the next few years.
First-generation ZTNA: Improving on outdated network models
Traditionally, a company would allow its remote users to access resources like databases, applications, and servers through the use of a VPN. The remote employee connecting through the company VPN could access all the resources as if they were using a machine physically connected to the corporate intranet.
ZTNA, which Palo Alto Networks calls ZTNA 1.0, recognizes that using VPNs has significant weaknesses. Allowing remote users access to every resource on a company network is a big security risk.
ZTNA adds more fine-grained control over which applications users and devices can access at any time. No matter where the remote device is connecting from, it must always go through a central trust broker before gaining access to an application.
This is not only more secure, but it can also simplify network setup and allows for better scaling by using ZTNA to secure both intranet and cloud-based resources.
Do current ZTNA solutions do enough?
Palo Alto Networks believes that current ZTNA solutions fall short of the promise of true zero trust. Its position is that many ZTNA solutions will trust a connection after access is granted once.
Trusting a user or device for an entire session after one-time verification is a security risk. A lot can change after the verification has been performed, such as the remote device becoming compromised or stolen.
Palo Alto Networks states that many of the current ZTNA solutions work at the Layer 3 and Layer 4 levels of the Open Systems Interconnection (OSI) model. This means that they only have visibility of IP addresses and TCP/UDP transactions, so they can’t be particularly smart about the authentication and authorization they perform.
It also means that if your application uses dynamic IP addresses or ports, you’re required to open a broad range of IP addresses and ports. This undermines the idea that ZTNA offers fine-grained control over application access and means those ZTNA solutions are barely better than the VPN solutions that came before them.
How does ZTNA 2.0 differ from ZTNA 1.0?
ZTNA 2.0 is the name Palo Alto Networks has given to the security model used by its next-generation ZTNA solutions.
Most notably, ZTNA 2.0 enforces the principle of least privilege from Layer 3 to Layer 7 of the OSI model. This means that instead of seeing only IP addresses and TCP/UDP transactions, ZTNA 2.0 solutions have a better context of what is happening between users, devices, and applications.
In other words, instead of only being able to see which application a user is attempting to access, a ZTNA 2.0 solution can see what they’re trying to do with the application. This allows it to make better decisions on which transactions to allow and which to deny.
What else does ZTNA 2.0 add?
Instead of following an “allow-then-ignore” model, both devices and users are constantly monitored after access to apps is first granted.
If a user or device behavior changes significantly, a ZTNA 2.0 solution will require them to verify again. This is bolstered by continuous security inspection that aims to recognize and prevent threats such as viruses, malware, and network attacks.
ZTNA 2.0 also has features for data loss prevention (DLP). All data is secured by the system and no one can access the data without first going through the trust broker. This effectively limits the number of channels a malicious actor could attempt to use to gain access to sensitive data.
Not only does this make your data more secure, but it can also greatly simplify DLP across your apps as it is all handled by one central system.
Is ZTNA 2.0 the future?
The ZTNA 2.0 initiative recognizes the significant security challenges faced by companies since the explosion of remote work and the increased use of cloud apps. Not all ZTNA security solutions can provide much better answers to these challenges other than the use of VPNs.
Detractors of the ZTNA 2.0 initiative will say that it is merely a term coined by Palo Alto Networks to make its products look more secure than its competitors. Many comprehensive ZTNA solution providers, like Perimeter 81, already include a version of most or all of the features outlined in the ZTNA 2.0 whitepapers.
Conclusion
The ZTNA 2.0 initiative is an attempt by Palo Alto Networks to improve upon the implementation of zero trust network architecture solutions. Palo Alto Networks suggests that many current implementations are too lax and fall short of being truly zero trust.
It states that by monitoring users, apps, data, and devices more stringently than lesser solutions, a ZTNA 2.0 security system can make more intelligent decisions about when to accept or deny access while reacting more quickly to potential security threats.
For more information on ZTNA, take a look at our favorite ZTNA providers and our comprehensive guide to ZTNA.
