ZTNA 1.0’s Security Inspection Problem

Jun 01, 2022


ZTNA 2.0 Provides Deep and Ongoing Security Inspection

This is part 3 of “ZTNA Straight Talk,” a 5-part series where we take a closer look at the five tenets of ZTNA 2.0, the new standard for securing access.

The rapid move to hybrid work, brought about by the pandemic, drove the adoption of ZTNA as a new way to securely connect users with the applications that they need to get work done from anywhere. However, as I discussed previously, initial implementations of ZTNA have been deeply flawed.

In my previous post, I talked about how the ZTNA 1.0 concept of “allow and ignore” is a recipe for disaster. Under this concept, once a connection is established, all user and device behavior for that session is trusted implicitly and goes unchecked. Unfortunately, the “allow and ignore” approach has another limitation: it precludes any security inspection of the traffic.

ZTNA 1.0 Lacks Security Inspection

Because the “allow and ignore” model lacks security inspection, a ZTNA 1.0 solution has no means to detect malicious traffic or traffic from a compromised device and respond accordingly. There are no in-line controls to expose and inspect the traffic payload and determine whether anything malicious or unknown is being introduced. Likewise, there is no mechanism to take action, whether by blocking the traffic, terminating the session or, at the very least, reporting anything unusual.

This turns ZTNA 1.0 into a “security-through-obscurity-only” approach, which further puts organizations, their users, apps and data at risk of malware, compromised devices and malicious traffic.

ZTNA 2.0 Includes Continuous Security Inspection

ZTNA 2.0, delivered by Prisma Access, provides deep and ongoing inspection of all traffic to prevent all threats, including zero-day threats. This is especially important in scenarios where legitimate user credentials have been stolen and used to launch attacks against applications or infrastructure. ZTNA 2.0 offers a complete set of protections, including WildFire sandboxing, Advanced URL Filtering, threat prevention, SaaS security, DNS security and more, that safeguard against even the most sophisticated threats.

With our AI and ML-powered threat prevention technologies, we stop 95% of zero-day threats inline. This means you don’t need a first victim or have to wait for signatures to be updated to be protected – your environment is instantly protected.

The combination of continuous trust verification and continuous security inspection is a powerful model for delivering better security for today’s hybrid workforces and overcoming some of the shortcomings of ZTNA 1.0 solutions.

ZTNA 2.0 Is Zero Trust with Zero Exceptions

Pursuing a true Zero Trust posture is a journey, and ensuring that security inspection is conducted in a robust and consistent manner is an important step. That’s why continuous security inspection is an important component of ZTNA 2.0.

Watch our ZTNA 2.0 launch event, where we’ll discuss innovations and best practices for securing the hybrid workforce with ZTNA 2.0. Stay tuned for next week’s Palo Alto Networks blog, where I’ll discuss the third principle of ZTNA 2.0.
