Why today’s ZTNA products fall short

The pandemic caused many dramatic changes in the way we work, live, and connect with others. One of the most significant included the mass and rapid adoption of hybrid work, which requires employees to have access to sensitive data and business applications from anywhere.

Modern enterprises are responsible for protecting the sensitive information of customers and employees as well as their intellectual property from accidental leakage or theft. However, the task of protecting this data is more challenging to achieve in today’s world, where sophisticated breaches are increasingly prevalent.

With the explosion of cloud and Software-as-a-Service (SaaS) apps over the last several years, this data and these applications can now live virtually everywhere. To securely connect employees to the data and applications they need to do their work, organizations began to adopt zero-trust network access (ZTNA) solutions. Unfortunately, many of these initial ZTNA solutions (ZTNA 10) developed by security vendors contain some alarming deficiencies. Here are some of the issues they present:

Before unpacking the challenges with ZTNA 1.0, we first need to discuss remote access virtual private networks (VPNs). VPNs have long been used to deliver remote access to corporate networks. While this approach was never ideal, there were no practical alternatives, and it was deemed acceptable because it was infrequently used by only a relatively small number of users who were “trusted” once they were connected.

One important part of a zero-trust approach is least-privileged access. According to a Gartner report, “to properly implement the principle of least privilege and more effectively mitigate the risk of standing privileged access, IAM-focused security and risk management leaders (IAM leaders) should: reduce excessive privilege by embracing the principle of least privilege, and providing accounts that are limited in scope.”

The idea: limiting access to the bare minimum will reduce exposure if something goes wrong and enable security teams to effectively mitigate threats.

ZTNA 1.0 was intended to solve this challenge by limiting users’ access to only the specific applications they need, rather than entire networks. However, the way vendors designed ZTNA 1.0 solutions resulted in administrators needing to paint with a broad brush when writing access control policies, ultimately granting far more access than intended.

With applications and users everywhere, not just in the office, a more secure approach would enable new capabilities for precise access control for all types of applications, independent of network constructs like IP addresses and port numbers.

Another important zero-trust principle is continuous trust verification. Once an app gets granted access, continuous trust assessment becomes ongoing based on changes in device posture, user behavior, and application behavior.

ZTNA solutions essentially work as an access broker to facilitate connectivity to an application. When a user requests access to an application, the access broker authenticates the user and determines whether the user should have permission to access the requested application or service. Once the permission gets verified, the access broker grants access, and the connection between the user and the app becomes established.

With ZTNA 1.0, that’s it. The user was given complete access to whatever resides  within that application without any additional monitoring from the security system. We call this dynamic the “allow and ignore” model and it’s considered very risky. Once the access broker establishes the connection between the user and the application, there’s no more interrogation of the user, device, or application. Essentially, the broker presumes that it’s a trusted connection, or at least for the duration of that session, and all user and device behavior for that session goes unchecked. This lack of verified trust becomes a recipe for disaster.

With an awareness of vulnerabilities caused by the “allow and ignore” model, next-generation ZTNA solutions can implement continuous verification capabilities to constantly monitor for malicious or risky changes to device posture, user behavior, and application behavior. This allows the system to respond appropriately to suspicious behavior in real time.

For a solution to truly enable zero-trust, it must use deep and ongoing inspection of all application traffic, even for allowed connections, to help prevent all threats – including zero-day threats.

Because ZTNA 1.0 solutions often follow the “allow and ignore” model, they also lack the ability to conduct security inspections and don’t have the means to detect any malicious or other compromised traffic and respond accordingly. With no inline controls to expose and inspect the traffic payload to determine if anything malicious or unknown has been introduced, actions (like blocking traffic, terminating the session, or reporting anything unusual) can’t be taken to defend against an attack. This turns ZTNA 1.0 into a “security through obscurity only” approach, which further puts organizations, their users, apps, and data at risk of malware, compromised devices, and malicious traffic.

ZTNA 1.0 solutions also lack data protection capabilities since they can’t monitor data exfiltration or loss, especially for data within private applications. This leaves most of the organization’s app traffic vulnerable to data exfiltration from malicious insiders or external attackers. Solving for this challenge would require completely different data loss prevention (DLP) products to protect sensitive data in SaaS applications, which can introduce more complexity and risk.

It's better to provide a constant deep inspection of all traffic to defend against all threats, including zero-day threats, especially in scenarios where user credentials have been stolen and used to launch attacks. AI and machine learning-powered threat prevention technologies can help stop a majority of zero-day threats inline, meaning the corporate environment is automatically protected, regardless of available attack signatures.

We’ve all experienced it: Today, work has become an activity and not a place or location – we no longer “go to work;” we “start work” from wherever we are. This new reality impacts how organizations securely connect employees and devices to the applications and data they need to do their jobs. In a world where applications and users are everywhere, it's critical that we take a true zero-trust approach to security with zero exceptions. To do this, cybersecurity solutions need to continuously evolve to address the needs of today’s rapidly changing threat environment. By understanding ZTNA 1.0’s shortcomings, we can improve upon them in the next iteration of ZTNA. ESG and others have called this ZTNA 2.0.

Think of zero-trust posture as a journey. ZTNA 2.0 solves these problems (and more) by removing implicit trust to help ensure organizations are properly secured with a zero-trust solution that actually follows zero-trust principles. By addressing these key flaws, we can remove all implicit trust to ensure that organizations are properly secured to meet the challenges of modern threats, applications, and hybrid workforces.

Kumar Ramachandran, senior vice president, product and Go-To-Market, Palo Alto Networks