SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Palo Alto Networks says ZTNA 1.0 not secure enough
Fri, 13th May 2022

Cybersecurity company Palo Alto Networks is urging the industry to move to Zero Trust Network Access 2.0 (ZTNA 2.0) because it says first-gen solutions have major gaps in security protection and can put organisations at risk.

Palo Alto Networks says ZTNA was developed to replace virtual private networks (VPNs) when it became clear that most VPNs did not scale adequately and were too permissive.

However, the company says ZTNA 1.0 still falls short.

Palo Alto Networks' founder and chief technology officer Nir Zuk says this is a critical time for cybersecurity.

"We are in an era of unprecedented cyberattacks, and the past two years have dramatically changed work for many; work is now an activity, not a place. This means that securing employees and the applications they need is both harder and more important," he says.

"Zero trust has been embraced as the solution and it is absolutely the right approach! Unfortunately, not every solution with Zero Trust in its name can be trusted."

Palo Alto Networks says for modern organisations where hybrid work is the norm, ZTNA 1.0 has several limitations.

It says the first-gen solution grants access to applications too easily because it can't control access to sub-applications or particular functions.

Palo Alto Networks says there is also no monitoring of changes in user, application or device behaviour, that ZTNA 1.0 can't detect or prevent malware or lateral movement across connections, and that it can't protect all enterprise data.

On the other hand, the company says ZTNA 2.0-capable products operate differently. For example, they offer:

  • Least-privileged access: enables precise access control at the application and sub-application levels, independent of network constructs like IP addresses and port numbers.
  • Continuous trust verification: after access to an application is granted, trust assessment continues based on changes in device posture, user behaviour and application behaviour.
  • Continuous security inspection: uses deep and ongoing review of all application traffic, even for allowed connections, to help prevent threats, including zero-day threats.
  • Data protection: provides consistent control of data across all applications, including private applications and SaaS applications, with a single data loss prevention (DLP) policy.
  • Security for all applications: consistently secures all types of applications used across the enterprise, including modern cloud-native applications, legacy private applications and SaaS applications.

Optiv engineering fellow Jerry Chapman says that security can be complicated because of ever-changing requirements and an increase in cloud and mobile technologies.

"Rethinking Zero Trust is essential for modern, hybrid organisations to prevent threats," he says.

"Together with Palo Alto Networks, we're advising our customers to incorporate ZTNA 2.0 principles like continuous review of identity and connection across their domains to stay secure."

Palo Alto Networks says its service Prisma Access is currently the cybersecurity industry's only solution that meets ZTNA 2.0 requirements. Prisma Access protects all application traffic with best-in-class capabilities while securing both access and data.