Palo Alto Networks Shifts Zero Trust To Application Layer

This syndicated post originally appeared at Zeus Kerravala, Author at eWEEK.

Security pros should seek out a zero trust solution that operates at the application layer. This provides much greater security, agility and automation than offered by first generation products.

Palo Alto Networks has announced what it calls Zero Trust Network Access (ZTNA) 2.0, which shifts the focus of ZTNA from the network to the application layer.

Implementing zero trust has been top of mind for security pros for the past couple of years. Pre-pandemic, the topic had been gaining momentum, but interest in it exploded as work from home increased, applications moved to the cloud and the IT environment got more complex. In many cases, networks became too complicated to secure with traditional tools.

While ZTNA holds a lot of promise, the reality is that it was designed for a completely different environment and thus current solutions do have limitations.

The biggest issue is that most ZTNA 1.0 solutions violate the principle of least privilege. The Internet was designed around the concept that anything can talk to everything, which is why it’s so fast. The downside of this is that when a network is breached, the threat actor now has access to the entire environment. ZTNA flips that around and states that nothing can talk to anything else unless explicitly allowed, which is the concept of least privilege.

Network-Centric Zero Trust and Application Threats

The issue with most current ZTNA solutions is that they use network constructs such as IP address and port number. This can work if things are statically addressed, but most modern applications use dynamic addresses and ports. So the policies must grant access to a broad range of IP addresses and ports, exposing a much larger attack surface than is necessary.

Also, access is typically restricted at the application level, not at the sub-app or app function level, also exposing more than is required. Any malware that uses the same addresses and ports can breach the environment and then spread laterally.

By operating at the application layer, the principle of least privilege can be realized, as this enables precise access control at the application and even sub-application level, independent of the network. This can be particularly useful in highly dynamic environments when users and applications are constantly on the move, as no policies need to be rewritten or modified.

ZTNA 2.0 Continually Validates Trust

Another issue with traditional ZTNA is that once access to an application is granted, the connection is implicitly trusted in perpetuity. The assumption is that the user and app will operate in a trustworthy manner, which is not always the case.

Most breaches occur on allowed activity, so the “allow and ignore” model of ZTNA 1.0 solutions pose significant risk. Palo Alto Networks’ ZTNA 2.0 approach continually assesses trust based on changes in device posture and user and application behavior. As an example, if a user disables a security function or starts accessing applications from an unexpected location, the access will be revoked in real time.

The shift to the application layer enables continuous security inspection. In many ways, current ZTNA solutions were designed as an access control mechanism to be a smarter, better VPN. Incorporating continuous security inspection provides the ability to detect or prevent malware or lateral movement across connections once access is granted.

Palo Alto’s solution provides deep and continuous inspection of all traffic, even for allowed connections. This guards against zero-day attacks and other threats. This is important in scenarios where legitimate user credentials are stolen and used for nefarious purposes.

Cloud Native Apps Require Modernized Security

Lastly, ZTNA 2.0 protects all applications. First generation ZTNA can only secure private apps that use static IP addresses and ports. This leaves microservices-based, cloud-native applications, which use dynamic ports, wide open to attacks.

Voice and video apps are excellent examples of this and saw usage explode during the pandemic. Also, most ZTNA solutions are blind to SaaS apps and require CASB to be deployed alongside it. Given that businesses are moving more apps to SaaS, this is an increasingly bigger limitation of first generation ZTNA. Because ZTNA 2.0 operates at the application layer, it sees any app, cloud or legacy.

In addition to delivering ZTNA 2.0, Palo Alto Networks has also added the following new capabilities to Prisma Access:

  • ZTNA Connector simplifies the process of onboarding cloud native and traditional applications into the service, simplifying deployment.
  • Unified SASE solution enables customers to have a common policy framework and data model for all SASE functions.
  • Self-serve autonomous digital experience management proactively notifies administrators of issues that require immediate attention and then gives recommendations on how to remediate.

The world is slowly emerging from the impact of the pandemic and that brings several changes to the way we live now. One of the biggest differences is that hybrid work is here to stay for the foreseeable future, and that requires a completely different way of thinking about providing secure access to applications.

Zero trust is the right path forward but not all solutions are the same. Security pros should seek out a solution that operates at the application layer. This provides much greater security, agility and automation than offered by first generation products.

Author: Zeus Kerravala

Zeus Kerravala is the founder and principal analyst with ZK Research. Kerravala provides a mix of tactical advice to help his clients in the current business climate and long term strategic advice.