ZTNA in the Federal Government: An Onramp to Zero Trust

Zero Trust Network Access (ZTNA) is a component of Zero Trust that specifically addresses remote users requesting application access over a network. ZTNA is critical to the Zero Trust journey and offers a logical entry point to a broader strategy. That’s especially relevant given the volume of remote and hybrid federal workers needing to access their department’s or agency’s applications and data. But because existing ZTNA (or “1.0”) solutions were designed when remote was relegated to a best-effort approach, the explosion of remote users exposed the need for a new approach (what Palo Alto Networks calls ZTNA 2.0) to deliver on the intended outcomes of Zero Trust:

1.   Fine-grained access controls. ZTNA 1.0 solutions violate the core principle of least privilege by allowing too much access and essentially increasing the attack surface, especially for modern applications designed around microservice and container-based constructs. Current ZTNA approaches treat applications as a network construct at layers 3 and 4 (IP and port layers), providing only coarse-grained control that results in far-greater access than is necessary. An application is not the same as a network and cannot be controlled using network controls. ZTNA 2.0 solutions deliver the fine-grained layer 7 controls over modern applications to dramatically reduce the attack surface and deliver on the promise of true least privilege access. 

2.   Continuous trust verification. Current ZTNA 1.0 approaches vet users’ identity and access permissions to a requested application only once, which means trust is verified only once and implied thereafter. This assumption of implicit trust is the antithesis of the Zero Trust ethos. ZTNA 2.0 provides continuous trust assessments of users, devices and applications even after access to the application has been granted, ensuring that device posture or any changes to it, along with user and application behaviors, are all continuously monitored and verified. That enables responding to any changes or deviations in real-time. 

3.   Continuous threat inspection. Since an access broker does not sit in line with the network traffic, as is the case with ZTNA 1.0 solutions, it cannot, therefore, police the traffic and inspect it for threats. Lacking any inspection capabilities, malicious code on an endpoint can then have carte blanche access to an application and any sub-application functions that are processing within it. ZTNA 2.0 provides continuous deep inspection of all traffic with complete capabilities, such as sandboxing, Advanced URL security, Advanced Threat Prevention, SaaS security, DNS security and more, to protect against all threats and threat vectors, including zero-day threats.

4.   Protection for all data. Most ZTNA 1.0 solutions do not provide data protection – especially for private applications. This leaves a good portion of an agency’s traffic vulnerable to data exfiltration either from malicious insiders or external attackers. It also forces agencies to deploy completely different data loss prevention (DLP) solutions across their organization to protect sensitive data in private apps versus SaaS apps. ZTNA 2.0 applies advanced DLP capabilities consistently to all applications – private, SaaS-based and cloud-based – removing any need to guess which are protected and what data is secure. 

5.   Protection and security for all applications. Current ZTNA 1.0 solutions do not provide coverage for all applications. Cloud-based apps or other apps that utilize dynamic ports or server-initiated applications – like support help-desk apps with server-initiated connections to remote devices – are not in scope with ZTNA 1.0 approaches. Likewise, these 1.0 solutions don’t support SaaS apps either, requiring organizations to deploy completely different products to get similar controls. These disparate solutions are complex to interconnect and cannot provide holistic visibility. Any required changes need to be replicated across each tool, increasing the likelihood of error. Instead, ZTNA 2.0 solutions provide complete security with consistent control for all apps across the entire organization, including modern cloud-native microservices-based apps and SaaS apps, as well as traditional private apps or legacy apps – all from a single product that dramatically reduces complexity while driving stronger security outcomes.

ZTNA 2.0 Addresses the Shortcomings

Palo Alto Networks recently introduced ZTNA 2.0, which overcomes the limitations of ZTNA 1.0 solutions and makes the transition to a broader Zero Trust architecture easier. ZTNA 2.0 connects all users and all apps with fine-grained access controls while providing behavior-based continuous trust verification after users connect to dramatically reduce the attack surface.

Deep and ongoing security inspection of premises-based, internet-based, legacy, SaaS and modern/cloud-native apps ensures all traffic is secure, all the time, without compromising performance. ZTNA 2.0 also delivers consistent visibility with a single data loss prevention (DLP) policy to secure both access and data across the entire remote workforce.

Palo Alto Networks, a Pioneer of ZTNA 2.0

Palo Alto Networks Prisma Access solution empowers federal agencies to protect their hybrid workforce while providing exceptional user experiences, from one simple, unified security product. This cloud-native solution protects all application traffic while securing both access and data to dramatically reduce the risk of a data breach. A strong ZTNA 2.0 foundation paves agencies’ way to a more comprehensive Zero Trust journey.

Learn more about how ZTNA 2.0 from Palo Alto Networks is solving ZTNA 1.0 challenges. Please visit our Zero Trust for public sector page to learn how Palo Alto Networks is helping organizations across the public sector to accelerate their Zero Trust journey.