Digital transformation is not a “someday” goal but a “today” imperative. In this post-pandemic world, work is no longer just a place we go, but an activity we perform, with 82% of organisations adopting a hybrid cloud strategy. In fact, organisations use an average of 110 SaaS apps within their environments. Part of the challenge isn't just that apps are everywhere, but that users are too, which expands the attack surface dramatically. Combined with a threat landscape that’s becoming more sophisticated, it's a perfect storm that demands organisations do something different to limit exposure and provide better security.
Interest in and adoption of Zero Trust Network Access (ZTNA) has exploded. However, the rapid transformation to hybrid work and hybrid networks/clouds has exposed weaknesses in the first ZTNA approaches. As part of our unveiling of ZTNA 2.0 with Palo Alto Networks Prisma® Access, I sat down with Andrew Rafla, Partner/Principal and Cyber Risk/Zero Trust Leader at Deloitte, to help demystify ZTNA and its evolution:
“One of the biggest challenges in achieving a Zero Trust state and truly moving toward this concept of ‘never trust, always verify’ is the fundamental understanding of the application and user estate,” Andrew told me. “In other words, what applications exist within a client’s environment, who should be able to access those applications, and under what conditions. These are fundamental questions that need to be answered, and only a ZTNA 2.0 model helps to fully realise the benefits of the zero trust model.”
The shortcomings of ZTNA 1.0
Previous iterations of ZTNA fall short of these requirements. First and foremost, the first generation of ZTNA vendor implementations (which we call ZTNA 1.0) violates the core foundational principle of least-privilege access by using an application’s IP address or port number as a proxy for the application itself. Defining an application by network constructs invariably grants broader access than intended: a single IP address and port commonly front several applications (for example, many services behind one load balancer on TCP/443), and a rule written in those terms admits every one of them, along with anything else that happens to speak on that port.
Imagine the analogy of securing a commercial airline flight. You show your boarding pass and passport when you go to the airport. Your passport serves as a user ID, your boarding pass represents a resource to gain access – one plane at a specific gate, departure date and time, and one seat in a specific section. With ZTNA 1.0, you get a boarding pass that just shows an IP address (essentially providing the address of the airport, but not limiting access to any plane at the airport).
The second limitation of ZTNA 1.0 is “allow and ignore”: once access is granted, the connection is trusted for its lifetime, and the user, the device and the application’s behaviour are not re-examined. Just because you get past TSA security doesn't mean you can do whatever you want; you can’t disrupt flight attendants or ignore the rules. So access needs continuous trust verification, with monitoring that can restrict or revoke a session when the user’s behaviour or the device’s posture changes.
The third limitation concerns data inspection and security. ZTNA 1.0 makes its decision at connection setup and passes the permitted traffic through uninspected, so malware or sensitive data can travel over an authorised connection unexamined. Returning to the airport analogy: not only must the passengers (users) be screened, but the luggage (data) too.
In a post-pandemic world, a ZTNA 2.0 model addresses these fundamental shortcomings to better protect today’s hybrid workforce.
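To make the three shortcomings concrete, the following is an added illustrative policy evaluator, not code from this article, from Palo Alto Networks or from Prisma Access. It compares a ZTNA 1.0-style grant keyed on (user, IP, port) with a ZTNA 2.0-style grant keyed on application identity that is re-evaluated on every request and applies content inspection to the permitted session. The application names, IP address, device-posture flag, payload classifications and the "block-dlp" action label are all constructed assumptions for the example; in a real deployment the application identity and classification would come from the access broker's own identification and inspection engines.

```python
"""Illustrative contrast between a network-construct access rule (ZTNA 1.0 style)
and an application-identity rule with per-request re-verification and content
inspection (ZTNA 2.0 style). Added example; all names, addresses and
classifications below are constructed for the demonstration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    dst_ip: str
    dst_port: int
    app: str                      # application identity (assumed to come from e.g. TLS SNI/App-ID)
    device_compliant: bool        # current device posture, re-reported with every request
    payload_classification: str   # "none", "pii" or "malware": output of an assumed content inspector


# ZTNA 1.0 style: the "application" is just an address and a port.
NETWORK_RULES = {("alice", "10.0.0.5", 443)}

# ZTNA 2.0 style: the grant names the application, not the host it happens to live on.
APP_RULES = {"alice": {"payroll"}}


def ztna1_decide(req: Request) -> str:
    """Decide once on network constructs; nothing else about the session is examined."""
    return "allow" if (req.user, req.dst_ip, req.dst_port) in NETWORK_RULES else "deny"


def ztna2_decide(req: Request) -> str:
    """Least privilege by application identity, continuous verification and data inspection."""
    # 1. Least privilege: the grant is to a named application, so a second app
    #    sharing the same IP:port is not implicitly included.
    if req.app not in APP_RULES.get(req.user, set()):
        return "deny"
    # 2. Continuous trust verification: posture is re-checked on every request,
    #    not only when the session was established.
    if not req.device_compliant:
        return "deny"
    # 3. Data inspection on the permitted session (hypothetical action labels).
    if req.payload_classification == "malware":
        return "deny"
    if req.payload_classification == "pii":
        return "block-dlp"
    return "allow"


def evaluate_session(requests, decide) -> list:
    """Run a decision function over each request of a session, in order."""
    return [decide(r) for r in requests]


# Constructed session: 10.0.0.5:443 is a shared TLS front end hosting both the
# payroll app and an admin console, and alice's device drifts out of compliance.
SESSION = [
    Request("alice", "10.0.0.5", 443, "payroll", True, "none"),        # legitimate access
    Request("alice", "10.0.0.5", 443, "admin-console", True, "none"),  # other app, same IP:port
    Request("alice", "10.0.0.5", 443, "payroll", False, "none"),       # posture changed mid-session
    Request("alice", "10.0.0.5", 443, "payroll", True, "pii"),         # sensitive data in transit
]


def compare(session=SESSION) -> dict:
    """Side-by-side decisions for the same traffic under both models."""
    return {
        "ztna1": evaluate_session(session, ztna1_decide),
        "ztna2": evaluate_session(session, ztna2_decide),
    }


if __name__ == "__main__":
    for model, decisions in compare().items():
        print(model, decisions)
```

Under the IP:port rule every request in the constructed session is allowed, including the admin console that merely shares the front end, the request made after the device fell out of compliance, and the request carrying classified data. The application-identity rule allows only the first request, denies the second and third, and hands the fourth to data-loss prevention.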
Why is Zero Trust essential in a post-pandemic world?
In the decade since Zero Trust was first introduced, the business environment has shifted dramatically. In our post-pandemic world, organisations realise their employees need flexibility not only where they work, but how they work and the applications they now utilise to get their work done.
“The mobile and the hybrid workforce is here to stay,” Andrew explained during our conversation. “More and more organisations are realising that people just want to work for organisations that provide flexibility in how they work and where they work and the devices that they work from. One of the considerations around achieving a Zero Trust environment is really about supportability – supporting the increasingly mobile and hybrid workforce. That requires compatibility with both traditional laptop and desktop devices, as well as the common operating systems found on mobile devices.”
ZTNA 2.0 addresses these organisational requirements while maintaining the core fundamental principle of least-privileged access. It offers a consistent, frictionless end-user experience that maximises security capabilities without any additional burden. And finally, it enables continuous trust verification – providing deep security and data protection for all applications.
The journey to adopting ZTNA 2.0
When I asked Andrew what advice he would offer to organisations looking to adopt ZTNA 2.0, he offered several suggestions:
- Prioritise business needs over technology – It’s important that organisations don’t look at Zero Trust adoption as a rip-and-replace technology initiative. Rather, it should support key business initiatives in a way that will allow the organisation to be more secure, agile and resilient to change.
- Drive consensus around the need for Zero Trust – It’s not just the cybersecurity team, but also IT operations, help desk, end users and other business stakeholders.
- Take an iterative and incremental approach – Start with low-risk targets, such as a low-risk user population and/or set of applications, to minimise the potential for operational impact and implement lessons learned along the journey. Ultimately you can adopt those lessons learned for the company’s highest-value “crown jewels” – its mission-critical applications and data.
The journey toward Zero Trust is one that prioritises business needs over technology – putting organisations on the path to being more secure, agile and resilient to change in a post-pandemic world.
Palo Alto Networks Prisma Access is the industry’s only ZTNA 2.0 solution. Combined with Deloitte’s Zero Trust framework and professional services, Prisma Access helps organisations accelerate the adoption of a Zero Trust cybersecurity strategy.
Nomios and Palo Alto partnership
Nomios is a Palo Alto Networks NextWave Diamond Partner with advanced specialities and the distinction of multiple certified engineers on staff. Our engineers are recognised by Palo Alto Networks as technical experts and advocates of Palo Alto solutions. That means you can count on Nomios for the technical know-how and hands-on experience to accurately assess your business requirements, and design, implement and manage a Palo Alto Networks-based solution to suit your needs.