This article is part of a VB special issue. The complete series can be viewed here: Zero trust: The new security paradigm.
Although the concept of zero trust dates back to 2009, when John Kindervag, a Forrester analyst, popularized the term and eliminated implicit trust, it wasn’t until the COVID-19 pandemic that adoption began to pick up steam.
Okta research found that the percentage of companies with a zero-trust initiative doubled, from 24% in 2021 to 55% in 2022. This coincides with the rise in remote and hybrid workplaces during the pandemic. But what is zero trust, exactly?
According to Kindervag in a blog post, zero trust “is framed around the principle that no network user, packet, interface, or device — whether internal or external to the network — should be trusted.” Under this approach, “every user, packet, network interface, and device is granted the same default trust level: zero.”
Zero trust means that all users need to authenticate in order to access enterprise apps, services, resources, or data. It’s a concept designed to prevent unauthorized threat actors and malicious insiders from exploiting implicit trust to gain access to sensitive data.
But some argue that the concept of zero trust is incomplete and needs to be re-evaluated in the form of zero-trust network access 2.0 (ZTNA 2.0).
Defining ZTNA 2.0
Put simply, ZTNA 2.0 is an approach to zero trust that applies least-privileged access at the application level without relying on port numbers or IP addresses, and implements continuous trust verification, monitoring user and app behavior, to ensure the connection isn’t compromised over time.
“ZTNA 1.0 uses an ‘allow and ignore’ model. What we mean by that is, once access to an application is granted, there is no further monitoring of changes in user, application or device behavior,” said Kumar Ramachandran, SVP of product and GTM at Palo Alto Networks.
Under ZTNA 1.0, once a user connects to an application, the solution assumes implicit trust from that point forward.
In effect, the lack of additional security inspection and user behavior monitoring means these solutions can’t detect compromise, leaving them vulnerable to credential theft and data exfiltration attacks. Ramachandran believes this is a crucial oversight that can compromise the integrity of least-privileged access.
“This might sound shocking, but the ZTNA 1.0 solutions implemented by vendors actually violate the principle of least privileged access, which is a fundamental tenet of zero trust. ZTNA 1.0 solutions rely on outdated contracts to identify applications, like IP addresses and port numbers,” Ramachandran said.
ZTNA 2.0, on the other hand, monitors context signals and authorizes and monitors all user access. If users start acting maliciously, it can withdraw access.
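The contrast between the "allow and ignore" model and continuous trust verification described above, as an added example that is not code from the article or from any vendor's product. The policy table, signal fields and byte threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Hypothetical least-privilege policy keyed on (role, application name),
# not on destination IP address or port number.
POLICY = {("finance", "payroll-app"), ("engineering", "git-server")}
MAX_BYTES_OUT = 50_000_000  # assumed per-request data-egress ceiling

@dataclass
class Signal:
    """Context snapshot attached to one request (constructed fields)."""
    role: str
    app: str
    device_compliant: bool
    bytes_out: int

def deny_reason(sig):
    """Return why a request must be refused, or None if it is allowed."""
    if (sig.role, sig.app) not in POLICY:
        return "role not entitled to application"
    if not sig.device_compliant:
        return "device out of compliance"
    if sig.bytes_out > MAX_BYTES_OUT:
        return "abnormal data egress"
    return None

def allow_and_ignore(session):
    """ZTNA 1.0 style: decide once at session start, trust afterwards."""
    granted = deny_reason(session[0]) is None
    return [granted] * len(session)

def continuous(session):
    """ZTNA 2.0 style: re-check every request; a revoked session stays revoked."""
    decisions, revoked = [], None
    for sig in session:
        revoked = revoked or deny_reason(sig)
        decisions.append((revoked is None, revoked))
    return decisions

# Constructed session: two normal requests, then the device drifts out of
# compliance, then a very large download on the same session.
SESSION = [
    Signal("finance", "payroll-app", True, 12_000),
    Signal("finance", "payroll-app", True, 30_000),
    Signal("finance", "payroll-app", False, 20_000),
    Signal("finance", "payroll-app", True, 900_000_000),
]

if __name__ == "__main__":
    print("allow and ignore:", allow_and_ignore(SESSION))
    print("continuous:      ", continuous(SESSION))
```

The first model keeps granting all four requests because only the initial one is evaluated; the second withdraws access at the third request and records the reason.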
Is it a genuine iteration of zero trust or a buzzword?
Outside of Palo Alto Networks’ perspective, analysts are divided on whether ZTNA 2.0 stands on its own as an iteration of zero trust or whether it’s a buzzword.
“Zero Trust 2.0 is nothing but marketing, really driven from one vendor. It’s not really an evolution of the technology. This means that there really isn’t a fundamental difference; zero trust is and has been about reducing access to what is required to do a job and no more, and to enforce this based on identity and context,” said Charlie Winckless, a senior analyst at Gartner.
“Much of the language around ZTNA 2.0 is simply catching up to innovators in the space and what their products already offered. Not all the capabilities will be needed by all clients, and selecting a vendor is more than about a fake marketing term. It’s the 2.0 release for the vendor, not of the technology.” Winckless stated.
But others believe that ZTNA 2.0 offers some minor tweaks to traditional zero trust.
“ZTNA 2.0 was coined in 2020 by a vendor in response to the NIST 800-207 publication. The only real differences are the addition of continuous monitoring and step-up authentication via privilege assessment, based on the resource being accessed, some form of DLP [data-loss prevention] capabilities, and additional CASB [cloud access security broker] coverage,” said Heath Mullins, a senior analyst at Forrester.
So why does ZTNA 2.0 matter?
Fundamentally, ZTNA 2.0 doesn’t challenge the underlying assumptions of zero trust. It seeks to re-evaluate the approaches that ZTNA 1.0 solutions have used in the past to apply access controls that are not responsive to compromise.
“In more modern ZTNA 2.0 technologies, authorization not only occurs upon the initiation of a session, but continuously and dynamically throughout a connected session,” Andrew Rafla, principal of Deloitte and Touche LLP and member of Deloitte Risk and Financial Advisory’s cyber and strategic risk practice, said.
“This feature helps alleviate the risk of compromised credentials and session hijacking attacks,” Rafla said.
Given that stolen credentials contribute to almost 50% of data breaches, organizations can’t afford to assume that user accounts are unlikely to be compromised.
That is why, when building a zero-trust strategy, ZTNA 2.0 solutions have a role in helping to apply effective controls at the application layer that are responsive to account theft attempts.
That being said, zero trust is an iterative approach to securing user access, and implementing a ZTNA 2.0 solution can’t make an organization implement zero-trust access controls “out-of-the-box.”
Moving forward with the zero-trust journey
Whether an organization uses ZTNA 1.0 or ZTNA 2.0 solutions to enable its zero-trust journey, the goal is the same: eliminating implicit trust, implementing the principle of least privilege and preventing unauthorized access to critical data assets.
It’s important to emphasize that, while ZTNA 2.0 provides a useful component of the zero-trust journey for applying the principle of least privilege more effectively at the application level and making security teams more responsive to compromise, it’s not a shortcut to implementing zero trust.
The only way to fully implement zero trust is to create an inventory of all resources and data in the enterprise environment, and then systematically implement access controls so that unauthorized access is prevented.