{"id":112369,"date":"2020-06-08T06:00:14","date_gmt":"2020-06-08T13:00:14","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=112369"},"modified":"2020-06-05T15:36:44","modified_gmt":"2020-06-05T22:36:44","slug":"network-zero-trust-strategy","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/06\/network-zero-trust-strategy\/","title":{"rendered":"Rethinking Zero Trust Network Access for a Zero Trust Strategy"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">As the world shifts to working from home, new demands are being placed on companies to provide fast and reliable access to company resources for remote workers. While virtual private networks (VPNs) have traditionally been used to securely enable remote users to access the same resources they could at the office, there are significant problems with this approach that organizations need to address. In response, many organizations have implemented <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/01\/cloud-zero-trust-network-access\/\"><span style=\"font-weight: 400;\">Zero Trust Network Access<\/span><\/a><span style=\"font-weight: 400;\"> (ZTNA) solutions, which combine the benefits of VPNs while seeking to avoid their flaws. 
But to completely protect an organization\u2019s network end to end, a <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-is-a-zero-trust-architecture\"><span style=\"font-weight: 400;\">Zero Trust<\/span><\/a> <i><span style=\"font-weight: 400;\">strategy<\/span><\/i><span style=\"font-weight: 400;\"> needs to be established.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Zero Trust Network Access: Enhancements Over Traditional VPNs<\/b><\/h2>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-is-a-vpn\"><span style=\"font-weight: 400;\">VPNs<\/span><\/a> <span style=\"font-weight: 400;\">offer organizations quick and easy solutions to allow remote workers access to the corporate network, while shielding data in transit from the prying eyes of attackers. To address the gaps that <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/03\/cloud-connectivity\/\"><span style=\"font-weight: 400;\">VPNs<\/span><\/a><span style=\"font-weight: 400;\"> have, organizations are turning to ZTNA. ZTNA solutions offer:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><b>Better Detection for Infiltration and Threats <\/b><span style=\"font-weight: 400;\">\u2013 Encrypting traffic is important, but a VPN ensures only that data is secured in transit, and doesn\u2019t detect whether the connecting endpoint is compromised. Additionally, because VPN traffic tunnels through firewalls, data isn\u2019t inspected there either. <\/span><i><span style=\"font-weight: 400;\">ZTNA solutions provide better detection and visibility for threats.<\/span><\/i><\/li>\n<li style=\"font-weight: 400;\"><b>Tighter Access Control<\/b><span style=\"font-weight: 400;\"> \u2013 Oftentimes, standalone VPNs provide users with more access to privileged resources \u2013 applications, files and servers \u2013 than is needed for their jobs. 
This gives an attacker not only a secure foothold from a compromised endpoint but also the ability to see and pivot to other privileged resources on a network. Network segmentation efforts mitigate some of this risk, but rolling segmentation out can be painstakingly difficult, especially without a centralized tool to manage the process. It\u2019s even more difficult when remote access needs to be rapidly provisioned to account for a <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/04\/network-secure-access\/\"><span style=\"font-weight: 400;\">surge in remote users<\/span><\/a><span style=\"font-weight: 400;\">. <\/span><i><span style=\"font-weight: 400;\">ZTNA offers tighter access and policy control, allowing an organization to quickly shut down unauthorized access.<\/span><\/i><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Most ZTNA solutions today offer the benefits of VPNs but fail to address the inspection of traffic for threats. Assuming that a user can be trusted after being verified once can create problems if the user\u2019s credentials or devices are compromised. This is where a Zero Trust strategy comes in.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Zero Trust Is a Strategy, Not a Plug-in Solution<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Zero Trust has emerged as an end-to-end cybersecurity strategy that is deployed not just across users, but across endpoints, workloads, apps and content. By establishing this strategy, you assume that no user, endpoint, app or content can be trusted, even if it was previously authenticated and allowed into the network. An organization must assume that no entity can be trusted at any point in the journey throughout the network.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The first step in a Zero Trust strategy is authenticating an entity (users, endpoints, apps or content) before it is given access to the corporate infrastructure. This is where ZTNA solutions come into play. 
ZTNA solutions put into practice Zero Trust concepts of least-privileged access by controlling what users can access and how they can do so <\/span><i><span style=\"font-weight: 400;\">as they access <\/span><\/i><span style=\"font-weight: 400;\">the network or the front end of an application. User access is restricted to only those applications users need to do their jobs. With a cloud-based ZTNA, security policies can be implemented seamlessly across users, no matter their locations.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">However, this still doesn\u2019t cover all the bases. It\u2019s also important to detect data exfiltration, scan for malware and be alert to behavioral indicators of compromise. Threat and vulnerability detection are also important for a complete Zero Trust strategy.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Prisma Access and Zero Trust\u00a0<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Palo Alto Networks products can help organizations <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/05\/network-end-to-end-zero-trust\/\"><span style=\"font-weight: 400;\">achieve an end-to-end Zero Trust strategy<\/span><\/a><span style=\"font-weight: 400;\">. <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/prisma\/access\"><span style=\"font-weight: 400;\">Prisma Access<\/span><\/a><span style=\"font-weight: 400;\"> is Palo Alto Networks\u2019 answer to ZTNA \u2013 a cloud-delivered solution known as a<\/span><a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-is-sase\"><span style=\"font-weight: 400;\"> secure access service edge<\/span><\/a><span style=\"font-weight: 400;\"> (SASE), combining both SD-WAN and security capabilities into a single platform. 
Prisma Access is built upon the key requirements of ZTNA, authenticating a user at the secure access service edge, provisioning access to privileged resources, and continually monitoring user behavior once they connect.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Additionally, Prisma Access shields private applications from public exposure to the internet by directing users through the cloud-based SASE, where they are authenticated. User access is then provisioned according to the policies the organization sets for the given user, role or type of device, regardless of location. Finally, Prisma Access monitors all authenticated user traffic to and from the application for malware signatures, intrusion behaviors and indicators of data loss with our patented single-pass architecture.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Zero Trust Network Access is just one aspect of a complete Zero Trust strategy. Learn more about what a Zero Trust strategy should entail in this video by Palo Alto Networks founder and CTO Nir Zuk.\u00a0<\/span><\/p>\n<p><div class=\"styleIt\" style=\"width:560px;height:315px;\"><lite-youtube videoid=\"zzZ4q9DSnbg\" ><\/lite-youtube><\/div><\/p>\n<p><i><span style=\"font-weight: 400;\">This post is part of a series covering \u201c<\/span><\/i><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/tag\/zero-trust-throughout-your-infrastructure\/\"><i><span style=\"font-weight: 400;\">Zero Trust Throughout Your Infrastructure<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.\u201d<\/span><\/i><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A Zero Trust strategy is not a plug-in solution. 
Zero Trust Network Access can be one aspect of an end-to-end approach to Zero Trust.<\/p>\n","protected":false},"author":663,"featured_media":108494,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6768,6765],"tags":[6833,7006,101,73,7129,7135],"coauthors":[7134],"class_list":["post-112369","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-cloud","category-secure-the-enterprise","tag-prisma-access","tag-secure-access-service-edge","tag-vpn","tag-zero-trust","tag-zero-trust-throughout-your-infrastructure","tag-ztna"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/03\/IMG_2009.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112369","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=112369"}],"version-history":[{"count":4,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112369\/revisions"}],"predecessor-version":[{"id":112407,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112369\/revisions\/112407"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/108494"}],"wp:attachment":[{"href":"https:\/\/origin-
researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=112369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=112369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=112369"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=112369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}