This article is part of the VB special series "Zero trust: the new security paradigm."
Although the concept of zero trust dates back to 2009, when Forrester analyst John Kindervag popularized the term and rejected the idea of implicit trust, it wasn’t until the COVID-19 pandemic that adoption started to pick up.
Okta research notes that the percentage of companies with a defined zero-trust initiative more than doubled from 24% in 2021 to 55% in 2022, coinciding with the rise in remote and hybrid work environments during the pandemic. But what exactly is zero trust?
According to Kindervag in a blog post, zero trust “is based on the principle that no network user, packet, interface, or device – whether on or off the network – should be trusted.” Under this approach, “every user, package, network interface, and device is given the same default trust level: zero.”
Zero trust essentially means that all users must authenticate before accessing corporate apps, services, resources, or data. It is a concept designed to prevent unauthorized threat actors and malicious insiders from exploiting implicit trust to gain access to sensitive information.
However, some believe that the zero trust concept is incomplete and requires a new iteration in the form of zero trust network access 2.0 (ZTNA 2.0).
Defining ZTNA 2.0
In a nutshell, ZTNA 2.0 is a zero trust approach that applies least-privileged access at the application layer, without relying on IP addresses and port numbers, and adds continuous trust verification and monitoring of user and app behavior, so that a connection that was legitimate when it was established is not left trusted after it has been compromised later in the session.
“ZTNA 1.0 uses an ‘allow and ignore’ model. What we mean by that is that once access has been granted to an application, there is no further monitoring of changes in user, application or device behavior,” said Kumar Ramachandran, SVP of product and GTM at Palo Alto Networks.
Under ZTNA 1.0, once a user connects to an app, the solution assumes implicit trust from then on.
In fact, the lack of additional security inspection and user behavior monitoring means that these solutions cannot detect compromises, making them vulnerable to credential theft and data interception attacks. For Ramachandran, this is a critical mistake that ruins the underlying integrity of the least privileged access.
“This may sound shocking, but the ZTNA 1.0 solutions deployed by vendors actually violate the principle of least privileged access, which is a fundamental principle of zero trust. ZTNA 1.0 solutions rely on legacy contracts to identify applications, such as IP addresses and port numbers,” said Ramachandran.
On the other hand, ZTNA 2.0 continuously authorizes and monitors user access based on contextual signals, giving it the ability to revoke users’ access in real time if they start behaving maliciously.
Is this a legitimate iteration of zero trust or a buzzword?
Outside of Palo Alto Networks’ perspective, analysts are divided on whether ZTNA 2.0 stands alone as a zero-trust iteration, or whether it’s a buzzword.
“Zero Trust 2.0 is nothing but marketing, really driven by one supplier. It’s not really an evolution of technology. This means there isn’t really a fundamental difference; zero trust is and has been about reducing access to what it takes to do a job and no more, and enforcing it based on identity and context,” said Charlie Winckless, senior analyst at Gartner.
“A lot of the language around ZTNA 2.0 is just catching up with innovators in the space and what their products already offered. Not all capabilities will be needed by all customers, and selecting a supplier is more than a false marketing term. It is the 2.0 version in front of the seller, not the technology,” Winckless said.
However, there are others who believe that ZTNA 2.0 makes some limited adjustments to the traditional zero trust.
“ZTNA 2.0 was conceived in 2020 by a vendor in response to the NIST 800-207 publication. The only real differences are the addition of continuous monitoring and step-by-step authentication via privilege assessment, based on the resource being accessed, a form of DLP [data-loss prevention] capabilities and additional CASB [cloud access security broker] coverage,” said Heath Mullins, senior Forrester analyst.
So why is ZTNA 2.0 important?
Essentially, ZTNA 2.0 does not challenge the underlying assumptions of zero trust, but seeks to re-evaluate the approaches ZTNA 1.0 solutions take when applying access controls, which are prone to compromise.
“In more modern ZTNA 2.0 technologies, authorization occurs not just at the start of a session, but continuously and dynamically throughout a connected session,” said Andrew Rafla, director at Deloitte and Touche LLP and a member of the cyber and strategic risk practice of Deloitte Risk & Financial Advisory.
“This feature helps reduce the risk of compromised credentials and session hijacking attacks,” said Rafla.
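The difference between the “allow and ignore” model Ramachandran describes and the continuous, per-request authorization Rafla describes is easiest to see side by side. The following is an added illustration, not code from Palo Alto Networks, Deloitte or any ZTNA product: both functions run the same static policy (role, device posture, MFA age) when the session starts, but only the continuous version re-runs it on every request and adds behavioral signals (location change, unusual transfer volume) that can revoke the session mid-stream. Applications are identified by name rather than by IP address and port, matching the application-layer framing above. Every user, application, threshold and request in the block is constructed for the example.

```python
from dataclasses import dataclass

# Constructed directory data: which roles each user holds and which roles each
# application admits. Apps are keyed by identity, not by an IP:port tuple, so the
# policy is unaffected when an app moves hosts or sits behind a load balancer.
USER_ROLES = {"alice": {"finance"}, "bob": {"engineering"}}
APP_ROLES = {"payroll": {"finance"}, "source-control": {"engineering"}}

MAX_MFA_AGE_MIN = 60                   # constructed: re-prompt if last MFA is older
EXFIL_BYTES_PER_REQUEST = 50_000_000   # constructed "unusual transfer" threshold


@dataclass
class Request:
    """Contextual signals available when one request arrives (constructed fields)."""
    user: str
    app: str
    device_compliant: bool
    mfa_age_min: int
    geo: str
    bytes_out: int = 0


@dataclass
class Session:
    user: str
    app: str
    baseline_geo: str          # where the session was established
    active: bool = True
    revoked_reason: str = ""


def static_policy(req: Request):
    """Checks any ZTNA flavour performs when access is first granted."""
    if not USER_ROLES.get(req.user, set()) & APP_ROLES.get(req.app, set()):
        return False, "no_role_for_app"
    if not req.device_compliant:
        return False, "device_noncompliant"
    if req.mfa_age_min > MAX_MFA_AGE_MIN:
        return False, "mfa_stale"
    return True, "ok"


def behavioural_policy(session: Session, req: Request):
    """Signals that only exist once a session is running; evaluated per request."""
    if req.geo != session.baseline_geo:
        return False, "geo_change"
    if req.bytes_out > EXFIL_BYTES_PER_REQUEST:
        return False, "unusual_transfer"
    return True, "ok"


def allow_and_ignore(requests):
    """ZTNA 1.0 style: decide once at connect time, then trust the session for life."""
    ok, reason = static_policy(requests[0])
    if not ok:
        return [(False, reason)] * len(requests)
    return [(True, "session_trusted")] * len(requests)


def continuous_authorization(requests):
    """ZTNA 2.0 style: re-evaluate every request; the first failure revokes the session."""
    first = requests[0]
    ok, reason = static_policy(first)
    if not ok:
        return [(False, reason)] * len(requests)
    session = Session(first.user, first.app, first.geo)
    decisions = []
    for req in requests:
        if session.active:
            ok, reason = static_policy(req)
            if ok:
                ok, reason = behavioural_policy(session, req)
            if not ok:                      # revoke in real time, later requests are denied
                session.active = False
                session.revoked_reason = reason
        else:
            ok, reason = False, session.revoked_reason
        decisions.append((ok, reason))
    return decisions


# Constructed request stream: a normal start, then a request that arrives from a
# different country with a bulk download, then a request that looks normal again.
SAMPLE_REQUESTS = [
    Request("alice", "payroll", True, 5, "DE"),
    Request("alice", "payroll", True, 20, "DE", bytes_out=120_000),
    Request("alice", "payroll", True, 21, "BR", bytes_out=80_000_000),
    Request("alice", "payroll", True, 30, "DE"),
]

if __name__ == "__main__":
    for label, fn in (("allow-and-ignore", allow_and_ignore),
                      ("continuous", continuous_authorization)):
        print(label, fn(SAMPLE_REQUESTS))
```

With the constructed stream, the allow-and-ignore model keeps serving the session after the third request, because nothing is re-checked once the initial decision is made; the continuous model denies that request on the location change and keeps the session revoked even when the fourth request looks clean again, which is the real-time revocation the article attributes to ZTNA 2.0.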
Considering that stolen credentials contribute to nearly 50% of data breaches, organizations cannot afford to assume that user accounts are unlikely to be compromised.
So when looking at building a zero-trust strategy, ZTNA 2.0 solutions can play a role in helping to apply more effective application-level controls that respond to account takeover attempts.
That said, zero trust remains an iterative approach to securing user access, and implementing a ZTNA 2.0 solution cannot drive an organization to implement zero-trust access controls “out-of-the-box.”
Forward on the zero-trust journey
Whether an organization decides to use ZTNA 1.0 or ZTNA 2.0 solutions to enable its zero-trust journey, the end goal is the same: to eliminate implicit trust, implement the principle of least privilege, and prevent unauthorized access to critical data assets.
It is important to emphasize that while ZTNA 2.0 provides a useful component in the zero-trust journey to more effectively apply the principle of least privilege at the application level and make security teams more responsive to compromise, it is not a shortcut to implementing zero trust.
The only way to fully implement zero trust is to inventory resources and data across the business environment and systematically implement access controls to ensure unauthorized access is prevented.