Zero trust is too trusting, why ZTNA 2.0 won’t be



While the concept of zero trust dates back to 2009, when Forrester analyst John Kindervag popularized the term and rejected the notion of implicit trust, it wasn’t until the COVID-19 pandemic that adoption began to pick up steam. 

Okta research finds that the percentage of companies with a defined zero-trust initiative more than doubled from 24% in 2021 to 55% in 2022, coinciding with the increase in remote and hybrid working environments during the pandemic. But what is zero trust, exactly? 

According to Kindervag in a blog post, zero trust “is framed around the principle that no network user, packet, interface, or device — whether internal or external to the network — should be trusted.” Under this approach, “every user, packet, network interface, and device is granted the same default trust level: zero.” 

Zero trust effectively means that all users have to authenticate before they can access enterprise apps, services, resources or data. It’s a concept designed to prevent unauthorized threat actors and malicious insiders from exploiting implicit trust to gain access to sensitive information. 

However, there are some who believe that the concept of zero trust is incomplete and requires a new iteration in the form of zero-trust network access 2.0 (ZTNA 2.0).

Defining ZTNA 2.0 

In a nutshell, ZTNA 2.0 is an approach to zero trust that applies least privileged access at the application layer without relying on IP addresses and port numbers, and implements continuous trust verification, monitoring user and app behavior, to ensure the connection isn’t compromised over time.

“ZTNA 1.0 uses an ‘allow and ignore’ model. What we mean by that is, once access to an application is granted, there is no further monitoring of changes in user, application or device behavior,” said Kumar Ramachandran, SVP of product and GTM at Palo Alto Networks.

Under ZTNA 1.0, once a user has connected to an app, the solution assumes implicit trust from that point onward. 

In effect, the lack of additional security inspection and user behavior monitoring means these solutions can’t detect compromise, leaving organizations exposed to credential theft and data exfiltration attacks. For Ramachandran, this is a critical oversight that undermines the integrity of least-privileged access. 

“This might sound shocking, but the ZTNA 1.0 solutions implemented by vendors actually violate the principle of least privileged access, which is a fundamental tenet of zero trust. ZTNA 1.0 solutions rely on outdated contracts to identify applications, like IP addresses and port numbers,” Ramachandran said. 

On the other hand, ZTNA 2.0 continuously authorizes and monitors user access based on contextual signals, giving it the ability to withdraw access from users in real time if they start behaving maliciously. 

Is this a legitimate iteration of zero trust or a buzzword? 

Outside of Palo Alto Networks’ perspective, analysts are divided on whether ZTNA 2.0 stands on its own as an iteration of zero trust, or whether it’s a buzzword.  

“Zero Trust 2.0 is nothing but marketing, really driven from one vendor. It’s not really an evolution of the technology. This means that there really isn’t a fundamental difference; zero trust is and has been about reducing access to what is required to do a job and no more, and to enforce this based on identity and context,” said Charlie Winckless, senior analyst at Gartner. 

“Much of the language around ZTNA 2.0 is simply catching up to innovators in the space and what their products already offered. Not all the capabilities will be needed by all clients, and selecting a vendor is more than about a fake marketing term. It’s the 2.0 release for the vendor, not of the technology,” Winckless said. 

However, there are others who believe that ZTNA 2.0 does make some limited tweaks to traditional zero trust. 

“ZTNA 2.0 was coined in 2020 by a vendor in response to the NIST 800-207 publication. The only real differences are the addition of continuous monitoring and step-up authentication via privilege assessment, based on the resource being accessed, some form of DLP [data-loss prevention] capabilities, and additional CASB [cloud access security broker] coverage,” said Heath Mullins, senior Forrester analyst.

So why does ZTNA 2.0 matter? 

Fundamentally, ZTNA 2.0 doesn’t challenge the underlying assumptions of zero trust, but seeks to reevaluate the approaches that ZTNA 1.0 solutions take to applying access controls, which are open to compromise. 

“In more modern ZTNA 2.0 technologies, authorization not only occurs upon the initiation of a session, but continuously and dynamically throughout a connected session,” said Andrew Rafla, principal at Deloitte and Touche LLP, and member of the cyber and strategic risk practice of Deloitte Risk and Financial Advisory. 

“This feature helps alleviate the risk of compromised credentials and session hijacking attacks,” Rafla said. 
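The difference between the “allow and ignore” model described earlier and the continuous, per-session authorization Rafla describes is easiest to see in a small simulation. The following toy policy engine is an added example, not code from the article or from any vendor mentioned in it. The application names, entitlements, the allowed-country baseline and the per-session byte ceiling are all constructed for illustration; real products derive such signals from identity providers, endpoint agents and traffic inspection rather than from hard-coded tables.

```python
# Added illustration (not code from the article or any vendor): a toy policy
# engine that contrasts the two authorization models the article describes.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RequestContext:
    """Contextual signals observed on one request within a session (constructed)."""
    user: str
    device_compliant: bool   # e.g. endpoint agent reports encrypted disk, patched OS
    country: str             # source geolocation of this request
    bytes_out_total: int     # cumulative bytes pulled from the app in this session


# Hypothetical application-layer entitlements: who may reach which app.
# Note that nothing here depends on IP addresses or port numbers.
ENTITLEMENTS = {
    "payroll": {"alice", "bob"},
    "wiki": {"alice", "bob", "carol"},
}
ALLOWED_COUNTRIES = {"US", "CA"}        # constructed baseline for this tenant
EXFIL_BYTES_THRESHOLD = 50_000_000      # constructed per-session data ceiling


def evaluate(ctx: RequestContext, app: str) -> Tuple[bool, str]:
    """One policy decision from identity plus context; returns (allowed, reason)."""
    if ctx.user not in ENTITLEMENTS.get(app, set()):
        return False, "user not entitled to app"
    if not ctx.device_compliant:
        return False, "device out of compliance"
    if ctx.country not in ALLOWED_COUNTRIES:
        return False, "unexpected geolocation"
    if ctx.bytes_out_total > EXFIL_BYTES_THRESHOLD:
        return False, "data volume exceeds baseline"
    return True, "ok"


def allow_and_ignore(app: str, requests: List[RequestContext]) -> Tuple[List[int], Optional[str]]:
    """ZTNA 1.0 model: decide once at session start, then serve every later request.

    Returns the indices of requests that were served and, if access was never
    granted, the reason.
    """
    ok, reason = evaluate(requests[0], app)
    if not ok:
        return [], f"denied at session start: {reason}"
    return list(range(len(requests))), None


def continuous_verification(app: str, requests: List[RequestContext]) -> Tuple[List[int], Optional[str]]:
    """ZTNA 2.0 model: re-evaluate on every request and revoke at the first failure."""
    served: List[int] = []
    for i, ctx in enumerate(requests):
        ok, reason = evaluate(ctx, app)
        if not ok:
            return served, f"revoked at request {i}: {reason}"
        served.append(i)
    return served, None


# Constructed session: alice authenticates legitimately, then her session
# token is reused from an unexpected country and starts pulling bulk data,
# the pattern of a hijacked session or a stolen credential.
HIJACKED_SESSION = [
    RequestContext("alice", True, "US", 1_000),
    RequestContext("alice", True, "US", 40_000),
    RequestContext("alice", True, "XX", 60_000),          # token replayed from elsewhere
    RequestContext("alice", True, "XX", 80_000_000),      # bulk download begins
    RequestContext("alice", True, "XX", 120_000_000),
]


def run_demo() -> None:
    """Print what each model serves for the constructed hijacked session."""
    for name, model in (("allow-and-ignore", allow_and_ignore),
                        ("continuous", continuous_verification)):
        served, outcome = model("payroll", HIJACKED_SESSION)
        print(f"{name:17s} served={served} outcome={outcome}")


if __name__ == "__main__":
    run_demo()
```

Running `run_demo()` shows the “allow and ignore” model serving all five requests because the only decision was made at request 0, while the continuous model serves the first two and revokes the session at request 2 on the geolocation change, before the bulk download. The same `evaluate` function is used by both models; what differs is only how often it is consulted, which is the point the article makes about where ZTNA 1.0 and 2.0 diverge.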

Given that stolen credentials contribute to almost 50% of data breaches, organizations can’t afford to assume that user accounts are unlikely to be compromised.  

Thus, when looking at building a zero-trust strategy, ZTNA 2.0 solutions have a role to play in helping apply more effective controls at the application level that are responsive to account takeover attempts. 

That being said, zero trust remains an iterative approach to securing user access, and implementing a ZTNA 2.0 solution can’t make an organization implement zero-trust access controls “out-of-the-box.” 

Moving forward on the zero-trust journey 

Whether an organization decides to use ZTNA 1.0 or ZTNA 2.0 solutions to enable its zero-trust journey, the end goal is the same: Eliminating implicit trust, implementing the principle of least privilege and preventing unauthorized access to critical data assets. 

It’s important to emphasize that, while ZTNA 2.0 provides a useful component in the zero-trust journey for applying the principle of least privilege more effectively at the application level and making security teams more responsive to compromise, it’s not a shortcut to implementing zero trust. 

The only way to fully implement zero trust is to create an inventory of resources and data throughout the enterprise environment and systematically implement access controls to ensure that unauthorized access is prevented.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact.