Palo Alto Networks is calling on the cybersecurity industry to make the shift to next-generation zero-trust network access (ZTNA) — which the vendor calls ZTNA 2.0, claiming that traditional ZTNA products “have proven more dangerous than helpful” in today’s hybrid work and cloud migration world.

Two years ago, in the thick of the pandemic, most companies had to quickly shift to a remote work model. “They were either scaling up their home access solutions [such as] VPNs, etc., or they were migrating to what was available — often, it was a ZTNA 1.0 solution,” Kumar Ramachandran, SVP of product and GTM at Palo Alto Networks, told SDxCentral.

Now, as most countries are entering “the new normal” phase of COVID recovery, most businesses have established a hybrid workforce, which requires highly secured networks combined with great user experience, he added. 

“So people are looking at it and saying, 'How do I set my enterprise up for the next five, 10 years and put the right security model in place?' And that's where ZTNA 2.0 comes in,” Ramachandran said.

The problem is that most security companies are still offering first-generation ZTNA, and the recent heightened threat environment is creating a lot of urgency for change, he noted.

“The feedback from most customers is that almost every other vendor in the marketplace [offers] ZTNA 1.0 solutions,” Ramachandran said.

Customers are witnessing threats like Log4Shell that ZTNA 1.0 products cannot protect against. “There is absolutely an urgency given that these threats are increasing,” he added.

What’s Wrong With ZTNA 1.0?

First generation ZTNA products have “critical limitations” including providing too much access, “allow and ignore,” and little to no visibility or control over data, Palo Alto Networks founder and CTO Nir Zuk pointed out in a recent blog post.

“Allow and ignore” refers to the approach in which, once access to an app has been granted, its communication is trusted forever, he explained. “ZTNA 1.0 assumes that the user and the app will always behave in a trustworthy manner, which is a recipe for disaster.”

In addition, ZTNA 1.0 products have no continuous security inspection and do not follow the principle of least privilege, Ramachandran echoed. 

“First-generation, or ZTNA 1.0 solutions, fall short in many ways on delivering on the promise of true zero trust,” ESG senior analyst John Grady said in a statement. “In fact, they grant more access than is desired. What’s more, once access is granted in ZTNA 1.0 solutions, the connection is implicitly trusted forever, allowing a handy exploit route for sophisticated threats and/or malicious actions and behavior.”

What Is ZTNA 2.0?

Grady argues it’s time to embrace a new ZTNA approach that he said “has been designed from the ground up to meet the specific challenges of modern applications, threats, and a hybrid workforce.”

Palo Alto Networks has dubbed the approach "ZTNA 2.0." Zuk noted that it's delivered via its Prisma Access solution, and identifies applications at Layer 7 and enables access control at the applications and sub-application levels. In addition, the solution offers continuous trust verification, security inspection of all traffic, and control of data across all applications. Finally, it also secures all applications used across the organization, including cloud-native, software-as-a-service, and legacy private apps.

ZTNA 2.0 makes sure that trust is not implicit, Ramachandran said. “It's zero trust with zero exceptions.”

For ZTNA 1.0 vendors that want to migrate to the next generation, Ramachandran said, “the starting point is understanding what [it means] to have a least privilege access model” that narrows down access and does not engage in security data.

Prisma Access Updates

According to Zuk, Palo Alto Networks’ Prisma Access platform is designed to meet the ZTNA 2.0 requirements. It “helps protect all users and all types of applications across the enterprise,” he said.

To enhance the ZTNA 2.0 services, the vendor today introduced several additions to the platform, including a unified console for its secure access service edge (SASE) platform which integrates its Prisma Access and SD-WAN products, and an autonomous self-serve digital experience management (ADEM) service that automates the trouble ticketing process.

“ZTNA 1.0 was a good start, controlling the user, the application, the access, what they can do with the application. But of course, with all the shortcomings we need ZTNA 2.0 which really brings us to where we need to be in terms of controlling the user and inspecting the traffic,” Zuk noted.