The concept of Zero Trust — the removal of all implicit trust from our networks and digital transactions — is universally endorsed as the best approach to secure organizations today. However, as I discussed previously, an entire category of so-called zero trust solutions, which we’ll call ZTNA 1.0, contains alarming deficiencies in five key areas. The first area, which we’ll dive into today, is least privilege.
The principle of least privilege is an information security concept dictating that only the minimum amount of access required should be granted to a user or entity to conduct their work. The idea is that limiting access will reduce your potential exposure if something goes wrong.
ZTNA 1.0 Violates the Principle of Least Privilege
VPNs have long been used to provide remote access to corporate networks. While this approach of granting broad access to entire networks was never ideal, there were no practical alternatives, and it was deemed acceptable because it was infrequently used by only a relatively small number of users. However, the rapid shift to hybrid work and the sophistication of modern threats (especially attacks that involve lateral movement) have finally rendered traditional VPN obsolete.
ZTNA was intended to solve one of the biggest challenges of VPN by limiting users’ access to only the specific applications they need, rather than entire networks. However, the way vendors implemented ZTNA 1.0 solutions essentially translated an application into Layer 3/4 network constructs like IP (or FQDN) and port number. This limitation requires the administrator to paint with a broad brush when writing access control policies, ultimately granting far more access than intended.
Access Control for Modern Apps
The principle of least privilege is all about providing the minimum amount of privilege possible for users to get their work done. To address SaaS and other modern apps that use dynamic IPs and ports, ZTNA 1.0 solutions require you to allow access to broad IP and port ranges just to get the access control (and the application) to work at all. This clearly violates the principle of least privilege: everything else reachable inside that IP and port range is now exposed along with the one application you meant to allow, and that excess reach can be exploited by an attacker or malware.
With ZTNA 2.0, the system can dynamically identify the application and the specific function within the app across any and all protocols and ports using App-ID, regardless of what IPs and ports the app might be using. For administrators, this eliminates the need to think about network constructs and enables very fine-grained access control to finally implement true, least-privilege access.
Apps that Use Server-Initiated Connections Break with ZTNA 1.0
The next type of app that doesn’t play nicely with ZTNA 1.0 solutions is the app that requires connections to be established from the server to the client. This includes mission-critical applications such as update and patch management solutions, device management apps, and helpdesk apps. The way ZTNA 1.0 has been implemented by many vendors, it only works when your users initiate these connections, and doesn’t allow app- or server-initiated connections at all. We have seen numerous examples where customers have tried to implement ZTNA 1.0 solutions, but were forced to maintain their legacy VPN solution purely to solve this use case!
ZTNA 2.0 solutions allow bi-directional access control, using App-IDs to define application access policies, and can therefore enable least-privilege access for all types of apps, including apps that use server-initiated connections.
Sub-App Control for Private Applications
Many private applications lack the built-in, fine-grained access control capabilities that exist in most modern SaaS apps. Something as simple as allowing users to access an application to view data, but not upload or download data, is simply not possible in a ZTNA 1.0 solution where the app is identified purely by IP address and port number: every request to that IP and port looks identical to the policy engine. Providing this level of granular control at the sub-app level is trivial for ZTNA 2.0 solutions that leverage App-ID constructs to identify apps and sub-apps. One practical note: distinguishing a view from an upload inside an encrypted session requires the enforcement point to see the decrypted application layer, whether by terminating TLS at the proxy or by classifying on the endpoint.
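To make the difference between the two policy models concrete, here is an added example (not code from the original post, and not a Palo Alto Networks product or App-ID implementation) that evaluates the same constructed sample requests against a Layer 3/4 allow-list and against an app-plus-action policy. The vendor's App-ID classifier is approximated by a small, hypothetical method/path mapping; the user name, CIDR, application names and paths are all constructed for illustration. It shows both failure modes discussed above: the IP/port rule lets uploads, downloads and an unrelated app in the same range through, and it silently breaks when the application moves to a new address.

```python
"""
Toy comparison of a Layer 3/4 allow-list with an application-aware
(app + sub-app action) policy. Added illustration, not vendor code:
App-ID is approximated by matching the HTTP method and path of a
request that the enforcement point can already see decrypted.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Request:
    user: str
    dst_ip: str
    dst_port: int
    app: str      # label an application classifier would attach to the flow
    method: str   # HTTP method observed in the (decrypted) session
    path: str


# --- ZTNA 1.0 style: access defined by network constructs -----------------
# To keep a SaaS app with rotating addresses working, the administrator is
# forced to open a whole block (constructed example values, TEST-NET-3).
L34_POLICY = {
    "contractor": [("203.0.113.0/24", {443})],
}


def l34_allows(policy, req):
    """Allow if destination IP/port falls inside any range granted to the user."""
    for cidr, ports in policy.get(req.user, []):
        in_range = ipaddress.ip_address(req.dst_ip) in ipaddress.ip_network(cidr)
        if in_range and req.dst_port in ports:
            return True
    return False


# --- ZTNA 2.0 style: access defined by app and sub-app action -------------
# Rule shape: user -> app -> set of permitted actions. The app label and the
# action come from a classifier, not from the address the app happens to use.
SUBAPP_POLICY = {
    "contractor": {"fileshare": {"view"}},
}


def classify_action(req):
    """Map an HTTP request to a coarse sub-app action (constructed mapping)."""
    if req.method == "GET" and req.path.startswith("/files/") and req.path.endswith("/download"):
        return "download"
    if req.method in {"POST", "PUT"} and req.path.startswith("/files/"):
        return "upload"
    if req.method == "GET":
        return "view"
    return "other"


def subapp_allows(policy, req):
    """Default deny: the app must be granted, and the action must be listed."""
    allowed_actions = policy.get(req.user, {}).get(req.app)
    if allowed_actions is None:
        return False
    return classify_action(req) in allowed_actions


# Constructed sample traffic: the same user hitting the same address block.
SAMPLE_REQUESTS = [
    Request("contractor", "203.0.113.10", 443, "fileshare", "GET", "/files/"),
    Request("contractor", "203.0.113.10", 443, "fileshare", "POST", "/files/new"),
    Request("contractor", "203.0.113.10", 443, "fileshare", "GET", "/files/42/download"),
    # unrelated app that lives in the same /24 the L3/4 rule had to open
    Request("contractor", "203.0.113.200", 443, "admin-console", "GET", "/"),
    # the file share moved to a new address; the app itself is unchanged
    Request("contractor", "198.51.100.5", 443, "fileshare", "GET", "/files/"),
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Return (layer34_decision, app_aware_decision) for each request."""
    return [(l34_allows(L34_POLICY, r), subapp_allows(SUBAPP_POLICY, r))
            for r in requests]


if __name__ == "__main__":
    for r, (l34, aware) in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{r.method:4} {r.dst_ip:14} {r.path:20} "
              f"L3/4={str(l34):5} app-aware={aware}")
```

Running the block prints one line per request. Only the first request is a least-privilege "view" and is allowed by both models; the IP/port rule also allows the upload, the download and the unrelated admin console, then denies the legitimate view once the app changes address, which is exactly the combination of over-grant and brittleness the text describes.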
Effectively Enforcing Least Privilege Requires the Granular Controls of ZTNA 2.0
In a world where applications and users are everywhere, embracing the principle of least privilege is critically important to adopting Zero Trust effectively and reducing an organization’s risk. ZTNA 2.0 enables precise access control for all types of applications, independent of network constructs like IP addresses and port numbers. Be sure to watch our ZTNA 2.0 virtual event, where we discuss innovations and best practices for securing the hybrid workforce with ZTNA 2.0.
Kumar Ramachandran serves as Senior Vice President of Products for Secure Access Service Edge (SASE) products at Palo Alto Networks. Kumar co-founded CloudGenix in March 2013 and was its CEO, establishing the SD-WAN category. Prior to founding CloudGenix, Kumar held leadership roles in Product Management and Marketing for the multi-billion dollar branch routing and WAN optimization businesses at Cisco. Prior to Cisco, he managed applications and infrastructure for companies such as Citibank and Providian Financial. Kumar holds an MBA from UC Berkeley Haas School of Business and a Master’s in Computer Science from the University of Bombay.