# Why Most Zero Trust Network Access Solutions Are Too Trusting

By [Ben Forster](https://www.paloaltonetworks.com/blog/author/ben-forster/?ts=markdown "Posts by Ben Forster"), Jul 17, 2020

Many organizations have turned to Zero Trust Network Access (ZTNA) solutions to answer the challenges of providing secure access to data, apps and the network to users from any location.
ZTNA can be roughly defined as a set of technologies that provide secure, remote and restricted access to applications. The phrases "just in time, and just enough" and "least privileged access" are often used to describe this technology. However, when evaluating ZTNA providers, it's important to make sure they don't implicitly trust users once they've connected.

## Breaking Down ZTNA

Palo Alto Networks was recently listed as a representative vendor in Gartner's [Market Guide for Zero Trust Network Access](https://start.paloaltonetworks.com/gartner-report-market-guide-ztna.html), which states, "ZTNA augments traditional VPN technologies for application access, and removes the excessive trust once required to allow employees and partners to connect and collaborate."^1^ To better understand why this is, you can break ZTNA into three steps.

1. A user is provided with secure access to an authentication system, either through an agent or agentless approach. An example of this could be a user on an unmanaged device accessing a [secure access service edge](https://www.paloaltonetworks.com/cyberpedia/what-is-sase) (SASE) through a web browser where an SSL or TLS tunnel is established.
2. The user's identity is confirmed from a corporate authentication server and access to a privileged resource -- such as a data center or application -- is granted based on the organization's policies. These might map to employee types like contractors or full-time employees, or to job functions, like finance or marketing.
3. Secure access is provisioned to the resource or application.

This last step is where most ZTNA solutions stop: They don't monitor user activity for threats after they connect. This approach makes two false assumptions. The first is that the credentials used to authenticate were not compromised. The second is you've only granted access to the applications the user "needs to use" and that you're not trusting the user.
Of course, that's not true -- you're still trusting them with that application!

## A Better Approach to ZTNA with Prisma Access

As organizations look for solutions to help them apply ZTNA capabilities, it is important to look for solutions that offer a better approach to trust -- solutions that can be part of a true [Zero Trust strategy](https://www.paloaltonetworks.com/blog/2020/06/network-zero-trust-strategy/). This means seeking out solutions that not only authenticate before a user is given access but continue to do so throughout the user's entire session connected to the network.

[Prisma Access](https://www.paloaltonetworks.com/prisma/access) is Palo Alto Networks' solution for ZTNA, delivering on the core tenets of limiting user access to only the applications they should have access to, while simultaneously preventing data exfiltration or threats from compromised endpoints. Prisma Access [enables organizations](https://www.paloaltonetworks.com/resources/datasheets/prisma-access) to do the following:

* **Shield Applications from Exposure to the Public Internet** -- Prisma Access uses agent-based and agentless secure VPNs to connect users to a cloud-based [SASE](https://start.paloaltonetworks.com/sase-4-dummies.html). Prisma Access then performs full data inspection and authentication before allowing the user to connect to the shielded application. The application is never exposed to the public internet and no unauthenticated users are allowed to access it.
* **"Just in Time and Just Enough" Authentication and Access Control** -- Prisma Access identifies, authenticates and assigns granular, role-based access control for users, whether the user is on a company-owned or unmanaged device. This enables organizations to implement uniform security policies regardless of where the user is located. In the spirit of Zero Trust, Prisma Access operates in default-deny mode, allowing users to see and access only those applications to which they have been granted access.
* **Threat and Vulnerability Scanning** -- Unlike most ZTNA solutions, Prisma Access delivers the full detection capabilities of a next-generation firewall. As data enters or exits a data center or application, Prisma Access performs single-pass inspection across all web and non-web traffic for malware signatures, intrusion behaviors and indicators of data loss. Prisma Access also performs a health check of the user's device before it connects -- verifying patch history, firewall and endpoint anti-malware states -- to prevent a vulnerable device from introducing risk to the application.

When employing ZTNA, organizations need to fully commit to embracing the Zero Trust concept of explicit identity-based trust. Secure remote access buttressed by identity or role-based authentication is important, but it's only part of truly effective ZTNA. Staying true to the philosophy of Zero Trust requires monitoring user activity for threats even after a user connects to privileged resources.

Read Gartner's [Market Guide for Zero Trust Network Access](https://start.paloaltonetworks.com/gartner-report-market-guide-ztna.html) report to learn more.

*^1^ Gartner, "Market Guide for Zero Trust Network Access," Steve Riley, Neil MacDonald, Lawrence Orans, June 8, 2020.*

*Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact.
Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.*
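
The three-step flow under "Breaking Down ZTNA" and the post's argument for verifying throughout the session can be compared side by side in a small model. This is an added example, not code from the post or from Prisma Access: the role-to-app table, the signal labels, `Session` and the function names are hypothetical, and re-checking device posture on every request is an assumption of the model.

```python
from dataclasses import dataclass, field

# Hypothetical policy: role -> apps it may reach; anything absent is denied.
ROLE_APPS = {"finance": {"ledger"}, "marketing": {"cms"}, "contractor": {"wiki"}}
# Device health checks the post names: patch state, firewall, anti-malware.
POSTURE_CHECKS = ("patched", "firewall_on", "antimalware_on")
# Inspection findings the post names; the labels themselves are constructed.
THREAT_SIGNALS = {"malware_signature", "intrusion_behavior", "data_loss_indicator"}

@dataclass
class Session:
    role: str
    authenticated: bool
    posture: dict
    revoked: bool = False
    findings: list = field(default_factory=list)

def authorize_at_connect(s, app):
    """Steps 1-3: authenticated identity, healthy device, role policy (default deny)."""
    if not s.authenticated or s.revoked:
        return False
    if not all(s.posture.get(check, False) for check in POSTURE_CHECKS):
        return False
    return app in ROLE_APPS.get(s.role, set())

def authorize_request(s, app, signals=()):
    """Continuous model: rerun the connect checks and act on inspection findings."""
    hits = THREAT_SIGNALS.intersection(signals)
    if hits:
        s.findings.extend(sorted(hits))
        s.revoked = True  # stays revoked; the user must re-authenticate
    return authorize_at_connect(s, app)

def replay(events, continuous):
    """Return one allow/deny decision per (app, signals, posture_change) event."""
    s = Session("finance", True, dict.fromkeys(POSTURE_CHECKS, True))
    granted = {a for a in ROLE_APPS[s.role] if authorize_at_connect(s, a)}
    decisions = []
    for app, signals, posture_change in events:
        s.posture.update(posture_change)
        if continuous:
            decisions.append(authorize_request(s, app, signals))
        else:  # connect-time only: whatever was provisioned stays trusted
            decisions.append(app in granted)
    return decisions

# Constructed session: clean request, flagged upload, follow-up, out-of-role app.
EVENTS = [("ledger", (), {}), ("ledger", ("data_loss_indicator",), {}),
          ("ledger", (), {}), ("cms", (), {})]

if __name__ == "__main__":
    print("connect-time only:", replay(EVENTS, continuous=False))
    print("continuous:       ", replay(EVENTS, continuous=True))
```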