* [Blog](https://www.paloaltonetworks.com.au/blog)
* [SASE](https://www.paloaltonetworks.com.au/blog/sase/)
* [Product Features](https://www.paloaltonetworks.com.au/blog/sase/category/product-features/)
* The ZTNA Superpowers in P...

# The ZTNA Superpowers in Prisma Access

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fsase%2Fthe-ztna-superpowers-in-prisma-access%2F)  
[](https://twitter.com/share?text=The+ZTNA+Superpowers+in+Prisma+Access&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fsase%2Fthe-ztna-superpowers-in-prisma-access%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fsase%2Fthe-ztna-superpowers-in-prisma-access%2F&title=The+ZTNA+Superpowers+in+Prisma+Access&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com.au/blog/sase/the-ztna-superpowers-in-prisma-access/&ts=markdown)  
\[\](mailto:?subject=The ZTNA Superpowers in Prisma Access)  
Link copied  
By [Jason Georgi](https://www.paloaltonetworks.com/blog/author/jason-georgi/?ts=markdown "Posts by Jason Georgi")  
Sep 09, 2021  
5 minutes  
[Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown)  
[Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)  
[Forrester](https://www.paloaltonetworks.com/blog/tag/forrester/?ts=markdown)  
[Prisma Access](https://www.paloaltonetworks.com/blog/tag/prisma-access/?ts=markdown)  
[Zero Trust](https://www.paloaltonetworks.com/blog/tag/zero-trust/?ts=markdown)

*This is part 2 of a 3-part series where we take a closer look at the ZTNA-related strengths of Prisma Access as cited in the recent* [Forrester New Wave™: Zero Trust Network Access, Q3 2021](https://start.paloaltonetworks.com/ztna-new-wave-report) *report* *. Did you miss part 1?* [*Read it here*](https://www.paloaltonetworks.com/blog/2021/08/a-leader-in-the-forrester-ztna-new-wave/)*.*

With users, devices, applications, and data everywhere, gone are the days when encrypted remote access tunneling was sufficient to get users to the resources they need to do their jobs. The "crusade to kill the VPN" was a major driving force behind Forrester's recent[Forrester New Wave™: Zero Trust Network Access, Q3 2021](https://start.paloaltonetworks.com/ztna-new-wave-report) report. In this report, Forrester notes that "VPN performance issues, more than any other factor, drove enterprises to adopt ZTNA for secure remote access to keep their remote employees working."

This has certainly been our experience during the pandemic. Still, many organizations continue to overlook the critical importance of threat detection and prevention, enterprise data loss, and credential compromise and abuse as differentiators amongst ZTNA solutions.

[VPN compromise](https://www.paloaltonetworks.com/blog/2021/06/why-hackers-like-your-remote-access/), brute forcing of remote access tools like SSH and RDP, and 2FA bypass via social engineering are common tactics used in many recent breaches that have reached headlines. In fact, [according to one recent study](https://www.verizon.com/business/resources/reports/dbir/2021/masters-guide/summary-of-findings/) more than 80% of breaches involved compromised credentials.

Unsurprisingly, user credentials and personally identifiable information are consistently among the top pieces of data sought by attackers. Worse, credential and remote access compromise are consistently among the hardest attacks to detect and consistently the longest to persist, typically taking close to a year to identify and contain, according to IBM's annual C[ost of a Data Breach Report](https://www.ibm.com/security/data-breach).

With the [new reality of hybrid work](https://start.paloaltonetworks.com/state-of-hybrid-workforce-security-2021) and continued proliferation of external applications, organizations have become perimeterless. Many organizations recognize they need to address this shift while still containing technology and policy sprawl. Point products don't coordinate or orchestrate security policies, making automation difficult. And though Identity Providers are an obvious requisite, they only provide part of the solution.

You can use the following 5 questions to assess your own organization's security posture:

1. How quickly can we implement policy changes if a user's authorization changes?
2. How many security controls are still based on IP addresses and networks?
3. How quickly can we identify and respond to improper or spoofed access attempts?
4. Do we have means of providing adaptive access or triggering additional action, such as MFA, to resources based on device type, time, location?
5. Can we mitigate the insider threat of an employee having authorized access to critical resources and attempting malicious activity?

This is why identity-based access is crucial. It's about identifying and tracking users based on immutable characteristics, not IP addresses, and provisioning them with application-specific access and dynamically changing permissions as needed.

This is exactly what we've built with [Prisma Access](https://www.paloaltonetworks.com/sase/access). We integrate with multiple identity providers--including Okta, Google, and Microsoft--and multiple IDPs at the same time, providing customers a centralized way of managing role-based, granular access control for all users whether they are on managed or unmanaged devices.

## ZTNA Superpower 1: Threat Detection

Prisma Access uses single-pass inspection to identify and map user-based access controls to applications. This capability is unique to Prisma Access, and it inspects traffic for signs of zero-day malware with layer three through seven inspection.

Why is this capability so important? Because hackers and cyberattacks continually become more sophisticated.

For example, attackers today commonly use second stage malware implants to gain access to a single application and then compromise users with elevated privileges. This attack strategy defeats the logical segmentation that most ZTNA solutions provide. However, Prisma Access is not a typical ZTNA solution--- it can identify and block these attacks in real time, using [WildFire](https://www.paloaltonetworks.com/products/secure-the-network/wildfire) for behavior-based code analysis and signature-based malware and intrusion detection in a single pass. What's even better is that this is all done without negatively impacting user experience.

## ZTNA Superpower 2: Credential Theft Prevention

If credential theft is leveraged in the vast majority of breaches, we know that most of this theft is carried out through spear phishing: unsuspecting users entering passwords and usernames, many of which are reused across applications, into fake forms or replying to spoofed emails. Prisma Access detects and prevents credential phishing by blocking untrusted sites and scanning user credentials for corporate passwords and usernames as they're entered into websites.

## ZTNA Superpower 3: Continuous Trust Assessment

With dynamic user group monitoring, Prisma Access automatically adapts controls based on risk factors even before IDP or identity stores are updated. Both user and device are continuously assessed - looking at the posture and location of the connecting device. For example, did the user recently reconnect from a different device? Did they resume their session in a different location? If the user is connecting from public WiFi, this also increases their risk profile.

User and device trust is continuously and dynamically assessed, and all content is scanned for signs of credential compromise and data-loss. Prisma Access also implements policy-based MFA which challenges users to step up authentication as they access higher sensitivity applications or as their risk profile changes. We're also enforcing this at the first packet, which is critical for preventing attempted lateral movement.

Continuous verification is the bedrock of the Prisma Access policy and data path engines. Each access attempt and flow is assessed to ensure policy-based secure access from the user and device to the app while seamlessly preventing threats and data loss. We use purpose-built supervised and unsupervised models both "inline" on the data path and out-of-band, with Palo Alto Networks creating the world's first [ML-powered inline security products.](https://www.paloaltonetworks.com/products/new/pan-os-10-0)

In the next blog post we'll look at Prisma Access deployment flexibility and how we secure access to legacy on-premises and cloud based applications. In the meantime, you can download a copy of the Forrester report [here](https://start.paloaltonetworks.com/ztna-new-wave-report).

*** ** * ** ***

## Related Blogs

### [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Bringing Zero Trust SASE to Your Doorstep with SASE Private Location](https://www.paloaltonetworks.com.au/blog/sase/bringing-zero-trust-sase-to-your-doorstep-with-sase-private-location/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Achieve True Zero Trust and Peak Performance with Prisma Access 6.1](https://www.paloaltonetworks.com.au/blog/sase/achieve-true-zero-trust-and-peak-performance-with-prisma-access-6-1/)

### [Cloud-delivered Security](https://www.paloaltonetworks.com/blog/sase/category/cloud-delivered-security/?ts=markdown), [Partner Integrations](https://www.paloaltonetworks.com/blog/sase/category/partner-integrations/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown)

[#### Securing Campus Networks with Prisma Access and Nile](https://www.paloaltonetworks.com.au/blog/sase/securing-campus-networks-with-prisma-access-and-nile/)

### [News \& Events](https://www.paloaltonetworks.com/blog/sase/category/news-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Forrester Study Reveals SASE-related Impact on Data Security](https://www.paloaltonetworks.com.au/blog/sase/forrester-study-reveals-sase-related-impact-on-data-security/)

### [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### ML-powered Threat Protection in Prisma Access Secures Hybrid Workforce](https://www.paloaltonetworks.com.au/blog/sase/ml-powered-threat-protection-in-prisma-access-secures-hybrid-workforce/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Extending Our SASE Leadership with Next-Gen CASB Innovations](https://www.paloaltonetworks.com.au/blog/2022/08/sase-leadership-with-next-gen-casb-innovations/)

### Subscribe to Sase Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com.au/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language