Feb 7, 2024

How Zero Trust and Privileged Access Work Together in the Cloud


Zero trust network access (ZTNA) and privileged access management (PAM) are two approaches to securing an IT environment by restricting data access to those with the proper permissions and credentials. Although they are often seen as two sides of the same coin, ZTNA and PAM work together to maximize cloud security.

We invite you to learn more about how Hillstone Networks implements ZTNA and PAM in the cloud. In the meantime, it might be beneficial to discuss how the two strategies work and how they can be combined for a more secure cloud.

PAM Is Perimeter-Based

PAM is considered a perimeter-based security strategy. That makes it a more traditional approach to controlling access. It is built on the assumption that all trusted users within a particular environment start out with unrestricted access to data and resources.

By assigning security levels to data and resources within that perimeter, security personnel can then restrict access by linking privileges to the security levels. Accounts are assigned privileges based on each user’s need to access a particular set of data or resources. More extensive privileges tend to be granted commensurate with the importance of an individual’s role.

PAM is effective enough within a given perimeter. But its main weakness is that it becomes vulnerable immediately should a threat actor gain access to a privileged account. Once in, a hacker has unfettered access to whatever the compromised account allows.

ZTNA Is Verification-Based

In a ZTNA environment, absolutely no one is trusted forever. All users and devices require continuous verification as they move throughout a space. Most importantly, ZTNA still applies to the most privileged accounts in a network environment. Users with elevated privileges must still verify their identities in order to gain access.

The biggest advantage of ZTNA is its granular access control. By default, ZTNA promotes the least privilege necessary to complete tasks and access data, even for the most privileged users. An added bonus is the ability to continuously monitor user behavior as a means of detecting suspicious activity.

PAM and ZTNA Working Together

Hillstone Networks promotes combining PAM and ZTNA in cloud environments. It is all about reducing attack surfaces. Each strategy can act separately to reduce an attack surface. Combining them is much more effective. By reducing the attack surface within a given perimeter and requiring least privilege, threats are minimized.

The nice thing about PAM is that it seamlessly integrates with ZTNA principles. PAM is already a least privilege strategy. Add multi-factor authentication and session monitoring and PAM makes ZTNA even stronger.

In the other direction, ZTNA makes PAM more effective at the granular level. Combining ZTNA with PAM reduces the risk of compromised credentials and misused privileges through continuous verification. At the very least, it slows down threat actors who would otherwise have unfettered access by way of a compromised account.
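
The combined check described above, sketched as an added example (it is not Hillstone Networks code): a PAM-style grant table decides what a role may touch, and ZTNA-style signals are re-verified on every request. The role names, the 15-minute MFA window, and the sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical PAM grant table: role -> resources it may access (least privilege).
PAM_GRANTS = {
    "db-admin": {"prod-db", "db-backups"},
    "helpdesk": {"ticketing"},
}
MAX_MFA_AGE_S = 15 * 60  # assumed re-verification window, not a standard value

@dataclass
class Request:
    user: str
    role: str
    resource: str
    mfa_age_s: int          # seconds since the last successful MFA check
    device_compliant: bool  # posture signal reported for the requesting device
    known_device: bool      # device previously enrolled for this user

def pam_only(req):
    """Perimeter-style check: a valid privileged account is enough."""
    return req.resource in PAM_GRANTS.get(req.role, set())

def pam_with_ztna(req):
    """Evaluate the PAM grant plus ZTNA signals on every request.
    Returns (allowed, reasons) so denials can feed session monitoring."""
    reasons = []
    if not pam_only(req):
        reasons.append("no PAM grant for resource")
    if req.mfa_age_s > MAX_MFA_AGE_S:
        reasons.append("MFA stale, re-verify")
    if not req.device_compliant:
        reasons.append("device out of compliance")
    if not req.known_device:
        reasons.append("unrecognized device")
    return (not reasons, reasons)

# Constructed sample requests.
ADMIN_OK = Request("alice", "db-admin", "prod-db", 120, True, True)
STOLEN_CRED = Request("alice", "db-admin", "prod-db", 7200, True, False)
OVERREACH = Request("bob", "helpdesk", "prod-db", 60, True, True)

if __name__ == "__main__":
    for r in (ADMIN_OK, STOLEN_CRED, OVERREACH):
        print(r.user, r.resource, "PAM-only:", pam_only(r), "combined:", pam_with_ztna(r))
```

The `STOLEN_CRED` request passes the PAM-only check because the account holds the grant, but the combined check denies it and records why, which is the record a session-monitoring pipeline would alert on.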

Not One or the Other

Hillstone Networks takes the position that choosing one over the other does not make sense. Organizations should not use PAM while ignoring ZTNA, and vice versa. As long as an organization is putting time and effort into one, it might just as well integrate the other and enhance the capabilities of both.

There are a few things to remember, including the fact that proper implementation requires significant planning and a knowledge of ZTNA integration. Combining the two creates a layered defense against both external and internal attacks, but only if those layers interact properly.

Hillstone Networks can help your organization deploy PAM and ZTNA in an integrated fashion. Doing so will make for a more secure cloud environment that is less prone to lateral attacks.