Prisma Access Dynamic Privilege Access White Paper

Prisma Access Dynamic Privilege Access Whitepaper

Authors:

Uttam Ramesh - Product Manager

Terry Zhang - Technical Marketing Engineer

This topic provides a high-level overview of the features and benefits of Prisma Access Dynamic Privilege Access. 

Introduction

With rapid changes in digital transformation, organizations require agile and secure access and management solutions for their private applications. Additionally, there is a growing need to integrate Secure Service Edge (SSE) solutions to access customer and partner data centers for various projects.

Palo Alto Networks Prisma Access offers Dynamic Privilege Access (DPA), an advanced approach that addresses these evolving demands. DPA provides secure, project-specific, and dynamic privilege access controls that are both flexible and compliant. This white paper delves into how DPA resolves the challenges faced by ITES organizations and large enterprises in securing their networks and enhancing operational efficiency when deploying Dynamic Privilege Access.

Why Dynamic Privilege Access?

Large enterprises and IT Enabled Services (ITES) organizations face unique challenges due to the coexistence of traditional, legacy IP-based access control and modern identity-based access enforcement. These challenges include:

1. Legacy IP-Based Access Control: Many enterprises, including large consulting companies, require IP-based network Access Control Lists (ACLs) to fulfill compliance obligations when connecting data centers to customer networks. These controls form the basis for user access, often falling short of context with newer identity-based policies.
2. Conditional Access Requirements: Organizations require the ability to apply conditional access policies, customized network configurations (e.g., DNS, split tunnel per project), and segment users and networks based on projects. This makes transitioning from traditional VPNs to Secure Access Service Edge (SASE) models difficult for many organizations.
3. Compliance and Unique Networking Demands: Regional regulations and PII laws restrict only local access as a requirement before establishing any connectivity. Dynamic Privilege Access allows organizations to maintain compliance while ensuring unique networking configurations for every project.
4. Overlapped Subnets across Different Projects: When accessing projects, customers' and partners' data centers may have similar networking setups and overlapping IP subnets. This results in networking implementation blockers and takes weeks to months to resolve, impacting the project timeline.

Features of Dynamic Privilege Access

1. Project-Based Network and User Segmentation: DPA provides dynamic access based on selected projects, using a combination of user identity and per-project IP pool managed by Prisma Access. This allows organizations to manage segmentation without compromising on compliance or security, addressing the requirements of ITES organizations with complex client portfolios.
2. Conditional Access and Networking Configurations: The solution includes customized DNS, split tunnel per project, and location-based policies. These settings provide the flexibility to handle unique networking configurations across different projects, ensuring zero trust network access so that only authorized users can access specific data and applications of a project.
3. Modern Identity Integration with Legacy Controls: Prisma Access integrates with Cloud Identity Engine, which provides modern user identity-based security enforcement with existing legacy IP-based controls, allowing a seamless coexistence between traditional and modern access models. This enables a smooth migration to SASE without sacrificing the security or compliance required by existing projects.
4. Steering Traffic to comply with Data Privacy/Security Frameworks: Steer Internet-bound and private application traffic from specific projects using Service Connections to remain compliant with local data privacy regulations [Ex: India, All traffic including internet, private, and SaaS bound must egress via admin specified customer sites in the special economic zones (SEZ)]
5. Prisma Access Agent: The unified agent for all SASE use cases, also natively built with project awareness.

Dynamic Privilege Access High-Level Architecture

Benefits of Dynamic Privilege Access

1. Enhanced Security and Conditional Access: By allowing conditional access controls and project-based network isolation, DPA ensures that users have only the privileges necessary for their current tasks. This granular control minimizes the risk of unauthorized access.
2. Time to Value: The ZTNA Connector is taking the center court as it provides a secure way to connect users to each project, even for those with overlapped IP addresses. It automatically sets up and manages IPSec tunnels to Prisma Access for each project, ensuring optimal performance and reliability; therefore enabling enterprises to swiftly launch projects, they can direct their energy towards delivering impactful project outcomes instead of getting bogged down by connectivity setup.
3. Simplified Operations and Compliance: DPA simplifies the operations needed to secure infrastructure. By combining identity-based access with legacy IP-based controls, it meets regulatory requirements and improves ease of management, providing both simplicity and compliance. Customers can meet industry standards without the added complexity of maintaining separate systems.
4. Flexible Migration Path to SASE: Dynamic Privilege Access addresses the limitations of existing SASE solutions by integrating traditional and modern access models. This allows organizations to gradually adopt SASE without significant disruptions or security compromises.

Conclusion

Dynamic Privilege Access offers an advanced, secure, and flexible solution for managing access in complex enterprise environments. Its project-based segmentation capabilities, combined with both identity-based and IP-based controls, address key compliance and operational challenges faced by ITES organizations and large enterprises. With Prisma Access, adopting DPA makes a seamless transition to SASE possible, providing a unique blend of security, flexibility, and operational efficiency that is crucial for modern enterprises.

Dynamic Privilege Access provides what traditional SASE solutions lack—flexibility in enforcing both modern identity and traditional IP-based controls—making it an essential component for organizations looking to secure segmented access in today's diverse and dynamic networking environments.