CrowdStrike vs Palo Alto

CrowdStrike and Palo Alto Networks are two of the big names in cybersecurity for business. Each company has its specialty products, with CrowdStrike growing from an endpoint protection system and Palo Alto starting with firewall products. Both businesses are now extending their expertise into the field of Zero Trust Access (ZTA).

Both CrowdStrike and Palo Alto Networks offer an XDR system, a vulnerability scanner, and firewall management. CrowdStrike is weak in the field of firewalls, which is Palo Alto’s specialty. Palo Alto Networks offers a full range of firewall services, which includes on-site firewalls that are delivered as physical and virtual appliances. It also has a Firewall-as-a-Service (FWaaS) product.

CrowdStrike’s only firewall product is a coordinator for third-party on-site firewalls. The ability to deliver a firewall from the cloud and other “edge services” is an important stepping stone in the creation of ZTA technology.

What is Zero Trust Access?

All cybersecurity businesses are piling in on the field of Zero Trust Access at the moment. This is the key field in corporate security systems and will probably come to dominate the entire cybersecurity industry as the most sought-after product.

ZTA addresses recent changes in corporate working practices. The three historic changes in network security that need to be accounted for are:

  • Work from home: Telecommuting was given a boost during the Covid pandemic. Businesses discovered that this working model was efficient and workers found it improved their work-life balance.
  • Cloud services: Increasingly, business software is delivered from the cloud. This includes productivity suites, such as Microsoft Office, which is now the SaaS package Microsoft 365.
  • IoT devices: Businesses are increasingly reliant on smart devices, from security cameras to retail technology.

These three changes mean that system administrators are no longer presented with the task of managing access by employees and customers to software hosted on in-house servers that are connected to the office network. Instead, workers access SaaS packages from their homes, save documents to cloud storage, and reference off-network IoT devices. Managing system security is no longer about protecting on-premises assets.

ZTA addresses the issues related to access by people and things, located off-site, to cloud services that are hosted somewhere else. The business premises are no longer a hub, so instead, they need to act like an authentication service.

ZTA is concerned with checking who or what is allowed access to the business network, which should now be considered a virtual system. These access routes need to automatically identify who has access to what and at what permission level. This philosophy also extends to permitting BYOD to join the system.

BYOD used to refer to the mobile devices that employees and visitors bring into the office. Now, however, the office is virtual and the network is global. Those user-owned devices that need to connect to the business system are out on the street or in the homes of telecommuting workers.

IoT devices should be treated in the same ways as BYOD. Complicating this issue is that IoT devices don’t have users. They are known as “headless devices”.

Zero Trust Access and Zero Trust Network Access

You might see the term ZTNA on cybersecurity websites. This is a subset of ZTA and it stands for Zero Trust Network Access. The “Network” part of that name is a bit misleading because the field defines strategies for managing access to SaaS applications.

Since you will probably use ZTA to let your workforce get access to cloud-based tools, you will always be involved with ZTNA as part of your ZTA strategy. The only part of ZTA that isn’t also ZTNA is the issue of protecting often badly secured IoT devices and allowing endpoints within the network to communicate with them without risking opening a channel for viruses to get in.

SD-WAN, SASE, and ZTA

An SD-WAN is a software-defined wide-area network. It enables a network administrator to join together the networks of different sites, using the internet as trunk connections between the LANs. The SD-WAN server uses VPN connections to link each site to the server and channels all traffic back and forth between sites.

Secure Access Service Edge (SASE) is an SD-WAN with a firewall on the front of it – a cloud-hosted firewall. If you already use an FWaaS, you already have a mini-SASE. With SASE, site-to-site traffic is protected by VPNs and all other traffic, which is going out to the internet, is scanned for things like data theft. Incoming traffic goes to the SASE server in the cloud, gets scanned, and then forwarded down the VPN tunnel to the relevant site.

If you have remote workers, you let them into your site over a VPN. The worker’s computer has a VPN client on it. That client requires them to log in with credentials before it will activate the VPN tunnel to your site, so you know that only people who have a username and password for your site can use that VPN client. Call that VPN client interface a “user portal”, add on an access rights manager (ARM) that implements a single sign-on (SSO) environment with access to SaaS systems, and you have a ZTA system.

The progression from VPN to FWaaS to SD-WAN to SASE to ZTA means that businesses that are very good at providing FWaaS are well placed to provide ZTA.

About CrowdStrike

CrowdStrike started up as a cybersecurity consultancy in 2011. The consultancy was called in to analyze the Sony Pictures data hack in 2015 and the Democratic Party email hacks of 2015 and 2016. The company produced its cybersecurity tools in 2013, and its sales took off thanks to the constant reference to the CrowdStrike name during those two major hacking events.

CrowdStrike Holdings, Inc. was listed on NASDAQ in 2019 and reported revenue of $1.45 billion for 2021. The company has 3,394 employees and in December 2021, it moved its headquarters from Sunnyvale, California to Austin, Texas.

CrowdStrike’s systems run on a cloud platform, called Falcon. Its core product is an endpoint-protecting system called Falcon Prevent. This is installed on endpoints, like a traditional AV. All the other packages in the Falcon suite are cloud-based and use the Prevent software as a local agent. The company still offers consultancy services and it uses its two divisions to create managed security services.

CrowdStrike isn’t well placed for ZTA technology, so it acquired that expertise with the purchase of Preempt Security in September 2020 and Secure Circle in November 2021. CrowdStrike developed its ZTA package without the Falcon name – the platform is called CrowdStrike Security Cloud.

About Palo Alto Networks

The founder of Palo Alto Networks, Nir Zuk, is credited with creating the first stateful firewall while working for Check Point. He started Palo Alto Networks in 2005 with headquarters in Santa Clara, California and the business now has a total of 11,098 employees. The company floated on the New York Stock Exchange in July 2012 and moved its listing to NASDAQ in October 2021. The business’s revenue was $4.256 billion for the year 2021.

Palo Alto Networks is well-placed to lead the market in ZTA. It delivers its products from the cloud and has an excellent FWaaS. Its products include an SD-WAN service and a SASE. It offers a range of ZTA options.

CrowdStrike Security Cloud

CrowdStrike Security Cloud is a complete ZTA solution – you aren’t expected to combine it with any other CrowdStrike products to get a ZTA system. The tool employs integrations and orchestration to interact with other security products, which could be provided by other companies. It also uses your existing access rights manager, which can be located on-premises or in the cloud.

The Security Cloud acts as an authorization hub between users and applications. Users log into the Security Cloud portal and the single sign-on system behind the CrowdStrike System lets them through to each application. The tool provides authentication checks at each access event without pestering the user to re-login.

The CrowdStrike system can also be used to allow access to IoT devices. It performs security scanning for each device, be it a regular business computer, BYOD, or IoT. The tool uses fingerprinting to identify repeat devices, which certainly includes company-owned IoT devices. An introduced infection or configuration weakness will block access for a previously allowed device. In short, each device is checked each time it wants to access the network.
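The per-access decision the paragraph above describes, as an added illustrative model (not CrowdStrike’s or Palo Alto’s code): the user is authenticated once through SSO, but every access event re-checks the device’s posture and the user’s permission for the requested application, and headless IoT devices are authorized by device identity alone. The policy, roles and device fingerprints below are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Device:
    fingerprint: str                 # identifier derived from device attributes
    infected: bool = False           # agent reported malware on this device
    config_findings: list = field(default_factory=list)  # e.g. "disk_unencrypted"

@dataclass
class Session:
    user: Optional[str]              # None for a headless IoT device
    device: Device

# Constructed sample policy: application -> required roles and BYOD permission.
# An empty role set means any managed device may connect (headless IoT case).
POLICY = {
    "crm":         {"roles": {"sales", "admin"},   "allow_byod": True},
    "payroll":     {"roles": {"finance", "admin"}, "allow_byod": False},
    "camera-feed": {"roles": set(),                "allow_byod": False},
}
# Constructed sample directory data, standing in for the existing ARM.
ROLES = {"alice": {"sales"}, "bob": {"finance"}}
MANAGED_DEVICES = {"fp-corp-001", "fp-corp-iot-07"}  # company-owned fingerprints

def device_posture_ok(device: Device) -> bool:
    """A previously allowed device is blocked on any new infection or weakness."""
    return not device.infected and not device.config_findings

def authorize(session: Session, app: str) -> tuple:
    """Return (allowed, reason). Called on every access event, not only at login."""
    rule = POLICY.get(app)
    if rule is None:
        return False, "unknown application"
    if not device_posture_ok(session.device):
        return False, "device posture failed"
    is_byod = session.device.fingerprint not in MANAGED_DEVICES
    if is_byod and not rule["allow_byod"]:
        return False, "BYOD not permitted for this application"
    if rule["roles"] and not (ROLES.get(session.user or "", set()) & rule["roles"]):
        return False, "user lacks required role"
    return True, "ok"
```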

One shortfall of the CrowdStrike system is that it doesn’t include a firewall. It allows that function to be provided by third-party tools.

Palo Alto Prisma Access

Palo Alto Networks offers several options that provide tailored solutions for different ZTA purposes. The company envisions three areas that would require a Zero Trust architecture: users, applications, and infrastructure. Curiously, it isn’t necessary to take the whole bundle of tools in order to achieve ZTA. For example, Palo Alto proposes including Cortex XDR in the package, which is the company’s endpoint protection service, but that is not part of the core ZTA system.

Prisma Access provides all of the functions you need to implement ZTA. This is a cloud-based system. It doesn’t include identity and access management, but it will integrate with your existing user and device management tool and extend it out to a single sign-on environment that includes SaaS accounts.

Prisma Access is a SASE service but it will also create a ZTA system. You can add on Cortex XDR for endpoint protection, but Prisma Access will handle connection security for remote workers without it. Features delivered by Prisma Access include:

  • Authorization and connection security for access by individual users
  • Inter-site connection security with an SD-WAN
  • Data loss prevention and incoming traffic scanning with an FWaaS
  • Risk assessment and secure connections for BYOD devices
  • Containerization to protect IoT devices
  • A cloud access security broker (CASB) to control user access to SaaS applications

CrowdStrike vs Palo Alto: Head-to-head

CrowdStrike and Palo Alto Networks are two well-known cybersecurity brands and both are in the race to lead the ZTA market. CrowdStrike’s strong brand gets it media attention, giving it a marketing advantage. However, Palo Alto Networks has progressed through firewalls to edge services and SASE, giving it all of the key expertise to provide a strong ZTA service.

Unlike other providers in the ZTA field, neither CrowdStrike nor Palo Alto bothered to create their own identity and access management system. This was an efficient plan because business systems administrators are already comfortable with solutions such as Active Directory and have already created SSO environments. Existing access rights management is just one step away from the management of accounts in SaaS platforms and the CASB elements in both Security Cloud and Prisma Access provide just the right amount of extra service to complete the requirements for ZTA.

CrowdStrike and Palo Alto ZTA solutions pricing

CrowdStrike and Palo Alto Networks choose not to publish their prices but invite contact with their sales teams. CrowdStrike offers a demo of the Security Cloud platform. Palo Alto Prisma Access is also available for a demo.

CrowdStrike vs Palo Alto: The verdict

The decision over whether to opt for CrowdStrike Security Cloud or Prisma Access will come down to whether you want to keep the cybersecurity facilities that you already have in place. The CrowdStrike solution is intentionally incomplete because it connects through to your existing firewall systems and other on-site security.

The logic behind CrowdStrike’s approach is that operating businesses already have sufficient cover for their endpoints and networks; they just need a cloud-based extension to their current ARM to get ZTA working for them.

Palo Alto provides all of the key elements of a ZTA network, except for the IAM. The company gives you a SASE that can provide an SSO environment that includes your SaaS accounts.

Both CrowdStrike Security Cloud and Palo Alto Prisma Access are worth trialing.