Secure Access & Zero Trust

Replace VPN with Identity-Aware, Least-Privilege Access

Palo Alto Prisma Access delivers cloud-native ZTNA and secure access — combined with cloud-delivered NGFW inspection, secure web gateway, and CASB — from Palo Alto's global cloud infrastructure.

IVI deploys, configures, and operates Prisma Access as part of complete secure access transformation, not just VPN replacement.

Cloud-delivered ZTNA with application-specific access based on verified identity and device posture.

Zero Trust Network Access

Application-specific access based on verified identity and device posture

IVI approaches Prisma Access deployments as secure access transformations — not VPN replacements. ZTNA requires rethinking access policy, not just changing client software.

The Problem with VPN

VPN extends the network perimeter to remote users by granting network access after perimeter authentication. Once authenticated, users typically access broad network segments — creating operational risk when attackers compromise VPN credentials.

  • Network-level access creates lateral movement risk
  • Compromised VPN credentials become breach events
  • Broad network segments accessible after authentication
  • No application-specific access controls

Prisma Access ZTNA Approach

Zero Trust Network Access replaces network-level access with application-specific access based on verified identity and device posture.

Application-Specific Access

Users access specific applications — not networks — based on identity, device state, and policy requirements.

Device Posture Enforcement

Access decisions based on OS version, patch level, disk encryption, and endpoint security agent status.

Per-Session Authorization

Access decisions made per session, not just at login, with full audit trail.

Implementation Process

Six-phase approach from assessment through steady-state operations.

1. Current State Assessment

Document existing remote access environment, user populations, and application access requirements.

2. Architecture Design

Design Prisma Access architecture including gateway configuration, identity integration, and device posture policies.

3. Environment Build & Migration

Configure Prisma Access, onboard applications, execute pilot and phased user migration, then decommission VPN.

Core Capabilities

Complete secure access transformation with operational ownership.

Prisma Access Architecture Design

Gateway placement, service connections, identity integration, and access policy model documentation.

Identity Provider Integration

Integration with Microsoft Entra ID, Okta, or Ping Identity using SAML and SCIM for user provisioning and MFA.

Application Onboarding & Migration

Systematic migration from VPN to ZTNA with application catalog and phased user migration.

Operational Outcomes

  • Remote access converted from network-level VPN to application-level ZTNA
  • Lateral movement risk from compromised credentials significantly reduced
  • Device posture enforcement prevents unhealthy devices from accessing sensitive applications
  • Complete access audit trail with user, device, and posture context
  • VPN infrastructure retired — eliminating hardware, licensing, and operational costs
  • Consistent secure access policy for remote users, branch users, and third-party vendors

Ideal Fit

  • Organizations with legacy SSL VPN creating lateral movement risk
  • Hybrid or remote-first workforce requiring consistent application access
  • Compliance requirements (NIST CSF, CIS Controls, SOC 2) requiring least-privilege access
  • Zero Trust security framework implementations needing access control layer
  • Need to provide third-party vendor access without network-level privileges

Platform Comparison

Choose the right secure access approach for your environment

Different platforms serve different architectural requirements and organizational priorities.

Legacy VPN

Current State

Network access after authentication with broad segment visibility creating lateral movement risk.

Best Fit

Organizations not yet ready for Zero Trust transformation.

Tradeoffs

Compromised credentials become breach events. Performance degrades for cloud-bound traffic.

IVI Recommendation

Migrate to ZTNA for improved security posture.

Cato Networks SASE

Alternative

Converged SD-WAN and security including ZTNA in single cloud-native platform.

Best Fit

Organizations converging branch and user access requirements.

Tradeoffs

May require replacing existing branch connectivity infrastructure.

IVI Recommendation

Consider for branch-and-user convergence scenarios.

Why IVI

Operational ownership for the environments we deploy

IVI maintains operational ownership for performance and security, not just day-one configuration.

Palo Alto Platform Expertise

Deep experience with Palo Alto environments and Prisma Access operational requirements.

Platform Integration

Existing PA-Series NGFWs and Panorama integrate with Prisma Access for unified policy management.

Proven Methodology

Application onboarding at scale with proven migration methodology, not just deployment guides.

Aegis Co-Managed Operations

Ongoing operational ownership through Aegis managed services practice.

Proactive Management

Health monitoring, policy change requests, and application onboarding as your environment evolves.

Incident Response

Security event alerting and coordinated response for Prisma Access environment.

FAQs

Frequently Asked Questions

Common questions about Palo Alto Prisma Access ZTNA implementation.

We already use Palo Alto firewalls. Does that make Prisma Access an easier deployment?

Yes. Existing Palo Alto infrastructure (PA-Series NGFWs, Panorama) integrates with Prisma Access for unified policy management and identity-based policy consistency. Organizations with existing Palo Alto deployments can leverage current security profiles, URL filtering categories, and threat prevention policies in the Prisma Access environment — reducing design and configuration effort.

How does Prisma Access handle users who access applications from both corporate and personal devices?

Device posture policy is the mechanism for this. We design policies that define the access level appropriate for each device type: fully managed corporate devices with full application access, personal BYOD devices with access to less sensitive applications and additional authentication requirements, and unmanaged devices restricted to specific web-based applications through the secure web gateway.
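The posture checks named under Device Posture Enforcement and Per-Session Authorization, and the three device tiers described in this answer, can be modelled as a small policy evaluator. This is an added illustration, not Prisma Access code or its HIP/policy syntax; the device class labels, thresholds and application catalogue are assumptions.

```python
"""Added illustration, not Prisma Access code or its HIP/policy syntax.
Models the tiers in the FAQ above: managed corporate devices get full
access when their posture is healthy, BYOD devices get less sensitive
apps only and must complete step-up MFA, and unmanaged devices get only
web applications via the secure web gateway. Every session decision is
appended to an audit trail with user, device and posture context."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Posture:
    device_class: str        # "managed", "byod" or "unmanaged" (assumed labels)
    os_version: tuple        # major/minor, e.g. (14, 2)
    days_since_patch: int
    disk_encrypted: bool
    edr_agent_running: bool


# Constructed thresholds and app catalogue; a real catalogue comes from onboarding.
MIN_OS_VERSION = (13, 0)
MAX_PATCH_AGE_DAYS = 30
APP_SENSITIVITY = {"hr-payroll": "high", "wiki": "low", "webmail": "web"}
AUDIT_LOG: list[dict] = []


def is_healthy(p: Posture) -> bool:
    """Posture checks the page lists: OS version, patch level, disk encryption, agent."""
    return (p.os_version >= MIN_OS_VERSION and p.days_since_patch <= MAX_PATCH_AGE_DAYS
            and p.disk_encrypted and p.edr_agent_running)


def decide(user: str, app: str, p: Posture, mfa_done: bool = False) -> dict:
    """Per-session decision; unknown apps are treated as high sensitivity (fail closed)."""
    sens = APP_SENSITIVITY.get(app, "high")
    healthy = is_healthy(p)
    if p.device_class == "managed":
        allow = healthy or sens != "high"   # unhealthy managed devices lose sensitive apps
        reason = "managed device" if healthy else "managed device failed posture check"
    elif p.device_class == "byod":
        allow = sens != "high" and mfa_done
        reason = "byod: less sensitive apps only, step-up MFA required"
    else:
        allow = sens == "web"
        reason = "unmanaged: web apps through secure web gateway only"
    record = {"time": datetime.now(timezone.utc).isoformat(), "user": user, "app": app,
              "device_class": p.device_class, "healthy": healthy,
              "allow": allow, "reason": reason}
    AUDIT_LOG.append(record)   # the audit trail the Operational Outcomes section describes
    return record
```

Calling `decide()` once per session, rather than once at login, is what makes a posture change (agent stopped, encryption disabled) take effect on the next access attempt.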

Does Prisma Access work for third-party vendor access to on-premises systems?

Yes. Prisma Access ZTNA can provide vendors with access to specific on-premises applications without granting them network-level access. Vendor access is isolated by policy — they see only the applications they need access to, with full session logging. This is significantly more secure than adding vendors to a VPN group or providing them a jump host.

How does the user experience compare to current VPN?

GlobalProtect (the Prisma Access client) operates transparently to users — it connects automatically and provides access to applications without requiring users to think about VPN state. For cloud applications, performance typically improves because Prisma Access routes users through the nearest PoP rather than backhauling through your data center. For on-premises applications, performance is comparable to VPN.

We have a mix of on-premises apps, SaaS, and cloud-hosted apps. Can Prisma Access handle all of them?

Yes. Prisma Access provides ZTNA for private applications (on-premises and private cloud), combined with a secure web gateway for internet and SaaS access. The same policy framework governs access to all application types — users get a consistent experience and IT gets unified visibility of all access from a single platform.

What's the difference between Prisma Access and Cato Networks for our secure access requirements?

Prisma Access is purpose-built for organizations with existing Palo Alto investments or requiring dedicated security capabilities for remote access. Cato Networks SASE converges both branch SD-WAN and user access into a single platform. Choose Prisma Access for primarily remote user scenarios with Palo Alto ecosystem alignment, or Cato for branch-and-user convergence requirements.