Mark Reyero

What is Zero Trust Network Access (ZTNA) 2.0
June 9, 2022 - 6-8pm PST
Speaker: Mark Reyero, Palo Alto Networks
Location: University of San Diego, BEC 118

About the speaker:

Mark Reyero
Federal SASE Systems Engineering Manager
Palo Alto Networks

Mark Reyero is the Federal SASE Systems Engineering Manager for Palo Alto Networks, with 20+ years of industry experience, primarily supporting US Federal clients. In his current role, Mark leads a team of SASE Architects that assist US Federal Departments, Agencies, and Systems Integrators with the design of their SASE and ZTNA 2.0 architectures. Prior to joining Palo Alto Networks, he held engineering and leadership roles with InfoBlox and World Wide Technology, LLC. Mark earned a BA from Washington College (Chestertown, MD) and a MS from the University of Maryland, University College (College Park, MD), and is also a CCIE Emeritus (#12932). Before making the long overdue decision to relocate to San Diego in April 2021, Mark spent three years in Manhattan (including one long year during the pandemic lockdown), and prior to that, 24 years in Annapolis, MD.

What is Zero Trust Network Access (ZTNA) 2.0

Today, work is no longer a place we go, but an activity we perform. At the height of the pandemic, many businesses focused on trying to scale their VPN infrastructure. Zero Trust Network Access (ZTNA) approaches emerged to address the challenges caused by legacy VPN. However, the first generation of products (which we call ZTNA 1.0) have proven more dangerous than helpful because of several critical limitations:
  • Too Much Access is Not Zero Trust – Supports only coarse-grained access controls while classifying applications based on L3/L4 network constructs, such as IP address and port numbers. Thus, ZTNA 1.0 provides way too much access, especially for apps that use dynamic ports or IP addresses.
  • Allow and Ignore – Once access to an app is granted, that communication is then trusted forever. ZTNA 1.0 assumes that the user and the app will always behave in a trustworthy manner, which is a recipe for disaster.
  • Too Little Security – Only supports a subset of private apps while unable to properly secure microservice-based, cloud-native apps – apps that use dynamic ports like voice and video apps, or server-initiated apps like Helpdesk and patching systems. Moreover, legacy ZTNA approaches completely ignore SaaS apps and have little to no visibility or control over data.

ZTNA 1.0 falls short on the promise of replacing legacy VPN. We need a different approach.

ZTNA 2.0 solves the shortcomings of ZTNA 1.0 by delivering the following:

  • Least Privilege Access – Achieved by identifying applications at layer 7, enabling precise access control at the app and sub-app levels, independent of network constructs like IP and port numbers.
  • Continuous Trust Verification – Once access to an app is granted, trust is continually assessed based on changes in device posture, user behavior and app behavior.
  • Continuous Security Inspection – Providing deep and ongoing inspection of all traffic, even for allowed connections, to prevent all threats including zero-day threats.
  • Protection of All Data – Providing consistent control of data across all apps used in the enterprise including private apps and SaaS, with a single DLP policy.
  • Security for All Apps – Safeguarding all applications used across the enterprise, including modern cloud-native apps, legacy private apps and SaaS apps. This includes apps that use dynamic ports and apps that leverage server-initiated connections.


We welcome all members, professionals, students, faculty, staff, alumni, and all guests to join us in our mission to
Connect | Educate | Inspire | Secure

Please invite others interested in cyber security to the no cost meetings.