Our Zero Trust Story
Nalin Narayanam, CISO at Intarcia Therapeutics, shares his thoughts on zero trust and the company’s motivations for adopting Zscaler Private Access
Intarcia Therapeutics is a rapidly emerging biopharmaceutical company that develops innovative therapies with the potential to transform the prevention and management of serious chronic diseases. Our IT strategy is focused on implementing groundbreaking solutions that deliver real value for the business. Since early 2016, Intarcia Therapeutics has leveraged Zscaler for securing access to internet and private applications.
At Intarcia Therapeutics, file systems and RDP servers have been among the most commonly accessed applications. In the past, when our users were not on the corporate network, they were required to first set up a VPN to access private applications.
The problems our remote users encountered are common to those of any VPN deployment.
For the fastest possible connections to applications, users had to connect to specific VPN gateways, which required them to be aware of the physical location of their applications. In addition, since VPN is designed to connect users to networks, it always presented the possibility of undesired access. The only way we had to control access was to define policies specific to users and their list of allowed applications. Policy management was complex, because the configuration around each VPN instance needed to be updated every time we added a new application. Even with policies in place, the public IPs of our internal apps were exposed on the internet, which created a broad DDoS surface that could impact our business.
While the business was striving to create next-generation therapies, our ambitions relied on outdated and vulnerable VPN technology. Our decision to host some apps on AWS and other public clouds escalated the need to adopt a more secure and user-centric remote access solution.
As a CISO, I was keenly aware of the threat landscape, with highly publicized breaches serving as a rude reminder that credentials don’t mean much. The term “authorized user” was becoming less meaningful in my world, and I needed a sophisticated way to authenticate and authorize users. While I was contemplating these challenges, I realized that I had a unique opportunity to achieve my goal of zero trust and at the same time free my team from manual, repetitive tasks so they could explore ways to generate value for the business.
We found our answer in Zscaler Private Access (ZPA), a remote access solution based on zero trust. With ZPA, only authorized users from an authorized device are allowed access to internal applications. The ZPA architecture then stitches outbound connections from a user’s device and the data center into a single encrypted connection.
The benefit of this architecture is twofold: users can access internal applications without connecting to the network, and internal applications are never exposed to the internet.
The Zscaler Difference
A streamlined user experience
Users at Intarcia Therapeutics connect to Zscaler services from their devices using Zscaler App (Z App). Transparent to the user, Z App redirects internet-bound traffic through the Zscaler Internet Access (ZIA) service, and data center-bound traffic through Zscaler Private Access (ZPA), so it eliminates the need to manage those complicated split-tunnel configurations. Z App dynamically sets up connections to ZPA and provides a seamless experience as users move between trusted and untrusted locations.
ZPA’s large service footprint automatically connects Intarcia users to the closest instance of an application. This has made it really easy to migrate applications to public clouds without impacting end users. ZPA has eliminated the need for expensive site-to-site tunnels, and users now bypass the on-premises data center when accessing applications on public cloud.
Now, we can base remote access on micro-segmentation
One of my top considerations for adopting ZPA was its ability to create micro-segments that restrict application visibility to authorized users; for unauthorized users, the application is completely invisible, as if it does not even exist. In addition, ZPA sets up the connection at the application layer, which means that users can only access authorized applications, eliminating the possibility of lateral movement in the data center.
A key requirement of our security policy is to disallow access to internal applications if a user’s device is not compliant with policy. ZPA’s policy framework incorporates device posture as a criterion, which has allowed us to define stringent criteria for accessing sensitive applications.
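The two ideas in this section, application-layer segments that are invisible to anyone not entitled to them, and device posture evaluated before a connection is brokered, can be modelled in a few dozen lines. The following is an added illustration, not Zscaler's or Intarcia's code: the application names, group names and posture attributes are constructed for the example, and the decision logic is a generic zero-trust pattern rather than ZPA's policy engine. It also shows the shape of the per-decision record one would stream to a SIEM, as the later "Visibility and reporting" section describes.

```python
"""Illustrative zero-trust access decisions at the application layer.

Constructed model (not a vendor implementation): an identity is a user
name plus group membership, a device is a posture snapshot, and each
private application lists the groups allowed to see it and the posture
the device must satisfy before a single app-scoped connection is made.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    disk_encrypted: bool
    os_patched: bool
    edr_running: bool


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]       # who is entitled to see the app at all
    required_posture: Dict[str, bool]    # posture attributes checked at connect time


# Hypothetical application segments; names are constructed for this example.
POLICIES: Dict[str, AppPolicy] = {
    "fileshare-hq": AppPolicy(frozenset({"employees"}), {"disk_encrypted": True}),
    "rdp-finance": AppPolicy(
        frozenset({"finance"}),
        {"disk_encrypted": True, "os_patched": True, "edr_running": True},
    ),
    "lims-aws": AppPolicy(
        frozenset({"research"}), {"disk_encrypted": True, "edr_running": True}
    ),
}


def posture_satisfies(posture: DevicePosture, required: Dict[str, bool]) -> bool:
    """True when every required posture attribute matches the device snapshot."""
    return all(getattr(posture, attr) == want for attr, want in required.items())


def visible_applications(groups: FrozenSet[str]) -> List[str]:
    """Applications this identity may discover; anything else is simply absent.

    This is the 'invisible, as if it does not exist' property: the list is
    filtered by entitlement rather than returning every app with a deny flag.
    """
    return sorted(name for name, pol in POLICIES.items() if groups & pol.allowed_groups)


def authorize(user: str, groups: FrozenSet[str], posture: DevicePosture,
              app: str) -> Tuple[bool, str]:
    """Decide one connection to one named application, never to a network."""
    policy = POLICIES.get(app)
    if policy is None or not (groups & policy.allowed_groups):
        # Identical answer for "no such app" and "not entitled", so a caller
        # cannot use the response to learn which applications exist.
        return False, "not-visible"
    if not posture_satisfies(posture, policy.required_posture):
        # Entitled identity on a non-compliant device: refused, but with a
        # distinct reason so the user (and the help desk) can remediate.
        return False, "device-posture"
    return True, "allow"


def audit_record(user: str, app: str, decision: Tuple[bool, str]) -> Dict[str, str]:
    """Flat, SIEM-friendly record of a single access decision."""
    allowed, reason = decision
    return {
        "user": user,
        "application": app,
        "action": "allow" if allowed else "deny",
        "reason": reason,
    }


if __name__ == "__main__":
    compliant = DevicePosture(disk_encrypted=True, os_patched=True, edr_running=True)
    unpatched = DevicePosture(disk_encrypted=True, os_patched=False, edr_running=True)
    finance = frozenset({"employees", "finance"})
    print("finance user sees:", visible_applications(finance))
    for device in (compliant, unpatched):
        decision = authorize("alice", finance, device, "rdp-finance")
        print(audit_record("alice", "rdp-finance", decision))
```

The important design points are the ones the page calls out: discovery is filtered by entitlement, so an unauthorized identity never learns that `rdp-finance` exists; the decision is made per application, so an "allow" grants a connection to that one app and nothing adjacent; and posture is evaluated on every request, so the same identity is refused the moment its device falls out of compliance.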
Visibility and reporting
ZPA’s application discovery capability has been a game changer for us. We now have visibility into our application landscape and can better manage requirements from our business groups. ZPA’s log streaming service provides a real-time feed to our SIEM, allowing us to take action when needed.
Policy configuration and enforcement are centralized, and we have noticed that updates are instantaneous. This is of paramount importance, as we have employees who travel across the globe and connect to different data centers.
Our focus is innovation
When I first started reading about zero trust, I thought it was an idea with a lot of promise. But I didn’t see how we could make it work at Intarcia. Our architecture—like all traditional networks—was built on a certain level of trust. We had no choice but to open it up to remote users with adequate credentials. But that had evolved into demanding too much trust from us.
Now, with zero trust, we have more precision and better security. Once a user’s device and identity are authenticated, we can connect that exact user to an identified app—nothing else is accessible or visible. There is no potential for lateral movement. And, because users are never on the network, a compromised device has no ability to infect the network.
Our company is focused on developing transformative therapies. Now, through zero trust enabled by network and application transformation, our IT team is furthering the company’s ability to innovate.
To learn more about Zscaler Private Access, visit zscaler.com/products/zscaler-private-access
To experience an interactive demo of Zscaler Private Access, go to: zscaler.com/zpa-interactive