This is the question that we ask our customers when they are interested in securing access to private applications. Today, many enterprises are using the network-centric technology that was built to connect users to networks as a way to now limit connectivity to applications. Ironic, right? As demand has increased with more applications and more users, so did the number of firewalls, “Next-gen” firewall appliances, load balancers, and VPN concentrators that piled up at each data center location. Replicating a stack of network appliances is expensive, creates a poor user experience, places users on the network (can you say lateral movement?), and is a never-ending process.
Even with the buzz around “zero trust,” introduced eight years ago, teams continue to tether application access to the network. (Pro-tip: Some analysts continue to tout network-centric access methods as a best practice, but they seem to lack an understanding of modern services. Be careful who you listen to.)
Why network access is the wrong approach for securing access to private apps
As private applications move to the cloud, there's a need for secure access across both data center and cloud environments. At the same time, remote users need to access applications from anywhere and from any device. Backhauling traffic through inbound gateways anchored in the data center just to access internal apps (many of which are now running in the cloud) is suboptimal—and completely unnecessary. Enterprises have been forced to decide between continuing to buy appliances and add to the size and complexity of the stack, or reduce the number of appliances and roll the dice on security.
There are four major issues with incumbent methods:
Too much trust – Legacy technology requires employees and third-party users to be placed on the network just to reach one app. Once on the network, a user (or a compromised device) can move laterally to anything else that is routable. It also exposes the inbound gateway's IP addresses to the internet, because a VPN concentrator has to listen for connections, which increases the chance of DDoS and other internet-based attacks.
Not enough granularity – Network segmentation is as good as it gets: it limits movement between segments, but inside a segment every host that shares the subnet and port is reachable. Creating a secure segment of one between an authorized user and a specific app is impractical with network controls alone.
Lack of visibility into user activity – Users are represented as IP addresses and ports, so determining which specific user accessed which app means correlating firewall logs with VPN session logs after the fact, and fails outright behind NAT. Viewing user activity in real time is difficult, and so is streaming identity-level events to a SIEM to reduce mean time to remediation.
Complex as h*ll – Managing ACLs, firewall policies, multiple appliance interfaces, and security groups is too manual. The problem only grows as more users, apps and soon IoT services place greater demands on infrastructure.
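The first three issues above come down to what the access decision is keyed on. The following added example (not code from the original post or from any vendor product) contrasts the two models in a few dozen lines of Python: a network ACL that matches on source range, destination range and port, and an app-centric policy that matches on a verified user, their groups and device posture. All addresses, users, groups and app names are constructed for illustration.

```python
"""
Added example (not part of the original post): network-centric ACL versus
app-centric policy. Every address, user, group and app name below is
constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass


# --- Network-centric model: the firewall / VPN concentrator view ---------
# A rule knows nothing about people; the "user" is whatever address the VPN
# pool handed out, and the "app" is whatever answers on a port in a subnet.
@dataclass(frozen=True)
class AclRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int


def acl_allows(rules, src_ip, dst_ip, port):
    """True if any rule matches the 5-tuple fragment we have (src, dst, port)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in r.src and dst in r.dst and r.port == port for r in rules)


# --- App-centric model: the SDP / identity-aware view --------------------
@dataclass(frozen=True)
class Request:
    user: str            # identity asserted by the IdP, not an IP address
    groups: frozenset    # group claims from the identity token
    device_managed: bool # posture signal from the client / MDM (assumed)
    app: str             # logical app name, not a host:port


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: frozenset
    require_managed_device: bool = True


def app_allows(policies, req):
    """Per-request decision: named user -> named app, default deny."""
    for p in policies:
        if p.app != req.app:
            continue
        if p.require_managed_device and not req.device_managed:
            return False
        return bool(p.allowed_groups & req.groups)
    return False  # no policy for this app: nothing is reachable by default


def audit(req, decision):
    """The identity-aware path can log who reached which app, not just IP:port."""
    return {"user": req.user, "app": req.app, "allowed": decision}


# --- Constructed environment -------------------------------------------
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")   # addresses handed to VPN clients
DC_NET = ipaddress.ip_network("10.10.0.0/16")      # the data-center segment
# Typical rule: "VPN users may reach the data center on HTTPS".
ACL = [AclRule(VPN_POOL, DC_NET, 443)]

# Two apps that happen to live in the same segment on the same port.
APPS = {"hr-app": "10.10.5.20", "finance-app": "10.10.7.30"}
POLICIES = [
    AppPolicy("hr-app", frozenset({"hr"})),
    AppPolicy("finance-app", frozenset({"finance"})),
]


def lateral_move_possible(client_ip, target_app):
    """Network view: once on the VPN, can the client reach this app's address?"""
    return acl_allows(ACL, client_ip, APPS[target_app], 443)


def app_decision(req):
    """App view: is this user, on this device, allowed into this app?"""
    return app_allows(POLICIES, req)


if __name__ == "__main__":
    # An HR user on the VPN can reach the finance app purely by being on the
    # network; the app-centric policy denies the same user the same app.
    print("ACL lets HR client reach finance-app:",
          lateral_move_possible("10.200.0.17", "finance-app"))
    hr_user = Request("alice", frozenset({"hr"}), True, "finance-app")
    print("App policy lets alice reach finance-app:", app_decision(hr_user))
    print(audit(hr_user, app_decision(hr_user)))
```

The ACL cannot express "alice may use hr-app and nothing else", because it only sees the VPN pool address and a destination subnet; everything on port 443 in that subnet is one segment. The app policy evaluates identity and posture on every request and produces an audit record keyed on user and app, which is the "segment of one" and the visibility the list above asks for.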
The good news is that cloud-hosted services allow for a third choice for enterprises and make the network irrelevant when accessing applications.
Redefining application access
Many enterprises have turned to what Gartner calls software-defined perimeter (SDP) services. These are managed services hosted in the cloud and built with an understanding that cloud adoption and mobility have created the need for user- and app-centric methods.
Google was the first to bring attention to this approach, using its in-house BeyondCorp initiative as an alternative to VPN for remote employees. Since then, many other companies have begun to do the same, decoupling application access from the network.
IT champions at National Oilwell Varco (NOV), one of the world’s largest oil and gas industry manufacturers, are using SDP to not only deliver secure access to over 7,500 internal apps for 10,000 users, but also to accelerate IT integration during M&A activities.
Perdue Farms, the world’s number one producer of organic chicken, uses an SDP to enable its remote workers to access SAP seamlessly and securely from their Chromebook devices.
MAN Energy Solutions, a subsidiary of VW Group and producer of large-bore marine diesel engines, uses SDP as a “darknet for the enterprise” and secures access for thousands of users to 7,000 internal apps, including from cargo ships at sea off Copenhagen.
TRIMEDX, a leading healthcare technology provider, has embraced SDP as a way to retire its remote access VPNs and embrace a zero trust access approach to employees' desktop environments. You get the picture.
Your mission: decouple application access from network access
In many cases, it will be up to you to drive the change required to embrace SDP. You’ll encounter those worried about changing the status quo, security teams that are naturally apprehensive of new technology, and individuals who have grown complacent with network-centric technologies.
In the end, your actions will define the future of application access within your organization. The only question now is, do you accept your mission?
- - - - - - - - - - - - - - - -
Christopher Hines is head of product marketing for Zscaler Private Access and Zscaler App