The walls of the corporate workplace will become fluid for enterprises over this decade. This will be a movement driven by the way you want to work and the birth of the fully internet-driven workplace; put another way, it’s the death of the legacy corporate network which naturally means the death of traditional network security. It’s a dramatic improvement that will reshape the way we all connect, rewrite how IT leaders help you access work, and reshape entire technology markets where legacy infrastructure companies will struggle.
This movement will drive jobs closer to workers’ lives as part of a monumental reckoning with connectivity, mobility, cloud, and the way we all want to work. Mobility, BYOD, or whatever you may call it may be commonplace in Silicon Valley, large cosmopolitan cities, and some verticals like high tech, but outside of these fairly early adopters, it is not mainstream. We do already see this happening, though, in pockets. In fact, Zscaler succeeds thanks to forward-thinking business leaders who are helping users securely work where they want, when they want. However, the 5G era is going to dramatically speed the adoption of this new way of working, and that will in turn speed the demise of the traditional corporate network.
The fallout from this change in the way we work will be extreme. Here are four of my predictions for the 2020 decade.
Any time you connect to the internet, there is an IP address to connect you, often through a firewall. A firewall is like a door that protects a house or a castle. Every firewall with an internet-facing IP address is an attack surface that creates significant business risk. New approaches and technologies will evolve this decade to mitigate this risk.
As more applications sit in the public cloud and more offices use the internet to connect to the cloud or SaaS applications, the attack surface is drastically increasing. As you connect 100x more applications, data, devices, and people to the internet, what happens to the attack surface? It increases 100 fold.
Think of it this way. If you want 100 friends to be able to reach you, you can publish your phone number on a website. Now they can call you, but so can robocallers. This is precisely what happens when you publish applications on a public cloud and use the internet to reach them. Your users can access them but so can a million hackers who can discover vulnerabilities or launch a DDoS attack.
How do you solve it? Suppose you hired a phone operator and gave him the names of your 100 friends. Your friends would be able to quickly reach you when they call the operator, but a robocaller that tries to connect to you would be denied by the operator and wouldn’t be able to bother you. A similar approach works for protecting your enterprise and starts by preventing exposure of your enterprises’ user/branch traffic or applications/servers to the internet. This approach replaces the castle-and-moat legacy model with a digital exchange, somewhat like a sophisticated phone switchboard. Your applications remain invisible behind the exchange. Users connect to the exchange which then connects them to their applications. In this model, the user, the offices, and the applications are never exposed to the internet. This approach for secure access to applications will become widely used in the coming decade.
Internet connectivity improved so much in the past decade that enterprises started to dump their private, expensive wide area networks (WANs) that connected various offices to the data center. Frederik Janssen, head of global infrastructure at Siemens, is a pioneer and a thought leader who coined the phrase “The internet is the new corporate network” several years ago. What he meant was that Siemens’ business was being done everywhere—the office, coffee shops, airports, hotels—and the internet had become the de facto transport for all traffic.
With the widespread use of 5G in the 2020s, local area networks (LANs) will also disappear. Today, while sitting in our office, we look for Wi-Fi to access the internet, which securely connects us through routers or firewalls sitting at the company’s perimeter. But when every PC or mobile phone is equipped with ultrafast 5G, would you ever connect to Wi-Fi in your office? No way—you will use direct 5G connections and bypass traditional routers and firewalls. And, if there is no WAN or LAN in your control, then there is no use case for firewalls. The traffic from your 5G devices will connect the right people to the right applications—through a digital services exchange—and this will deliver faster, more secure, and more reliable access to apps and services.
There are countless stories about VPNs being the launch pad for devastating malware/ransomware attacks, and another high-profile VPN attack hit the news just this week. This is happening because firewalls and VPNs were built for the network-centric world, where apps resided solely in the data center and a security perimeter around the “castle” was all you needed. With so many organizations moving toward a “perimeter-less” model, traditional network security based on the castle-and-moat approach, which is how firewalls fundamentally protect, is no longer relevant. They give enterprises a false sense of security. New approaches are being developed that use business policy engines to act like the previously mentioned digital services exchange to enforce security and provide better enterprise security.
Today, to provide a user access to applications, she is connected to the so-called trusted corporate network. Once on the network, the user can see more than she should. This was acceptable when you controlled the network, but with the internet being the corporate network, putting users on a network to access applications is dangerous. If a user machine becomes infected, the malware can laterally traverse the network and infect all the servers on the network. Maersk, a massive shipping company, faced that issue about 18 months ago, highlighting the danger of putting users and applications on the same network. A better approach to this problem is badly needed.
Many CISOs also manage physical security, so I like using an office metaphor to illustrate zero trust. If I am visiting an office, I get stopped at reception, which checks my ID, confirms my appointment, and issues me a badge. They could direct me to the elevators and tell me to head up to the sixth floor for my appointment. But this rarely happens anymore because I could simply wander around the company to do whatever I want, wherever I want. In contrast, a zero trust approach would have someone escort me directly to the conference room and take me back to the front desk after my meeting.
Gartner’s ground-breaking research note on zero trust network access (ZTNA) states how enterprises should provide users access to the specific applications they need; instead of granting access to a network, ZTNA provides access only to those applications a user is authorized to use. This approach provides security for the world of cloud that’s far better than trying to create lots of network segments to create application segmentation.
At a high level, think of ZTNA like this: It starts with an assumption that you trust nobody; you can establish a level of trust based on authentication, device posture, and other factors, but you’ll still only trust users with the application(s) they are specifically authorized to use. Any other activity would be highly suspicious.
These are not simple incremental changes; these megashifts will bring tons of opportunities and challenges to businesses. Technologies such as cloud, mobility, IoT, and machine learning are upending many large global brands while giving rise to new businesses at a pace never seen before. They are also disrupting large, incumbent technology providers while creating new giants. Many of the big names in IT like Google, Amazon, Salesforce, ServiceNow, and Workday were almost all born in the last decade or two.
I would love to hear your perspectives on my thoughts and those of my team whose ideas about the coming decade are captured in the blogs linked below. Thank you so much for all the thoughtful discussions we've had over the past 10 years. I look forward to continuing our discussions in this new decade.
Read other blogs in the "2020s" series:
The 5G Frontier by Patrick Foxhoven, Zscaler Chief Information Officer and Vice President of Emerging Technologies
Big, New Threats and a New Kind of Identity Politics by Stan Lowe, Zscaler Global CISO
AI and Machine Learning Offer Hope for the Future by Howie Xu, Zscaler VP of Machine Learning and AI
An IoT Bonanza by Deepen Desai, Zscaler Vice President of Security Research