Zscaler Cloud Platform

How AI is Powering ZTNA to be the Most Reliable Way to Segment Applications

How AI is Powering ZTNA to be the Most Reliable Way to Segment Applications

At Zscaler, we believe artificial intelligence is more important than ever in combating rapidly-escalating cyberthreats and taming the complexity of enterprises’ digital footprints. We have been using machine learning in our cloud platform to analyze more than 240 billion transactions and 300 trillion signals every day - that’s 35 times the number of Google searches per day - to help our customers become more secure and productive. This week, we announced a new ML-powered segmentation feature in our next-gen zero trust network access (ZTNA) service, Zscaler Private Access, that taps into our AI expertise to help enterprises stay safe from attackers and get more done in the new hybrid work world. 

Today, many organizations struggle with making sense of the vast array of internal and private applications. Depending on the size of the organization, the number of applications can easily reach thousands. Furthermore, they struggle with incomplete user data. With this large number of applications—multiplied by thousands of users—implementing the controls and policies necessary to enforce least-privileged access at scale can be quite challenging. This is the exact problem space that our latest innovation can help address: augmenting human talent with AI-powered application segmentation to empower teams with the speed and agility to make security decisions more effectively.

Freeing up network and security teams to focus on what’s important  

Traditionally, companies have defended their perimeter using a castle-and-moat security architecture, which is a self-contained network designed to let friendly traffic into the corporate castle while keeping enemy traffic outside the castle moat. IT administrators deployed network firewalls to inspect external traffic at the boundary and secured internal traffic by manually segmenting their networks with VLANs, ACLs, and VRFs. But with the massive migration of applications to the cloud and workers outside the corporate perimeter, network traffic patterns have changed and legacy architecture anchored in the data center creates security issues

The castle-and-moat approach exposes internal applications to unrestricted lateral access, creating a massive internal attack surface that can be exploited by attackers to move freely through your environment. IT teams needed a simpler and more secure way to segment users from applications, one that didn’t require putting implicitly-trusted users on the company network.

With AI-powered application segmentation, Zscaler is making it easier for network and security teams to identify the right application segments, create the right zero trust access policies, and reduce the internal attack surface without the complexity associated with traditional network segmentation. Zscaler Private Access proactively recommends user-to-app segmentation policies that were previously difficult to implement with legacy castle-and-moat architectures.

Zscaler Private Access recommends application segments to reduce the internal attack surface

How ML is used in our next-generation ZTNA  

Our systems continuously learn from every discovered application and every user request. Clustering on these applications and users, leveraging FQDN, port, protocol, user department, job title, and other labeled data, combined with the model learning from application access patterns, it can begin to intelligently group applications to be used in least-privileged access policies. This is incredibly valuable as you take the problem space detailed earlier into account. Given thousands of applications and users without context, or an organization that is struggling to identify what users need access to what applications, our models allow those teams to make sense of how these applications should be grouped, and ultimately, who should access them. This, in turn, enables them to write better policies and accelerate their zero trust deployment. 

Working with our customers, many saw a significant reduction in the number of exposed internal applications by turning on ML-based segmentation and implementing the application segments recommended by Zscaler Private Access. For example, with one of our early design partners, our model quickly identified a group of finance and accounting applications. These applications were only used by a subset of employees, but were exposed to the entire company. By implementing the recommendations, they were quickly able to minimize the exposure of these key applications from 20,000 users to a group of 50. 

ML-based application segmentation minimizes the exposure of your internal business applications

Improving your security posture and the end user experience  

We’re excited about the use cases that will be possible with this innovation in our next-gen ZTNA. As hybrid work evolves, we’ll continue to deliver intelligent capabilities across Zscaler Private Access so that it’s easier for network and security teams to focus on what matters while delivering a great experience for users. 

For more on how Zscaler’s AI-powered segmentation capability can help you fast-track your zero trust journey, watch Zenith Live and check out the Zscaler for Users Innovation page.

Stay up to date with the latest digital transformation tips and news.