Security modernization is top of mind for most organizations, especially with increasingly complex hybrid environments and the need to support a remote workforce. At the same time, IT budgets are shrinking in many organizations, and the cost to maintain aging legacy infrastructure continues to grow.
To contain these costs, organizations, including those in the public sector, are turning to cloud-delivered services that enable conditional access based on device posture and rapid sharing of intelligence about newly observed threats. Large enterprises need to simplify their security environment with cross-platform automation that provides secure access to applications and data.
While no single tool provides all of these capabilities, a zero trust network access (ZTNA) model applies the same identity-based policies wherever a user connects, so users get the same experience from any location. This gives organizations consistency: users can seamlessly reach applications and data in cloud environments and data centers, while IT administrators keep the balance between security and control.
There are six core capabilities of zero trust that organizations can adopt to modernize their security environments:
Zero trust gives users direct, secure access to external (internet or SaaS) and internal (data center, IaaS, PaaS) applications and data from any location. Because traffic is not backhauled through a virtual private network (VPN) concentrator, the path to the application is shorter, which reduces latency and improves the user experience. As remote work continues to expand, users need to reach data in data centers and clouds from their homes.
Access policies should correlate user, device, application, and other attributes of the environment, so that each decision depends on who is connecting, from what device, to which application, and under what conditions. As organizations build policies for context-aware access to data and information, they should include vendors, architects, users, privacy teams, and compliance teams in the conversation. Representation from every team involved produces policies the whole organization can support.
Users should be given access only to the resources and applications their job functions require. Under a zero trust model, a user is authenticated and then granted access only to the specific applications they are authorized to use; the connection is brokered per application rather than to a network segment, so a user authorized for one application gains no network path to the others. As attack surfaces grow with more distributed environments, this limits east-west traffic so that users cannot reach applications they were never intended to reach.
A cloud-based zero trust service can scale without placing a significant burden on the IT team. Because organizations have different policy requirements, the service should be flexible enough to deploy quickly in a range of environments, and capacity should scale up or down seamlessly without deploying new on-premises hardware or buying additional licenses.
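The three preceding points (context-aware policy, least privilege, and per-application rather than per-network access) come together in the policy decision a ZTNA broker makes on every request. The following is an added example written for this page, not Zscaler code or any product's policy language; the application names, group names and posture thresholds are constructed assumptions. It shows a default-deny evaluation that combines identity (group membership from the identity provider), session state (MFA), device posture (management, disk encryption, patch age) and a per-application authorization list, and emits a uniform decision record for central logging.

```python
"""Context-aware, default-deny access decision in the style of a ZTNA policy engine.

Constructed example: the application names, group names and posture
thresholds below are assumptions, not a real deployment's policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool            # enrolled in endpoint management
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last OS security update


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # group memberships asserted by the identity provider
    mfa: bool                # whether this session completed multi-factor auth
    device: Device
    app: str                 # application the user is trying to reach


# Per-application policy (constructed): which groups may use the app and what
# posture a session must present. An app with no entry is unreachable, which
# is what makes the evaluation default-deny.
APP_POLICY = {
    "hr-portal": {"groups": {"hr"}, "require_managed": True, "max_patch_age": 30, "mfa": True},
    "wiki": {"groups": {"staff"}, "require_managed": False, "max_patch_age": 90, "mfa": False},
}


def evaluate(req: Request):
    """Return ("allow" | "deny", reason). Every path that is not an explicit
    allow is a deny; the reason names the first failed check so the log is
    actionable for the user and the help desk."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny", "no policy for application"
    if policy["mfa"] and not req.mfa:
        return "deny", "mfa required"
    if policy["require_managed"] and not req.device.managed:
        return "deny", "managed device required"
    if not req.device.disk_encrypted:
        return "deny", "disk encryption required"
    if req.device.os_patch_age_days > policy["max_patch_age"]:
        return "deny", "device outside patch window"
    if not (req.groups & policy["groups"]):
        return "deny", "user not authorized for application"
    return "allow", "identity, device posture and authorization satisfied"


def decision_record(req: Request) -> dict:
    """Structured log entry with the same fields on every decision, so allows
    and denies can be searched together in a central console."""
    verdict, reason = evaluate(req)
    return {
        "user": req.user,
        "app": req.app,
        "device_managed": req.device.managed,
        "mfa": req.mfa,
        "decision": verdict,
        "reason": reason,
    }


if __name__ == "__main__":
    laptop = Device(managed=True, disk_encrypted=True, os_patch_age_days=7)
    byod = Device(managed=False, disk_encrypted=True, os_patch_age_days=45)
    for r in (
        Request("alice", frozenset({"staff", "hr"}), True, laptop, "hr-portal"),
        Request("alice", frozenset({"staff", "hr"}), False, laptop, "hr-portal"),
        Request("bob", frozenset({"staff"}), True, laptop, "hr-portal"),
        Request("bob", frozenset({"staff"}), False, byod, "wiki"),
        Request("bob", frozenset({"staff"}), True, laptop, "payroll-db"),
    ):
        print(decision_record(r))
```

Note that the policy is keyed by application, not by network: a user in the `staff` group is authorized for `wiki` and nothing else, and an application without a policy entry (`payroll-db` in the sample run) is denied even to a fully compliant, MFA-authenticated user on a managed device. That is the property that keeps east-west reach down in a distributed environment.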
Deployment can be simple: many organizations already have building blocks of zero trust in their infrastructure, including endpoint management, continuous diagnostics and mitigation, software-defined networking, micro-segmentation, and cloud monitoring.
To get started, teams should identify their most significant pain point and define a zero trust use case that addresses it. Once that use case is working, they can add further use cases until the solution spans multiple scenarios and user communities.
It is important to focus on the user experience and make security and access as transparent as possible, especially for critical agency applications and key collaboration tools. Legacy VPNs backhaul traffic through the security stack, creating significant latency and a poor user experience, particularly with the rise in remote work. Zero trust connections instead provide direct, secure access to applications wherever they are hosted.
Zero trust gives IT administrators a single console to manage users, administer policy, and review access logs. With visibility into and control over the distributed environment, administrators can troubleshoot faster, which improves the user experience and efficiency within the agency.
By using cloud-delivered security and compliance tools as part of a zero trust model, organizations can protect data and applications without maintaining and patching the security stack themselves, because the provider updates the service. This frees teams to focus on more critical needs and on improving policies instead of patching appliances. Endpoints and the protected applications still need their own patching; what moves to the provider is the security infrastructure.
As technology evolves, cloud and mobility are disrupting and accelerating digital transformation. Remote work requires a modern approach to security, and cloud-delivered secure access service edge (SASE) models move security from network-centric controls to user-centric and application-centric controls designed for highly distributed teams working beyond the traditional network perimeter. In this "new normal," IT can become a digital business enabler by adopting cloud-delivered security tools and technologies that deliver on the organization's objectives and advance its digital transformation.
Stan Lowe is the Zscaler Global Chief Information Security Officer