- See The Difference
- What is Zero Trust The strategy on which Zscaler was built
- How Zscaler Delivers Zero Trust A platform that enforces policy based on context
- Zero Trust Resources Learn its principles, benefits, strategies
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Customer Success Stories Hear first-hand transformation stories
- Analyst Recognition Industry experts weigh in on Zscaler
- See the Zscaler Cloud in Action Traffic processed, malware blocked, and more
- Experience the Difference Get started with zero trust
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Products & Solutions
- Secure Your Users Provide users with seamless, secure, reliable access to applications and data. Secure Your Workloads Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud. Secure Your OT and IoT Provide zero trust connectivity for OT and IoT devices and secure remote access to OT systems.
- Products Transform your organization with 100% cloud-native services
- Solutions Propel your business with zero trust solutions that secure and connect your resources
![Zscaler workplace enablement]( "Zscaler workplace enablement")
Make hybrid work possibleGet StartedSecure work from anywhere, protect data, and deliver the best experience possible for users
- Industries Our ecosystem of zero trust partners
- Partner Integrations Simplified deployment and management
![Zscaler industry partners]( "Zscaler industry partners")
Secure your ServiceNow DeploymentGet StartedIt’s time to protect your ServiceNow data better and respond to security incidents quicker
- Platform
- Platform Overview Unified platform for transformation
- Capabilities Integrated services, infinitely scalable
![Zscaler transformation]( "Zscaler transformation")
Accelerate your transformationLearn MoreProtect and empower your business by leveraging the platform, process and people skills to accelerate your zero trust initiatives
![Gartner Report]( "Gartner Report")
Gartner Magic Quadrant LeaderRead ReportZscaler: A Leader in the Gartner® Magic Quadrant™ for Security Service Edge (SSE) New Positioned Highest in the Ability to Execute
- Resources
- Content Library Explore topics that will inform your journey
- Blog Perspectives from technology and transformation leaders
- Security Assessment Toolkit Analyze your environment to see where you could be exposed
- Webinars and Demos A first-hand look into important topics
- Executive Insights App Security insights at your fingertips
- Ransomware ROI Calculator Assess the ROI of ransomware risk reduction
- Training and Certifications Engaging learning experiences, live training, and certifications
- Customer Success Center Quickly connect to resources to accelerate your transformation
- Customer Success Stories Hear first-hand transformation stories
![Customer success center]( "Customer success center")
- Security & Threat Analytics Threat dashboards, cloud activity, IoT, and more
- Security Advisories News about security events and protections
- Vulnerability Disclosure Program Webinars, training, demos, and more
- Trust Portal Zscaler cloud status and advisories
![Zscaler resources]( "Zscaler resources")
- Company
- About Zscaler How it began, where it’s going
- Leadership Meet our management team
- Investor Relations News, stock information, and quarterly reports
- Compliance Our adherence to rigorous standards
- ESG Our Environmental, Social, and Governance approach
- Events Upcoming opportunities to meet with Zscaler
- Zenith Ventures Strategic cybersecurity investments
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Media Center News, blogs, events, photos, logos, and other brand assets
- News and Press Zscaler in the news
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Partner Portal Tools and resources for Zscaler partners
- Summit Partner Program Collaborating to ensure customer success
- System Integrators Helping joint customers become cloud-first companies
- Service Providers Delivering an integrated platform of services
- Technology Deep integrations simplify cloud migration
- Partner Inquiry Become a Zscaler partner
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
-
Zero Trust Architecture
Prevent the Apache Log4j Java Library Vulnerability With a Zero Trust Architecture
Join us for a webinar on Wednesday, December 15th as Zscaler ThreatLabz experts provide guidance on any and all emerging details on the Apache CVE-2021-44228 vulnerability, as well as best practices for mitigating the impact of future vulnerabilities.
Recently, a zero-day vulnerability (CVE-2021-44228) was discovered in the popular Apache Log4j logging library, which could allow an attacker full remote code execution. There is evidence that this vulnerability is being exploited in the wild. This logging library is commonly used by enterprise apps and cloud services, with many enterprise deployments supporting private apps. Apache has since released a security update, and provided recommended configurations for earlier versions that mitigates the vulnerability's impact, and we strongly encourage all IT admins to update their software immediately if you haven’t already done so.
Zscaler has confirmed no impact to its services from the CVE-2021-44228 vulnerability. Please read the ThreatLabz threat advisory post if you’d like more technical details on this vulnerability. If you are concerned that you may have been impacted, run a complimentary internet attack surface analysis to see if you have any external attack surface using Apache.
Given the wide-scale enterprise adoption of Apache Struts and other related offerings, this vulnerability has the potential to echo for months and potentially years to come, with ransomware gangs and cybercrime actors leveraging it to cause untold damage. Unfortunately, this type of discovery is nothing new, and like Heartbleed and Shellshock before it, serves to highlight the inherent risk in our interconnected digital world.
What’s also clear to me is that if you are depending upon VPNs and firewalls to protect your enterprise, you are at much greater risk of damage than you would be using a true zero trust network architecture. First, let’s consider why firewalls and VPNs introduce significant risk when a vulnerable version of Apache is used on an internal app:
- Legacy network security solutions publish apps to the internet to allow access, enabling them to be identified by attackers using freely available tools like Shodan to target for exploitation.
- Firewalls and VPNs put every user onto the network for application access, allowing an attacker or compromised user to move laterally across an enterprise to deliver ransomware or steal data once an initial foothold has been established through a vulnerability. App access should never require network access.
- Much has been said about how the pandemic accelerated our collective move to a hybrid workforce, and I won’t repeat it except to say - not only do firewalls and VPNs introduce significant risk, they are slow, outdated, and complex for a remote workforce to access a private app. No one wants a risky solution with a poor user experience.
Given this, I’d ask: how many of you are still using firewalls and VPNs? Now is the time to develop a plan for the next 3, 6, or 9 months - as it can’t be done overnight, but it is one of the most significant steps you can take to minimize your business risk.
Four simple steps to reducing risk with a zero trust architecture:
Endless ink has been spilled describing zero trust and the inherent security benefits compared to legacy approaches, but let me summarize using the Apache vulnerability as a framework.
In this case, security researchers at Alibaba Cloud discovered a zero-day vulnerability, meaning without an emergency security update, every customer running a vulnerable version is at risk. Not only this, but the vulnerability allows full remote code execution, allowing full administrator access to the underlying Apache service and all data within it. In order to exploit this vulnerability, an attacker must first find the app itself. To stop attackers from doing so:
- Minimize your attack surface and make apps invisible: Adopting a zero trust architecture, like the Zscaler Zero Trust Exchange, and specifically Zscaler Private Access (ZPA), allows you to make all of your internal apps completely dark and invisible to the internet. When they are hidden behind the zero trust platform, attackers cannot find them and exploit them, safeguarding even vulnerable versions of Apache from this and future vulnerabilities, impossible with legacy VPNs and firewalls.
-
Ensure only authorized users can access apps: Cybersecurity is most effective when you can achieve a layered defense as part of an integrated platform. Beyond making vulnerable apps invisible, Zscaler only allows authorized users to access apps authorized in policy based on immutable identity from leading vendors like Azure AD, Okta, Duo, or Ping. If an attacker isn’t authorized to access a vulnerable app, they would be prevented from doing so.
Should an attacker successfully establish a foothold within an enterprise network, either through exploiting the Apache vulnerability or other means, they will inevitably progress their attack by attempting to move laterally to compromise additional systems, install ransomware, and exfiltrate data. Therefore, you should:
- Prevent lateral movement with user-to-app and app-to-app microsegmentation: ZPA decouples application access from network access by directly connecting users to resources through a reverse tunnel that never puts users on the network. When app access doesn’t require network access, any potential lateral spread of an infection is prevented, even if an initial foothold has been established. Furthermore, the Zero Trust Exchange extends the same zero trust policy to public cloud workloads through Zscaler Workload Segmentation, stopping lateral movement within a data center or cloud environment. In either case, the Zscaler platform prevents a single infected server from being used to compromise the entire enterprise.
- Inspect both inbound and outbound traffic. Visibility and monitoring are cornerstones of Zero Trust. By inspecting all traffic—both encrypted and unencrypted—you can block initial compromise as attackers attempt to access your environment from the internet, and can also stop post-exploitation activities, such as communicating with command-and-control servers or exfiltrating data. Zero Trust Zscaler Internet Access (ZIA) does both. ZIA Advanced Threat Protection inspects both internet-to-server and server-to-internet traffic for indicators of compromise associated with known exploits in the wild, helping to block, detect, and mitigate attacks.
If you want to protect your enterprise from zero-day vulnerabilities, retire your firewalls and VPNs and embrace a true zero trust architecture with the Zscaler Zero Trust Exchange.
Request a custom zero trust exchange demo today to get started on your journey.
Run a complimentary internet attack surface analysis to see if you have any external attack surface using Apache.
Join our webinar on Wednesday, December 15th for more details and expert guidance on the Apache vulnerability.
Get the latest Zscaler blog updates in your inbox
Subscription confirmed. More of the latest from Zscaler, coming your way soon!
By submitting the form, you are agreeing to our privacy policy.