This post originally appeared on LinkedIn on May 7, 2020.
Is your corporate network slow? Or difficult to manage? Are you finding your legacy castle-and-moat security complex and expensive (and, let’s face it, sometimes not particularly secure)? Are you spending all your time putting out fires instead of helping address company business goals? Then you’re singing the legacy network blues! It’s a sad tune, but a common one as well.
Most companies must find a balance between responding to operational emergencies and planning for better business outcomes. Overloaded networks, bad application performance, and strained IT budgets get in the way of business-oriented projects like technical advancement to improve online services for both customers and employees. The result can be constant firefighting and band-aiding using tactical—rather than strategic—solutions.
Traditional hub-and-spoke networks centralize traffic, operations, and security in the data center. This model worked well in a world where companies hosted all their own applications. But it doesn’t adapt well to disruptive technologies like public-cloud-hosted software-as-a-service (SaaS) applications. A traditional hub-and-spoke network, with castle-and-moat security, routes all traffic back through the corporate data center and through complex security stacks—even traffic bound for SaaS products on the internet. The result? Poor performance. Meanwhile, IT backhauls traffic, overloads network circuits, and expands threat surfaces.
Want to sing a happier tune? Digitally transform your network! But, how do you start network transformation? First, consider these questions:
- Can internal users connect to cloud applications directly without backhauling traffic through a data center?
- Can remote users access cloud applications directly without connecting and backhauling traffic through a data center?
- Is a remote user’s experience the same as an on-prem user’s experience?
- Is your network segmented to limit east/west traffic movement?
- Does your VPN allow policies that limit applications to specific users or groups?
- Do you have visibility into user traffic?
- Do you have sufficient bandwidth (a common rule of thumb is to keep 40% to 50% of capacity in reserve for changes in business operations)?
If you answered “NO” to any of these questions, your network may not be serving the needs of your business, and you should start transforming your network NOW. Zero trust architectures can start you happily humming.
Zero trust is a modern tune
The shift away from legacy castle-and-moat security architectures to zero trust architectures may seem daunting for IT leaders. But you need to change: enterprises are embracing digital transformation technologies, and legacy networks aren't built to support the changes. A zero trust architecture lets you answer YES to the questions above. Zero trust provides a seamless user experience and enhances your total security posture by authenticating and authorizing each connection between a user and an application, wherever either resides, instead of trusting whatever happens to be on the network.
With a zero trust architecture, you can stop backhauling internet-bound traffic over expensive MPLS circuits and use direct internet circuits instead. This immediately frees up data center bandwidth and reduces backhauling costs. If you run a large enterprise network with many remote locations in multiple countries, you might think the solution requires a software-defined wide area network (SD-WAN). Not necessarily! You can typically use your existing router to build a GRE tunnel to your zero trust partner, or deploy a cloud firewall. Keep in mind that GRE itself provides no confidentiality or integrity: it only encapsulates traffic, so either the user sessions inside it must already be encrypted (as HTTPS traffic is) or you should use an IPsec tunnel where the path to the partner crosses networks you do not control.
Zero trust architectures also help you steer your internal traffic. Send all internet-destined traffic, whether it comes from user devices, servers, or guest Wi-Fi, to local internet breakouts at each site. What remains on your MPLS network should then be only user-to-system or system-to-system connections for applications that still live in the data center.
Zero trust architectures also provide better (and inherent) security. With legacy security architectures, remote employees using company devices for both personal and professional use can create security problems. For instance, company policy may allow employees to use laptops on personal time. They might post on social media or engage with gaming sites. This activity doesn't require VPN protection. But a laptop compromised while browsing unprotected and then connected to the corporate VPN carries that compromise inside the perimeter, where the VPN grants it network-level reach to corporate systems.
Remote users shouldn’t care whether an application sits in the corporate data center or in a cloud. They shouldn’t worry about whether or not to use security software. Security should just be ON, and your users sent along the fastest route to the needed application in order to reduce latency and improve their experience.
Zero trust technology protects the connection between a device and a corporate application even if the device is used for other non-corporate activities, and wherever the application sits, without requiring the user to make any decision.
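The contrast drawn in the last few paragraphs, between trusting a device because of where it is and authorizing each connection on identity and application policy, is easiest to see in a small policy evaluator. The following is an added example, not code from the original post or from any vendor product: the application-to-group policy, the group names, and the request scenarios are hypothetical and constructed for illustration. The legacy evaluator admits anything on the corporate LAN (and anything that reached the LAN over VPN); the zero trust evaluator never looks at network location at all.

```python
"""Per-connection authorization: castle-and-moat versus zero trust.

Added example, not code from the original post or from any vendor product.
The application-to-group policy, the group names and the request scenarios
are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset      # groups asserted by the identity provider
    app: str               # application the connection is headed for
    source: str            # where the device is right now: "corp-lan", "home", "cafe"
    authenticated: bool    # did the user/device complete authentication for this session


# Hypothetical policy: which groups may reach which application.
# Anything not listed is denied by default.
APP_POLICY = {
    "hr-portal": frozenset({"hr", "it-admins"}),
    "erp": frozenset({"finance", "it-admins"}),
    "wiki": frozenset({"employees"}),
}


def castle_and_moat(req):
    """Legacy model: location is the trust signal.

    Anything already on the corporate LAN is trusted, and a remote user who
    authenticates to the VPN is placed on that LAN too, with reach to every
    application on it.
    """
    if req.source == "corp-lan":
        return True
    return req.authenticated


def zero_trust(req):
    """Zero trust model: every connection is authorized on identity and app policy.

    The device's current network location is deliberately not consulted, so
    the decision is the same at home, in a cafe, or on the corporate LAN.
    """
    if not req.authenticated:
        return False
    allowed = APP_POLICY.get(req.app)
    if allowed is None:
        return False                    # unknown application: default deny
    return not req.groups.isdisjoint(allowed)


def decide(req):
    """Evaluate one request under both models for side-by-side comparison."""
    return {"castle_and_moat": castle_and_moat(req), "zero_trust": zero_trust(req)}


# Constructed scenarios (hypothetical users and groups).
SCENARIOS = {
    "hr user at home": Request("alice", frozenset({"employees", "hr"}), "hr-portal", "home", True),
    "unauthenticated process on a LAN laptop": Request("", frozenset(), "erp", "corp-lan", False),
    "engineer on the LAN opening the ERP": Request("bob", frozenset({"employees", "eng"}), "erp", "corp-lan", True),
    "engineer on the LAN opening the wiki": Request("bob", frozenset({"employees", "eng"}), "wiki", "corp-lan", True),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        print(f"{name:45} {decide(req)}")
```

The second and third scenarios are the ones that matter: an unauthenticated process on a LAN laptop, and an authenticated engineer who is simply not entitled to the ERP, both get through under the legacy model because they are "inside", and both are refused by the zero trust evaluator. That refusal is also what limits east/west movement: being on the network buys nothing by itself.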
Finally, a zero trust solution gives IT operations complete visibility into network traffic: what you don't know WILL hurt you. IT must see who is connecting to what and from where, see what's coming at the environment (e.g., malware), see bandwidth usage, traffic patterns, and traffic destinations, and detect network bottlenecks as quickly as possible. As operations teams digitally transform the network, that visibility is key to understanding where resources are needed and how users are connecting with applications.
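Two of the points above, steering internet-bound traffic to local breakouts while leaving only private user-to-system and system-to-system traffic on MPLS, and knowing who connects to what from where, can be checked against the flow records most routers and firewalls already export. The following is an added example, not code from the original post or from any vendor product. It reads constructed flow records in a hypothetical CSV layout (the sites, users, addresses and the "egress" column are all made up for illustration) and reports which internet-destined flows are still being backhauled over MPLS, how many bytes that costs per site, and which users talked to which destinations.

```python
"""Flow-log audit for backhauled internet traffic and who-connects-to-what visibility.

Added example, not code from the original post or from any vendor product. It
reads constructed flow records in a hypothetical CSV layout; the sites, users,
addresses and the "egress" field are all made up for illustration.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample flow records (hypothetical format). egress is where the
# flow left the site: "mpls" (backhauled to the data center), "breakout"
# (local internet circuit) or "ztna" (brokered connection from a remote user).
SAMPLE_FLOWS = """\
time,user,site,src_ip,dst_ip,dst_port,bytes,egress
2020-05-07T09:00:01,alice,london,10.20.1.15,203.0.113.10,443,845000,mpls
2020-05-07T09:00:02,alice,london,10.20.1.15,10.1.5.20,1433,12000,mpls
2020-05-07T09:00:05,bob,london,10.20.1.22,198.51.100.7,443,3100000,mpls
2020-05-07T09:00:07,carol,remote,100.64.3.9,10.1.5.20,443,40000,ztna
2020-05-07T09:00:09,dave,berlin,10.30.2.4,203.0.113.10,443,220000,breakout
2020-05-07T09:00:12,erin,berlin,10.30.2.8,192.168.50.10,445,9000,mpls
2020-05-07T09:00:14,frank,berlin,10.30.2.9,10.1.5.20,22,5000,breakout
"""

# Destinations inside these RFC 1918 ranges are treated as private applications
# (hosted in the data center); everything else is internet-bound.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_destination(dst_ip):
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in PRIVATE_NETS)


def classify_flow(row):
    """Return (destination_class, verdict) for one flow record.

    Private apps may legitimately ride MPLS or a brokered ZTNA connection.
    Internet-bound traffic should leave through a local breakout; if it went
    over MPLS it was backhauled through the data center.
    """
    egress = row["egress"]
    if is_private_destination(row["dst_ip"]):
        verdict = "ok" if egress in ("mpls", "ztna") else "misrouted-private"
        return "private", verdict
    verdict = "backhauled" if egress == "mpls" else "ok"
    return "internet", verdict


def audit(flow_csv):
    """Summarise a flow export: what was backhauled, by how much, and who talked to what."""
    backhauled = []                     # (site, user, dst_ip, bytes)
    backhauled_bytes_by_site = defaultdict(int)
    verdicts = Counter()
    who_to_what = defaultdict(set)      # user -> {(dst_ip, dst_port, site)}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        _, verdict = classify_flow(row)
        verdicts[verdict] += 1
        nbytes = int(row["bytes"])
        if verdict == "backhauled":
            backhauled.append((row["site"], row["user"], row["dst_ip"], nbytes))
            backhauled_bytes_by_site[row["site"]] += nbytes
        who_to_what[row["user"]].add((row["dst_ip"], int(row["dst_port"]), row["site"]))
    return {
        "backhauled": backhauled,
        "backhauled_bytes_by_site": dict(backhauled_bytes_by_site),
        "verdicts": dict(verdicts),
        "who_to_what": {u: sorted(v) for u, v in who_to_what.items()},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS)
    for site, user, dst, nbytes in report["backhauled"]:
        print(f"{site}: {user} -> {dst} backhauled {nbytes} bytes; candidate for local breakout")
    print("verdicts:", report["verdicts"])
```

On the constructed sample, London is still sending SaaS traffic over MPLS while Berlin already breaks out locally, and one Berlin flow toward a private application left through the breakout, which is the kind of misrouting you want to catch before a private app becomes reachable from the wrong path. Run the same audit on a real export before and after cutting over a site, and the "backhauled" byte count per site is the bandwidth you get back.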
Zero trust hits the right notes
Zero trust enhances your security posture so that users can access the applications they need from anywhere, wherever those applications live. Transformation requires changes in legacy castle-and-moat network architectures. As companies embrace applications that live outside the network perimeter, and users access those applications from anywhere, large stacks of centralized security devices won’t scale to handle the increase of internet-bound traffic.
Zero trust architectures allow any organization to answer YES to the questions above and move forward in increments. By embracing the change that enterprises need—digital transformation powered by the cloud and other technologies—internal champions for better, higher-performing, more-secure networks can get their organizations singing the praises of zero trust architectures.
Pamela Kubiatowski is Sr. Director of Transformation Strategy (Consultant) at Zscaler.