Humans don’t often like the idea of change. So, when the business asks IT leaders to adopt cloud quickly, and reduce business risk while doing so, a natural fear arises. How do I adapt? Am I relevant in a world that is moving to cloud? are thoughts that often creep into the back of their minds.
The reality is that this transformation creates an opportunity for IT leaders to step up and drive the change that the business is requesting. The best leaders will embrace this opportunity and take on a new mindset to make it possible.
Part of this mindset change should be around zero trust. Adopting a zero trust strategy, which is often only connected with security, has a larger impact on the business than people realize. Security, yes, but avoiding costs, delivering a better user experience, accelerating the adoption of cloud are natural byproducts of the model, as well as being key to business success.
According to a survey by Cybersecurity Insiders, which asked more than 315 IT and cybersecurity professionals around the world about their thoughts on zero trust, 78 percent of security teams want to adopt zero trust.
Even so, 53 percent of teams believe that their legacy technology, which is appliance-based and places users on the network, is enough to enable zero trust.
While the confusion might be understandable, it is still a bit alarming. Teams must realize that hesitating to embrace new technologies and say goodbye to legacy approaches, will impede business transformation. If the goal is to allow users to work productively from anywhere, why force them to be routed through a stack of network appliances located in only a few locations? (Can you say “slow experience?”) If the goal is cost avoidance, why continue to invest in expensive appliances that can’t scale quickly? If the goal is to reduce business risk, why place users on the network and use VPN technologies that are currently being exploited by state-sponsored attacks? These are the questions IT leaders should ask themselves and their teams.
Technologies exist that can empower IT leaders to become business leaders. But choosing the right technologies, avoiding common challenges associated with them, and determining initial use cases is incredibly important. Below, I have outlined the best practices for teams to follow so they can take zero trust from a theory to actual practice.
Every job needs the right tool. Taking a user- and application-centric approach to connectivity, and using the cloud as the delivery mechanism, can directly support business goals. That’s why Gartner recommends zero trust network access (ZTNA) technologies that are delivered “as a service” when securing access to private applications. ZTNA delivers better availability, faster deployment, and better protection against DDoS attacks. And that has caught the attention of enterprises, as 59 percent of those surveyed plan to adopt these services within the next 12 months.
Let me be clear on one point. This isn’t VPN 2.0. It is a fundamentally different approach to application access. It provides security that is adaptive, delivered from anywhere, and supports any app and device type regardless of where it is running.
Anticipating and removing the potential obstacles that will impede transformation is critical. The greatest challenges that organizations face when it comes to the cloud and mobility are around identity management, minimizing the attack surface, and gaining greater visibility into user activity.
With the plethora of remote employees and the abundance of BYOD policies, identity management has become a pillar in establishing trust. ZTNA tools can integrate with multiple identity providers (simplifying their management) to ensure users are first authorized, then policies are enforced to provide a secure connection between user and app. These steps create an identity- and contextual-based logical boundary around an application.
Legacy technologies (VPNs) were designed to connect users to a network, which requires the network to make itself accessible, and this accessibility can be exploited by bad actors. ZTNA helps reduce the attack surface by only allowing authenticated users to access specific apps based on policies set by the organization.
Instead of focusing on just IP address and email (as with VPN), ZTNA provides increased visibility into actual user and app activity. IT can view every log and transaction in real time and with granular detail to understand who is accessing which applications, and can discover previously unknown applications (shadow IT). ZTNA also gives teams the ability to monitor the health of their environment to ensure apps and servers remain up—reliability and availability are other distinct benefits to the business.
When you look to implement a zero trust strategy, it is best to begin with the use case that provides the most immediate (positive) impact on your business. A good way to determine this is to answer two questions:
- Which applications are most critical for the business?
- Which users are accessing those applications?
Research shows that the most common zero trust use cases are around access for contractors; application access during a merger, acquisition or divestiture; as an alternative for VPN; or to support multi-cloud access.
The time has come
Organizations are recognizing that doing nothing in the face of digitalization, changing workflows, and user mobility is not an option. But at least now they have a strategy to handle it all—an unexpected one called zero trust.
Want to learn more? Check out this webinar in which you will discover how to implement a zero trust strategy that brings the greatest benefit to your organization.
Christopher Hines is the Head of Product Marketing for Zscaler Private Access and Z App.