This blog is the third in a series examining how Zscaler supports the move to zero trust as defined by CISA.
In a zero trust model, the application is the focus of all security efforts. If you can secure the application you can, by proxy, secure the data it uses. Zero trust aims to secure application access, independent of the network. The Federal Zero Trust Strategy advises that “agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.” Enabling secure access to applications via the internet means that users may never need to access the network to get at the applications they need to complete their work, removing thousands of attack vectors from enterprise networks.
Using identity and policy to ensure that only authorized users can connect to authorized applications is only part of the zero trust solution. Zero trust means doing this in a way that eliminates the potential for lateral movement. Zscaler's combination of app-specific authorization and outbound-only connections provides an unprecedented level of invisibility to attackers while providing a new level of visibility for administrators.
Say goodbye to VPN
The Federal Zero Trust Strategy is pretty explicit in its direction to move away from the use of Virtual Private Networks (VPNs). While this is a huge shift for how users remotely access work systems, it is not an unwelcome one. VPNs are cumbersome for end users and administrators alike, and they inherently open up attack surfaces due to the exposed inbound listener required for remote endpoints to connect. Similarly, by allowing users onto the network to access even just one application, you are giving them visibility (and potentially access) to everything else on the network.
A zero trust approach limits the amount of information an attacker can collect. If an attacker cannot learn anything, you interrupt their mission at the reconnaissance stage. Making private applications “dark” to unauthorized users means there is no ability to scan for resources beyond the application being accessed. Because access is established over outbound-only connections, neither the connectivity infrastructure nor the applications are ever exposed to the internet.
This approach to application delivery improves performance as well as security. The path for accessing applications is dynamically evaluated to deliver the best performance for each individual user-to-application connection.
Application segmentation, not network segmentation
Network segmentation is difficult. It generally involves a number of network and security controls coordinated across a broad and heterogeneous environment, which leads to complexity and inconsistent protection.
Microsegmentation is focused on preventing unauthorized lateral movement, and application segmentation is focused on user access. With zero trust, both of these needs can be addressed simultaneously. Using Zscaler Private Access (ZPA), admins have the granular control to decide who can access what, even down to the individual service level, without the complexity of network segmentation.
The principles of zero trust for user access also extend to workloads that need to communicate outside of the network or workloads in different clouds. Using dynamic, encrypted data-plane tunnels, these workloads can interact where they need to without exposing any other data or systems.
Application segmentation with zero trust allows for another layer of security with the addition of behavior context. For example, say there is a file server. An employee with rights to that server can access it freely when on an organization-managed device. That same employee coming in via their personal device may have read-only access, or no access at all. Administrators are the only people granted the ability to manage the file server itself. This user-to-application granularity is only possible when application access is controlled independent of the network.
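The file-server scenario above, as an added example that is not Zscaler's code or ZPA's policy format: a small default-deny policy evaluator that decides a single user-to-application request from identity (group membership) and device posture (managed or personal), with no network or source-address input at all. The group names, the rule ordering and the choice of read-only (rather than no access) for personal devices are constructed assumptions.

```python
"""Device-posture-aware, per-application access decisions (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Tuple


class Access(Enum):
    NONE = "none"          # default: the app stays invisible to the requester
    READ_ONLY = "read-only"
    FULL = "full"
    MANAGE = "manage"


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]   # identity attributes from the IdP
    managed_device: bool     # device posture: organization-managed or personal
    app: str                 # the single application being requested


# Constructed rule set for the file-server scenario: (group, requires managed
# device, application, granted level). Rules are ordered; first match wins.
# There is deliberately no network or source-IP field: the decision is made
# purely per user-to-application, independent of where the request comes from.
Rule = Tuple[str, bool, str, Access]
RULES: List[Rule] = [
    ("file-admins", True, "file-server", Access.MANAGE),     # admins manage it
    ("employees", True, "file-server", Access.FULL),         # managed device
    ("employees", False, "file-server", Access.READ_ONLY),   # personal device
]

DECISION_LOG: List[str] = []  # the per-decision record admins review later


def decide(req: Request, rules: List[Rule] = RULES) -> Access:
    """Return the access level for exactly the requested app; default deny."""
    level = Access.NONE
    for group, needs_managed, app, granted in rules:
        if app != req.app or group not in req.groups:
            continue
        if needs_managed and not req.managed_device:
            continue
        level = granted
        break
    # Log every decision, including denials, so policy can be tuned from
    # observed traffic rather than guessed.
    DECISION_LOG.append(f"{req.user} -> {req.app} "
                        f"(managed={req.managed_device}): {level.value}")
    return level
```

An admin on a personal device falls through the managed-only rules to read-only, and a request for an app no rule names yields `Access.NONE`, so the requester learns nothing about that app's existence.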
Making app management more manageable
The granularity involved in zero trust makes it a very policy-heavy practice, and most organizations do not have the knowledge to build these policies on their own. Zscaler helps organizations build a database of applications and user activity metadata, so you can review the actual traffic to inform policies. This is not scanning or probing; it is visibility into actual traffic, providing the context critical for aligning access policy with enterprise needs.
For admins, zero trust lightens the burdens of managing an ever-growing suite of applications needed by users. Zscaler's cloud-delivered zero trust security enables granular, consistent control of access to applications across disparate data center and cloud environments, by workloads as well as users.