This post is the second in a series examining how Zscaler supports the move to zero trust as defined by CISA.
The federal zero trust strategy is making agencies rethink how networks are accessed and their overall role in the IT stack. The strategy states that agencies can “no longer depend on conventional perimeter-based defenses to protect critical systems and data.” It goes on to direct agencies to “make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” This transformational directive is critical for competing with near-peer adversaries who do not limit themselves to incremental improvements, but instead rapidly evolve their tactics and techniques, and only those “bold changes and significant investments” called for in the strategy have any hope of standing up against them.
These “bold changes” stem from the fundamental tenet of zero trust that all users, assets, and services are operating in an “assumed hostile” environment, no matter where they reside. To achieve this posture, it is vital to use strong identity/multi-factor authentication (MFA) techniques, to authorize and attribute all user/entity actions, limit those actions to the least amount of granted privileges and access required, and encrypt all traffic on both internal and external networks, starting with DNS and HTTP.
There is no perimeter
With the rapid adoption of cloud and SaaS applications across the federal government, the legacy “perimeter” has dramatically eroded. Applications, data, and users dynamically exist anywhere and everywhere. For example, when you load Gmail in your browser, the user interface you see is composed of a complex web of microservices and data stores hosted across a vast cloud architecture, each of which change and scale multiple times a day to meet the needs of users.
Securing such a distributed and dynamic architecture is daunting, and this example serves to illustrate the challenge facing the federal government as it strives to modernize applications to best serve its citizens. Zero trust tenets are foundational to achieving security in this modern reality, where security and access are not based on where an application lives, but rather what a user is allowed to access, and how the components of modern applications communicate with each other. Zscaler was designed with this reality in mind, to allow users to connect directly to applications no matter where they are, and without having to expose multi/hybrid cloud infrastructure externally. Zscaler is purpose-built to change the way networks work and aligns with the federal zero trust strategy.
Internet as the access point
The goal is clearly stated in the strategy: “in mature zero trust deployments, users strongly authenticate into applications, not into the underlying networks.” Zscaler directly addresses this zero trust and usability challenge by being a built-from-the-ground-up cloud-native, identity-centric, and multi-tenant platform which provides efficient and secure access to the internet, SaaS, and private applications from any location or any device. This approach decouples and abstracts security away from underlying infrastructure to ensure consistent and agile protection without impacting user experience or introducing friction/complexity.
Zscaler secures and segments user and workload-to-internet/SaaS traffic regardless of device or location, providing consistent policy enforcement and ubiquitous threat prevention, access control, data protection, and traffic obfuscation across the federal landscape.
Zscaler also fundamentally modernizes how users consume private applications, giving them seamless, secure, and direct access, rather than requiring VPNs for application access. From a user’s perspective, they access private applications exactly the same way as public applications, a fundamental tenet of the strategy which espouses “making applications internet-accessible in a safe manner, without relying on a virtual private network (VPN) or other network tunnel.” This approach aligns to the abstractions of multi/hybrid cloud architectures by decoupling remote access from underlying networks and architectures and brokering access at the application layer based on user identity and continuous device posture.
Trust no one, encrypt everything
Looking at zero trust from a traditional network security perspective, you could say it maps most closely to the core security concept of least-privileged access, but zero trust is much more than this. It requires a way to continuously authenticate and authorize the people and devices that are gaining access to applications, since identity is central to securing network and application connectivity in a zero trust model. Everything in the path between the user and the application must constantly inspect the traffic to ensure that activity is attributed to a user and policy is applied correctly.
However, when everything is encrypted, there is a natural loss of visibility, as acknowledged in the strategy, “it will be critical to balance the depth of their network monitoring against the risks of weak or compromised network inspection devices.” Zscaler addresses this balance head-on, by being both a cloud-scale, ubiquitous visibility/monitoring platform, and also being an enforcer of the fundamental tenets of zero trust for user and application network traffic. In fact, by continually authenticating and authorizing users and devices that are gaining access to applications, Zscaler drives identity to the core of monitoring, ensuring that all activity is attributable to the actor’s identity, whether they are on-prem or remote. Zscaler’s ability to decrypt traffic at cloud-scale in a FedRAMP/JAB-authorized SaaS platform is foundational to this visibility without expecting customers to be responsible for managing and securing network inspection appliances.
This is the innovation that Zscaler brings to achieving the goals of the strategy - reducing complexity, reducing management overhead, while also embodying and enforcing zero trust principles. Zscaler is purpose-built as a SaaS-delivered solution that is easily managed from a unified, consistent user interface and offers flexible deployment options to allow customers to rapidly adopt this capability, facilitating compliance with this important federal zero trust strategy.