
Mar 6, 2025
Zero trust is not immune to change costs, but with Airgap you can boost speed to value while keeping end users happy.
If we put aside late-night infomercials and assume most new technology does what it claims, why do organizations still hesitate to adopt it?
In my years as a Gartner analyst, I found that it came down to cost for many clients – but not the cost you might think. New technology may or may not be expensive, but the cost of change is why many organizations fail to adopt new technology. Operational and cultural change is like the iceberg's mass under the surface. It can make all the difference in either successfully adopting a new technology or seeing it fail. While this cost is not typically measured monetarily, CXOs must recognize and manage it.
Consider data loss prevention (DLP) as an example. The technology and market have been around for decades, but few organizations – even government organizations where document classification is part of the culture – have successfully adopted and maintained an active and organization-wide system. It is only with the advent of AI that organizations see practical value, as live traffic is now scanned and automatically categorized rather than relying on static watermarks and tags.
Zero trust is certainly not immune to change costs, but like DLP, we have turned the corner and there is a reliable way to boost speed to value.
Microsegmentation, now with a low cost of adoption
As workers return to the office, the zero trust benefits of technology like zero trust network access (ZTNA) are often lost as workers connect over flat and open office networks. IT teams want to segment or isolate hosts on the LAN to get the same zero trust posture they already have through ZTNA for remote workers. Traditional microsegmentation approaches involve heavy re-engineering of the LAN or placing agents on every possible host. The change cost, or even the implementation effort, crashed most of these projects until recently. The benefits of zero trust are very compelling, but the cost of implementing policies and keeping them current has made it almost unattainable for most organizations.
That is, until Airgap Networks, a company Zscaler acquired last April, came up with a better and simpler approach: one that needs neither network re-engineering nor yet another agent installed everywhere. It all but eliminates the change cost and makes one of the most difficult techniques easy.
Today, devices and workloads come on and go off the network all day long. Almost all organizations use DHCP to manage this, and it causes no problems for modern enterprise services. Airgap takes advantage of how prevalent DHCP is: as a host joins the network and receives an IP address assignment, Airgap intercepts the assignment and modifies the subnet mask so the host ends up with a /32 address.
That means each host sees nothing on its local subnet but itself, so every packet it sends goes to the network gateway, a role Airgap assumes. That is it. No agents. No new hardware or other changes to the network infrastructure. No manipulation or hacking of accepted protocols. Everything follows the rules.
How does this solve microsegmentation so easily? The on-site Airgap gateway now sits in the middle of all LAN communications. The gateway decides which flows to let pass and which to drop, all according to existing zero trust policies. The gateway also becomes a massive source of LAN intelligence, just as an SSE proxy is a massive source of WAN intelligence.
As an analyst hearing about this for the first time well before Zscaler acquired Airgap Networks, it sounded too good to be true. I worried that something so simple must have a fatal flaw. In discussions with Airgap, the founders challenged me to propose a use case where their method would fail. My proposal was to put a rogue device on the LAN that was specifically programmed not to follow IP protocol and rules. After receiving a /32 IP address, it would ignore the rules and scan the network at will. The founders smiled and agreed that could happen, and Airgap could not prevent a rogue device from being placed on the network as I described. But they were still smiling, and I felt like I was being set up.
So I asked, “What’s the problem?” My rogue device could wreck your plans and scan the network. Still smiling, they agreed that the rogue device could send out pings or other scanning requests, but then they asked me how the target host would respond.
It hit me: the target device would follow IP protocol rules and, having no direct route back to the rogue device, would send its response through the Airgap gateway. The gateway would see the malicious activity and drop the response before the host was compromised, and even before the rogue device learned of the host's existence. Simplicity has its benefits.
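To make the route decision behind this exchange concrete, here is a small simulation added for this article (it is not Airgap's code, and the gateway address 10.0.0.1, the host names, the addresses and the policy set are all assumptions). It models a host that follows normal IP forwarding rules under a /32 lease versus a flat /24 lease, a gateway that applies an allow-list policy to everything handed to it, and the rogue-device scenario from the discussion above: the rogue probe bypasses the gateway, but the target's reply cannot, and the gateway drops it.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example: all addresses and names below are assumptions for the
# illustration, not Airgap internals.
GATEWAY_IP = ipaddress.ip_address("10.0.0.1")  # assumed LAN gateway address


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    kind: str  # "echo-request" or "echo-reply"


@dataclass
class Host:
    name: str
    ip: str
    prefixlen: int  # 32 after the modified DHCP lease, 24 on a flat LAN
    rogue: bool = False  # a rogue device ignores its mask and talks directly

    def __post_init__(self):
        self.ip = ipaddress.ip_address(self.ip)
        # Addresses the host believes are on its own link (reachable via ARP).
        self.on_link = ipaddress.ip_network(f"{self.ip}/{self.prefixlen}", strict=False)

    def next_hop(self, dst):
        """Ordinary IP forwarding: on-link destinations are reached directly,
        everything else is handed to the default gateway. A /32 lease leaves
        nothing on-link except the host itself."""
        if self.rogue or dst in self.on_link:
            return dst
        return GATEWAY_IP


@dataclass
class Gateway:
    """The in-path gateway: each packet handed to it is checked against the
    zero trust policy, modelled here as a set of permitted (src, dst) pairs."""
    allowed: frozenset
    log: list = field(default_factory=list)

    def forward(self, pkt):
        flow = (str(pkt.src), str(pkt.dst))
        permitted = flow in self.allowed or flow[::-1] in self.allowed
        verdict = "pass" if permitted else "drop"
        self.log.append(flow + (pkt.kind, verdict))  # LAN intelligence
        return verdict


def deliver(sender, pkt, gw):
    """Return True if the packet reaches its destination."""
    if sender.next_hop(pkt.dst) == pkt.dst:
        return True  # on-link (or rogue): the gateway never sees it
    return gw.forward(pkt) == "pass"


def probe_outcome(scanner, target, gw):
    """Scanner sends an echo request; the target answers by its own route table."""
    request = Packet(scanner.ip, target.ip, "echo-request")
    request_seen = deliver(scanner, request, gw)
    reply_seen = False
    if request_seen:
        reply = Packet(target.ip, scanner.ip, "echo-reply")
        reply_seen = deliver(target, reply, gw)
    return {"request_delivered": request_seen, "reply_delivered": reply_seen}


def scenario(prefixlen, allowed=frozenset()):
    """Rogue device 10.0.0.50 probes well-behaved host 10.0.0.20 (constructed)."""
    gw = Gateway(allowed=frozenset(allowed))
    scanner = Host("rogue", "10.0.0.50", prefixlen, rogue=True)
    target = Host("printer", "10.0.0.20", prefixlen)
    result = probe_outcome(scanner, target, gw)
    result["gateway_log"] = gw.log
    return result


def mask_isolates_host(netmask):
    """The check the author did by hand: 255.255.255.255 means a /32 lease."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen == 32


if __name__ == "__main__":
    print("isolated /32 LAN:", scenario(32))
    print("flat /24 LAN:    ", scenario(24))
    print("permitted flow:  ", scenario(32, {("10.0.0.20", "10.0.0.50")}))
```

With /32 leases the probe reaches the printer, but the reply is routed to the gateway, logged and dropped, so the scanner never learns the host exists; with /24 leases the same reply goes straight back and the gateway sees nothing. Adding the flow to the policy set shows that a legitimately permitted peer still gets its answer.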
A proof-of-concept from close to home
In theory, Airgap technology removes most of the cost of change, making zero trust isolation of hosts on the LAN a practical reality. But it still seems too good to be true, and prudent organizations would want proof that it works as described.
Let me offer Zscaler itself as a reference. Most CIOs agree that some of the most difficult end users to satisfy are developers and engineers, because they often require exceptions to corporate IT policies and protocols. Well, more than half of the end users at Zscaler headquarters in San Jose, CA are engineers. Not only do they have the extreme needs typical of enterprise developers; they actually build many of the security services that are put in place to protect the organization.
From an IT perspective, these are dangerous end users (though, on a personal level, they tend to be excellent people). For more than a year before Zscaler acquired Airgap Networks, Zscaler had this zero trust control in place at its headquarters. And no one knew. No complaints or comments, even from the most demanding engineering end users. Absolutely zero tickets back to Airgap during this time. It just worked as designed.
When the acquisition was announced internally and it was shared that our office had been using Airgap for more than a year, most of us were shocked. Like many others, I quickly checked my IP configuration, and there it was: a subnet mask of 255.255.255.255, proof of a /32 IP address.
Working as designed and without end-user awareness, it is the gold standard for low change costs. Airgap is built for success, and this may just be the right time for your organization to improve its zero trust posture.