Today’s work-from-anywhere environment demands a modern approach to protecting an organization’s “crown jewel” applications and reducing overall risk. Securing essential, private business applications – and securely granting third-party partners access to those apps – calls for different techniques than a half-decade ago.
At a recent webinar presented by Information Security Media Group, “Key Strategies to Secure Access for Private Apps,” Zscaler VP and CISO Brad Moldenhauer and Field CTO Pam Kubiatowski explored the benefits of cloud-delivered security. They explained how transitioning away from network-based access is a necessary step enterprises should take sooner rather than later.
We know today that VPN access introduces unnecessary risk in bringing users and applications together. A VPN gateway is a publicly routable device, so it significantly extends the organization's attack surface. This is especially problematic because VPN appliances from many vendors have repeatedly shipped with security flaws, and any undiscovered zero-day vulnerability in an internet-facing gateway is a target waiting to be found.
Using a VPN is a lot like having your phone number published in the white pages without caller ID on your phone: robocallers barrage you constantly, and you have to answer every time to find out who is on the line. With zero trust, your number is not in the white pages, and whoever calls must be explicitly approved before being patched through. From a security perspective, that public attack surface is gone, which is a fundamental difference between Zscaler's approach and a network-based technology.
With a zero trust platform, users connect directly to individual applications according to the principle of least privilege: only after identity and authorization criteria have been verified, and with that authorization continuously re-evaluated for the life of the session rather than decided once at login. This moves away from the static, binary access model of a VPN, where a successful login grants reachability to the network. Zero trust is based on the premise that nobody can reach vital company applications and data without proper credentials plus dynamically evaluated contextual attributes, such as the state of the device making the request. And as the new office environment forces a departure from the VPN-centric approach, the need for zero trust grows: anyone online could be presenting someone else's identity, so credentials alone cannot be the basis of trust.
“With zero trust solutions, we don't have that issue. We can maintain a level of ubiquitous connectivity for anyone, regardless of where they are. And then the other piece is minimizing lateral movement risk,” said Moldenhauer.
Providing users application access while reducing the attack surface
One of the ways zero trust challenges intruders is by ensuring that only users with permissions are granted access. Users are connected only to resources they can access – not entire networks.
“Zero trust architecture is built on a dynamic, multi-tier trust model that exercises more fine-grained control over identity and access, including access to specific resources. What that means for an individual user is that the level of access provided may vary dynamically over time depending upon a variety of factors. For example, a user may be accessing an application from an untrusted device, so we need to allow that access if they're authorized to do so with certain limitations or mitigations,” said Moldenhauer.
This flexibility in applying and enforcing access based on the context of each request is another significant differentiator between zero trust and legacy security practices. What's more, connectivity is inside-out: a connector next to the application opens an outbound connection to the cloud service, and the user is brokered to the application through it, instead of the user connecting inbound to the application. Because only outbound connections are required, no inbound listener has to be published to the internet; users still reach job-critical apps, the attack surface shrinks, and a threat actor who compromises one user has no network to move laterally across.
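The contextual, per-application access decision described in the paragraphs above, as an added example that is not Zscaler's code and does not reflect its policy model. It shows a user seeing only the apps they are entitled to, an authorized user on an untrusted device being allowed with mitigations or denied depending on the app's sensitivity, and a session being re-evaluated on each request rather than once at login. The application names, group names, context attributes and the policy table are all constructed for illustration.

```python
"""Added example, not Zscaler's code: a minimal per-application, context-aware
access decision. Apps, groups, attributes and the policy table are hypothetical."""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_RESTRICTED = "allow_restricted"   # e.g. isolated or read-only session
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset        # group membership from the identity provider
    mfa: bool                # strong authentication completed this session
    managed_device: bool     # device is enrolled with the organization
    posture_ok: bool         # endpoint checks passed (encryption, EDR running, ...)


# Hypothetical policy: which groups may reach each private app, and whether the
# app is sensitive enough to require a managed, healthy device.
POLICY = {
    "hr-portal":  {"groups": {"hr"},                  "managed_only": True},
    "wiki":       {"groups": {"hr", "eng", "vendor"}, "managed_only": False},
    "build-farm": {"groups": {"eng"},                 "managed_only": True},
}


def visible_apps(ctx):
    """Apps the user can discover at all; everything else stays dark to them."""
    return sorted(app for app, rule in POLICY.items() if ctx.groups & rule["groups"])


def evaluate(ctx, app):
    """One access decision for one user-to-application request."""
    rule = POLICY.get(app)
    if rule is None or not (ctx.groups & rule["groups"]):
        return Decision.DENY          # default deny: not entitled means not reachable
    if not ctx.mfa:
        return Decision.DENY          # identity not sufficiently verified
    if ctx.managed_device and ctx.posture_ok:
        return Decision.ALLOW
    # Authorized user on an untrusted device: allow with mitigations, unless
    # the app is restricted to managed devices.
    return Decision.DENY if rule["managed_only"] else Decision.ALLOW_RESTRICTED


def session_decisions(ctx, app, context_updates):
    """Re-evaluate on every request instead of once at login. Each update is a
    change in observed context (for example, device posture degrading mid-session)."""
    decisions = [evaluate(ctx, app)]
    for update in context_updates:
        ctx = replace(ctx, **update)
        decisions.append(evaluate(ctx, app))
    return decisions


if __name__ == "__main__":
    eng = Context("alice", frozenset({"eng"}), mfa=True, managed_device=True, posture_ok=True)
    vendor = Context("vend-1", frozenset({"vendor"}), mfa=True, managed_device=False, posture_ok=False)
    print(visible_apps(vendor))                  # only the wiki is visible to the vendor
    print(evaluate(vendor, "wiki"))              # allowed, but with restrictions
    print(evaluate(vendor, "hr-portal"))         # denied: not entitled
    print(session_decisions(eng, "build-farm", [{"posture_ok": False}]))  # allowed, then denied
```

The point to notice is that the decision is a function of the whole request context, not of where the packet came from: the same authorized user gets three different answers (full access, restricted access, denial) as the device state and the target app change, and a mid-session posture failure revokes access without any network-level change.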
“Allowing a user to only see the applications to which they have been granted access is very different than a network. An intruder cannot attack what they cannot see,” said Kubiatowski.
Tricking intruders with decoys
Deception is another promising method for securing private applications, and one that is gaining traction among practitioners: decoy files and resources are planted alongside the real ones, so that a bad actor is spotted the moment they try to access one.
“If someone were to steal [Pam’s] identity,” Moldenhauer explained, “they could easily access her files. But some of her files in the cloud are decoys – and the intruder has no way of knowing that. When the intruder touches the decoy files, a high-fidelity alert is generated so that a full-blown attack can be averted before it even begins.”
“Access means you are still vulnerable when you have a VPN, and you don't know who's in your network,” said Kubiatowski. “Deception technology allows you to protect your crown jewels in a way where it will notify you if something unusual is happening.”
A unique approach to segmentation
Users are not only limited to a given level of access; each is also granted connectivity only to a specific set of applications, which turns access control itself into a form of segmentation.
“You're only allowing them to connect to that which you're going to allow them to see. You now create a different form of segmentation. And I think organizations have to think about segmentation very differently. It's not about creating network segmentation; it's about creating user-to-application or application-to-application segmentation as opposed to traditional segmentation,” said Kubiatowski.
This new type of segmentation gives security teams a clear picture of who is using which application and how. Connection logs are collected and analyzed so that misuse can be spotted and cut off. It can also simplify access for specific departments, since each group's policy maps directly to the applications that department needs.
“When you connect a user to an application or an application to an application, it's not about looking at a network. Rather, it's about looking at…the user connecting to the application and looking through the logs of the application connector sitting in front of a private application that's hidden to anyone because it's private. You can look through the logs and determine where there’s a problem and see that it has to do with identity for example,” Kubiatowski said.
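Detection logic of the kind described in the two preceding sections, the decoy-file alert and the connector-log review for identity problems, as one added example that is not Zscaler's code and does not use its log format. The log lines are constructed for this illustration, and the field names, decoy resources, and thresholds are assumptions; the scenario follows the stolen-identity case above, where a valid user's credentials appear from an unknown device and touch a decoy.

```python
"""Added example, not Zscaler's code or log format: detection over constructed
application-connector log lines. Field names, decoy paths and thresholds are
assumptions for illustration only."""
from collections import defaultdict

# Constructed sample log: one connection request per line, key=value fields.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z user=pam device=lap-01 app=finance-share resource=/reports/q1.xlsx action=allow
2024-05-01T09:00:05Z user=pam device=lap-01 app=finance-share resource=/reports/q2.xlsx action=allow
2024-05-01T09:01:10Z user=pam device=unk-77 app=finance-share resource=/reports/board-deck-FINAL.pptx action=allow
2024-05-01T09:01:12Z user=pam device=unk-77 app=hr-portal resource=/ action=deny
2024-05-01T09:01:13Z user=pam device=unk-77 app=payroll resource=/ action=deny
2024-05-01T09:01:14Z user=pam device=unk-77 app=erp resource=/ action=deny
2024-05-01T09:02:00Z user=brad device=lap-02 app=wiki resource=/home action=allow
"""

# Hypothetical decoys: (app, resource) pairs that no legitimate workflow touches,
# so any access to them is a high-fidelity signal.
DECOY_RESOURCES = {("finance-share", "/reports/board-deck-FINAL.pptx")}
DENY_THRESHOLD = 3   # denied app connections per identity before we flag it


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is the first token."""
    ts, *fields = line.split()
    record = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_logs(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def decoy_alerts(records):
    """Every touch of a decoy is an alert, whether or not policy allowed it."""
    return [r for r in records if (r["app"], r["resource"]) in DECOY_RESOURCES]


def identity_anomalies(records, threshold=DENY_THRESHOLD):
    """Flag identities that (a) rack up denied app connections, as a stolen
    credential probing for apps the real user never uses would, or (b) appear
    from more than one device within the log window."""
    denies = defaultdict(int)
    devices = defaultdict(set)
    for r in records:
        devices[r["user"]].add(r["device"])
        if r["action"] == "deny":
            denies[r["user"]] += 1
    flagged = {}
    for user in devices:
        reasons = []
        if denies[user] >= threshold:
            reasons.append(f"{denies[user]} denied app connections")
        if len(devices[user]) > 1:
            reasons.append(f"seen from {len(devices[user])} devices: {sorted(devices[user])}")
        if reasons:
            flagged[user] = reasons
    return flagged


def analyze(text=SAMPLE_LOGS):
    records = parse_logs(text)
    return {
        "decoy_alerts": decoy_alerts(records),
        "identity_anomalies": identity_anomalies(records),
    }


if __name__ == "__main__":
    result = analyze()
    for alert in result["decoy_alerts"]:
        print(f"DECOY TOUCHED: {alert['user']} from {alert['device']} opened {alert['resource']}")
    for user, reasons in result["identity_anomalies"].items():
        print(f"IDENTITY REVIEW: {user}: " + "; ".join(reasons))
```

Two things are worth noting. The decoy alert fires on an allowed request: the thief holds valid credentials, so policy cannot stop the first access, but the decoy turns that access into an immediate, low-noise signal. And because every request is a user-to-application event at the connector rather than a packet on a flat network, the log alone is enough to see that the problem is the identity (one user, two devices, a burst of denials) rather than a host.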
Preventative security: Employ automation early in the process
Remediating an attack that has already occurred is a business disruption, so it makes sense to apply automation early, as a preventative measure, rather than only in response.
“We've added a lot of automation to many of the segmentation efforts that we've known were important for a long time, but have just not been technologically feasible. And I think those are the two biggest impacts we've had on our cyber defenses,” said Moldenhauer about the Zscaler zero trust solution and how it relates to private application connectivity.
As former customers, Moldenhauer and Kubiatowski know what it’s like to be daunted by the prospect of engaging in network segmentation and taking the plunge anyway. Both have experience implementing zero trust transformations at their former companies.
“You will find things that your organization has done that may have been the best decisions at the time but don’t work for you any longer. If you find the right technology partner and the right technology, you will be able to unwind the complexities of the past very simply and move forward tactically,” said Kubiatowski.