Post Content
Without question, zero trust is rapidly capturing the attention of organizations and public bodies around the world–and for good reason. For the past 30+ years, the focus for security has been on the inherently open nature of computer networks by deploying firewalls and other security products. VPNs are prevalent to this day, providing a secure tunnel between sites and between remote workers and their applications.
Unfortunately, this approach has run its course and is no longer sufficient to protect against the ever-growing threat of cyberattacks and associated ransom demands. Every security breach you read about affects a company using firewalls and VPNs. It only takes one breach, either through misconfiguration or social engineering, to allow an attacker into the network, where they can then roam, inflict damage, and steal data.
It’s just too risky. Enter the zero trust approach, which is based on the rule that you never trust, always verify, and connect only what is permitted on a session-by-session basis. With a zero trust architecture in place, organizations can confidently move ahead with their hybrid worker, cloud app migration, and IoT/OT projects while also working with business partners or acquisitions.
The first question we encounter when starting a conversation on zero trust is where to start. With so much time and money invested in a network-centric security solution–still the vast majority of what’s deployed today–it can look overwhelming, disruptive even, and so inertia inevitably creeps in. And who can blame the IT department? They’re charged with the responsibility of providing an always-on network as well as securing company crown jewels.
The good news is that migrating to zero trust is a journey like any other, starting with simple steps that can be implemented over the top of existing infrastructure. One of the most common places to start that journey is with a Security Service Edge (SSE) rollout. There has been a lot of buzz around SASE, which includes additional networking capabilities, but today more companies are starting with SSE, given the relative ease of deploying on top of existing infrastructure to gain immediate security advantages.
The core elements of SSE are:
Zero Trust Network Architecture (ZTNA)
This alone can get you started on your zero trust journey. ZTNA focuses on connecting users to private company apps and resources, but only after a user’s identity and posture has been verified, and after policy has been checked. At Zscaler we call this Zscaler Private Access (ZPA).
Cloud Access Security Broker (CASB)
We all access public applications that sit on cloud services accessed over the internet, typically known as SaaS applications. The email application you’re using today is almost certainly using such a service. But when an employee is outside a controlled environment, working from home for example, how does the IT team control what public services can be accessed? The risk of misuse–using file sharing services, for example–is real and needs to be controlled. CASB applies an enforcement point to protect organizations from misuse of resources accessed over the internet.
Secure Web Gateway (SWG)
The secure web gateway sits between users and the internet, helping to protect them wherever they are, and by extension protects organizations from compromise of user devices. It’s protection that goes wherever the user and their device accesses the internet, providing a common experience and controls.
These solutions can be consumed separately, but combining them provides the advantage of reducing the number of point products and potential for configuration errors as well as ensuring a more consistent experience across an organization.
We were recently joined by Gartner’s Nat Smith, VP Analyst for Security for a joint presentation covering the journey to zero trust and SSE in particular. If you’re looking to get another perspective on the journey away from legacy network-centric architectures toward zero trust, this is an excellent, easy-to-follow overview.
Click here to listen to the on-demand recording