The New World of Hybrid Work Starts with Zero Trust
Deepen Desai serves as Chief Information Security Officer & VP of Security Research & Operations at Zscaler, where he is responsible for global security research operations and for ensuring that the Zscaler Zero Trust Exchange platform and services are secure. With over 15 years in cybersecurity, Desai holds a B.E. from South Gujarat University and an M.S. from San Jose State University.
Over the past decade, the way we operate enterprises has undergone a seismic shift: employees have become highly mobile in the way they work and live, applications are rapidly moving to the cloud (SaaS), and even our internal application workloads have migrated to public cloud infrastructure.
Worldwide, leading enterprises recognized the need to modernize their traditional security architecture to support the emerging cloud-first world, while many others retained their antiquated perimeter-based firewall architectures as they executed their cloud transformation journeys.
When the pandemic abruptly forced organizations to support nearly 100 percent of their workforces remotely, their legacy castle-and-moat architectures failed miserably, resulting in considerable security gaps and significant application performance challenges. At such organizations, IT and InfoSec teams struggled to enforce consistent security for all remote employees and to provide secure access to internal applications.
Zero trust answers the call
Realizing their trajectory was unsustainable, organizations have started fast-tracking their digital transformation journeys toward a cloud-native, proxy-based zero trust architecture that secures user devices and provides secure access to business applications, no matter where those applications reside.
In fact, most industry leaders agree that cloud-based zero trust security solutions provide the best combination of security and sustainability. Essentially, zero trust means trusting nothing, not even known users and devices, while inspecting and authenticating everything, including encrypted data.
Applying zero trust effectively requires devising and implementing a strategy that aligns with the cyber attack chain. This typically involves three distinct stages.
Stage 1: Attackers compromise an endpoint or asset that is exposed to the internet, whether the endpoint is a corporate-issued (managed) device or a personal (unmanaged) BYOD device.
Stage 2: Attackers propagate laterally across your network and underlying systems, performing reconnaissance and establishing a foothold.
Stage 3: Attackers take action to achieve their objectives, which often involves data exfiltration. A good example is ransomware, where stealing data and then threatening to publish it has become the common extortion technique.
Align your defenses
Your zero trust strategy will likely incorporate multiple components, including technology solutions that provide controls for each of the stages. Let’s review the three pillars you need for aligning your controls to holistically reduce business risk:
Prevent compromise. Protect your users, servers, workloads, cloud environments, IoT/IIoT devices, and Operational Technology (OT) systems by minimizing your external attack surface, wherever those systems reside in your infrastructure, and by inspecting all traffic to and from them, including SSL inspection. The goal here is to stop malicious traffic, including zero-day exploits, from reaching your environment.
Prevent lateral movement. Stop attackers who do compromise a system from moving within your environment by implementing user-to-app and app-to-app segmentation. A true zero trust architecture ensures that you are not placing users on the same network as your critical applications. Instead, it uses context to authenticate a user and provides direct access only to the authorized application. This eliminates lateral propagation from a compromised endpoint, a common entry point that has led to large-scale breaches in organizations relying on legacy VPN solutions.
Prevent data theft. Most attackers are after your data. Once they have established a foothold in your environment, attackers will attempt to exfiltrate sensitive data over an encrypted (HTTPS) channel. Prevent such theft with an inline data loss prevention solution that can apply custom dictionaries, exact data match, and content and contextual controls to inspect all internet-bound traffic, including encrypted traffic.
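To make the second and third pillars concrete, here is a small policy decision point written for this article as an added example (it is not Zscaler's code and does not model any product API). It shows user-to-app segmentation driven by context, with no shared "on the network" state to inherit and default deny for any app without a policy, followed by an inline DLP pass over the request body using a custom dictionary and hashed exact-data-match fingerprints. The payload is assumed to have already been decrypted by the inspecting proxy; the policies, groups, dictionary terms and customer IDs are constructed sample data.

```python
"""Added example: context-based user-to-app access plus inline DLP (exact data match
and custom dictionary). Not Zscaler's code; all names and sample data are constructed."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """What the policy engine knows about the request, independent of any network location."""
    user: str
    groups: frozenset
    device_managed: bool      # corporate-issued vs BYOD
    device_compliant: bool    # e.g. disk encryption on, EDR running (assumed posture check)
    mfa_verified: bool


@dataclass(frozen=True)
class AppPolicy:
    """Per-application entitlement; the app is never reachable without passing it."""
    app: str
    allowed_groups: frozenset
    require_managed: bool = True
    require_mfa: bool = True


# Constructed policies: the finance app is restricted to managed devices, the wiki is not.
POLICIES = {
    "finance-app": AppPolicy("finance-app", frozenset({"finance"})),
    "wiki": AppPolicy("wiki", frozenset({"staff", "finance"}), require_managed=False),
}


def decide_access(ctx: Context, policy: AppPolicy) -> tuple:
    """Evaluate one user-to-app request against identity and device posture."""
    if policy.require_mfa and not ctx.mfa_verified:
        return False, "mfa required"
    if policy.require_managed and not ctx.device_managed:
        return False, "unmanaged device"
    if not ctx.device_compliant:
        return False, "device not compliant"
    if not (ctx.groups & policy.allowed_groups):
        return False, "user not entitled to app"
    return True, "allow"


def fingerprint(value: str) -> str:
    """Exact data match: the inspection point holds only hashes of the sensitive values,
    never the values themselves (normalised so case and padding do not evade the match)."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


# Constructed EDM index, e.g. customer IDs exported from the system of record.
EDM_FINGERPRINTS = {fingerprint(v) for v in ("CUST-48213", "CUST-77109")}

# Constructed custom dictionary of phrases that must not leave the organisation.
DICTIONARY = ("confidential", "project falcon")

TOKEN_RE = re.compile(r"[A-Za-z0-9-]+")


def inspect_payload(text: str) -> list:
    """Return DLP findings for an (already decrypted) outbound payload."""
    findings = []
    lower = text.lower()
    for term in DICTIONARY:
        if term in lower:
            findings.append(f"dictionary:{term}")
    for token in TOKEN_RE.findall(text):
        if fingerprint(token) in EDM_FINGERPRINTS:
            findings.append(f"edm:{token}")
    return findings


def enforce(ctx: Context, app: str, payload: str) -> tuple:
    """Full inline decision: segmentation first, then DLP on whatever is allowed through."""
    policy = POLICIES.get(app)
    if policy is None:
        return "block", "no policy for app"      # default deny
    allowed, reason = decide_access(ctx, policy)
    if not allowed:
        return "block", reason
    findings = inspect_payload(payload)
    if findings:
        return "block", "dlp:" + ",".join(findings)
    return "allow", "clean"


if __name__ == "__main__":
    alice = Context("alice", frozenset({"finance"}), True, True, True)
    bob = Context("bob", frozenset({"finance"}), False, True, True)   # BYOD laptop
    print(enforce(alice, "finance-app", "quarterly numbers attached"))
    print(enforce(bob, "finance-app", "quarterly numbers attached"))
    print(enforce(alice, "finance-app", "export for cust-48213 attached"))
```

The ordering is deliberate: a request that fails segmentation is dropped before any content is inspected, so the DLP engine only ever sees traffic from an authenticated user on a device that is entitled to that specific application.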
Leveraging zero trust access for hybrid work
In the context of hybrid work, a vital component of any zero trust environment is a technology solution that provides secure application access. The most advanced solutions reduce exposure points and commonly known attack surfaces in the first place, and include capabilities such as AI-powered sandboxing, to identify and quarantine patient-zero attacks in real time, and microsegmentation, to prevent lateral threat movement should a device be compromised. Of course, inspecting encrypted traffic is also critical, including HTTPS, SSL and TLS.
You will need a zero trust solution that protects both internet and private application traffic while giving your IT team insight into user experience, so that your hybrid workers can stay productive. Like the prevention pillars, all three of the following capabilities are critical for optimizing hybrid work.
Protection for SaaS application and internet access with a platform that connects users and devices to your SaaS applications, rather than to the network, preventing lateral movement of infections while making users and applications invisible to external threats.
Protection for private application access that operates with all the same features as the SaaS and internet solution, but protects access to applications that run in your data center or on public clouds. Most importantly, a private access solution should be VPN-free, which not only eliminates attack surfaces and lateral threat movement but also significantly reduces IT department overhead.
The best private access solutions share a lightweight agent with your public (SaaS) solution. This speeds deployment and reduces infrastructure complexity while boosting security and device performance.
Advanced tools for addressing user experience that provide granular, real-time information about performance from the user's perspective. This includes insight into application, network and endpoint device health to determine the true origin of an issue, for example identifying a specific setting on a user's home internet connection as the culprit rather than wrongly attributing the problem to your network.
Regardless of which specific zero trust solutions you select for enabling hybrid work, the key is ensuring they holistically address the three attack stages. Other pluses include tight integration with your cloud platforms and SaaS applications, as well as global points of presence to reduce the latency caused by distant connections. Keeping all of these factors in mind will help you choose solutions that keep your data secure, your users productive, and your IT overhead low.