Presented by Zscaler
For the past three decades, organizations have built and optimized complex, wide-area, hub-and-spoke networks, connecting users and branches to the data center through private networks. To access an application, users had to be on the trusted network. These hub-and-spoke networks were secured with stacks of devices, such as VPNs and firewalls, in a “castle and moat” security architecture. This served organizations well when their applications resided in their data centers, but today users are more mobile than ever and securing them can be a challenge.
Organizations are driving digital transformation – embracing cloud, mobility, AI, IoT and OT technologies to become more agile and competitive. Users are everywhere and data and applications are no longer in data centers. For fast and productive collaboration, they want instant access to apps anytime, anywhere. Therefore, it no longer makes sense to route traffic back to the data center to securely reach these applications in the cloud.
All this is why organizations are moving away from hub-and-spoke networks in favor of direct connectivity to the cloud, using the Internet as the new network.
Traditional hub-and-spoke networks place everything in the network – users, applications, and devices – on a single plane. While this gives your users easy access to applications, it gives the same easy access to any infected machine. Unfortunately, as cyberattacks become more sophisticated and users work from anywhere, perimeter-based security using VPNs and firewalls cannot secure the network or provide a good user experience.
As a result, cyber attackers can penetrate organizations and cause significant damage in four steps:
Step 1: They find your attack surface. Any Internet-facing firewall — whether in a data center, cloud, or branch office — is an attack surface that can be discovered and exploited.
Step 2: They compromise you. Attackers bypass conventional detection and enter the network through the attack surface (e.g. VPN, firewall) or by tricking users with malicious content.
Step 3: They move sideways. Once inside, attackers move laterally through the network, locating valuable targets for ransomware and other attacks.
Step 4: They steal your data. After exploiting valuable assets, they leverage trusted SaaS, IaaS, and PaaS solutions to build backchannels and exfiltrate the data.
Introducing zero trust architecture
Legacy network and security architectures pose some pervasive, long-standing challenges that force us to rethink how connectivity is delivered in our modern world. To realize the vision of a secure hybrid workplace, organizations must move away from castle-and-moat security to a zero-trust architecture that ensures fast, instant access to applications anytime, anywhere.
Zero trust starts with the assumption that everything on the network is hostile or compromised: access to an application is not granted until the user's identity, the device's health and the business context have been verified and the applicable policy has been evaluated. In this model, all traffic must be logged and inspected, which requires a level of visibility that traditional perimeter controls do not provide.
A zero trust architecture is expressly designed to minimize the attack surface, prevent lateral movement of threats, and reduce the risk of breaches. It is best implemented with a proxy-based architecture that connects users directly to applications rather than the network, so that additional checks can be applied before allowing or blocking connections.
To ensure that implicit trust is never granted, a successful zero trust architecture puts each connection through a series of checks before a connection is established. This is a three step process:
- Verify identity and context. When a user, workload, or device requests a connection, the zero trust architecture first terminates that connection at the proxy (it is never passed through to the network) and then determines who is connecting, in what context, and to which application.
- Control risk. The zero trust architecture then evaluates the risk of the connection request and inspects the traffic for cyberthreats and sensitive data.
- Enforce policy. Finally, the policy is enforced on a per-session basis to determine what action to take regarding the requested connection.
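The three steps above can be read as a per-session policy decision point: every request is verified, scored and decided on its own, with no implicit trust carried over from the network or from an earlier session. The following is an added illustration, not Zscaler code; the groups, applications, risk weights, the 70-point denial threshold and the sample requests are all constructed for the example.

```python
"""Per-session zero trust policy decision point (added example, not Zscaler code).

Models the three checks described in the text: verify identity and context,
control risk, enforce policy. Every name, weight and threshold below is an
assumption made for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str                     # identity asserted by the IdP (authentication already done)
    mfa: bool                     # IdP reports a completed MFA step
    device_id: str
    device_managed: bool          # enrolled in MDM/EDR
    disk_encrypted: bool
    os_patched: bool
    app: str                      # the application asked for, never a subnet or VLAN
    src_country: str
    carries_sensitive_data: bool  # result of inline content inspection (DLP)
    malware_detected: bool        # result of inline threat inspection


# Constructed entitlements: access is granted per application, not per network.
APP_ACCESS = {"hr-portal": {"hr", "executives"}, "git": {"engineering"}, "crm": {"sales", "executives"}}
USER_GROUPS = {"alice": {"engineering"}, "bob": {"hr"}, "carol": {"sales"}}
ALLOWED_COUNTRIES = {"US", "DE", "IN"}
RISK_DENY_THRESHOLD = 70  # assumed cut-off; anything at or above it is denied


def verify_identity_and_context(req: Request) -> str | None:
    """Step 1: who is connecting, and to which app. Returns a denial reason or None."""
    if req.user not in USER_GROUPS:
        return "unknown identity"
    if not req.mfa:
        return "MFA not completed"
    if req.app not in APP_ACCESS:
        return "unknown application"          # default deny: no implicit trust
    if not USER_GROUPS[req.user] & APP_ACCESS[req.app]:
        return f"{req.user} is not entitled to {req.app}"
    return None


def control_risk(req: Request) -> tuple[int, list[str]]:
    """Step 2: score device posture and location, and apply the inline inspection verdicts."""
    if req.malware_detected:
        return 100, ["malware detected in traffic"]
    score, reasons = 0, []
    checks = [
        (not req.device_managed, 40, "unmanaged device"),
        (not req.disk_encrypted, 20, "disk not encrypted"),
        (not req.os_patched, 20, "OS not patched"),
        (req.src_country not in ALLOWED_COUNTRIES, 30, f"unexpected source country {req.src_country}"),
    ]
    for failed, weight, reason in checks:
        if failed:
            score += weight
            reasons.append(reason)
    return score, reasons


def enforce_policy(req: Request) -> tuple[str, str]:
    """Step 3: per-session decision ('allow' | 'restrict' | 'deny', reason).

    All three steps run for every request; nothing is remembered from earlier sessions.
    """
    reason = verify_identity_and_context(req)
    if reason is not None:
        return "deny", reason
    score, reasons = control_risk(req)
    if score >= RISK_DENY_THRESHOLD:
        return "deny", f"risk score {score}: " + ", ".join(reasons)
    if req.carries_sensitive_data and score > 0:
        # Sensitive content on a device that fails some posture check: let the session
        # proceed but restrict it (e.g. read-only / no download) rather than grant full access.
        return "restrict", "sensitive data on non-compliant device: " + ", ".join(reasons)
    return "allow", f"connected to {req.app} only (risk score {score})"


def sample_requests() -> dict[str, Request]:
    """Constructed requests for the demo; not captured traffic."""
    base = dict(mfa=True, device_managed=True, disk_encrypted=True, os_patched=True,
                src_country="US", carries_sensitive_data=False, malware_detected=False)
    return {
        "engineer to git": Request(user="alice", device_id="lap-01", app="git", **base),
        "engineer to hr-portal": Request(user="alice", device_id="lap-01", app="hr-portal", **base),
        "no mfa": Request(user="bob", device_id="lap-02", app="hr-portal", **{**base, "mfa": False}),
        "risky device abroad": Request(user="carol", device_id="byod-07", app="crm",
                                       **{**base, "device_managed": False, "disk_encrypted": False,
                                          "os_patched": False, "src_country": "XX"}),
        "sensitive data, unpatched": Request(user="bob", device_id="lap-02", app="hr-portal",
                                             **{**base, "os_patched": False, "carries_sensitive_data": True}),
        "malware in session": Request(user="alice", device_id="lap-01", app="git",
                                      **{**base, "malware_detected": True}),
    }


def evaluate_all() -> dict[str, str]:
    """Decision (action only) for each sample request."""
    return {name: enforce_policy(req)[0] for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, req in sample_requests().items():
        action, reason = enforce_policy(req)
        print(f"{name:28} -> {action:8} {reason}")
```

Two design choices carry the zero trust point: the entitlement check is keyed on the application name, so an "allow" never grants reach into a network segment, and the decision is recomputed from scratch per request, so a device that drifts out of compliance mid-day loses access on its next connection rather than riding on a session it opened earlier.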
The Zscaler Zero Trust Exchange: The one and only zero trust platform
Zscaler is a pioneer in zero trust security, helping organizations worldwide secure their digital transformation with the Zscaler Zero Trust Exchange. This integrated services platform provides comprehensive cyber threat protection and connectivity capabilities that enable organizations of all sizes to achieve a fast, reliable, and easy-to-manage zero trust architecture while avoiding the cost and complexity of individual products.
Become a zero trust expert
Learn about the core principles of zero trust and grow your career with the Zscaler Zero Trust Certified Architect program. ZTCA is the industry’s first comprehensive zero trust certification, designed to help network and security professionals establish and implement a zero trust strategy in their organizations.
Get Zero Trust Certified today.
Amit Chaudhry is Senior Director, Product and Portfolio at Zscaler.
Sponsored Articles are content produced by a company that pays for the post or has a business relationship with VentureBeat, and they are always clearly marked. For more information, please contact firstname.lastname@example.org.