Tailoring Your Zero Trust Transformation to Your Pain Points
Originally published by CXO REvolutionaries.
Written by Gary Parker, Field CTO - AMS, Zscaler.
Zero trust is often likened to a journey. And, as the proverb says, even a journey of a thousand miles begins with a single step.
But where to start? For better or for worse, there’s no single embarkation point for every zero trust transformation. In some organizations, it’s only the destination that’s clear – to become “zero trust” or to “secure the business.” But, rather than leaping for some ideal end-state from the outset, I urge the people I talk with to ask why they’re setting out to begin with.
Are you looking to reduce your exposure to attacks by shrinking your attack surface? Is there a network performance issue driving your digital transformation? Maybe you believe that your infrastructure overhead could be brought under control if there were only a better way to connect users with the assets they need to be productive.
By starting with a pain point, CXOs develop a better understanding of the initial steps in their transition to zero trust. From there, the path ahead becomes clearer with every incremental improvement.
So, in the spirit of addressing business obstacles with zero trust network architecture (ZTNA), start here if:
Users are suffering from a difficult remote work experience
Experienced CXOs know how quickly users will work around security solutions that negatively impact their online experience. So, when a user discovers that Microsoft 365 isn’t quite so slow to load when off the corporate VPN, you risk having entire groups discard the solution that was supposed to provide security in favor of a better experience.
Instead of using a VPN to route traffic from remote workers back to your corporate headquarters only to return it to Microsoft’s servers, consider addressing this situation with ZTNA. Connecting your applications direct to Microsoft 365 improves the user experience and, with zero trust, can be done securely via a cloud-based proxy. Many companies embraced VPNs during the COVID-19 pandemic as a means for remote-work enablement. But today they too often hamper workers’ productivity, either causing dissatisfaction or preventing their use.
You’re shopping for a suitable VPN replacement
Not only are VPNs prone to negatively affecting the user experience, they also require hardware that's expensive to buy and maintain. It only makes sense to spend potentially millions of dollars on VPN concentrator appliances to funnel traffic through a central location if there’s no viable alternative.
But ZTNA is that viable alternative. And it doesn’t rely on backhauling all network traffic through the corporate data center. Through a single lightweight agent on the device, ZTNA allows internet, SaaS, and other cloud-bound traffic to connect directly to the source based on policies configured by the organization, with no expensive infrastructure required.
You’re looking to replace a proxy
Again, funneling application traffic back through the data center before sending it on to the open internet both makes for a poor user experience and taxes infrastructure. Traffic growth may require that hardware be scaled up or replaced periodically to keep up. Either can be an expensive undertaking – and one that can be completely avoided by embracing ZTNA.
With ZTNA, policies created to govern on-network users follow them wherever they go, without the need for backhauling traffic. Edge gateways are capable of acting as a proxy for traffic both on and off the corporate network, and policies can be tailored to each user, IoT/OT device, and workload as appropriate.
You need to protect business-critical applications
If they’re not yet, categorizing and securing mission-critical assets is an ideal early-stage use case for ZTNA. A mission-critical asset can be defined as one that, if it were to stop working, your business would also stop working. Obviously, these require greater attention. Chances are your organization has only a handful of applications warranting this status, and they should be relatively easy to identify.
What about securing them? ZTNA again makes this comparatively straightforward. With ZTNA, you can:
- Place these assets behind secure web gateways where they can be closely monitored, including by data loss prevention (DLP) tools that can prevent the exfiltration of sensitive information like intellectual property
- Ensure these apps are invisible to the open internet by allowing only inside-out connections originating from cloud-based zero trust architecture
- Design strict access controls to enforce the principle of least privilege based on who needs access to what
Many organizations choose to begin their zero trust transformations with app segmentation since the need is pressing and the practice makes for a good foundation for additional steps toward zero trust.
You want to secure cloud-native applications
With legacy network architecture, cloud instances are assigned an IP address that is discoverable from the open internet. As a result, malicious actors can probe those instances for vulnerabilities, make use of stolen credentials, or execute DDoS attacks.
Edge gateways designed for popular public clouds like AWS and Azure allow organizations to isolate workloads and applications to limit who can access them. Connectivity can be allowed on a per-policy basis, and assets are effectively invisible to the open internet. This keeps cybercriminals from using any single application or workload as a beachhead from which to move laterally throughout a network.
Take your single step
In summary, if you’re unsure of where to start on your zero trust journey, start with the rock in your shoe – that issue that causes you pain every step of the way – and keep going from there. By focussing on this initial step, you’ll be overcoming business hurdles from the outset rather than selling some abstract notion of transformation to peers and superiors. After solving the most immediate problem, move on to the next until the transformation is complete.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.