Partner POV: Zero Trust, Cloud-Based Anytime, Anywhere
In this partner contribution
This article was created and contributed by Zscaler.
Being connected to the internet 24/7/365 with high-speed communication networks is no longer a luxury—it's an expectation. Users expect to find the information we need, when we need it, with no interruption. But this begs a question: How do you enable users with the ability to access the data they need, when they need it without compromising your security?
You need a zero trust cloud solution, you need the Zscaler Cloud.
Zero trust architectures maintain strict access controls, trusting no one by default—even those already inside the network perimeter. That is why a cloud-based zero trust solution, such as the Zscaler Cloud, is the answer to giving users the security, mobility, access, and ease they need in the field.
The Zscaler Cloud provides users with secure access to the internet and internally managed applications. It is comprised of two services—Zscaler Private Access™ (ZPA™) and Zscaler Internet Access™ (ZIA™).
ZPA is a cloud service that provides zero trust, secure remote access to internal applications running in the cloud, or a private data center. With ZPA, applications are never exposed externally, making them completely stealth to unauthorized users. The service enables users to connect to critical applications via connections brokered in the Zscaler Cloud (or an on-premises extension) vs. extending the network to them.
Zero trust access is based on four key tenets:
- Application access no longer requires use of VPN or exposure of the backend network infrastructure.
- Inside-out connections ensure apps are stealth to unauthorized users.
- App segmentation, not network segmentation, connects users to a specific app and limits lateral movement.
- All traffic is secured via end-to-end encrypted TLS tunnels.
ZPA provides a simple, secure, and effective way to access internal applications. Access is hosted within the Zscaler Cloud and based on policies the IT admin creates within the ZPA Admin Portal. A piece of software called Client Connector is installed on each user device and helps validate the device's security posture.
Adjacent to an application running in the cloud, ZPA places a small piece of software called an App Connector, deployed as a virtual machine, which is used to extend a microtunnel out to the Zscaler cloud. The App Connector establishes an outbound connection to the cloud, and does not accept any inbound connection requests, thereby preventing DDoS attacks. Within the Zscaler cloud, a ZPA Public Service Edge approves access and stitches together the user-to-application connection. The Zscaler Cloud can also be extended within the theater via the ZPA Private Service Edge software component for efficient traffic engineering. ZPA has four key features that improve security while reducing cost and complexity and delivering a better user experience.
ZPA has four key features that improve security while reducing cost and complexity and delivering a better user experience.
- It is born in the cloud and is therefore highly scalable. For example, in response to the COVID-19 pandemic, the ZPA cloud expanded by more than 600 percent in a matter of weeks.
- It has the ability to operate for extended periods of time disconnected from the wide area network, thus supporting expeditionary missions in disadvantaged networking environments.
- It includes the capability to define granular application access based on identity without having to expose the backend infrastructure to end users. Applications are essentially invisible to any unauthorized user.
- It adheres to rigorous security, availability, and privacy standards, including but not limited to, ISO 27001, ISO 27018, ISO 27701, AICPA SOC 2, Type II, and FIPS 140-2. This means that Zscaler is meeting government requirements to provide a cloud-based security solution.
ZPA is 100-percent software-defined, so it requires no physical appliances and allows users to benefit from the cloud and mobility while maintaining the security of their applications.
ZIA is a secure internet and web gateway delivered as a service from the cloud. Think of it as a secure internet on-ramp—all you do is make Zscaler your next hop to the internet. This allows users to utilize any network to securely connect without being exposed to malicious threats.
ZIA sits between users and the internet, providing digital force protection and inspecting every byte of traffic inline—even traffic encrypted with SSL. It provides full protection from web and internet threats. With a cloud platform that supports cloud sandboxing, next-generation firewall, data loss prevention (DLP), and cloud application visibility and control, you can be assured that users won't be compromised by malicious content and sensitive information will not be exfiltrated.
This service is cloud-based and, as such, doesn't require any hardware to be deployed. Just point the internet connection to Zscaler and we will secure your communications while obfuscating your traffic's destination to the enemy.
This is important as it supports the ability for connectivity to be quickly established for an indefinite period of time and then be decommissioned and redeployed easily and securely.
Global cloud policies are critical for security because remote users are often outside the visibility and control of an enterprise.
One common byproduct of deploying, managing, and upgrading appliances for hundreds or thousands of remote users is unpredictable security capabilities. Often, remote sites have fewer controls. For example, they might not be able to scan all encrypted traffic or divert potential risks into a sandbox. As a result, security policies are applied unevenly.
A global cloud, such as Zscaler, eliminates all those variables and provides uniform security for all internet-bound traffic at all locations for all users. The cloud-based controls—a security stack in the cloud—means it's always available to inspect all traffic, as well as all ports and protocols. There is no difference in policy control on base or in the field. Consistent policies that are administered in the cloud improve security, regardless from where the user connects.
The ZIA global security cloud has a purpose-built architecture to enforce policies equally on all cloud traffic at all locations and for all users.
There is no need to worry about creating a new API to make other tools work. And Zscaler transcends operation systems. Out of the box, the Zscaler Cloud supports Microsoft, Apple, Android, and iOS endpoints, allowing access to everything you need.
That means seamless connectivity in any remote location. It also means the ability to have a standardized approach that makes sitting in any location accessing an application the same as if you were sitting back at headquarters.
They can be in a hybrid cloud, a public cloud, or their own private data center with cloud offerings, and Zscaler is the bridge that assists them moving back and forth.
Zscaler provides a robust and mature security as-a-service platform, but also leverages tight integration with industry partners to ensure that the service can be easily deployed and integrated. Zscaler performs some basic device posture checking as part of the ZPA service and takes that capability further through integration with endpoint detection and response (EDR) companies, such as CrowdStrike, Carbon Black, and SentinelOne.
By integrating with leading industry partners, Zscaler ensures that EDR capability is active on the endpoint before connecting a user to any resources.
ZIA and CrowdStrike also share threat intelligence between their clouds, meaning a threat signature that Zscaler detects anywhere around the world can be detected on an endpoint subscribed to the CrowdStrike Falcon service.
Zscaler also integrates with a variety of security information and event management (SIEM) vendors, such as Splunk, Elastic, ArcSight, and others, to make it easy for those solutions to ingest our real time streaming data.
GOVERNMENT CLOUD KEY BENEFITS
- Never place users on the network: Authorized users have access to specific private apps without the need to access the network, reducing the risk of lateral movement and the spread of ransomware.
- Segment by application, not network: Microtunnels enable network admins to segment by application with no need to segment networks or manage access control lists or firewall policies.
- Inside-out connectivity means apps are stealth: The service-initiated zero trust architecture ensures apps connect outbound to authorized users. IP addresses are never exposed, and DDoS is impossible.
- 100-percent cloud-delivered zero trust access service: Zero trust as a service allows for simple management, high availability, greater scale, and strong protection against DDoS attacks.
- Discover and secure shadow IT applications: Organizations gain visibility into previously undiscovered internal applications running in the data center or public cloud. Admins can set granular policies for discovered applications ensuring access is based on least-privilege.
The Zscaler Cloud platform provides a standardized way for everyone to securely access the compute resources they need. Users can access the information they need and are authorized to access without compromising the integrity of the underlying architecture's security itself. Regardless of whether the user is at headquarters, or out in the middle of the desert, they have a common methodology for accessing their information.