Zero Trust, Microsegmentation, and Cloud Security

The benefits of the cloud are seemingly endless. You can access it from anywhere, scalability is infinite, and any changes that you make are applied everywhere, instantaneously. But migrating to the cloud presents challenges with legacy architectures, particularly security appliances protecting application-to-application traffic. 

Applications can be hosted in the data center, in the cloud, or both. Regardless of where they live, they communicate with one another. This opens up a large attack surface because they’re constantly chatting with one another. In a traditional network-based security system (as opposed to a cloud-native, zero trust platform, such as Zscaler), if an attacker gains access to any part of the network, he or she can easily access the entire network.

Here’s how it works. Imagine a castle and a moat. The castle holds all the applications, the users, and the data. The moat is the perimeter of security appliances that protect the castle. If an attacker is able to break through the perimeter, it’s pretty easy to move stealthily within the castle, tipping over suits of armor, setting off cannons, and having sword fights.

Don’t trust anyone

Gartner identified the need to reduce the attack surface and change your environment to cope with the new landscape, calling it zero trust network access (ZTNA).

True ZTNA keeps users entirely off the corporate network and defines application access based on business policies. ZTNA eliminates the problem of excessive trust, which essentially allows a user to move across the network once access is granted. Instead, ZTNA is based on conditional access, which means that trust is constantly reassessed with changes in the user’s device and location or the application or data being requested. 

Think about it this way: You go into a bar, order a drink, and take a sip. Then you step away to go talk to a friend who just walked in. When you come back 10 minutes later, your drink looks the same, smells the same, and is in the exact same position. But you don’t drink it. Why? That is zero trust thinking—it's an instinct inside of all of us. We don’t automatically trust things just because we trusted them earlier. So why should your network? 

Separate checks, please

Another tool Gartner identified as necessary to protect the network is microsegmentation. What is that? Well, micro means small and segmentation means to divide. So, basically, you separate the castle into mini-castles and require authentication before one mini-castle can talk with another. Microsegmentation significantly shrinks your attack surface, because if an attacker is able to break in, the only thing accessible will be that one small piece of the network—not the entire network. 

Industry leaders agree that microsegmentation is critical to achieving the toughest security architecture. Unfortunately for enterprises, most microsegmentation tools are expensive, time-consuming, and a headache to deploy. Why? Because IT teams have to define hundreds, if not thousands, of access permissions to tell the software what’s permitted and what isn’t. This process can take months! 

Often, enterprises will allow application communication based on trusted IP addresses, ports, and protocols. They’ll make a list of things that are “safe” and allow that traffic to continue without inspection, making it an easy target for piggybacking malware to infect an environment. 

All too often, microsegmentation tools are left disabled—too expensive, too complicated, and too much of a headache. Sadly, the knights in shining armor are left to rust in the corner.

Keeps getting better

The team that built Zscaler Workload Segmentation recognized the importance of microsegmentation and saw a need for a simpler, more scalable solution. Zscaler Workload Segmentation limits malicious application-to-application movement in your network by using a cloud-delivered, automated microsegmentation solution. 

This solution learns your environment, recommends segments, and creates policies using artificial intelligence (AI), so IT teams don’t have to develop policies manually. It verifies the identity of all communicating software every time it tries to communicate. 

Permission is granted based on software identity instead of firewall rules, so nothing is assumed to be safe. If it can’t be verified, it can’t communicate with anything else. 

The Zscaler Workload Segmentation solution simplifies a process that usually takes months and reduces it to a matter of clicks. Finally, for the first time, zero trust is built into a microsegmentation solution. 

Zscaler Workload Segmentation strengthens the Zscaler ZTNA portfolio by offering customers a cloud-delivered, ZTNA security service for application-to-application traffic. In addition to securing user-to-application and user-to-internet traffic, Zscaler can now offer customers zero trust application-to-application access.

ZTNA all the time

When you picture microsegmentation and ZTNA working in tandem, you begin to see what a modern, multifaceted security solution looks like—infinitely scalable and flexible, with identical enforcement anywhere your workforce goes. 

After so much time working remotely from our micro-castles, many people are gazing fondly at the castle, wondering, when can we go back? Who knows? But, regardless of what happens, it’s best to future-proof your architecture with Zscaler.

Whitney Perry is a sales development representative at Zscaler.