Quest for real least-privileged access starts with

Editor’s note: The following contribution is from Dhawal Sharma, SVP, Product Management, Zscaler

Achieving least-privileged access, a core principle of zero trust architecture, challenges even the most ardent adopters. But every step you take to refine logical user groups, application clusters, and user-to-app maps reduces your attack surface and limits lateral spread if an attacker were to get into your environment. You’ll be far ahead of those still spinning their wheels in the old world of network segmentation and associated headaches.

Last month, in Amsterdam, I presented zero trust segmentation to executives at one of our CXO Exchange events. (Describing segmentation this way helps refer to many overlapping descriptors: intelligent segmentation, app segmentation, micro-segmentation, and user-to-app segmentation.)

I explained that most, if not all, organizations do not have a readily available and comprehensive catalog of every private application being used across their organization, making least-privileged access the basis for segmentation a non-starter, or a slow one. The solution is to start with a wildcard application segment.

With wildcards, you create an application segment that will essentially allow access to all applications for all your users. From this baseline, you can begin scrutinizing your user groups and better understand which are allowed to access which applications across your IT infrastructure. Like a sound engineer filtering frequencies through a 16-band equalizer, you too can fine-tune user and device access controls to unneeded or banned applications. A wildcard segment can then provide reporting about which users are accessing which applications, arming you with the information you need to create detailed segments.

In Zscaler Private Access (ZPA) these actions are called application discovery. Based on the user traffic across a wide range of applications, ZPA generates a discovered applications list that can be combined with user activity logging to gather granular context. This list is a non-intrusive collection with no scanning or active mechanisms; it’s simply a passive observation of user requests and destination applications.

Once you have your discovered apps, you can collaborate with the application owners to create granular application segment definitions and gradually phase out wildcard application segments.

Ready to take it a step further? Now layer in intelligence policies and AI recommendations.

User-to-app segmentation does away with large flat lists while enabling higher-quality data-driven decisions

When you know how many users were provisioned to get access to an app segment and can see how many were actually using it, you can make more accurate decisions. User access patterns can give you clarity on where you may be inadvertently overly permissive on certain app segments. You’ll know down to the individual username which app they should or should not be granted.

Under the hood, the AI/ML model logs, analyzes traffic patterns, and factors in SCIM attributes to discover or recommend new user-to-app segments depending on application similarity and/or user behavior. Once carried out in aggregate, enterprise-wide, you’ll see a reduction in the number of users in your policies, which means a net decrease in your attack surface and least-privileged access actualized.

There are many paths to a zero trust architecture. ZPA is a great way to help you move from network-based segmentation to a zero-trust approach using intelligent application segments and access policies.

Lastly, with our intent to acquire Airgap Networks, we’ve added yet another segmentation method. Its agentless segmentation technology covers east-west traffic on LANs, including branches, campuses, factories, and data centers.