What is Zero Trust? Although Zero Trust offers a host of benefits for enterprises, many companies struggle to figure out where and how to start. For the uninitiated, Zero Trust can be overwhelming. Cyber Protection Magazine spoke with Nathan Howe, Vice President of Emerging Technologies at Zscaler, about Zero Trust. In this conversation, he runs down the basics of Zero Trust on-premises and how to navigate the early implementation stages.
Cyber Protection Magazine: Zero Trust starts with the architecture – what does that mean?
Nathan Howe: Architecture is key for the success of any digital transformation project. More precisely, the architectural set-up has to be built out properly before application or security transformation can take place. Companies must recognize that they should not treat application transformation to the cloud in isolation, and the same holds true for transforming security to a Zero Trust model.
Companies should consider the four pillars: user, applications, networks and processes for any transformation project. If apps are moved to the cloud, but the user is not happy with the experience accessing these applications, something went wrong. Taking shortcuts by only transforming a siloed part of the picture won’t lead to the desired result in most cases. Therefore, considering a cloud-first approach to connectivity and security is an enabler of transformation, and this is where Zero Trust becomes relevant.
Cyber Protection Magazine: What are your recommendations for starting a Zero Trust journey?
Nathan Howe: With Zero Trust solutions the sticking point is understanding how to correctly categorize what we call the ‘least privileged access of users’. Essentially, where is my user authorized to have access? IT departments have to start from scratch evaluating the applications, where a specific user needs access permission and where those applications are located in order to establish a secure connection.
They also need to have clarity on the source and the destination of a connection in multi-cloud scenarios to be able to stitch both ends together via a secure tunnel.
As both ends have identities, this is the foundation of the decision whether a connection can be established or not. This may sound complicated, but organizations can benefit from the current working-from-home situation, as their existing identity solutions will already provide much of this information.
Cyber Protection Magazine: Can IT teams take advantage of the pandemic when modernizing their infrastructures?
Nathan Howe: To decide about allowed sources to destination connections, one needs to have categorization at both ends. The best place to start is with the users, and then differentiate applications to group them together as workloads. Based on categorization enterprises can address different layers of Zero Trust.
However, the IT team must start somewhere to establish these categories. When getting clarity on the applications in use, the reality is that a majority of users are working remotely and are no longer on the network, which is actually a benefit. This presents a good opportunity to figure out which parts of the infrastructure are not being used and, conversely, which parts of the infrastructure are vital.
Cyber Protection Magazine: Automation can help with Zero Trust. How can your ecosystem of partners facilitate the job?
Nathan Howe: Automation and machine learning can really smooth the path of entry into the Zero Trust space. This is where machine learning comes into play. To give a few examples, there can be policies for newly discovered services or for revoking user access based on time settings. Machine learning enhancements also enable auto-segmentation of application workloads.
These innovations reduce the time it takes to set policies and simplify micro-segmentation – freeing up time for IT teams to focus on other projects. A key requirement for any Zero Trust project is to have full visibility into what’s happening on your network, and automation is part of the puzzle to overcome the initial complexity. Machine learning comes in handy to facilitate the orchestration layer that enables companies to set the criteria where to start.
Cyber Protection Magazine: Zero Trust was originally positioned as a way to secure remote access. How do you now facilitate Zero Trust on-premises?
Nathan Howe: Before Covid-19, the biggest challenge for enterprises was understanding the requirements of the ‘work from anywhere user’, such as how many people the IT department needs to consider for VPN-solutions.
Only when everybody was forced into a working from home scenario did the specialists quickly realize that all their capacity calculations for bandwidth and VPN licenses were obsolete, and even if applications had moved to the cloud, the connectivity to access these apps via traditional networks was the bottleneck.
This explains the increased popularity of Zero Trust based models over the last year. With a direct connection from the user to their applications without relying on the network, performance and security issues could be tackled concurrently.
Although Zero Trust was largely adopted as a solution for remote work, it doesn’t cease to be relevant once employees start heading back into the office. Enterprises have the opportunity to provide users the same frictionless and secure access to applications, whether they’re in the office or anywhere else.
Cyber Protection Magazine: Any parting words of advice on Zero Trust?
Nathan Howe: I'll just repeat my starting message: It may look like a huge project to transform security, but it shouldn't be looked at in isolation. Rather, it must be part of a larger transformation strategy. Companies have to start somewhere, and one place to start is our Zero Trust Exchange Platform, which helps businesses to kickstart and then accelerate their transformation journeys.