Zscaler Blog


Charting the Path to Zero Trust


Digital transformation is a journey, and much like any adventure, a bit of preparation can go a long way in ensuring a successful outcome. Getting ready for any adventure must include determining where you want to go, the best path to get there, and gathering or acquiring the equipment, services, and supplies you need to support you along the way. 

An IT transformation journey typically begins with application transformation, where organizations move applications out of the data center and into the cloud. Network transformation then becomes necessary so that users can reach applications that are now widely dispersed, moving from a hub-and-spoke network architecture to a direct connectivity approach. This in turn drives a need for security transformation, where organizations shift from a castle-and-moat security approach to a zero trust architecture. While the order mentioned above is typical, it is certainly not the only way. You can begin your zero trust journey wherever you feel most comfortable or prepared. If beginning with security transformation before app transformation makes more sense for your organization, you can start from there.

 

Assessing your equipment

Castle-and-moat security architectures, which leveraged firewalls, VPNs, and centralized stacks of security appliances, worked well when applications lived in the data center and users worked from the office. It was the right equipment for the job at the time. But today, your workforce works from everywhere, and your applications have moved out of the data center and into public clouds, SaaS, and the internet. Those firewalls, VPNs, and legacy security hardware stacks have served out their useful lives, but they are not designed to meet the needs of today’s highly distributed business.

To access applications, VPNs and firewalls must connect users to the network, essentially extending the network to all your remote users, devices, and locations. This puts your organization at greater risk by providing attackers more opportunities to compromise users, devices, and workloads, and move laterally to reach high-value assets, extract sensitive data, and inflict damage on your business. Protecting your highly distributed users, data, and applications requires a new approach.

 

Mapping out the best route

When it comes to security transformation, innovative leaders are turning to zero trust. Unlike perimeter-based security approaches that rely on firewalls and implicit trust and provide broad access once trust is established, zero trust is a holistic approach to security based upon the principle of least-privileged access and the idea that no user, device, or workload should be inherently trusted. It begins with the assumption that everything is hostile, and grants access only after identity and context are verified and policy checks are enforced.

Achieving true zero trust requires more than pushing firewalls to the cloud. It requires a new architecture, born in the cloud and delivered natively through the cloud, to securely connect users, devices, and workloads to applications without connecting them to the network. Forward-thinking organizations are turning to the Zscaler Zero Trust Exchange to guide them on their path to true zero trust.

 

Embarking on your zero trust journey: 7 essential elements to consider before you depart

As with any significant journey, it is helpful to break your journey to zero trust into various legs that clearly define the path, while keeping the ultimate destination in mind. The unique approach of the Zero Trust Exchange uses seven essential elements to dynamically and continuously assess risk and securely broker communications over any network, from any location. 

Using these seven elements, your organization can implement true zero trust to eliminate your attack surface, prevent the lateral movement of threats, and protect your business against compromise and data loss. 

The seven elements can be grouped into three sections:

  • Verify identity and context
  • Control content and access
  • Enforce policy

Let’s take a closer look. 


 

Verify identity and context

The adventure begins when a connection is requested. The zero trust architecture will begin by terminating the connection and verifying identity and context. It looks at the who, what, and where of the requested connection. 

1. Who is connecting? – The first essential element is to verify the user/device, IoT/OT device, or workload identity. This is achieved through integrations with third-party identity providers (IdPs) as part of an enterprise identity and access management (IAM) provider.

2. What is the access context? – Next, the solution must validate the context of the connection requester by looking into details such as the role, responsibility, time of day, location, device type, and circumstances of the request. 

3. Where is the connection going? – The Zero Trust Exchange confirms that the identity owner has the rights and meets the required context to access the application or resource based on entity-to-resource segmentation rules, the cornerstone of zero trust.

 

Control content and access

After verifying identity and context, the zero trust architecture evaluates the risk associated with the requested connection and inspects traffic to protect against cyberthreats and the loss of sensitive data.

4. Assess risk – The Zero Trust Exchange leverages AI to dynamically compute a risk score. Factors including device posture, threats, destination, behavior, and policy are continually evaluated throughout the life of the connection to ensure the risk score remains up to date.

5. Prevent compromise – To identify and block malicious content and prevent compromise, the Zero Trust Exchange decrypts traffic inline and leverages deep content inspection of entity-to-resource traffic at scale.  

6. Prevent data loss – Outbound traffic is decrypted and inspected to identify sensitive data and prevent its exfiltration using inline controls or by isolating access within a controlled environment.

 

Enforce policy

Before reaching the end of the journey and ultimately establishing a connection to the requested internal or external application, one final element must be implemented: enforcing policy.

7. Enforce policy – Using the outputs of the previous elements, this element determines what action to take regarding the requested connection. The end goal is not a simple pass/not pass decision. Instead, the Zero Trust Exchange constantly and uniformly applies policy on a per-session basis, regardless of location or enforcement point, to provide granular controls that ultimately result in a conditional allow or conditional block decision.

Once an allow decision is reached, the Zero Trust Exchange establishes a secure connection to the internet, SaaS app, or internal application.
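The seven elements above can be read as one decision pipeline. The sketch below is an added illustration, not Zscaler code or the Zero Trust Exchange API: the segmentation table, the trusted-country list, the additive risk score (a stand-in for the AI-computed score), and the thresholds are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed entity-to-resource segmentation rules (element 3): role -> apps.
SEGMENTS = {"finance": {"erp", "payroll"}, "engineer": {"git", "ci"}}
TRUSTED_COUNTRIES = {"US", "DE"}  # constructed context rule (element 2)

@dataclass
class Session:
    user: str
    idp_verified: bool            # element 1: identity asserted by the IdP
    role: str                     # element 2: context attributes
    country: str
    device_managed: bool
    app: str                      # element 3: requested destination
    threat_found: bool = False    # element 5: inline inspection verdict
    sensitive_data: bool = False  # element 6: DLP verdict on outbound data

def risk_score(s: Session) -> int:
    """Element 4: toy additive score standing in for a dynamic risk engine."""
    score = 0 if s.device_managed else 40
    if s.country not in TRUSTED_COUNTRIES:
        score += 30
    return score

def decide(s: Session) -> tuple[str, str]:
    """Element 7: turn the outputs of elements 1-6 into (action, reason)."""
    if not s.idp_verified:
        return "block", "identity not verified"
    if s.app not in SEGMENTS.get(s.role, set()):
        return "block", "no segmentation rule grants this role the app"
    if s.threat_found:
        return "block", "malicious content detected inline"
    risk = risk_score(s)
    if risk >= 70:
        return "block", f"risk score {risk}"
    if s.sensitive_data or risk >= 40:
        return "conditional_allow", "isolated session, downloads disabled"
    return "allow", "all checks passed"

def demo() -> list[str]:
    """Re-evaluate one session as its context changes mid-connection."""
    s = Session("alice", True, "finance", "US", True, "erp")
    actions = [decide(s)[0]]
    s.device_managed = False      # posture degrades during the session
    actions.append(decide(s)[0])
    s.country = "ZZ"              # constructed untrusted location
    actions.append(decide(s)[0])
    return actions

if __name__ == "__main__":
    print(demo())
```

Because the decision is recomputed per session rather than once at login, the same user and application move from allow to an isolated session to block as posture and location change.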

 

Securely reaching your destination

Navigating your journey to zero trust can be a perilous task if you are attempting to do so using legacy equipment that is not designed for the journey you are currently undertaking. While finding a solution that enables true zero trust may at first seem daunting, begin where it makes the most sense for your organization, and let the seven elements outlined above serve as your guide. Only a true cloud-native zero trust platform, like the Zscaler Zero Trust Exchange, can uniquely apply these seven elements to eliminate your attack surface, prevent the lateral movement of threats, and prevent cyberthreats and data loss, while securely connecting users, devices, and workloads to applications on any network, from any location.

To explore each of the seven elements in more depth and to understand the technologies, requirements, and architectural considerations, download our complimentary ebook, “The Seven Elements of Highly Successful Zero Trust Architecture,” and visit our Seven Elements of Zero Trust webpage today.
