One of the biggest trends in IT modernization is the move of applications to the cloud - bringing elastic scale, resilience, and any time/anywhere/any device access. The first wave of migration, to software as a service (SaaS), enabled agencies to move common functions to public cloud platforms. Now, internal applications - those not suitable to be publicly exposed - are migrating to reliable, scalable infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) environments on leading cloud providers, such as Amazon Web Services (AWS).
As federal agencies work to secure this increasingly complex hybrid application environment, they are looking to deploy new approaches. One of them is zero trust network access (ZTNA), a modern, direct-to-cloud approach that allows agencies to eliminate unauthorized access to data and services while easily monitoring and controlling the IT environment.
On a recent webinar with John McKinnon, Worldwide Public Sector Partner Development and Global Telecom Alliances Manager at AWS, we discussed how agencies can leverage a zero trust architecture to modernize their infrastructure, what to consider when looking to adopt a zero trust architecture, and how zero trust-based solutions provide improved security and user experience to organizations. The new NIST Special Publication on zero trust architecture provides several helpful key design principles and is a good resource for evaluating ZTNA solutions.
As users migrate off-premises and applications migrate to the cloud, traditional network-centric security and access controls are not flexible enough to scale up or down to the agencies’ specific needs. Users should not have to determine whether they need to be on a virtual private network (VPN) or identify to which VPN gateway they need to connect to access private applications. Instead, a cloud-enabled zero trust solution provides seamless access across multiple environments, offering centralized configuration and monitoring with distributed, consistent, direct connectivity to applications in the data center as well as in cloud environments.
ZTNA provides full visibility and granular policies that follow the user, granting access only to authorized applications to eliminate lateral movement and reduce the risk of a breach. From a security standpoint, since users’ devices are never placed on the network, administrators have full visibility and control to continually ensure only authorized users have access. This reduces management overhead for configuration and troubleshooting, as well as time spent consolidating multiple logs. As agencies’ applications migrate from the data center to the cloud, ZTNA can offer an improved user experience to streamline IT modernization, and IT administrators can write security policies based on their agencies’ business policies.
ZTNA follows several fundamental tenets. First, all communication with private applications can be secured, regardless of user location; the network location itself does not imply trust. Second, access to individual resources is granted on a per-connection basis, and authentication to one resource will not inherently allow access to another resource. Third, access to data and computing service resources is granted based on context, starting with user identity/roles and device state and optionally extending to other elements, such as location or behavioral attributes. Finally, the ZTNA service ensures all traffic from users to applications is fully visible and monitored to ensure continued security.
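As an added illustration of the four tenets above (example code written for this post, not Zscaler's or ZPA's implementation; the application names, roles, posture levels and request values are constructed), a minimal per-connection policy evaluator that ignores network location, re-evaluates every request independently, and records each decision:

```python
from dataclasses import dataclass

# Constructed application inventory: which roles may reach each app and the
# minimum device posture required. Nothing here is keyed on network location.
APP_POLICY = {
    "hr-portal":  {"roles": {"hr", "admin"}, "min_posture": "managed"},
    "payroll-db": {"roles": {"finance"}, "min_posture": "managed-encrypted"},
    "wiki":       {"roles": {"staff", "hr", "finance", "admin"}, "min_posture": "any"},
}
POSTURE_RANK = {"any": 0, "managed": 1, "managed-encrypted": 2}

@dataclass
class ConnectionRequest:
    user: str
    roles: set            # from the identity provider
    device_posture: str   # reported by the endpoint agent
    network: str          # "corp-lan", "home", "cafe": logged, never trusted
    app: str              # the single resource this connection is for

AUDIT_LOG = []            # every decision is recorded (tenet four)

def authorize(req: ConnectionRequest) -> bool:
    """Decide one connection from identity/role and device state only.
    A prior allow for another app is never consulted (tenet two)."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        allow, reason = False, "unknown application"
    elif not (req.roles & policy["roles"]):
        allow, reason = False, "role not permitted for application"
    elif POSTURE_RANK.get(req.device_posture, -1) < POSTURE_RANK[policy["min_posture"]]:
        allow, reason = False, "device posture below minimum"
    else:
        allow, reason = True, "allowed"
    AUDIT_LOG.append({"user": req.user, "app": req.app, "network": req.network,
                      "allow": allow, "reason": reason})
    return allow
```

Being on the corporate LAN buys nothing in this model; only the role and posture checks can produce an allow.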
Strive for simplicity
At the end of the day, it comes down to simplicity. Agencies need simple implementations that enable them to easily start new projects, migrate applications to the cloud, and provide secure connectivity for end users regardless of the application environment. Agencies have the ability to eliminate complex network-based segmentation and traffic backhaul, and users do not have to worry about how to connect to an app, where it is hosted, or whether it requires a VPN. ZTNA accelerates application migration and minimizes user impact.
Zscaler offers customers tools for identifying what applications are present in existing environments, which users are accessing what applications today, and what types of application access must be provided to users. That information can be used to inform the process of migrating from an open application access policy to granular access for sensitive resources. Another common concern is compatibility across disparate application environments; the simplest solution there is to leverage the tools provided by a cloud-based ZTNA service. First, think about the migration itself, and then consider the access to the migrated application.
Federal agencies use cloud services to improve citizen services, innovate more efficiently, and enable rapid prototyping/“fail faster” development models. McKinnon notes that some customers ask, “How do I fail faster if I have a situation where I want to try something new? [Customers] don’t want to have to pre-buy...and then hope that it works.” They need the flexibility to purchase incrementally and pay for what’s needed when it’s needed. Agencies have the opportunity to “be innovative in the cloud where they couldn't in their own internal infrastructure,” McKinnon added.
Zscaler Private Access (ZPA) is a cloud-enabled ZTNA solution that provides secure access to private applications across the data center and IaaS/PaaS environments, accelerating cloud migration, and enabling agencies to explore the zero trust security model incrementally, one use case at a time. ZPA’s full visibility, granular control, scalability, and resilience result in improved security, user experience, simplicity, and affordability.
To learn more about how you can accelerate the migration of your applications to the cloud with AWS and ZPA, check out the Zscaler/AWS webinar, “Secure Your Move to Cloud with Zero Trust Architecture.”
Lisa Lorenzin is the director of emerging technology solutions at Zscaler.