
Mitigating risk through zero trust segmentation

Jul 03, 2024

The following is a guest contribution from Dhawal Sharma, SVP, Product Management at Zscaler.

Even organizations well into their digital transformation journeys are besieged by sophisticated cyber threats. Among the most insidious are ransomware attacks. 

Typically, attackers gain access by exploiting VPN or firewall vulnerabilities. Next, threat actors move laterally until they can locate something of high value – the so-called "crown jewels." An effective segmentation strategy can help mitigate these risks, but many organizations still rely on outdated, network-centric approaches that do not scale well and leave networks exposed.

As organizations move from data centers to the cloud, too often they try to apply the same perimeter-based, trusted vs. untrusted thinking that has proved problematic in the past. Firewalls are lifted-and-shifted to the cloud, hyperscalers provision VPN access, IT teams continue backhauling through centralized gateways – all of which creates attack surface and inefficiencies. 

At Zscaler Zenith Live ’24, my colleague Joby Menon and I discussed the importance of adopting a zero trust-based segmentation approach. This method protects employees wherever they work, as well as their workloads and OT/IoT infrastructure.

Here are some insights from that session that address ways in which organizations can implement effective zero trust segmentation strategies as they modernize their IT infrastructure.

The shift from network-based segmentation to zero trust segmentation

Traditional network segmentation relies on complex tools and techniques that create scalability and management challenges. These approaches focus on protecting the network itself, using firewalls and VPNs to create trusted and untrusted zones. However, as organizations move to the cloud and adopt hybrid work models, perimeter-based security becomes increasingly inadequate. Moreover, legacy tools’ complexity often leads to misconfigurations that expose routable networks to attackers.

Zscaler approaches segmentation from a different angle. We believe access should be granted on a per-request basis. By applying policies derived from business logic and identity-driven context, we reduce the attack surface and minimize the potential for lateral movement. This shift from a network-centric to a zero trust approach involves rethinking how organizations define and enforce access controls.
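To make the contrast between a network-centric decision and a per-request, identity-driven one concrete, here is a small added illustration in Python. It is not Zscaler code and does not model ZPA's policy language; the "trusted" address range, group names, segment names and policies are all constructed for the example. The legacy function decides purely on source address, so any foothold inside the routable range reaches every application; the zero trust function ignores the address entirely and evaluates each request against identity context with a default deny.

```python
"""Per-request access decision driven by identity context (added example).

Assumptions (constructed for illustration): requests carry the user's groups
and device posture; policies map groups to application segments; the
10.0.0.0/8 range is the legacy network's "trusted" zone.
"""
import ipaddress
from dataclasses import dataclass

CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed "trusted" range


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # identity attributes from the IdP
    device_managed: bool       # device posture signal
    app_segment: str           # application segment being requested
    source_ip: str             # kept for audit; the zero trust path never uses it


@dataclass(frozen=True)
class Policy:
    name: str
    app_segment: str
    allowed_groups: frozenset
    require_managed_device: bool = True


# Constructed policies: business logic expressed as group -> segment.
POLICIES = (
    Policy("finance-apps", "finance", frozenset({"finance"})),
    Policy("eng-apps", "engineering", frozenset({"engineering", "sre"})),
    Policy("hr-portal", "hr", frozenset({"hr"}), require_managed_device=False),
)


def legacy_network_decide(req: Request) -> bool:
    """Perimeter model: anything on the routable 'trusted' network reaches every app."""
    return ipaddress.ip_address(req.source_ip) in CORP_NET


def zero_trust_decide(req: Request, policies=POLICIES) -> tuple:
    """Evaluate one request against identity-driven policy.

    Returns (allowed, reason). Network location plays no part; if no policy
    grants the requested segment to the caller's groups, the answer is deny.
    """
    reason = f"no policy grants access to segment '{req.app_segment}'"
    for p in policies:
        if p.app_segment != req.app_segment or not (req.groups & p.allowed_groups):
            continue
        if p.require_managed_device and not req.device_managed:
            reason = f"{p.name}: managed device required"
            continue  # another policy for this segment may still apply
        return True, p.name
    return False, reason


if __name__ == "__main__":
    # An attacker's foothold inside the network: no identity, no entitlement.
    foothold = Request("unknown", frozenset(), False, "finance", "10.1.2.3")
    # A finance employee working remotely on a managed laptop.
    remote = Request("alice", frozenset({"finance"}), True, "finance", "203.0.113.7")
    for r in (foothold, remote):
        print(r.user, "legacy:", legacy_network_decide(r), "zero trust:", zero_trust_decide(r))
```

The two sample requests show the asymmetry the paragraph describes: the foothold passes the network check and fails the identity check, while the remote employee fails the network check and passes the identity check.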

Application segmentation with ZPA

Zscaler Private Access™ (ZPA™) allows organizations to cluster and segment their crown jewel applications manually, creating granular access policies. This approach ensures that only authorized users can access specific applications, reducing the risk of lateral movement.

For example, ZPA can segment applications with the help of machine learning (ML), which learns behavioral patterns and provides meaningful policy recommendations. This level of visibility helps security teams understand where traffic is going and ensure that segmentation policies are effective and scalable. By monitoring user access patterns, ZPA can identify anomalous behavior that may indicate a potential threat, allowing for proactive security measures.

Extending zero trust beyond users

While traditional segmentation methods primarily focus on in-office users, our zero trust approach extends to mobile workers, third-party contractors, B2B use cases, and even non-user traffic like workloads. By implementing zero trust principles across all traffic – whether from data centers, cloud environments, or critical infrastructure – we can create a comprehensive and consistent security posture.

For instance, as organizations migrate applications to the cloud, they often face challenges in deploying infrastructure and managing security vulnerabilities. Our goal is to enable easy egress of traffic from customer environments, reducing the attack surface by eliminating the need for outbound and inbound DMZs. This not only simplifies network architecture, but also enhances security by ensuring that all traffic is subject to the same rigorous access controls.

Continuous attack surface monitoring

We have also introduced continuous attack surface monitoring for enhanced security. This provides organizations with real-time insights into vulnerabilities and exposures. By continuously analyzing traffic patterns and recommending new user-to-application segments, we help organizations maintain a least-privileged access model.

Continuous monitoring allows organizations to detect and respond to threats more quickly. For example, if an unusual spike in traffic is detected from a particular user or application, the system can automatically trigger an investigation or block the suspicious activity. This proactive approach significantly reduces the window of opportunity for attackers, enhancing overall security posture. 

This is especially important in light of ongoing cloud migrations, where misconfigurations threaten to leave workloads exposed. Through integrations with AWS and Google, Zscaler can automatically deploy app connectors to flag risk. Macro segmentation is often a logical place to start in these instances, for example by stipulating that pre-production and testing environments are exposed only to production ones.

Real-world applications and success stories

Since releasing ZPA, we have seen significant success in reducing attack surfaces, in some cases by thousands of devices for single customers. By continuously refining user groups, application clusters, and user-to-application maps, customers take charge of creating a more secure and manageable environment.

Application discovery is another key aspect of our strategy. Organizations that don’t have application inventories can passively observe user requests and destination applications by using wildcards to create initial application segments. This unobtrusive method allows for the gradual phasing out of wildcard segments in favor of segments based on actual user behavior. AI and ML can help here by creating automated recommendations for application segmentation, enabling IT leaders to quickly shrink the attack surface.

One Zscaler customer, a large financial institution, was able to substantially reduce its risk of data breaches with ZPA. By segmenting applications and enforcing strict access controls, the organization minimized the potential for lateral movement through its network. This not only improved its security posture, but also ensured compliance with industry regulations, providing peace of mind to stakeholders.

The importance of user behavior analytics

User behavior analytics (UBA) is another critical component of effective zero trust segmentation. By monitoring and analyzing user activities, UBA can detect anomalies that may indicate malicious behavior. For instance, if an employee who typically accesses only financial applications suddenly starts accessing engineering resources, this could be a sign of compromised credentials.

UBA works by establishing a baseline of normal behavior for each user and then identifying deviations from this baseline. These deviations are flagged for further investigation, allowing security teams to quickly address potential threats. Integrating UBA with zero trust segmentation ensures that, even if attackers gain access to the network, their movements are quickly detected and restricted.
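The two mechanisms described above, passive application discovery that retires a wildcard segment in favor of segments based on observed use, and a per-user behavioral baseline whose deviations are flagged, can be shown end to end on a small constructed access log. The following Python is an added example, not Zscaler code or ZPA's actual algorithm: the log lines, hostnames under `corp.example`, departments and the `*.corp.example` wildcard are all constructed. Discovery groups each observed destination by the set of departments seen reaching it and turns each distinct set into a named segment; the baseline then records which segments each user (and each department) normally touches, and a new event outside the user's baseline is flagged, with lower severity when the user's own department already uses that segment.

```python
"""Wildcard-to-specific segment discovery plus a UBA-style baseline (added example).

All log data is constructed. Format of each line: timestamp,user,department,FQDN.
"""
import fnmatch
from collections import defaultdict

BASELINE_LOG = """\
2024-06-03T08:01Z,alice,finance,ledger.corp.example
2024-06-03T08:05Z,alice,finance,payroll.corp.example
2024-06-03T09:10Z,bob,finance,ledger.corp.example
2024-06-03T09:12Z,bob,finance,payroll.corp.example
2024-06-03T10:00Z,carol,engineering,git.corp.example
2024-06-03T10:02Z,carol,engineering,ci.corp.example
2024-06-03T10:30Z,dave,engineering,git.corp.example
2024-06-03T11:00Z,dave,engineering,ci.corp.example
2024-06-03T11:05Z,dave,engineering,wiki.corp.example
2024-06-03T11:06Z,alice,finance,wiki.corp.example
"""

NEW_EVENTS = """\
2024-06-04T08:02Z,alice,finance,ledger.corp.example
2024-06-04T02:14Z,alice,finance,git.corp.example
2024-06-04T09:00Z,carol,engineering,wiki.corp.example
"""


def parse(log: str) -> list:
    """Turn the constructed CSV lines into event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, dept, fqdn = line.split(",")
        events.append({"ts": ts, "user": user, "dept": dept, "fqdn": fqdn})
    return events


def discover_segments(events: list, wildcard: str = "*.corp.example") -> dict:
    """Replace one wildcard segment with specific segments.

    Every FQDN matching the wildcard is keyed by the set of departments observed
    reaching it; each distinct department set becomes one segment named after
    those departments. Returns {segment_name: sorted list of FQDNs}.
    """
    depts_by_fqdn = defaultdict(set)
    for e in events:
        if fnmatch.fnmatch(e["fqdn"], wildcard):
            depts_by_fqdn[e["fqdn"]].add(e["dept"])
    fqdns_by_depts = defaultdict(set)
    for fqdn, depts in depts_by_fqdn.items():
        fqdns_by_depts[frozenset(depts)].add(fqdn)
    return {"+".join(sorted(d)): sorted(f) for d, f in fqdns_by_depts.items()}


def build_baselines(events: list, fqdn_to_segment: dict) -> tuple:
    """Record which segments each user and each department normally reach."""
    user_base, dept_base = defaultdict(set), defaultdict(set)
    for e in events:
        seg = fqdn_to_segment.get(e["fqdn"], "unsegmented")
        user_base[e["user"]].add(seg)
        dept_base[e["dept"]].add(seg)
    return user_base, dept_base


def flag_deviations(baseline_events: list, new_events: list) -> list:
    """Flag new events that fall outside the user's baseline.

    Severity is 'low' when the user's department already uses the segment
    (peers do this), 'high' when neither the user nor the department does.
    Returns [(user, fqdn, segment, severity), ...].
    """
    segments = discover_segments(baseline_events)
    fqdn_to_segment = {f: name for name, fqdns in segments.items() for f in fqdns}
    user_base, dept_base = build_baselines(baseline_events, fqdn_to_segment)
    findings = []
    for e in new_events:
        seg = fqdn_to_segment.get(e["fqdn"], "unsegmented")
        if seg in user_base[e["user"]]:
            continue
        severity = "low" if seg in dept_base[e["dept"]] else "high"
        findings.append((e["user"], e["fqdn"], seg, severity))
    return findings


if __name__ == "__main__":
    base = parse(BASELINE_LOG)
    for name, fqdns in discover_segments(base).items():
        print(f"segment {name}: {fqdns}")
    for finding in flag_deviations(base, parse(NEW_EVENTS)):
        print("deviation:", finding)
```

On the constructed data the wildcard collapses into three segments (finance, engineering, and a shared engineering+finance segment holding the wiki). Alice's 02:14 access to the engineering git host is a high-severity deviation because no one in finance has touched that segment, whereas Carol's first visit to the wiki is low severity because a colleague in engineering already uses it. A real deployment would compute the baseline over a longer window and weight by request volume, but the structure of the check is the same.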

Leveraging AI and machine learning

AI/ML play a pivotal role in enhancing zero trust segmentation. These technologies can process vast amounts of data to identify patterns and trends that may not be apparent to human analysts. For example, ML algorithms can analyze network traffic to identify unusual patterns that may indicate a sophisticated attack. 

In addition, AI and ML can help organizations visualize the attack surface by determining how many users are accessing a given application and making recommendations based on departments, application similarity, protocol heuristics (“rules of thumb”), and other factors. This simplifies matters for security teams, enabling them to cluster access privileges into one segment with overarching policies.

By leveraging AI and ML, organizations can automate many aspects of their security operations, reducing the burden on human analysts and increasing the speed and accuracy of threat detection. This is particularly important in today's fast-paced digital environment, where new threats are constantly emerging.

Future directions and innovations

As we continue to refine and expand our zero trust segmentation capabilities, we are exploring new technologies and approaches to enhance security. For instance, we are investigating the use of blockchain for secure, tamperproof logging of access controls and transactions that may provide an additional layer of security.

Our recent Airgap acquisition means we will be providing agentless segmentation to protect east-west traffic in branch offices, campuses, factories and plants with critical operational technology (OT) infrastructure. This will simplify network operations, eliminating the need for east-west firewalls, network access control (NAC) solutions and other traditional microsegmentation processes. 

We are also looking into integrating zero trust segmentation with other security frameworks, such as secure access service edge (SASE) and extended detection and response (XDR). By combining the strengths of these frameworks, we can provide a comprehensive security solution that addresses the full spectrum of modern cybersecurity challenges.
