A compromised machine can cause severe damage if it allows lateral movement inside an organization’s network. To prevent lateral propagation and reduce your attack surface, user-to-app segmentation—based on the premise that you can’t attack what you can’t see—is pivotal. At Zenith Live 2023, we announced several new features that make Intelligent App Segmentation even more effective.
Easy starting point with CMDB import
Most organizations start with a “wild card” app segment (e.g., *.internal.acme.com with all or almost all ports open), which helps discover applications being used across the organization. After application discovery, organizations need an intelligent way to group similar applications, and then provide least-privileged access to the right set of users.
Last year, we launched the AI/ML-powered Intelligent Application Segmentation feature, which generates app segment recommendations based on user access patterns to help organizations achieve user-to-app segmentation (see more details here). If you’re interested in enabling this feature for your ZPA tenant, please contact your account team or Zscaler support.
When adopting a zero trust solution like Zscaler Private Access (ZPA), the application information you feed into the ZPA system translates to app segments, which consist of application details like FQDN, IP, TCP/UDP ports, and so on. Organizations often maintain a CMDB (configuration management database) that stores exactly this information. Today, you can feed this information into ZPA through API calls or by manually entering the details into the ZPA portal to create individual app segments.
We envision providing an option to import CMDB files into ZPA to help with configuring granular app segments, giving organizations an easy starting point to embark on the journey to zero trust. After importing the CMDB file, you would be able to view extensive details about app segments that can be configured right away, including granular information like which domains are receiving active traffic vs. those that are not.
We would go a step further to highlight the TCP/UDP ports on which we are observing traffic. With this information, you would be able to configure granular app segments to reduce your attack surface.
Visualize and reduce your attack surface with Intelligent App Segmentation
AI/ML generates app segment recommendations based on user access patterns, and we can now visualize the quantifiable attack surface reduction for each app segment recommendation to help with prioritization. In the following example, if accepted, the recommendation would result in about a 90% exposure reduction.
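The workflow described so far (import a CMDB inventory, observe which domains and ports actually carry traffic through the wildcard segment, then quantify how much a traffic-derived granular segment shrinks exposure) can be illustrated with a small script. This is an added example, not Zscaler's code or the product's own logic; the CSV inventory and flow records are constructed, and the exposure metric (reachable host-port pairs) is a simplification assumed here rather than the formula behind the percentage shown in the product.

```python
import csv
import io
from collections import defaultdict

# Constructed CMDB export (not real data): hostname, IP, and the ports the
# CMDB documents for each host, separated by semicolons.
CMDB_CSV = """hostname,ip,ports
ad01.internal.acme.com,10.1.0.11,88;389;636
ad02.internal.acme.com,10.1.0.12,88;389;636
hr-app.internal.acme.com,10.1.2.20,443
legacy-db.internal.acme.com,10.1.3.30,1433;3389
"""

# Constructed flow records standing in for the traffic observed through the
# wildcard segment: (destination host, protocol, destination port).
OBSERVED_FLOWS = [
    ("ad01.internal.acme.com", "TCP", 389),
    ("ad01.internal.acme.com", "TCP", 636),
    ("ad02.internal.acme.com", "TCP", 389),
    ("ad02.internal.acme.com", "UDP", 88),
    ("hr-app.internal.acme.com", "TCP", 443),
    ("hr-app.internal.acme.com", "TCP", 443),  # repeat flows collapse to one port
]

# A "*.internal.acme.com with all ports open" starting segment exposes every
# port on every host; one full port range per host is used as the baseline.
WILDCARD_PORTS_PER_HOST = 65535


def parse_cmdb(text):
    """Parse the CMDB export into {hostname: {"ip": ..., "documented_ports": set}}."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        ports = {int(p) for p in row["ports"].split(";") if p}
        inventory[row["hostname"]] = {"ip": row["ip"], "documented_ports": ports}
    return inventory


def observed_ports(flows):
    """Collapse flow records into {hostname: {(proto, port), ...}}."""
    seen = defaultdict(set)
    for host, proto, port in flows:
        seen[host].add((proto, port))
    return seen


def propose_segments(inventory, flows):
    """Split CMDB hosts into active ones (keeping only the ports actually used)
    and inactive ones that received no traffic during the observation window."""
    seen = observed_ports(flows)
    active = {host: sorted(seen[host]) for host in sorted(inventory) if host in seen}
    inactive = [host for host in sorted(inventory) if host not in seen]
    return active, inactive


def documented_but_unused(inventory, flows):
    """Ports the CMDB documents for a host that carried no traffic: candidates to
    leave out of the granular segment, or to confirm with the application owner."""
    seen = observed_ports(flows)
    result = {}
    for host, info in inventory.items():
        used = {port for _, port in seen.get(host, set())}
        unused = sorted(info["documented_ports"] - used)
        if unused:
            result[host] = unused
    return result


def exposure_reduction(inventory, active):
    """Simplified exposure metric (an assumption of this example, not the
    product's formula): reachable (host, port) pairs under the all-ports
    wildcard segment versus the traffic-derived granular segments."""
    wildcard = len(inventory) * WILDCARD_PORTS_PER_HOST
    granular = sum(len(ports) for ports in active.values())
    return 1 - granular / wildcard


if __name__ == "__main__":
    inv = parse_cmdb(CMDB_CSV)
    active, inactive = propose_segments(inv, OBSERVED_FLOWS)
    for host, ports in active.items():
        print(f"{host}: {', '.join(f'{n}/{p}' for p, n in ports)}")
    print("no traffic observed:", inactive)
    print("documented but unused:", documented_but_unused(inv, OBSERVED_FLOWS))
    print(f"exposure reduction vs. wildcard: {exposure_reduction(inv, active):.4%}")
```

The inactive list and the documented-but-unused ports are the two things worth reviewing before accepting a recommendation: a host with no traffic in the window may simply be seasonal (month-end batch jobs, disaster-recovery standby), so the observation window should cover a full business cycle before those hosts are dropped from the segment.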
The final step in reducing the attack surface for each app segment is to create an access policy that ensures only the right users have access to the application segment. An organization’s Active Directory server may sometimes have stale user information (e.g., if a user was recently moved to a different department).
We can now look at the list of individual users in each department for every recommendation. This helps you in two ways, enabling you to:
- Validate that the right set of users are getting access to the application segment
- Take a list of users to your identity team and request a new AD group/department or directory info update
Make your segmentation configuration scalable and robust
As you start doing segmentation, app segment configuration is expected to grow. For example, if you have seven Active Directory servers today, you would have to define seven entries in the app segment with the individual FQDNs/IPs. On top of that, whenever you bring a new server online, you need to make sure the new FQDN/IP is updated in the app segment to prevent any service impact.
To make the configuration more scalable and robust, we envision introducing the ability to define patterns while configuring app segments. This will help optimize and future-proof the configuration, as it will enable you to easily bring new servers online without having to make any changes to the app segment.
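The scalability problem above (seven explicit Active Directory entries today, an eighth server tomorrow that nobody adds to the segment) and the way a pattern removes it can be shown with a small matcher. This is an added example and not the product's implementation: the post does not describe ZPA's pattern syntax, so glob-style patterns and CIDR blocks are this example's assumption, and the inventory of hosts and roles is constructed. The example also adds the check a reviewer wants when patterns enter the picture: a pattern that is too broad silently matches hosts of other roles and widens the attack surface instead of reducing it.

```python
import fnmatch
import ipaddress

# Constructed inventory (not real data): hosts currently online and the role
# the CMDB records for each one.
INVENTORY = {f"ad0{i}.internal.acme.com": "domain-controller" for i in range(1, 8)}
INVENTORY.update({
    "hr-app.internal.acme.com": "hr-application",
    "legacy-db.internal.acme.com": "database",
})

# Today's approach from the text: one explicit entry per Active Directory server.
EXPLICIT_AD_SEGMENT = [f"ad0{i}.internal.acme.com" for i in range(1, 8)]

# Pattern-based alternative. Glob syntax plus CIDR is this example's assumption;
# the product's own pattern syntax is not described in the post.
PATTERN_AD_SEGMENT = ["ad[0-9][0-9].internal.acme.com", "10.1.0.0/28"]


def entry_matches(entry, target):
    """An entry is a CIDR block (matches IP targets), a glob pattern, or an exact FQDN."""
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        network = None
    if network is not None:
        try:
            return ipaddress.ip_address(target) in network
        except ValueError:
            return False  # an FQDN target never matches a CIDR entry
    # fnmatchcase treats "." literally, so an exact FQDN entry is just a
    # pattern with no wildcards; hostnames are compared case-insensitively.
    return fnmatch.fnmatchcase(target.lower(), entry.lower())


def segment_covers(segment, target):
    """True if any entry in the app segment matches the FQDN or IP."""
    return any(entry_matches(entry, target) for entry in segment)


def uncovered(segment, servers):
    """Servers the segment fails to match: each one is a service-impact risk
    the moment users need it."""
    return sorted(s for s in servers if not segment_covers(segment, s))


def overreach(segment, inventory, intended_role):
    """Hosts the segment matches whose CMDB role is not the intended one: a
    too-broad pattern quietly exposes unrelated applications."""
    return sorted(host for host, role in inventory.items()
                  if role != intended_role and segment_covers(segment, host))


if __name__ == "__main__":
    # A new domain controller comes online; nobody edits the app segment.
    dcs = [h for h, r in INVENTORY.items() if r == "domain-controller"]
    dcs.append("ad08.internal.acme.com")
    print("explicit segment misses:", uncovered(EXPLICIT_AD_SEGMENT, dcs))
    print("pattern segment misses:", uncovered(PATTERN_AD_SEGMENT, dcs))
    # Compare a narrow pattern with the wildcard everyone starts from.
    print("narrow pattern overreach:", overreach(PATTERN_AD_SEGMENT, INVENTORY, "domain-controller"))
    print("wildcard overreach:", overreach(["*.internal.acme.com"], INVENTORY, "domain-controller"))
```

Running `overreach` against the CMDB inventory each time a pattern is added or changed turns "future-proof" into something you can verify: the pattern should match every host of the intended role and nothing else, and any host of another role that it picks up is a reason to tighten the pattern before the segment goes live.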
Benefits
- Easy starting point: Begin your zero trust journey with ease with the ability to import CMDB files.
- Quantified attack surface reduction: Visualize attack surface reduction for each app segment recommendation.
- Granular, user-level detail: Drill down to find individual usernames to help you fix potential IDP grouping issues.
- Pattern definition for app segments: Define patterns in app segments to make configurations scalable and future-proof.
Next steps and future direction
Zero trust is an increasingly popular model for secure user access to applications and resources. Moving away from traditional VPN-based network access is a critical element of zero trust, and Intelligent App Segmentation can help you get there. Zscaler is working tirelessly to innovate and introduce more exciting capabilities in this area.
Please reach out to your account teams to learn more, and to share your use case details and other feedback.
Top Recommendation: User to App Segmentation with ZPA
Visit Zscaler Academy to enroll and complete the User to App Segmentation with ZPA course. This 45-minute course will provide a clear overview of how ZPA helps you create flexible, granular app segments to reduce your attack surface.