Choose zero trust for security and spend – a conversation on business enablement
Jun 21, 2022
Providing customers the chance to access and interface with Zscaler senior leadership is one of the core benefits of Zenith Live. This is true for Zscaler and myself as much, if not more, than it is for our customers. It’s why I so look forward to interactive panels and the chance to field questions and engage in real dialogue with attendees.
To Security and Beyond: Zero Trust as a Business Enabler was one such opportunity. I was joined on stage by two brilliant tech minds and leaders, Zscaler President Amit Sinha, PhD, and Dhawal Sharma VP & GM, Product Management.
Together we were able to share a dialogue about what we consider the key benefits zero trust offers businesses, and how it may be able to contribute to their success in a world of advanced threats and budgetary pressures.
Here are some of the topics we covered.
Segmentation is hard. Don’t let that stop you.
Zscaler founder and CEO Jay Chaudhry has an analogy for what can be a tricky exercise. In the world of segmentation, he says, there are kindergarten, middle school, high school, and PhD levels. The mistake many organizations make, says Sinha, is to assume they must start with fully fleshed-out identity-based segmentation across users, IoT/OT devices, and workloads.
In practice, that’s jumping right into coursework at the PhD level. Instead, he advised, start with user-to-workload segmentation. Most organizations know their finance department needs access to bookkeeping apps, for example, but it’s unlikely to rely heavily on its Marketo instance. Similar examples for each department are a good place to start with segmentation.
Macro segmentation of VPC instances could be a second step, making sure workloads in one VPC are segmented from those in another, for example. By the time you’re ready to defend a thesis, you’ve arrived at the microsegmentation step of the process. The point is to start small and, with each step, reduce your attack surface.
Of course, choosing to adopt zero trust architecture should precede it all, Sharma pointed out. Compared to the all-or-nothing access offered by a VPN, all applications go dark with a solution like the Zscaler Zero Trust Exchange before segmentation work even begins.
App discovery is also difficult. And also essential.
Among audience members, only one individual reported having developed an exhaustive list of applications in use by his application. Our panel thought that was a high number. One of the biggest challenges enterprises face is establishing a complete application inventory, keeping up to date, and understanding what it means for the business. That’s mostly because enterprises tend to have tens of thousands of applications in use at any time, many of which are shadowy to some degree.
The app discovery process, difficult as it may be, is a crucial step in securing organizations according to zero trust best practices. Inevitably, during his experience with this process, Sharma said, customers would report app inventories four to five times smaller than they actually were. Decades-old server instances spun up by a long-gone developer would come to light during the process. Following discovery, admins could begin applying patches and policies, enhancing the organization’s overall security posture.
(As a bonus, Sinha added, newly announced AI/ML application discovery capabilities from Zscaler will make this process easier on customers by providing policy recommendations based on observed behavior.)
Distilling zero trust down to its business value
Fundamentally, says Sinha, zero trust is about identity. It starts with knowing who is asking for what – whether that be a user, workload, or IoT/OT device. This identity verification includes critical context surrounding the user such as the posture of their device (is it running an AV or not), geolocation information (are they logging in from an unusual location), and policies applicable to the user (are they allowed access to the resource they’re requesting).
Device history, location, and anomalous behavior "all become context," said Sharma. "Access should be tied to that." By examining these factors, organizations take a significant step toward protecting themselves from compromise.
The second key element of zero trust that limits an organization’s exposure to attack is the decoupling of applications from the network. With zero trust fully deployed, says Sinha, "the only thing that's exposed is your public internet domain...that's a massive attack surface reduction." It’s easy to imagine all the businesses that could have avoided making headlines for embarrassing high-profile breaches from misconfigured, publicly discoverable server instances had they only adhered to this approach.
Third and finally, zero trust requires committing to a fully proxy-based architecture. The ability to perform dynamic risk assessments in the time between when access to a resource is requested and when that access is granted is essential. This is not a one-and-done process, either, as it might be with a castle-and-moat, network firewall approach. It should happen with every single request from every single user, including the inspection of any encrypted traffic. In the case of Zscaler, says Sinah, it happens as many as 250 billion times per day.
But what about cost?
If these improvements to IT security and operations aren’t moving the needle for executives and boards, one audience member asked, what about cost? With a contracting global economy, this question is again top-of-mind for leadership.
In response, panelists outlined three core “buckets” where implementing zero trust can help cut costs:
1. By eliminating the network
“Well, step one is eliminating the network,” answered Sinha. Instead of using MPLS to backhaul traffic from branches and satellite offices, we can take a key learning of COVID – that the internet is a pretty good network – and apply it to cutting expensive switches and bloated security stacks from the IT operations at headquarters. He cited Siemens as an example of a company that saved 70% by simplifying the way its 400,000 employees connect.
2. By cutting operating costs
There are also significant savings to be had in terms of operational costs. The personnel required to manage a lineup of point products – with their associated consoles, alerts, and policies – are driving up security spends for many organizations. Staffing SOCs is expensive, and hardening IT security at the infrastructure level can help ease the burden on these teams.
Zero trust solutions that monitor digital experience also help reduce support calls, leading to further savings. If users default to contacts their help desk any time there’s a problem with Microsoft Teams or Zoom, organizations will have to scale up support resources. If, instead, they proactively monitor and report on application availability, they will have less taxed IT teams.
3. By reducing reliance on data centers
The more heavily reliant organizations are on routing their traffic through data centers, the more investment they must make in infrastructure for those data centers. More traffic requires bigger switches, bigger firewalls, and bigger load balancers to handle it all. By moving applications from the data center to the cloud wherever possible, IT teams reduce the need for spending more on appliances.
This transition is already underway with the growth of the public cloud. Zero trust accelerates it. With zero trust architecture, only traffic that’s headed to the data center is sent there, eliminating the need for costly upgrades.
In its entirety, zero trust often acts as permission for organizations to step back and reevaluate the entirety of the way they do business – beyond networks, infrastructure, and other purely IT elements.
What to read next