Editor’s note: This is the first in a three-part series on popular use cases for zero trust transformations.
Zero trust adoption is not driven by new, cool technology – it’s driven by business use cases. For most businesses, the three biggest drivers for embracing zero trust architecture are improving business productivity and agility, reducing cyber risk (including data loss), and minimizing cost and complexity of various point products and the legacy network. Zero trust use cases can be broken down into three distinct categories:
Securing work from anywhere (WFA) means providing safe and fast access to applications from any location, on any device (managed or BYOD). This is necessary to protect employees, third parties/contractors, customers, and suppliers who are using various devices from countless locations.
There are several sub-use cases regarding secure work from anywhere:
- Securing internet access, protecting against both cyber threats and data loss
- Replacing traditional VPNs with zero trust application access
- Securing access to BYOD as a virtual desktop replacement
- Merger and acquisition (M&A) integration
- Zero trust for IoT/OT
Secure internet and SaaS access
Zero trust architecture protects access to the internet and SaaS applications in several ways. Initiator traffic (users, things, or workloads) is not passed directly to a destination service. First, enterprise controls are applied. These controls are applied by nodes nearest to wherever the initiator is located, allowing for optimized consumption of the service. Most importantly, these controls protect the initiator and the enterprise, wherever they may be.
Every single access request is checked for its identity and the context of the destination. Once connected, the content and behavior of the session is assessed through AI/ML (using decryption for encrypted traffic) to discover and block malware and data exfiltration.
The goal of this process is to ensure that the enterprise is protected against bad things “coming in” and good things “going out,” thus delivering security and granular protection for each service. Granular protection may include serving only a pixelated version of the application using browser isolation. This granular policy follows the initiator, so that the same protection is provided uniformly.
Zero trust architecture not only provides superior cyber protection, but also allows the replacement of various hardware appliances, including secure web gateways, proxies, and certain firewalls.
The same controls used to protect against cyber threats are then used to protect enterprise data from being lost. ZTA performs both inline and out-of-band data protection, allowing the inspection and control of data in motion and files at rest. Its ability to read encrypted traffic allows it to find and block sensitive data in transit, and perform other advanced DLP functions.
Inline prevention controls leverage isolation techniques to block sensitive data being downloaded to BYOD or managed devices by streaming the data as pixels. Endpoint data loss prevention goes further, protecting the data on devices from being downloaded to a USB drive, for example. Out-of-band data protection technology protects data living in the cloud by preventing oversharing and exposure as well as identifying misconfiguration with popular cloud platforms where sensitive data may reside.
Both of these techniques utilize advanced ways to classify data, including AI/ML, optical character recognition, and integration with Microsoft information protection standards.
Secure private application access
Zero trust architecture is also deployed for secure access to private apps hosted in the IaaS/PaaS cloud or in a data center. By allowing authorized initiators app-level access to destinations, it fundamentally removes the need for legacy network-based access, like VPNs.
By never exposing services to unauthorized users, IT leaders eliminate much of an organization’s attack surface (exposed destinations and services). Removing legacy routable networks simplifies the technology estate and allows IT leaders to deliver services to any initiators that require access to internal resources. This can be extended to on-premises users with what is commonly known as Universal ZTNA.
This granular element of ZTA delivers the app-level segmentation that has historically been difficult to achieve at the network level, allowing the creation of three types of segmentations based on business policy:
- User-to-application segmentation
- Workload segmentation in hybrid and multi-cloud environments
- Identity-based micro segmentation for apps/processes
Secure BYOD access and VDI replacement
Every IT leader battles with the need to allow external, third parties access to their internal resources. This coupled with the rise of bring your own device (BYOD), even among employees, has left few options for uniformly securing access paths from initiators to destinations.
Whereas historically virtual desktop infrastructure (VDI) instances were the only option to secure these users, ZTA threat and data protection can be extended to BYOD using cloud browser isolation. This renders content in an air-gapped browser, and streams pixels to the user rather than loading the full HTML. For example, partners could view the contents of an inventory app but not download, copy or print anything.
For internal employees accessing sensitive applications, a company’s policy can use browser isolation for granting view-only access to untrusted devices. Virtual desktops hosted in on-prem server farms were often the only way to achieve this secure access, but browser isolation (integrated as part of ZTA hosted in the cloud) offers a powerful alternative.
Many enterprise leaders deal with the demands of M&A and divestitures. Managing the complexities of the users, processes, resources, and infrastructure involved has historically been costly and challenging. ZTA inherently delivers seamless integration between two entities by solving the underlying challenges of segmentation.
Zero trust architecture doesn’t require two heterogeneous networks to be merged. Company A and Company B can provide standardized internet/SaaS security and secure access to apps in the data center or the public cloud by determining which users can access which destinations. Users at both companies connect to the zero trust architecture, which coordinates connections, manages access policies, and provides consistent protection.
Zero trust eliminates the need to integrate networks of two companies or the use of remote access VPN. Each entity simply needs access to the internet.
Zero trust for IoT/OT
Secure remote access for IoT/OT systems is a service that takes a user- and application-centric approach to security. Whether a user is an employee, contractor, or third-party partner, the ZTA ensures only authorized users have access to specific IoT/OT systems or applications. This granular segmentation eliminates visibility of the network and prevents lateral movement.
ZTA does not rely on physical or virtual appliances. Instead, it uses lightweight, infrastructure-agnostic software like Docker containers or virtual machines, paired with browser access capabilities, to seamlessly connect all types of users to IoT/OT systems and applications, via inside-out connections.
In addition, third-party partners and users gain secure access to IoT/ OT systems without the need for a client agent. The zero trust cloud architecture provides policy-enforced, third-party connectivity to IoT/OT systems from any device, any location, at any time.
At the start of the pandemic, organizations scrambled to secure users working remotely during lockdown. Today, hybrid work is the norm in many industries, and companies still face the same need. Risks and limitations with VPNs led many companies to explore zero trust for the first time. As an unintended consequence, many enterprises came to see moving away from legacy networks as a route to alleviating additional pain points including:
- Secure access for third-party contractors
- Accelerating M&A transactions
- Locking down IoT/OT devices
- Inspecting encrypted traffic
- Optimizing security spend by retiring antiquated devices and obsolete security layers.
In the next installment of this series, we will explore zero trust as a WAN transformation enabler.
What to read next