Zero Trust is not something you purchase. Zero Trust is a security strategy you build out using the working assumption that there are no safe network zones, no perimeters, no safe users, and no safe devices. The Spectra Alliance helps enable a Zero Trust model across the scope of six elements including applications, data, networks, infrastructure, identities, and devices. When you consider the large scope of digital transformation, including the four key phases for networking, security, applications, and data, the full journey starts to align itself as it intersects with Zero Trust elements.
Focusing first on networking transformation may lead to a reduction in VPNs and the use of Zero Trust Network Access (ZTNA) for remote users to access private apps and resources. This is a step in the right direction: it relies on trusted identity services, and it removes the problems of lateral movement and publicly exposed access. Considering how ransomware attacks continue to leverage remote access service entry points (e.g., RDP, SSH, VPNs) to a large degree, ZTNA, when properly applied, can help significantly reduce this exposure.
Moving on to security transformation, a cloud-hosted security service edge (SSE) provides key security capabilities close to remote workers and eliminates backhauling office traffic and hairpinning user traffic. This will not only give you a better user experience (both backhauling and hairpinning significantly degrade network performance), but it will also likely consolidate defenses and reduce complexity and total cost of operations.
This is only part of the story. The traditional allow or deny controls of legacy proxy and firewall defenses can start to limit your Zero Trust strategy. Context is key for transforming apps and data, especially for Zero Trust to be successful. Public access to productivity apps such as Microsoft Office 365 and Google Workspace will either require “allow” access with network security defenses or a bypass around these inline defenses. But an allow/deny defense model does not provide the context required for a successful application of Zero Trust to apps and data, and a bypass strategy means no visibility or context.
Context is everything. For example, consider a user transferring files from their company OneDrive instance to their own personal OneDrive instance. Should they be allowed to do this? And if not, what defenses are there to stop them from exfiltrating this data? Or consider an email sent to a user with a Google Drive link from a personal instance of the sender. Should the user click on the link? Could the link lead to malware or a phishing attack? Both are prime examples of how data exfiltration and threat delivery exploit the gap in allow/deny defenses that lack any awareness of context for cloud apps, a problem that worsens for personal instances of managed SaaS and shadow IT apps.
You would think that adopting a secure access service edge (SASE) model to cloud-host and consolidate both network and security services would resolve these issues. Unfortunately, most security solutions still leave these gaps open, and you will see vendors marketing “SASE” focus heavily on network and security transformation while avoiding the discussion of apps and data transformation, which are the keys to true success for Zero Trust.
Context is critical, and so are policies that can adapt based on context. Adaptive policies supporting your Zero Trust model should understand the data sensitivity, device posture, user risk profile, and other context variables to determine if a user can transfer files from a OneDrive company instance to the user’s OneDrive personal instance. Legacy web and email defenses will ignore SaaS apps, as they are unable to decode and inspect the content, opening the door for malware, phishing, or data exfiltration. Zero Trust and digital transformation need to align for success across the six key elements noted at the start of this blog.
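The OneDrive scenario above, as an added sketch that is not from the original post or any vendor's policy engine: it runs the same constructed transfer events through an app-level allow/deny check and through a context-aware decision. The field names, sensitivity labels, allow list and risk threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    user: str
    app: str            # cloud app name, all that an app-level control sees
    src: str            # instance the file comes from: "company" or "personal"
    dst: str            # instance the file goes to
    sensitivity: str    # "public", "internal" or "confidential" (assumed labels)
    managed: bool       # device posture reduced to managed/unmanaged (assumption)
    risk: int           # user risk score, 0-100 (assumed scale)

SANCTIONED_APPS = {"onedrive"}   # assumed allow list
RISK_LIMIT = 70                  # assumed threshold

def legacy_decision(t: Transfer) -> str:
    """Allow/deny on the app alone: company and personal instances look identical."""
    return "allow" if t.app in SANCTIONED_APPS else "deny"

def adaptive_decision(t: Transfer) -> tuple[str, str]:
    """Decide on instance, data sensitivity, device posture and user risk."""
    if t.app not in SANCTIONED_APPS:
        return "deny", "unsanctioned app"
    if not (t.src == "company" and t.dst != "company"):
        return "allow", "not leaving the company instance"
    if t.sensitivity != "public":
        return "deny", f"{t.sensitivity} data leaving the company instance"
    if not t.managed:
        return "deny", "unmanaged device"
    if t.risk >= RISK_LIMIT:
        return "deny", "user risk score too high"
    return "allow", "public data, managed device, low-risk user"

# Constructed sample events, not real telemetry.
EVENTS = [
    Transfer("alice", "onedrive", "company", "company", "confidential", True, 10),
    Transfer("bob", "onedrive", "company", "personal", "confidential", True, 10),
    Transfer("carol", "onedrive", "company", "personal", "public", False, 10),
    Transfer("dave", "onedrive", "company", "personal", "public", True, 20),
    Transfer("erin", "onedrive", "company", "personal", "public", True, 85),
]

def compare(events):
    """Return (user, legacy verdict, adaptive verdict, reason) per event."""
    return [(e.user, legacy_decision(e), *adaptive_decision(e)) for e in events]

if __name__ == "__main__":
    for row in compare(EVENTS):
        print("{:6} legacy={:5} adaptive={:5} ({})".format(*row))
```

The app-level check allows all five events because each one targets a sanctioned app; only the context-aware decision separates the three transfers that should be stopped.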
The Spectra Alliance takes an integrated multi-vendor perspective on Zero Trust for customers to succeed in their journey with a focus on context for the six elements. Join our webcast discussion with ESG analysts about Zero Trust on August 12, 2021, or read our eBook “A Strategic Approach to Zero Trust Security” to learn more details today.