3.3 Zscaler Integration with Zero Trust Part 1 - ZN
1 hour 17 minutes
Hello and welcome back. We've got some learning objectives to go over for the next section, and we're gonna continue the discussion around fundamentals for zero trust, picking up at fundamental number three. We will discuss how location or zones on the network shouldn't matter when dealing with trust. We'll also look at Zscaler and how they integrate zero trust in their product, Zscaler Private Access. Stay tuned. Much more to come.
Hello and welcome back. Thank you for staying with me.

We pick up at fundamental number three: network locality is not sufficient for deciding trust in the network.

Now, many of us have ordered food right from our smartphones through apps. These apps can alert you when the driver has entered your neighborhood, right? But I dare to say that you don't open the door when you know the person's in the neighborhood. Rather, you wait until that person knocks on your door or rings your doorbell. Then you look through the peephole to see the individual before you actually greet them and receive your order. You probably wouldn't open the door if the person didn't have a bag in their hand. Now, it's not enough that they are standing at your front door. Other attributes must be met before the transaction can be complete, and location shouldn't matter.
So with traditional network security, you have different zones with different levels of trust, and security can become relaxed as you move away from the edge of the perimeter into the interior. In the DMZ, for example, traffic may be tightly monitored and controlled, but the trusted zone may not have the same amount of monitoring and controls.

When networks are broken into zones but don't contain firewall rules to allow or deny traffic, that network is considered a flat network. This means that once on the network, you can access any host on any subnet, no matter what zone they belong to or what zone you reside in.

Also, oftentimes when rules are created, they're only governed by source and destination IP addresses, so we don't have a lot of visibility. And we can see on the slide that the traditional network security model places sensitive information in the innermost part of the network, but security controls may not be as stringent. You know, oftentimes leadership will be nervous about placing too much security in these areas due to the risk of reducing availability to important people who need that access.
You know, the traditional network security architecture can resemble how security is reduced as you move through a stand-alone home. Let's say that the Internet is the street that the house is built on, and the garage is the DMZ. Keep in mind the house is the network, your domain, right? So the garage is the DMZ. The garage has floodlights, cameras, maybe a security sign close by to warn and deter entrance. As we move into the trusted zone, we find ourselves in the kitchen or the living room, where access becomes a little bit easier, correct?

Now the privileged zone can be seen as our master bedroom, and most of us keep our PCI, or payment card industry, data and HIPAA data in this room, correct? Now, what I mean by that is your wallet is in your bedroom, your medical records might be in a fireproof box under your bed, but we have no real security in the most trusted areas of our home, and our networks sometimes feel and look the same.

But how do we change our security inside our home? If we allowed Amazon or Walmart to enter our homes to put away groceries, you know, things would be much different, right? And just like how networks have changed and services have changed in our real life, and not just our logical life, when it comes to networks, our users use devices on the network to access and retrieve information from the Internet, so we must secure the network they reside on differently.
So this leads me to Zscaler and how they integrated zero trust into their product. So Zscaler is a company that has bought into zero trust. They have fully embraced that concept, and what you see here is a bake-off between Zscaler Private Access and traditional VPN.
Now, traditional VPN, as many of you have experienced, can be slow. After connecting, you have to go through your organization's network and security stack and then back around before the application or file is made available to you. A lot of you have heard the term traversing the network, right? So traditional VPN also places our remote users on the network, which can lead to breaches. We talked about it earlier with Home Depot and Target. Traditional VPN also allows for inbound connections that could cause issues on the network, such as a distributed denial of service attack.
Now, with Zscaler's zero trust approach, they never place their users on the network. No inbound connections are made, and the agent placed on the device requests access to the apps. The request goes to the Zscaler Enforcement Node to check against policies to allow the user, device and applications to broker a secure connection. Connections from the user's devices are never inbound to the connectors, which we can consider a part of the data plane. They simply listen for requests to an app and publish that app based on the control plane policies in the Zscaler Enforcement Node for that user and the device.

Zscaler Private Access is an always-on remote access solution that allows multi-factor authentication and device posture to limit the scope of what devices can access internal apps, and gives greater visibility to its operators or administrators for granular details for troubleshooting issues and security concerns.
Zscaler allows operators to create application segments that only allow certain users access to a subset of apps. This is a least privilege approach that could have helped in the case of Target or Home Depot when dealing with third-party vendors.
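To make the two points above concrete, the following is an added example (not code from this course and not Zscaler's implementation): a toy policy broker that scores the same access request two ways. The legacy rule allows on nothing but the source address, as in the earlier point about rules governed only by source and destination IP. The zero-trust rule ignores the address and instead requires MFA, a passing device posture, and membership in an application segment that publishes the requested app. Every address, user, device and segment is constructed sample data, and the attribute names are assumptions chosen for the illustration.

```python
"""Toy zero-trust policy broker (added example, not Zscaler's code).

Contrasts a legacy, location-based allow rule with a decision that checks
identity, MFA, device posture and application-segment membership, so that
a device's network location alone never grants access. All addresses,
users, devices and segments below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the address range a legacy firewall treats as the trusted zone.
TRUSTED_ZONE = ip_network("10.0.0.0/16")

# Constructed application segments: which groups may reach which internal apps.
APP_SEGMENTS = {
    "outlook": {"employees", "contractors"},
    "hvac-console": {"facilities-vendor"},
    "pos-admin": {"pos-admins"},
}


@dataclass(frozen=True)
class Device:
    device_id: str
    os_patched: bool
    disk_encrypted: bool
    edr_running: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    mfa_verified: bool
    device: Device
    app: str
    source_ip: str  # only the legacy rule looks at this


def legacy_firewall_decision(req: AccessRequest) -> bool:
    """Traditional zone model: trusted because of where the packet came from."""
    return ip_address(req.source_ip) in TRUSTED_ZONE


def device_posture_ok(dev: Device) -> bool:
    """Posture check a broker might require before publishing any app."""
    return dev.os_patched and dev.disk_encrypted and dev.edr_running


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Broker-style decision: user, MFA, device and app segment must all pass.
    The source address is deliberately ignored."""
    if not req.mfa_verified:
        return False, "mfa not verified"
    if not device_posture_ok(req.device):
        return False, "device posture failed"
    allowed = APP_SEGMENTS.get(req.app)
    if allowed is None:
        return False, "no application segment publishes this app"
    if not (req.groups & allowed):
        return False, "user not entitled to this application segment"
    return True, "allowed"


def evaluate_scenarios() -> dict:
    """Constructed requests, each scored by both models."""
    healthy = Device("lt-001", True, True, True)
    compromised = Device("lt-002", True, True, False)  # EDR agent disabled
    scenarios = {
        # Remote employee on home broadband reaching mail.
        "remote_employee_outlook": AccessRequest(
            "alice", frozenset({"employees"}), True, healthy, "outlook", "198.51.100.7"),
        # Unhealthy laptop already inside the trusted zone, aiming at a sensitive app.
        "inside_compromised_pos": AccessRequest(
            "bob", frozenset({"employees"}), True, compromised, "pos-admin", "10.0.5.7"),
        # Third-party vendor: entitled to its own console and nothing else.
        "vendor_to_pos_admin": AccessRequest(
            "hvac-vendor", frozenset({"facilities-vendor"}), True, healthy, "pos-admin", "10.0.9.9"),
        "vendor_to_hvac": AccessRequest(
            "hvac-vendor", frozenset({"facilities-vendor"}), True, healthy, "hvac-console", "203.0.113.4"),
    }
    return {
        name: {"legacy": legacy_firewall_decision(r), "zero_trust": zero_trust_decision(r)}
        for name, r in scenarios.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name:26} legacy={result['legacy']!s:5} zero_trust={result['zero_trust']}")
```

Running it shows the contrast the lecture draws: the legacy rule waves through the unhealthy laptop and the vendor's request for the point-of-sale console simply because both sit in the trusted range, while it refuses the healthy remote employee; the zero-trust rule allows the remote employee and the vendor's own console, and denies the other two with a reason an operator can act on.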
What makes Zscaler Private Access very different from traditional or legacy VPN is the speed at which a user can access Outlook, for example, while on the road or working from home. They don't have to type in credentials. They don't have to go through the extra step that we see with traditional VPN. Zscaler Private Access doesn't have a concept of login in the way traditional VPN agents do. It provides you with an always-on remote access experience.

Now, Zscaler Private Access doesn't provide your laptop or mobile device an IP address that belongs to your organization. So you're not placed on the corporate network, even though you have the ability to access internal applications like Outlook or Skype, for example. We're able to reduce an attacker's ability to pivot on your network. So by not placing the user's device on the corporate network, we're reducing the spread of risk.
However, if you're using traditional VPN, you are inherently trusting that device, which goes against the zero trust model. If the device, let's say a laptop with Windows 10, is compromised while using traditional VPN, after it's connected and gets a corporate IP address, it's placed on the network, right? And if someone runs a port scan, that attacker can compromise another machine. Doing a simple ipconfig, right, we can enumerate information. We could find out what subnet we're placed on and then perform a port scan for that subnet and attempt to launch other attacks. So Zscaler Private Access is using a zero trust approach. Now, if a compromised Windows 10 laptop using Zscaler Private Access is trying to be used to enumerate information on a network, that port scan or that ipconfig is never gonna give that adversary or hacker pertinent information that could lead to additional compromise.

Talk about better security while delivering a faster and much better user experience. Zscaler with zero trust allows us to do that and replace traditional VPN.