3.3 Zscaler Integration with Zero Trust Part 1 - ZN

Video Activity

Join over 3 million cybersecurity professionals advancing their career

Required fields are marked with an *

View all SSO options

Already have an account? Sign In »

Zero Trust Networks

Course

Time

1 hour 17 minutes

Difficulty

Beginner

CEU/CPE

Video Transcription

00:00

Hello and welcome back. We've got some learning objectives to go over with the next section,

00:06

and we're gonna continue the discussion around fundamentals for zero trust picking up at fundamental number three.

00:15

And we will discuss how location or zones on the network shouldn't matter when dealing with trust.

00:22

We'll also look at ze scaler and how they integrate zero trust in their product.

00:27

Z scaler, Private access. Stay tuned. Much more to come.

00:33

Hello and welcome back. Thank you for staying with me.

00:37

We pick up at fundamental number three. Network locality is not sufficient for deciding trust in the network.

00:45

Now, many of us have ordered food right from our smartphones through APS.

00:50

Now, these acts can alert when the driver has entered your neighborhood. Right? But I dare to say that you don't open the door when you know the person's in the neighborhood.

01:00

But rather you wait until that person knocks on your door or rings your doorbell.

01:04

Then you look to the people

01:07

to see the individual. Before you actually greet them

01:11

and received your order.

01:12

You probably wouldn't open the door if the person didn't have a bag in their hand.

01:18

Would you

01:19

now it's not enough that they are standing at your front door. Other attributes must be met before the transaction

01:26

can be complete

01:33

and location shouldn't matter.

01:34

So with traditional network security, you have different zones

01:40

with different levels of trust, and security can become relaxed as you move away from the edge of the perimeter

01:48

into the exit in the D. M Z, for example,

01:51

traffic maybe tightly monitored and controlled. But the trusted zone may not have the same amount of monitoring and controls

01:59

When networks are broken into zones but don't contain fire all rules to allow or deny traffic.

02:05

That network is considered a flat network.

02:07

This means that once on the network, you can access any host on any sub net, no matter what zone they belong to or what zone you resided.

02:19

Also, oftentimes, when rules are created, their only governed by source and destination I p addresses. So we don't have a lot of visibility,

02:29

and we can see on the slide that the traditional network security model places sensitive information in the innermost part of the network.

02:37

But security controls may not be a stringent,

02:40

you know. Oftentimes, leadership will be nervous about placing too much security in these areas due to the risk of reducing availability to important people who need that access.

02:53

You know, the traditional network security architecture can resemble

02:57

how security is reduced while move

03:00

through a stand alone home.

03:02

Let's say that the Internet is the street

03:06

that the house is built on in the garage is the D M Z.

03:12

And keep in mind the house is the network is your domain, right? So the garage is the D M Z.

03:19

The garage has bud lights, cameras, maybe a security sign close by toe warning deter entrance.

03:27

As we move into the trusted zone, we find ourselves in the kitchen or the living room where access becomes a little bit easier. Correct.

03:36

Now the privilege zone can be seen as our master bedroom,

03:40

and most of us keep our PC I or payment card industry data

03:46

and hip A data in this room. Correct?

03:51

No, What I mean by that is your wallet is in your bedroom. Your medical records might be in a fireproof box under your bed,

03:59

but we have no real security in our most trusted areas of our home and our networks. sometimes feel and look the same.

04:09

But how do we change our security inside her home?

04:13

If we allowed Amazon or Walmart to enter our homes to put away groceries,

04:18

you know things would be much different, right? And just like how networks have changed and service's have changed

04:27

in our real life, and not just our logical life

04:30

when it comes to networks are users use devices on the network to access and retrieve information from the Internet, so we must secure the network they reside on differently.

04:46

So this leads me to Z scaler and how they integrated zero trust into there.

04:51

Their solution.

04:54

So these killer is a company that

04:56

has bought into zero trust.

04:59

They have fully embraced that concept,

05:01

and what you see here is a bake off between the scales, private access and traditional VPN.

05:10

Now, traditional VPN, as many of you have experience, can be slow

05:15

after connecting. You have to go through your organization's network and security stack and then back around before the application on file is made available to you.

05:25

And a lot of you have heard the term traversing the network,

05:28

right? So traditional VPN

05:30

it also places are remote users on the network, which can lead to breaches. We talked about it earlier with Home Depot and Target.

05:41

Traditional VPN also allows for inbound connections that could cause issues on the network, such as a distributed denial of service attack.

05:50

Now, with the scale of zero trust approach that ever placed their users on the network. Know inbound connections were made

05:59

and the agent placed on the device. Request access to the APS and the request goes to the Z Scaler Enforcement note

06:08

to check against policies to allow the user device applications

06:13

to broker a secure connection.

06:15

Connections from the user's devices. Never inbound as the connectors, which we can consider a part of the data plane. They simply listen for request to ANAP and publish at based on the control plane policies

06:30

in the Z's Kayla Enforcement note for that user and the device.

06:34

Aziz Scales private access solution isn't always on remote access solution that allows multi factor authentication device posture to limit the scope of what devices can access internal APS and give greater visibility to its operation operators or administrators

06:51

for granular details for troubleshooting issues and security concerns.

06:57

Z Scaler allows operators to create applications segments.

07:00

It's only allow certain users access a subset of APS.

07:05

This is a least privilege approach that could have helped in the case of Target or Home Depot when dealing with the third party vendors.

07:15

What makes these killer private access very different from traditional or legacy,

07:19

is the speed at which a user can access

07:23

outlook. For example,

07:25

while on the road are working from home.

07:28

They don't have to type in credentials. They don't have to go through the extra step that we see with traditional VPN.

07:35

Z scaler is private Access doesn't have a concept of log in in the way traditional VP agents do.

07:44

It provides you with an always on remote access experience.

07:48

Now these girls probably access Solution doesn't provide your laptop or mobile device and i p address that belongs to your organization.

07:57

So you're not placed on the corporate network even though you have the ability to access internal applications like Outlook or a Skype, for example,

08:07

very able to reduce

08:09

on Attackers ability to pivot on your network.

08:13

So by not placing the user's device in the corporate network,

08:16

were reduced in the spread of risk.

08:18

However, If you're using traditional VPN,

08:22

you are inherently trust in that device, which goes against the zero trust model.

08:28

If the device lets a laptop with Windows tennis compromised while using traditional VPN and after connected and gets a corporate I p address, it's placed on the network, right? And if that and if someone wants it to a port scan,

08:41

that attacker can compromise

08:43

another machine. Doing a simple i p con fate right, we can enumerates information. We could find out what sub net were placed on

08:54

and then perform reports can for that sub net

08:56

an attempt to launch other attacks. So the scales private access is using zero trust approach.

09:05

Now, if a compromise Windows 10 laptop using ze scale private access,

09:11

um, is trying to be used to enumerate information