by Chris Hines, Head of Product Marketing - Zscaler Private Access and Z App
Gartner predicts that by 2023, 60% of enterprises will phase out most of their remote access Virtual Private Networks (VPNs) in favour of Zero Trust Network Access (ZTNA) solutions. The Gartner team further predicts that 40% will have adopted ZTNA for uses besides VPN replacement, such as enabling third-party access, multi-cloud access, and activities around mergers and acquisitions or divestitures.
ZTNA, often referred to as Software-Defined Perimeter (SDP) services, provides seamless and secure connectivity to private applications without ever placing users on the network or exposing apps to the internet. As the name implies, the technology is driven by the need for organizations to embrace a zero trust security model built for mobility and a cloud-first world: a model that delivers security based on the user and the application, not the IP address, regardless of location and device.
IP addresses were built for connectivity, not security, and are thus inherently weak security identifiers (shocker, I know). Even so, they continue to be used as a means of network connectivity. Using IP addresses is problematic because their inherent default “allow” posture leads to implicit trust, which can then be abused by nefarious actors. As organizations realized that they needed a demarcation point where their corporate network could connect to the internet, they began to deploy firewalls, which led to massive firewall adoption over the last 30 years.

Why any of this matters to you

ZTNA technologies expose why the concept of “trusted” and “untrusted” is flawed and, furthermore, render all those inbound gateway firewalls obsolete. This is because the idea of zero trust nullifies the concept of “trusted” altogether. Additionally, treating external systems as “untrusted” and blocking them by default worked well enough in the early days, but it now forces organizations to use remote access VPNs and DMZs to allow external users to connect to apps on the network. Think about this for a second. VPNs tunnel holes past firewalls and allow for connections to the internal network. DMZs make private apps accessible not only to the good guys but expose them to the bad actors as well. WAFs can’t secure against this either. Oops.
As the number of private apps that run in multi-cloud or hybrid environments increases, along with the number of employees and third-parties connecting from devices located outside the classic perimeter, security will become increasingly difficult if attempted with legacy technologies. More appliances will be required to keep up with demand, leading to more exposed IP addresses. User experience will suffer as a result of backhauling and unnecessary hops. ZTNA provides an opportunity for enterprise teams to solve both challenges.
Like all new technologies, ZTNA looks to one-up these legacy approaches, not by simply making them better or “always-on,” but by bucking the concept altogether. ZTNA frees organizations from the grip of legacy VPN inbound gateway stacks and FW appliances. Instead of allowing access based on IP address, ZTNA uses simple policies hosted in the cloud that are globally distributed but enforced locally. They provide visibility and grant access to private apps only to the specific users authorized to view them, and never to the internal network. All access is contextual. ZTNA effectively makes the internet the new corporate network, creating end-to-end encrypted micro-tunnels that create a secure segment of one between a user and an application (aka micro-segmentation). Admins can even discover previously unknown applications and set granular access controls for them.
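To make the contrast between IP-based and identity-based access concrete, here is an added example (not code from the original post or from any ZTNA vendor) that puts a legacy source-address ACL beside a ZTNA-style, default-deny policy keyed on user, group, device posture and the specific application. The subnet, group names, application names and addresses are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Tuple

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    device_managed: bool   # device posture reported by the client agent
    mfa: bool              # user completed multi-factor authentication
    source_ip: str
    app: str               # the private application being requested

# Legacy model (constructed): a firewall rule that trusts a whole corporate subnet.
LEGACY_TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def legacy_firewall_decision(req: AccessRequest) -> bool:
    """Allow if the packet comes from a 'trusted' address; identity plays no part."""
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in net for net in LEGACY_TRUSTED_NETS)

# ZTNA-style policy (constructed): per-application rules; anything unlisted is denied.
ZTNA_POLICY = {
    "hr-portal": {"groups": {"hr"}, "managed_device": True, "mfa": True},
    "wiki": {"groups": {"employees", "contractors"}, "managed_device": False, "mfa": True},
}

def ztna_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Grant access to one application only, based on who is asking and on what
    device, never on where the request comes from."""
    rule = ZTNA_POLICY.get(req.app)
    if rule is None:
        return False, "no policy for this app: default deny"
    if not (req.groups & rule["groups"]):
        return False, "user is not in an authorized group"
    if rule["managed_device"] and not req.device_managed:
        return False, "managed device required"
    if rule["mfa"] and not req.mfa:
        return False, "MFA required"
    return True, f"authorized for {req.app} only (no network access)"

def compare(req: AccessRequest) -> Tuple[bool, bool]:
    """Return (legacy_allow, ztna_allow) for the same request."""
    return legacy_firewall_decision(req), ztna_decision(req)[0]

if __name__ == "__main__":
    # A compromised host on the 'trusted' subnet with no authenticated user behind it.
    on_subnet = AccessRequest("", frozenset(), False, False, "10.20.5.7", "hr-portal")
    # An HR employee working remotely from a managed, MFA-verified laptop.
    remote_hr = AccessRequest("alice", frozenset({"hr", "employees"}), True, True,
                              "198.51.100.23", "hr-portal")
    for req in (on_subnet, remote_hr):
        print(req.source_ip, req.app, "legacy/ztna:", compare(req), ztna_decision(req)[1])
```

The legacy rule says yes to anything on the subnet and no to the legitimate remote employee; the ZTNA policy inverts both outcomes and, even on a grant, scopes the result to a single application rather than the network.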
ZTNA technologies are generating a lot of buzz, but not all solutions are created equal, which raises the question: what should enterprises consider as they look to adopt ZTNA? To be objective, I will defer to Gartner on this.

Eight considerations for ZTNA

In Gartner’s recent Market Guide on Zero Trust Network Access, Steve Riley, Neil MacDonald, and Lawrence Orans outline several things to think about when choosing a ZTNA solution. Below, I list those I think enterprises should prioritize:
by Amit Sinha, CTO and Executive Vice President of Engineering and Cloud Operations at Zscaler
In the last few years, we have witnessed a renaissance in machine learning (ML) and artificial intelligence (AI). AI broadly refers to the ability of machines to "think" like humans and perform tasks considered "smart," without explicitly being programmed to do so. ML is a subset of AI. ML algorithms build a mathematical model based on training data, and they leverage the model to make predictions when new data is provided. For example, a computer-vision ML model can be trained with millions of sample images that have been labeled by humans so that it can automatically classify objects in a new image.
AI and ML principles have been around for decades. AI's recent surge in popularity is a direct result of two factors. First, AI/ML algorithms are computationally intensive, and the availability of cloud computing has made it feasible to run them practically. Second, training AI/ML models requires massive amounts of data. The availability of big data platforms and digital data has improved the effectiveness of AI/ML, making it better than humans in many applications.
Cybersecurity is a promising area for AI/ML. In theory, if a machine has access to everything you currently know is bad, and everything you currently know is good, you can train it to find new malware and anomalies when they surface. In practice, there are three fundamental requirements for this to work. First, you need access to data -- lots of it. The more malware and benign samples you have, the better your model will be. Second, you need data scientists and data engineers to be able to build a pipeline to process the samples continuously and design models that will be effective. Third, you need security domain experts to be able to classify what is good and what is bad and be able to provide insights into why that is the case. In my opinion, many companies touting AI/ML-powered security solutions lack one or more of these pillars.
A core principle of security is defense in depth. Defense in depth refers to having multiple layers of security and not relying on just one technology (like AI/ML). There is hype around the ability of new AI/ML-powered security endpoints that claim to “do it all.” But if you want to protect a user from cyber threats, you need to make sure all content the user accesses is scanned, and you have to keep the user’s system patched and up to date. Scanning all files before allowing download requires the ability to intercept SSL-encrypted communications between the user’s client and the destination server. Otherwise, the scanner will be blind to it. Scanning all files takes time and can introduce latency, resulting in user experience issues. As such, quickly blocking the obviously bad stuff and immediately allowing already-white-listed stuff is a good way to balance security with user experience.
Once known threat intelligence has been applied and no verdict is available, we enter the realm of unknown threats, also known as zero-day threats. Zero-day threats don’t have known, recognizable signatures. Sandboxing is used to analyze such unknown threats. Sandboxing involves installing a suspicious file in a virtual machine sandbox that mimics the end user’s computer and then determining if the file is good or bad based on its observed behavior. This process – during which the user’s file is quarantined – can take several minutes. Users love instant gratification, and they hate waiting. A properly-trained AI/ML model can deliver a good or bad verdict for such files in milliseconds. New attacks often use exploit kits, and they may borrow delivery and exfiltration techniques from previous attacks. AI/ML models can be trained to detect these polymorphic variants.
An important consideration when using AI/ML for malware detection is the ability to provide a reasonable explanation as to why a sample was classified as malicious. When a customer asks why a file was blocked, the answer cannot be “because our AI/ML said so.” Having security domain experts who understand what attributes or behaviors got triggered and who are able to analyze false positives/negatives is important — not just for understanding why a certain prediction was made, but to iteratively improve model prediction accuracy.
When it comes to training AI/ML models, a popular debate is whether “supervised” or “unsupervised” learning should be used. Supervised learning is based on labeled data and features extracted to derive a prediction model. For malware, this means human experts classify each sample in the data set as good or bad, and feature-engineering is performed to determine what attributes of the malware are relevant to the prediction model prior to training. Unsupervised learning gleans patterns and determines structure from data that is not labeled or categorized. Unsupervised learning proponents claim that it is not limited by the boundaries of human classification and remains free from feature-selection bias. However, the effectiveness of fully unsupervised learning in security still needs to be proven at scale. With unsupervised models, it can also be hard to explain why something was marked good or bad.
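The four preceding paragraphs describe a layered file-verdict pipeline: known-bad and allow-listed content decided instantly, an ML model giving a millisecond verdict on unknowns, the sandbox reserved for what remains ambiguous, and a human-readable explanation for every ML decision. The following is an added example (not Zscaler's code and not a production classifier) that wires those pieces together with only the Python standard library: a supervised logistic-regression model trained by gradient descent on a constructed, hand-labelled sample set over hypothetical expert-chosen features, and a triage function that applies the layers in order and reports which features drove the score. The hashes, feature names, labels and thresholds are all constructed assumptions.

```python
import hashlib
import math
from typing import Dict, List, Tuple

# Constructed threat intelligence: SHA-256 of one known-bad sample and one
# allow-listed file (hypothetical; a real feed holds millions of entries).
KNOWN_BAD = {hashlib.sha256(b"constructed malicious dropper").hexdigest()}
ALLOW_LIST = {hashlib.sha256(b"constructed signed installer").hexdigest()}

# Feature engineering: binary attributes a domain expert picked as relevant (hypothetical).
FEATURES = ["entropy_high", "has_macro", "packed", "suspicious_imports", "signed"]

def make_features(*bits: int) -> Dict[str, int]:
    return dict(zip(FEATURES, bits))

# Constructed, human-labelled training set: 1 = malicious, 0 = benign.
TRAINING: List[Tuple[Dict[str, int], int]] = [
    (make_features(1, 1, 1, 1, 0), 1), (make_features(1, 0, 1, 1, 0), 1),
    (make_features(0, 1, 0, 1, 0), 1), (make_features(1, 1, 0, 0, 0), 1),
    (make_features(0, 0, 0, 0, 1), 0), (make_features(0, 0, 0, 0, 0), 0),
    (make_features(1, 0, 0, 0, 1), 0), (make_features(0, 1, 0, 0, 1), 0),
]

def _sigmoid(z: float) -> float:
    z = max(-60.0, min(60.0, z))  # clamp so math.exp cannot overflow
    return 1.0 / (1.0 + math.exp(-z))

def score(x: Dict[str, int], w: Dict[str, float], b: float) -> float:
    return _sigmoid(b + sum(w[f] * x[f] for f in FEATURES))

def train_logistic(samples, epochs: int = 3000, lr: float = 0.5):
    """Supervised learning: stochastic gradient descent on the log-loss."""
    w = {f: 0.0 for f in FEATURES}
    b = 0.0
    for _ in range(epochs):
        for x, y in samples:
            err = score(x, w, b) - y          # d(log-loss)/d(score)
            for f in FEATURES:
                w[f] -= lr * err * x[f]
            b -= lr * err
    return w, b

def explain(x: Dict[str, int], w: Dict[str, float]) -> List[Tuple[str, float]]:
    """Per-feature contribution to the score for features present in the sample,
    largest magnitude first: the 'why' behind a verdict."""
    contribs = [(f, w[f] * x[f]) for f in FEATURES if x[f]]
    return sorted(contribs, key=lambda fc: -abs(fc[1]))

def triage(content: bytes, x: Dict[str, int], model, block_at: float = 0.9,
           allow_at: float = 0.1) -> Dict[str, object]:
    """Layered verdict: cheap hash lookups first, then the ML model; only the
    inconclusive band is quarantined for the slow sandbox."""
    w, b = model
    digest = hashlib.sha256(content).hexdigest()
    if digest in KNOWN_BAD:
        return {"verdict": "block", "reason": "known-bad hash", "evidence": []}
    if digest in ALLOW_LIST:
        return {"verdict": "allow", "reason": "allow-listed hash", "evidence": []}
    p = score(x, w, b)
    evidence = explain(x, w)
    if p >= block_at:
        return {"verdict": "block", "reason": f"ML score {p:.3f}", "evidence": evidence}
    if p <= allow_at:
        return {"verdict": "allow", "reason": f"ML score {p:.3f}", "evidence": evidence}
    return {"verdict": "sandbox", "reason": f"ML score {p:.3f} inconclusive; quarantine and detonate",
            "evidence": evidence}

MODEL = train_logistic(TRAINING)

if __name__ == "__main__":
    samples = [
        (b"constructed malicious dropper", make_features(0, 0, 0, 0, 0)),
        (b"constructed signed installer", make_features(0, 0, 0, 0, 0)),
        (b"unknown file A", make_features(1, 1, 1, 1, 0)),   # packed, macro, odd imports
        (b"unknown file B", make_features(0, 0, 0, 0, 1)),   # plain signed binary
        (b"unknown file C", make_features(1, 0, 0, 0, 0)),   # high entropy alone
    ]
    for content, feats in samples:
        r = triage(content, feats, MODEL)
        print(content.decode(), "->", r["verdict"], "|", r["reason"], "|", r["evidence"][:2])
```

The order of the checks is the point of the first paragraph: the two hash lookups cost nothing and settle the obvious cases, the model settles most of the rest in microseconds, and the sandbox only ever sees the inconclusive band. The evidence list is what an analyst would hand back instead of "because our AI/ML said so", and inspecting it on false positives is how the feature set and labels get revised for the next training run.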
Some classes of security challenges are better suited for AI/ML than others. Phishing detection, for example, has a significant visual component. An adversary will use logos, images and other “look-and-feel” elements to make a fake website look like its legitimate counterpart. Significant advances in AI/ML vision algorithms have resulted in the ability to apply techniques to detect fake websites designed to trick unsuspecting users. AI/ML algorithms can also be used for detecting anomalous user behavior, learning a baseline of what a user normally does and flagging when there is a significant departure from the norm.
When trained properly by experts with data science and cybersecurity expertise, AI/ML can be an important addition to the cybersecurity defense-in-depth arsenal. However, we are still far away from naming AI/ML the panacea for preventing all cyber threats.