Decreasing Attack Surface with a Zero Trust Framework

25/11/2019

by Stuart Hardy, MD of zafrica

In the past few weeks we’ve seen a spate of DDoS attacks against prominent service providers and enterprise companies, bringing unnecessary network exposure into the spotlight once again. Given that these attacks can and will increase over time, limiting the attack surface has now become a top priority for any organisation. A zero trust security framework is designed to combat these threats.
 
There is little doubt about the transformative benefits of using Cloud for business application delivery. But while the strategy to drive application delivery to the Cloud is well underway, a lot of companies are inadvertently increasing the attack surface of their network by doing so.
 
Connecting networks to private Cloud IaaS necessitates publishing IP addresses to expose the network and build network connections using IPsec. Unfortunately, these addresses reveal the network to the world, creating easy targets for hackers who constantly look for vulnerabilities in networks, as was recently the case for the City of Joburg.
 
What is Zero Trust?
 
Essentially, zero trust centres on strong user identity, device health verification, validation of application health, and secure, least-privilege access to corporate resources and services. Read how Microsoft has implemented a Zero Trust security model.
 
There is at least one company delivering a zero trust application access framework that eliminates the attack surface for organisations - and that’s Zscaler. They do this by making all applications and network connections dark for DC and public/private cloud access utilising Zscaler Private Access (ZPA).
 
Basically, ZPA takes into consideration every requirement for delivering a secure network architecture in the face of modern challenges: growing mobility and cloud application delivery. Think of it as a modern-day version of an age-old process (remote VPN, NNI).
What are the benefits of implementing ZPA’s zero trust network:
  • ZPA establishes inside-out connections from branches, users, DCs and Cloud, removing the attack surface. The network and related applications become dark - you can’t attack what you can’t see.
  • Users no longer connect to the network. Instead, they connect to ZPA’s policy broker, which determines user application access rights. Access is only stitched together once the user is verified and the user policy determined.
  • Define granular policies based on specific users and applications. Global policies determine which users can connect to which applications. You are able to segment access by application without network segmentation, resolving the need for third party access. Admin creates and manages access for users, user groups, applications and application groups.
  • Application segmentation, not network segmentation. You can limit or eliminate lateral movement and manage third party and business-to-business access through policy enforcement.
  • Strong identity verification. Supports dual factor authentication and delivers multi-factor authentication. Enroll devices (workstations, mobile smartphones). Verify device health. Supports multiple IdPs for third party and business-to-business access.
  • Connect DC to private Cloud and replace NNI. You can deliver policy-based and secure Internet connections between Cloud workloads and business-to-business connections. TLS provides stronger security and greater bandwidth scalability than IPsec.
  • Increased visibility of user and application access. Discover unknown applications running in cloud, display user and app data by name, and view health of applications and servers. Have visibility into all devices connecting to applications and be able to view past and real-time application access.
  • Delivers fast performance. Provides a consistent user experience for DC and cloud applications whilst reducing network complexity and bottlenecks.
 
Zscaler Private Access (ZPA) makes redundant a wide range of network devices and solutions (remote VPN, IP Sec, NNI, B2B, and Partner access), while improving security, user and application visibility and performance.
 
For more information contact Stuart Hardy.