In this Help Net Security interview, Jay Chaudhry, CEO at Zscaler, talks about connecting and securing remote employees and their devices to access organizational resources from any location. He discusses the potential risks of remote VPN access, the increasing reliance on personal devices, and transitioning to a cloud-first model.
We’ll examine the impact of the shifting role of data centers on network strategies, the implementation of a zero-trust security framework, and how 5G networks might further decentralize workplaces
How should CISOs manage the security concerns of employees working remotely and using personal devices to access organizational resources?
Historically businesses have relied on remote access VPNs to allow remote employees to access applications and services on their corporate network. VPNs put users on the corporate network. A user sitting at home or in Sydney, Australia, can access all applications or resources that they could access from their office.
This works well for employees, but if someone steals an employee’s VPN login credentials, they can get on the corporate network, move laterally to find high-value assets and launch a ransomware attack or exfiltrate data. The Colonial Pipeline attack happened this way (stolen VPN credential and then lateral threat movement).
The best way to manage security for remote users is to provide access through a zero trust exchange, which is like a sophisticated phone switchboard where the remote employee is not connected to the corporate network but only to specific applications. This eliminates any lateral threat movement, hence the spread of the attack.
An employee’s personal device or also known as BYOD can cause an even greater risk. The personal device may be infected, and once it is connected to the corporate network, it can move laterally and infect other devices or steal data.
To eliminate the risk created by BYOD, companies should not only do zero trust access to applications but also use a technology called browser isolation which makes BYOD like a VDI (virtual device). Since only pixels are streamed to and from the BYOD device, it eliminates the risk of compromise and data loss.
What steps can organizations take to prevent the exposure and theft of sensitive data in a cloud-first, hybrid workforce model?
In today’s hybrid world, your data is often sitting in public clouds like Azure and AWS, in SaaS applications, in data centers, factories, and on your endpoints. Companies need a holistic approach to securing sensitive data.
As all data leaks to the internet, all internet-bound communication must go thru a zero trust exchange that inspects traffic to identify sensitive data. Large amounts of data sit in SaaS like M365, Salesforce, etc.
Companies need to implement CASB solutions to protect data that may have misconfigurations causing oversharing of data. Companies must inspect SSL or TLS encrypted traffic to ensure that no sensitive data is hidden in the traffic. This requires a proxy architecture, as next-gen firewalls were not designed for it.
How is the shift from the data center being the central hub to merely a destination changing network strategies, and how does that impact security?
The shift away from the data center as the central hub relegates the network to the role of transport within an IT environment. Companies no longer need to build hub and spoke networks to connect branches to their data center.
Every location simply connects to the internet (just like you connect to the Internet from your house). They no longer need to build security gateways with firewalls and VPNs. They use a zero trust exchange to connect users to applications irrespective of where the apps are and where the users are.
How has implementing a zero-trust security framework facilitated the transition of businesses toward a digital work environment?
Companies embracing the cloud can build and deploy applications faster in any of the public clouds. With a zero trust architecture, you don’t need to create your own wide area network to connect branch offices and application locations. Each party simply connects to the internet. This saves tremendous time and money.
Users can securely access any application from anywhere via a globally distributed zero trust exchange. New offices or branches can be set up in days rather than weeks or months. Hence zero trust has made it simpler and more secure for businesses to undergo digital transformation.
How are CISOs transitioning from traditional on-premises security to a cloud-first, zero-trust approach in the banking sector?
They are migrating their application suite from on-premises to the cloud, enabling them to scale to meet the demands of the business.
Using zero trust security, they are sending Internet and application traffic direct from each office over the Internet rather than backhauling it through their data center, delivering a better user experience and lower cost. With zero trust, they are also reducing their attack surface as they are hiding their apps behind the zero trust exchange.
Given the potential of 5G networks to decentralize workplaces further, how should security teams prepare their security and networking infrastructure to handle this change?
5G will make high-speed access available to users everywhere. Its high throughput will make it easier to steal large amounts of data in a short amount of time. Companies that depend upon network security (means securing their network) using firewalls and VPNs will face higher risks with 5G.
Companies that implement zero trust architecture and phase out firewalls and VPNs will be in a good position. Zero trust architecture treats the network simply as plumbing, merely as the transport, as users are not connected to the network. Once you implement zero trust architecture, you don’t have to worry about the type of network – it may be 4G or 5G, or Starlink, and enterprises will be safe.