Presented by Zscaler

For the past three decades, organizations have been building and optimizing complex, wide-area, hub-and-spoke networks, connecting users and branches to the data center over private networks. To access an application, users had to be on the trusted network. These hub-and-spoke networks were secured with stacks of appliances, such as VPNs and firewalls, in a “castle and moat” security architecture. This served organizations well when their applications resided in their data centers, but today, users are more mobile than ever, and securing them can be a challenge.

Organizations are driving digital transformation — embracing cloud, mobility, AI, IoT and OT technologies to become more agile and competitive. Users are everywhere, and data and applications no longer sit in data centers. For fast and productive collaboration, they want direct access to apps from anywhere at any time. Given this, it doesn’t make sense anymore to route traffic back to the data center to securely reach these applications in the cloud.

All this is why organizations are moving away from hub-and-spoke networks in favor of direct connectivity to the cloud, using the internet as the new network.

Perimeter-based security has failed to address the needs of modern business

Traditional hub-and-spoke networks put everything in the network — users, applications, and devices — onto one flat plane. While this allows your users to access applications easily, it gives that same easy access to any infected machine. Unfortunately, as cyberattacks become more sophisticated and users work from everywhere, perimeter-based security using VPNs and firewalls fails to secure the network or deliver a good user experience.

As a result, cyberattackers can breach organizations and inflict substantial harm in four steps:

Step 1: They find your attack surface. Every internet-facing firewall — whether in a data center, cloud or branch — is an attack surface that can be discovered and exploited.

Step 2: They compromise you. Attackers bypass conventional detection and enter the network through the attack surface (e.g., VPN, firewall) or by enticing users with malicious content.

Step 3: They move laterally. Once inside, attackers move laterally throughout the network, locating high-value targets for ransomware and other attacks.

Step 4: They steal your data. After exploiting high-value assets, they leverage trusted SaaS, IaaS, and PaaS solutions to set up backchannels and exfiltrate the data.

Introducing zero trust architecture

Legacy network and security architectures pose some pervasive, long-standing challenges that require us to rethink how connectivity is granted in our modern world. To realize the vision of a secure hybrid workplace, organizations need to move away from castle-and-moat security and toward a zero trust architecture that secures fast, direct access to applications anywhere, at any time.

Zero trust begins with the assumption that everything on the network is hostile or compromised, and access to an application is only granted after user identity, device posture and business context have been verified and policy checks enforced. In this model, all traffic must be logged and inspected, requiring a degree of visibility that traditional security controls cannot offer.

A zero trust architecture is expressly designed to minimize the attack surface, prevent lateral movement of threats and lower breach risks. It’s best implemented with a proxy-based architecture that connects users directly to applications instead of the network, so that additional controls can be applied before connections are permitted or blocked.

To ensure no implicit trust is ever granted, a successful zero trust architecture subjects every connection to a series of controls before establishing a connection. This is a three-step process:

  1. Verify identity and context. Once the user, workload or device requests a connection, the zero trust architecture first terminates the connection and then determines who is connecting, what the context is and where they are going.
  2. Control risk. The zero trust architecture then evaluates the risk associated with the connection request and inspects the traffic for cyberthreats and sensitive data.
  3. Enforce policy. Finally, policy is enforced on a per-session basis to determine what action to take regarding the requested connection.
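The three-step flow above can be made concrete as a small per-session decision function. The following is an added illustration, not Zscaler's code or a description of how the Zero Trust Exchange is implemented; the user groups, application policy table, allowed-country set and risk weights are constructed assumptions chosen only to show how identity, context, inline inspection results and application policy combine into one logged allow/block decision per connection.

```python
"""Per-session zero trust decision flow: verify identity and context,
assess risk, enforce policy. Every decision is written to an audit log."""
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed, hypothetical identity store: which groups each user belongs to.
USER_GROUPS = {
    "alice": {"staff", "hr"},
    "bob": {"staff"},
}

# Constructed, hypothetical application policy: who may reach the app,
# whether a managed device is required, and the maximum risk score tolerated.
APP_POLICY = {
    "hr-payroll": {"groups": {"hr"}, "managed_only": True, "max_risk": 30},
    "wiki": {"groups": {"staff"}, "managed_only": False, "max_risk": 60},
}

# Constructed assumption: countries from which sessions carry no extra risk.
ALLOWED_COUNTRIES = {"US", "DE"}


@dataclass(frozen=True)
class ConnectionRequest:
    user: str
    mfa_verified: bool       # identity was strongly verified for this session
    device_managed: bool     # device posture: enrolled and managed
    device_patched: bool     # device posture: up to date
    country: str             # context: where the request comes from
    app: str                 # context: where the request is going
    threat_detected: bool = False   # result of inline content inspection
    sensitive_data: bool = False    # result of inline data-loss inspection


@dataclass
class Decision:
    action: str   # "allow" or "block"
    risk: int
    reason: str


AUDIT_LOG: list = []


def verify_identity_and_context(req: ConnectionRequest) -> Optional[str]:
    """Step 1: establish who is connecting, from what, and where to.
    Returns a denial reason, or None when identity and context check out."""
    if req.user not in USER_GROUPS:
        return "unknown identity"
    if not req.mfa_verified:
        return "identity not strongly verified"
    if req.app not in APP_POLICY:
        return "unknown destination application"
    return None


def assess_risk(req: ConnectionRequest) -> tuple:
    """Step 2: score the session from device posture and context, and apply
    inline inspection results. Returns (risk_score, hard_stop_reason_or_None)."""
    if req.threat_detected:
        return 100, "malicious content detected in session"
    if req.sensitive_data:
        return 100, "sensitive data detected leaving via this session"
    risk = 0
    if not req.device_managed:
        risk += 30
    if not req.device_patched:
        risk += 20
    if req.country not in ALLOWED_COUNTRIES:
        risk += 25
    return risk, None


def enforce_policy(req: ConnectionRequest) -> Decision:
    """Step 3: combine identity, risk and application policy into one
    per-session decision. Nothing is trusted implicitly; the decision is logged."""
    denial = verify_identity_and_context(req)
    if denial:
        decision = Decision("block", 100, denial)
    else:
        risk, hard_stop = assess_risk(req)
        policy = APP_POLICY[req.app]
        if hard_stop:
            decision = Decision("block", risk, hard_stop)
        elif not (USER_GROUPS[req.user] & policy["groups"]):
            decision = Decision("block", risk, "user not entitled to application")
        elif policy["managed_only"] and not req.device_managed:
            decision = Decision("block", risk, "application requires a managed device")
        elif risk > policy["max_risk"]:
            decision = Decision("block", risk, f"session risk {risk} exceeds {policy['max_risk']}")
        else:
            decision = Decision("allow", risk, "policy satisfied")
    AUDIT_LOG.append({**asdict(req), **asdict(decision)})
    return decision


if __name__ == "__main__":
    print(enforce_policy(ConnectionRequest("alice", True, True, True, "US", "hr-payroll")))
    print(enforce_policy(ConnectionRequest("bob", True, False, False, "BR", "wiki")))
```

The ordering matters: identity is settled before any risk scoring, inspection findings override the numeric score, and the application's own policy (entitlement, device requirement, risk ceiling) is the last gate, so a user who is entitled to an application can still be blocked on a given session when posture or context raises the risk above what that application tolerates.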

The Zscaler Zero Trust Exchange: The one true zero trust platform

Zscaler is a pioneer in zero trust security, helping organizations worldwide secure their digital transformation with the Zscaler Zero Trust Exchange. This integrated platform of services delivers comprehensive cyberthreat protection and connectivity capabilities that enable organizations of all sizes to achieve a fast, reliable and easy-to-manage zero trust architecture while avoiding the costs and complexity of point products.

Become a zero trust expert

Learn about the core principles of zero trust and grow your career with the Zscaler Zero Trust Certified Architect program. ZTCA is the industry’s first comprehensive zero trust certification, designed to help network and security professionals build and implement zero trust strategy in their organizations.

Sign up today at Get Zero Trust Certified.

Amit Chaudhry is Senior Director, Product and Portfolio at Zscaler.

Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact