Why would you ever let someone connect from the outside to your corporate network? Well, historically you had to, in order to give partners or your own remote users access to applications and data. But why do that, when you should only allow access to the applications that the corresponding person is meant to see? Do you connect to the Salesforce network when you want to use Salesforce?
Nowadays, your users are more and more remote and mobile, and applications are moving from your own datacenter to the cloud. The Internet becomes your corporate network. The question is how to implement network security in this scenario, and how to achieve a zero trust model. Well, the good news is: a new cloud-based service called Zscaler Private Access (ZPA) enables you to provide access to your private and key corporate applications without ever connecting the user to the network. Users can access your applications in a transparent, secure and fast way – independently of location, device and network.
Gartner calls this Software Defined Perimeter (SDP) and Gartner reported in November 2017: “By 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of SDP”.
What’s wrong with VPN?
VPN brings connectivity for the users and enables them to access private applications securely. However, it does this by connecting the user to the network. Why would you ever want partners or your own users to share your corporate network when they just need to access a small set of applications? This way your network or some of its elements are exposed to the Internet and might become a target for attacks. And because access to applications requires the user to be on the network, they can laterally scan other resources and exploit vulnerabilities.
VPN also forces a user to connect to a single location for access – the user over a VPN is locked into the location where the VPN tunnel is terminated. This does not make sense anymore when you have applications spread all over your datacenters and in the cloud. Why would you force a remote user to connect to the corporate network only to have them go back out to Microsoft Azure or AWS? VPN was created in the 90s, when users and applications were all in-house and only a few partners and users required remote access.
Not to forget, there are always complaints when it comes to user experience. VPN solutions tend to be clumsy and slow.
Bring the Darknet to your Enterprise
I like the analogy brought up by Nathan Howe, ZPA architect at Zscaler. The term “Darknet” was created in the 70s to describe networks isolated from the Internet. The idea behind it was to protect sensitive information by making the network invisible and preventing inbound inquiries. Bringing the Darknet to your enterprise means that your IT infrastructure is completely inaccessible to anyone who is not authorized to see it.
Nathan and one of the first global ZPA customers described this analogy in an Internet post in December 2018: They compare traditional network access with standing in the middle of a residential street. You can see everything, individual houses (applications), buildings (data centers), yards (network segments) and cross streets (other networks). You can even walk up, touch building doors (ports) and try to open them and go on. Trusting people and providing them with access to your network increases your attack surface by far. You have to build locks (passwords) and put multiple fences or gates (firewalls) around houses to protect them. Obviously, this makes it harder for the bad guys, but they can still see the houses and see into your windows. Wouldn’t it be wonderful if people could only see what they are meant to?
Let’s bring the Darknet to your enterprise and stop worrying about DDoS protection or the next Heartbleed vulnerability. The message is pretty simple: you cannot attack what you cannot see. And that’s what ZPA is all about.
For Secure Application Access, there is a new kid in town
The Zscaler Cloud brings two things together: the user (who runs a Zscaler agent on their device) and the application, reached via a connector – a VM that runs in your own datacenter or in a cloud environment. The user is only connected to the application – never to the network. The Zscaler Cloud operates like a switchboard between a caller and a call receiver.
Authentication works via SAML (e.g. ADFS), the Zscaler Cloud holds the policy that determines which users are allowed to see which applications, and the user experience is promised to be very good: always-on, transparent, fast and secure. Security-aware customers can bring their own keys for double encryption of the tunnels.
As a nice side-effect, and heavily marketed by Zscaler, your requirements regarding load balancing, DDoS protection or even internal firewalls for network segmentation are reduced to a minimum. There are many interesting use cases for ZPA, starting with pure partner access and M&A acquisitions and extending to cloud migration scenarios and VPN replacement. You may still need VPN for site-to-site connections. However, Zscaler has promised to cover this case in the very near future as well…
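To make the switchboard idea concrete, here is a small Python model I added for this post; it is not Zscaler code and not how ZPA is implemented. A broker holds an application-to-group policy, connectors register the applications they front (keeping the internal addresses to themselves), and a client can only ask for an application by name. A forbidden application and a non-existent one get the same answer, which is the “you cannot attack what you cannot see” property expressed in code. All names, groups and addresses are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """What the SAML IdP (e.g. ADFS) asserts about the user after login."""
    user: str
    groups: frozenset


@dataclass
class Connector:
    """Runs next to the apps and dials OUT to the broker; it never listens inbound.
    'apps' maps an application name to its internal address, which stays here."""
    site: str
    apps: dict


class Broker:
    """The switchboard: pairs an authenticated user with one application, never with a network."""

    def __init__(self, policy):
        self.policy = policy      # application name -> set of groups allowed to reach it
        self.connectors = {}      # application name -> Connector that fronts it

    def register(self, connector):
        for app in connector.apps:
            self.connectors[app] = connector

    def request(self, identity, app):
        """Return a session handle or None. The client names an app, never an IP/port,
        so there is nothing to scan, and an unknown app looks exactly like a forbidden one."""
        if not identity.groups & self.policy.get(app, set()):
            return None
        connector = self.connectors.get(app)
        if connector is None:
            return None
        # The handle carries no network detail; the broker stitches the two legs together.
        return f"session:{identity.user}->{app}@{connector.site}"


def build_demo():
    """Constructed sample setup: two sites, three apps, a partner/employee policy."""
    broker = Broker(policy={
        "partner-portal": {"partners", "employees"},
        "hr-db": {"employees"},
        "erp": {"employees"},
    })
    broker.register(Connector("dc-zurich", {"hr-db": "10.0.5.20:1433", "erp": "10.0.7.8:443"}))
    broker.register(Connector("aws-eu", {"partner-portal": "172.31.4.9:443"}))
    return broker
```

Note that a network VPN would have to reproduce the `partners`-may-not-reach-`hr-db` rule with firewall rules on the network path; in the broker model the rule is the only thing that exists, and there is no path to filter.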
Let a client-VPN leader rise to speak
For traditional client-VPN I strongly recommend Pulse Secure. The solution is very stable, very flexible and comes with an intuitive and seamless user experience. Pulse Secure is a highly mature product that meets the requirements of customers of every size and industry.
So, what do the people at Pulse Secure think about the new approach from Zscaler? First, they argue that the advantages Zscaler claims for itself can also be achieved with their own solution. Pulse Secure can restrict access to specific applications by making use of the Secure Application Manager, which provides per-app VPN capability. They confirm that hybrid and multi-cloud are the standard modes of deployment now. Obviously, Pulse Secure covers these scenarios as well, with a product called Cloud Secure.
Further, they argue that they are much stronger when it comes to device compliance and multiple controls on the end-user sessions. ZPA does not check for device compliance status and offers less flexibility when it comes to the level of secure access. By offering both strict access and moderate security enforcements, Pulse Secure has a strong and flexible offering to meet the requirements from customers across all industries. In their brand new agent version 1.5, Zscaler added a few more posture tests covering a set of criteria that a user’s device must meet in order to access applications with ZPA.
However, Pulse Secure admits that Zscaler provides a unique selling point when it comes to their user- and application-centric dashboard.
In the end, the customer decides
There is a leading retailer in Switzerland who decided on ZPA in 2018. Why? There were mainly two reasons. First, they were not happy with their current client-VPN (not Pulse Secure): many user complaints, too complicated, too slow. Second, they had been following a cloud-first strategy for a few years and came to the conclusion that this strategy is difficult to fulfill with traditional VPN.
Now they are at the final steps of the migration, and the users’ feedback is very good so far. The main obstacles in the roll-out process were several issues with macOS. Their final goal is to have ZPA rolled out on all corporate devices – even on mobile phones and tablets. The customer is very happy with its choice. ZPA is invisible, always-on, cloud-ready and their first step towards zero trust.
Finally, what do I recommend?
In the last 12 months I have gained some initial experience with ZPA PoCs, implementations and rollouts. This new approach to accessing applications looks very promising to me, and in my experience CISOs love it, as do IT managers with an affinity for the cloud.
Of course, by using ZPA you have to trust Zscaler and their cloud platform – in particular when it comes to availability and performance. This is largely a matter of capacity planning and scalability, and Zscaler has a proven track record here. They have been delivering a cloud platform for secure internet access since around 2006, with now 100+ datacenters world-wide and more than 60 billion transactions processed each day.
The Zscaler App – an agent software for all kinds of devices – is a prerequisite for running ZPA. As with any endpoint software, some issues may come up in a PoC. For existing Zscaler customers with the Zscaler App already deployed, ZPA is definitely a good option. The same applies to customers with a cloud (first) strategy. When applications will be spread all over your datacenters and the cloud, ZPA is a very good option. The Zscaler cloud platform is an enabling technology for the secure cloud transformation of an enterprise.
As Gartner already reported in late 2017, software defined perimeter is a strong bet for the future, and ZPA is definitely in a very good position to win relevant market share. The product is strategic to Zscaler and it will definitely develop further. However, potential customers must be aware that the costs for ZPA are higher than for traditional client-VPN solutions.
On the other side, client-VPN is a mature technology, it just works and it is cost-efficient. For a traditional remote access project, VPN based on a leading product like Pulse Secure might be a very good option as well.
Links – German content only:
More information on Zscaler ZPA: https://www.avantec.ch/loesungen/zscaler/zscaler-private-access/
More information on Pulse Secure VPN: https://www.avantec.ch/loesungen/pulse-secure/
Mark Stäheli
Mark Stäheli is Co-CEO at AVANTEC AG and has been working in IT security for almost 20 years. Mark studied computer science with a focus on cryptography and IT security. Despite the daily stream of bad cyber news he does not succumb to paranoia, keeps a pragmatic view of the subject and enjoys advising companies on the sensible and economical use of IT security solutions.