Companies and organizations are increasingly bringing IT services to the cloud. This also means that they expect more and more from the security for these services and the various platforms. Cloud security is, therefore, a growth market and specialized companies such as Zscaler are responding to this. Techzine spoke with Zscaler’s Solutions Architect Nathan Howe about why companies are increasingly switching to cloud-based security and what this will mean for the future of the VPN connections that are still widely used today.
Many companies and organizations are transferring their IT services to the cloud, or in many cases have already done so. Not only are they increasingly using an as-a-service model, but they are also transferring all their data and workloads to one of the major cloud platforms.
The move to the cloud also has an impact on the security of all these services, data and workloads. As a result, companies and organizations are increasingly looking at how all connections to the various cloud environments and their assets are secured. Of course, they are often dependent on the service provider in question and the security to be provided by this party. As an alternative, they can, of course, run all cloud services via their own data center and secure them with, among other things, a firewall application.
Neither of these two alternatives is usually the most efficient. Companies – and of course, their employees – are working increasingly internationally. This means that access to these cloud services and applications must be possible anytime, anywhere. With traditional ‘hub & spoke’ network architectures, in which all traffic is backhauled through a central site, this can lead to latency. As a result, the desired cloud services or applications cannot always work properly, with all the consequences that this entails.
The usefulness of cloud security
A security company such as Zscaler is a good response to this, as we wrote last year. These types of IT vendors offer services in which the security is entirely focused on cloud services and associated applications; from accessing and securing the services and applications to, of course, also the underlying data and workflows.
According to Zscaler Solutions Architect Nathan Howe, more and more companies see the benefits of cloud security. According to him, the main reason for this is that companies want to use cloud services fully within their own environments, and above all in a simple way. As a result, these services need security in one way or another. Companies and organizations can rely on cloud security specialists who offer this ‘as-a-service’.
In addition to securing the services and associated applications, data and workflows, it is also important to be able to secure all end users who use the business cloud services. It is important that they are guaranteed to be able to use these services in a secure manner wherever they work and whenever they want.
Challenges to make the switch
When switching to the cloud or secure cloud transformation, companies still face challenges. According to Howe, the most important thing is that companies and organizations still encounter a lot of legacy in their transformation process with regard to the applications they use. He says that companies and organizations need to be well prepared for this and check which applications they have. It’s about operations and not just about migration when switching to cloud environments.
Cloud security from Zscaler
Providing security services for cloud environments, in which everyone has secure access anytime, anywhere, and in which the traffic of data and workflows is also guaranteed to be secure, is exactly what Zscaler delivers. In short, the security company offers two solutions: Zscaler Internet Access and Zscaler Private Access (ZPA). The security platform Zscaler Internet Access has nodes in more than 100 data centers worldwide. Through these nodes, the security specialist ensures that customers always have a fast, secure connection to their own data center and also to the various cloud services of other providers.
The entire traffic is encrypted and can be provided with additional services, such as firewalls, data loss prevention (DLP), bandwidth control possibilities, sandbox functionality and behavioral analysis.
Disconnecting end-users from applications
According to Howe, the possibilities of this platform are at their best when it comes to accessing applications. Nowadays, applications are less and less often located in physical data centers and more and more often in the cloud. Traditionally, employees have to connect to the company network to reach these applications. A VPN connection is often set up for this purpose. Once connected to the corporate network in this way, they can access the application, which is often located in an on-premise data center.
This changes with the ZPA service. The end-user is actually ‘disconnected’ from the application. When employees want to access a certain application, they do not do so with a secure VPN connection but get direct access to the applications and services that these applications provide. This makes it possible to place these applications anywhere, whether on physical hardware, in the on-premise data center or in public cloud environments such as AWS and Azure. Of course, these can also be the cloud platforms of well-known applications such as Oracle, Salesforce and SAP.
According to Howe, a major advantage of this is that it no longer matters where the applications are located. For IT administrators, this is very useful because it allows them to manage and orchestrate the applications as they wish, without having to worry about how the end-users will continue to have access to them. ZPA is also completely software-based so that companies and organizations do not have to invest in additional appliances.
How does ZPA work?
ZPA works with a special application on the end user’s device. This app seeks outbound access to the nearest cloud-hosted Zscaler Enforcement Node in the Zscaler Cloud. This node acts as an ‘intermediary or broker’ between the app on the end-user’s device and the App Connector that the security company places next to the relevant applications in the cloud or in the data center. From that environment, the App Connector in turn sets up only an outbound connection towards the end-user.
All traffic, from the access request to the returning outbound connection, runs via SSL micro tunnels. The App Connector only looks at requests for specific apps and does not accept incoming connections. The micro tunnels only continue to exist while the applications have to ‘talk’ to the end-users. If they don’t ‘talk’, they disappear.
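The following is an added toy model of the brokered, outbound-only pattern described above (and of the per-application visibility discussed under the VPN comparison); it is constructed for illustration and is not Zscaler’s code. The broker, the user and application names, and the policy table are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the broker pattern: every leg is outbound, the broker
# pairs a client with an App Connector per named app, and the app itself never
# accepts inbound connections. Names and the policy table are assumptions.
@dataclass
class Broker:
    policy: dict                                    # user -> set of allowed app names
    connectors: dict = field(default_factory=dict)  # app -> connector that dialled out
    tunnels: dict = field(default_factory=dict)     # (user, app) -> "open"

    def register_connector(self, app, connector_id):
        # The App Connector initiates this registration from inside its own
        # environment; nothing dials in towards the data center or cloud VPC.
        self.connectors[app] = connector_id

    def request_access(self, user, app):
        # The client asks for one named app, not for a network range.
        if app not in self.policy.get(user, set()):
            return "denied"          # app stays invisible to this user
        if app not in self.connectors:
            return "no-connector"    # policy allows it, but nobody dialled out
        # Both outbound legs (client -> broker, connector -> broker) are
        # stitched into one micro tunnel scoped to this user/app pair.
        self.tunnels[(user, app)] = "open"
        return "connected"

    def idle(self, user, app):
        # The micro tunnel exists only while the app and the user talk.
        self.tunnels.pop((user, app), None)

    def visible_apps(self, user):
        # Contrast with a classic VPN, where the user sees the whole network.
        return sorted(self.policy.get(user, set()))

def demo():
    broker = Broker(policy={"alice": {"crm", "erp"}, "bob": {"crm"}})
    broker.register_connector("crm", "connector-onprem")   # app in own data center
    broker.register_connector("erp", "connector-aws")      # app in public cloud
    results = {
        "alice_crm": broker.request_access("alice", "crm"),
        "bob_erp": broker.request_access("bob", "erp"),
        "bob_sees": broker.visible_apps("bob"),
    }
    broker.idle("alice", "crm")
    results["open_tunnels_after_idle"] = len(broker.tunnels)
    return results

if __name__ == "__main__":
    print(demo())
```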
Alternative to traditional VPN
Zscaler’s cloud security solutions are therefore a good alternative to the VPN connections that are still widely used today, says Howe. With a VPN connection, users still often see the entire network. This, of course, makes it vulnerable. With the Zscaler solution, with two-way micro tunnels, users see nothing but the applications they want or are allowed to access. That’s all they need at that moment. As a result, cloud security solutions such as ZPA are much safer, according to the Solutions Architect.
Future of VPN
According to Howe, whether VPN will lose ground in the near future still depends on how VPN is deployed. In the first place, companies and organizations use VPN clients to give their end-users access to applications or services. This is also known as ‘client to site’ VPN. Howe expects this to disappear: with the rise of secure application access such as Zscaler’s, these clients will no longer be needed. As a result, the security model used by companies and organizations changes from a network-based security model to one that focuses on providing secure access to applications.
In addition, companies and organizations use VPN to connect data centers for mutual traffic, for example. VPN traffic for employees can also go through this. These types of VPN connections are also known as ‘site to site’ connections.
According to the Solutions Architect, VPN will still have a role to play in this type of connection. Certainly, if the VPN traffic for employees is replaced by secure application access such as ZPA, this will only result in so-called ‘machine to machine flow’, such as for data synchronization between databases, among other things. According to Howe, VPN is very suitable for this purpose.
Connections with third parties
There are also the connections that companies make with third parties. To be able to do this safely, a VPN connection is a good starting point. Nevertheless, Howe sees that VPN connections will no longer be needed for this in the near future.
This mainly depends on which architecture companies are going to use for the latter type of connections. In other words, whether this will be a network-focused security model or a model that focuses on secure access to applications.
Secure access to applications is most important
The most important thing is that end-users simply need to have secure access to applications. The way in which this happens must be simple. End users should not have to think about this. So we are curious to see what solutions Zscaler will come up with, in the near future, to achieve secure access to applications.