CDSA

Security needs to grow and scale to wherever an organization’s business is going as it expands its staff, data and locations – and, maybe most importantly, as the company moves forward on its cloud journey, according to Palo Alto Networks.

After organizations largely moved from the office to remote work during the pandemic last year, they are now shifting to hybrid workplaces combining offices, homes and other locations, so Zero Trust security strategies continue to be important – but they must adapt, Nir Zuk, Palo Alto Networks CTO and founder, said during the recent second webinar episode, “Why Zero Trust Strategies Must Evolve,” that was part of the company’s “Complete Zero Trust Network Security” event series.

His comments were made about one month after Palo Alto Networks introduced “complete Zero Trust Network security,” including five key innovations the company said makes it easier for customers to adopt Zero Trust across their network security stack: Software-as-a-Service (SaaS) security, advanced URL filtering, Domain Name System (DNS) security, the Cloud Identity Engine and new machine learning-powered firewalls.

During the webinar, Zuk provided his take on today’s requirements to secure the hybrid workplace with tools for a Zero Trust approach that ensures best-in-class security and access.

“A lot of the technology we use in cybersecurity is about establishing trust,” he pointed out. For example, you may trust one file but not another file. Maybe you are not sure where that latter file came from or who sent it to you.

“Over time, we had more challenges trusting things,” Zuk noted. For example, because content could not necessarily be trusted, the Intrusion Protection System (IPS) was created, he said.

There were “different things that we trusted implicitly,” he pointed out. For example, we may trust employees working at the office but not so much when they are working remotely because it is harder to authenticate employees when they are using remote access virtual private networks (VPNs), he said.

As employees and applications got further away from a company’s infrastructure, there was less trust, so more “trust decisions” had to be made, according to Zuk.

“Fast forward to today,” he said, noting that there have been “a lot of changes over the years [that] accelerated with the recent pandemic.”

“Now we have users working all over the place – different locations, different situations, different scenarios, different devices – accessing different applications in different locations, and it’s not clear what we can trust and what we cannot trust,” according to Zuk.

“That’s where Zero Trust comes in. With Zero Trust, we don’t make any assumptions around what we can or cannot trust,” he explained, adding: “We verify everything. We verify the identity of the user. We verify the application. We verify the content. Sometimes we can, sometimes we cannot trust content. We verify the device that the user is using. We verify everything.”

The concept of Zero Trust isn’t new. “We realized maybe 10 years ago that we needed the concept of Zero Trust – of verifying everything before we allow something to be accessed,” he said.

But “I think what’s different today is that now we are realizing that we have many different Zero Trust situations,” he said. As examples, we may have a remote user trying to access a SaaS application or an on-premise user trying to access a local application.

“They are all different situations that require different solutions,” he explained. So if somebody tries to use a SaaS application, we may use a proxy or, if a local user tries to access a local application, we may deliver it with a local firewall, he noted. In some cases, we’ll use a reverse proxy/Secure Sockets Layer (SSL) VPN or cloud access security broker (CASB).

“It’s becoming a mess. It’s becoming something that is very difficult to procure, deploy, manage, audit and so on, [so] we need a different approach,” he said.

“What we need is a different architecture. We need an architecture that works for the reality of today – the reality [that] we have a hybrid work environment” that is going to become more hybrid, with frequent mobile usage, he explained. Two days a week may be spent working from home, two days from the office and one day from a coffee shop or somebody may be working from an island in the Pacific.

“We need an architecture that takes all these different Zero Trust situations and combines them into one system that takes care of all these use cases” by putting what is needed into “complete context,” he said.

That is where “complete Zero Trust network security” comes in that covers all users and all devices, whether they are under the user’s control or not, and all applications, he explained.

“Many Zero Trust systems ignore the content,” which means they are making the Zero Trust decision “at the beginning of the connection and forget about it,” he said.

However, “we cannot trust files if they’re being transferred,” nor can we trust domain names, URLs, etc., he said, noting that an effective Zero Trust system will continually check whether to trust all content.

“To summarize, the future of work is here,” he said. “Employees can work wherever they want, however they want. They work in different locations – on-premise, off-premise, home, coffee shop and so on,” using all types of devices running many types of applications, so “we need a consistent way of applying Zero Trust concepts to that,” he concluded.