As government agencies continue their journey towards digital transformation, many are embracing hybrid cloud deployments to modernize their operations. A transition to a public or private cloud brings new challenges, especially when it comes to securing government workload communications.

This post was originally published on Zscaler.


Use Case: Securing Government Workload Communications

Problem Statement

Government applications running in the cloud are hard to secure with the traditional firewall-and-VPN deployment approach. Its complexity amplifies lateral movement, weakens cyber defense, and exposes the infrastructure to data leaks.

Realization Approach

A zero trust architecture model provides the underlying infrastructure for securing government workload communications, eliminating the expanded attack surface and lateral movement risks associated with legacy architectures.

Solution Space

This approach eases the operational challenges of managing secured workload-to-workload communications, ensuring that each workload can only communicate with authorized resources based on the principle of least-privilege access, applied at the granular level of individual URLs or APIs.

In this blog, we will delve into the reality of hybrid cloud deployments and explore how Zscaler’s zero trust architecture provides a comprehensive solution for securing government workloads in the public cloud.

The Expanding Definition of Hybrid Cloud

Hybrid cloud deployments have become increasingly complex as agencies expand their infrastructure across multiple regions and clouds. Rather than relying on a single cloud or region, agencies leverage different regional clouds to ensure availability and scalability. Additionally, within a specific region, agencies may need to consider availability zones to ensure business continuity. Figure 1 illustrates scenarios of hybrid cloud deployments.

Workload Communications in the Public Cloud

To illustrate the challenges of workload communications, let’s consider the example of a Department of Motor Vehicles (DMV) application deployed in the AWS GovCloud. This application needs to interact with other workloads or applications, such as a CRM or ERP system in the data center, to access driver records. It may also need to communicate with scheduling applications in different regions or clouds, and even access vehicle registration information stored in a different cloud provider such as Azure. Additionally, the DMV application may require software updates and send logs to the Google Cloud Platform.

Legacy Architecture Challenges

Traditionally, agencies have extended their on-premises architecture to the cloud by deploying firewalls and VPNs. While this approach may provide initial security, it also amplifies lateral movement, increases cyberthreats, and exposes the infrastructure to data leaks. Moreover, deploying and managing multiple firewalls and VPNs across different cloud environments and regions adds complexity and operational costs.

Introducing Zscaler’s Zero Trust Approach

Zscaler offers a cloud-delivered security platform based on zero trust principles to address the challenges faced by government agencies in securing workload communications. By adopting a zero trust proxy-based architecture, Zscaler eliminates the expanded attack surface and lateral movement risks associated with legacy architectures.


Connectivity and Security

Zscaler’s platform provides both connectivity and security for workloads in the public cloud. It ensures secure connectivity by allowing access only to specific URLs or APIs, preventing open access to the internet. Workload-to-workload communications are based on least-privilege access, ensuring that each workload can only communicate with authorized resources. Before any connection is established, zero trust-based authentication and authorization checks are performed, further enhancing security.

Threat Prevention and Data Protection

Zscaler’s platform offers comprehensive threat prevention and data protection capabilities. It provides URL filtering, intrusion prevention, DNS protection, and behavior analysis, all backed by AI- and ML-based risk analysis. Inline data protection ensures that sensitive data does not leak from workloads, with features such as regex-based checks, exact data matching, OCR technology for file inspection, and AI/ML-based data classification.

TLS Decryption at Cloud Scale

With the increasing prevalence of encrypted traffic, TLS decryption at cloud scale becomes crucial. Zscaler’s platform provides 100% inspection of traffic without compromising performance. This allows for effective threat prevention and data protection, since threats and sensitive data hidden inside encrypted traffic can be detected and blocked.

Granular App-to-App Segmentation

Zscaler enables granular app-to-app segmentation, eliminating the need for expensive networking infrastructure or additional layers of segmentation software. This ensures that workloads can only access authorized resources, providing an additional layer of security.

The Common Platform Advantage

Zscaler’s platform offers a common platform for securing workloads across multiple clouds. By installing lightweight cloud connectors in different clouds, agencies benefit from standardized and consolidated security operations. This approach simplifies security management, reduces operational complexity and costs, and ensures consistent security policies across multiple clouds. It stops external threats by protecting egress traffic from any malicious payload. It protects against insider threats by eliminating the risk that a bad actor within the agency who holds valid credentials can inflict harm, either by inserting a malicious payload or by trying to exfiltrate sensitive data.

The Zero Trust Exchange is designed to eliminate lateral movement and reduce the attack surface significantly. Moreover, Zscaler’s platform is both FedRAMP and StateRAMP Authorized and GovCloud ready.

About the author

Radiostud.io Staff

Showcasing and curating a knowledge base of tech use cases from across the web.
