One of the toughest IT challenges has been figuring out how to allow users to bring their own devices to work while maintaining the security of internal apps. It becomes even more complicated when a good chunk of users are partners, contractors, and other third parties—those who present a disproportionately high security risk.
IT teams have begun to leverage a zero trust security strategy that enables third parties and users on unmanaged devices to securely access internal apps. But can such access be accomplished without placing users on the network and without a mobile client?
Did you know?

“75% of businesses saw third-party access grow over the past two years.”

“63% of all cyber attacks could be traced either directly or indirectly to third parties.”

Sources: Soha Systems Third-party Report; Bomgar Survey, Vendor Vulnerability Report
The challenges of legacy partner access

Virtual Private Network (VPN) access
• Partner users are placed on the network
• Overprivileged partner access to apps
• Lack of visibility into partner/user activity

Software-defined Perimeter (SDP) access
Enable “least privileged” access to private apps without granting network access, leveraging the software-defined perimeter (SDP).

Securing partner access is challenging, but what if it wasn’t?

[Diagram: a policy enforcement checkpost brokers partner access to apps in the public cloud and in the private cloud / on-premise DC]
What is the Software-Defined Perimeter (SDP)?

SDP provides a modern approach to remote access technology: it abandons the network-centric design and instead secures private application access for users without granting network access.

“By 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of software-defined perimeters.”
Gartner, November 2017

• Decouples private application access from network access
• 100% software-defined; no physical or virtual appliances needed
• Application access is micro-segmented and provisioned on a “least privileged” basis
• Advanced visibility into all user and app activity
Three Ways SDP Redefines Partner Access

1. App access is detached from network access
• Partners are never placed on the network
• Eliminate overprivileged partner access via inside-out connections
• Surface area of attack is minimized

2. Minimize risk with micro-segmentation
• Enhanced security posture with encrypted TLS micro-tunnels
• Segment of one created between partner user & app

3. Monitor any suspicious activity
• Granular visibility into all partner and app activity
• Ability to enforce policies based on individual partner user
• Automatic log streaming to SIEM, both historical & real-time
The Solution
Needed a new approach. Decoupling application access from the network was the ideal choice. They were able to achieve this through an SDP solution. This led us to choose Zscaler Private Access (ZPA).

The Benefits
1. Users never access the network
2. Micro-segmentation made applications invisible to unauthorized users
3. Empowered IT with comprehensive visibility & control
4. Effortless access to applications with Browser Access

What’s next at Navigant
Considering securing access to apps for partners
Zscaler Private Access – fast, secure, software-defined access to internal apps

• Application access is decoupled from network access.
• Micro-segmentation, not network segmentation.
• Inside-out connectivity makes private apps invisible.
• Double encrypted micro-tunnels ensure secure, segmented access to private apps.

[Diagram labels: BYOD Contractor, Partner Users, Public Cloud, Private Cloud / Data Center, Internally Managed]
How it works

1. Partner user attempts to access a web app (e.g., a partner portal) through Z App or Browser Access.
2. Traffic is directed to the Zscaler Enforcement Node (ZEN), which enforces policy:
   • User is authenticated through the identity provider (IdP)
   • Custom access policies are applied
   • Access request signal is sent to the nearest App Connector
3. The App Connector closest to the partner portal responds and establishes an inside-out connection.
4. The app-to-partner-user connection is securely stitched together within the Zscaler cloud (brokered connection).

[Diagram labels: Zscaler App / Browser Access (1), Zscaler Enforcement Node (2), App Connectors (3), Data Center, Brokered connection (4)]

Browser Access - Effortless app access for partners
Secure access to web apps without ever deploying a client
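The four-step flow above is easier to reason about as a small model. The following Python is an added example written for this page; it is not Zscaler code and does not use any ZPA API. It stands in a broker for the enforcement node, represents app connectors as components that only ever dial out, and makes the policy decision before any connection exists. Every class, field and sample value (the `partners` and `employees` groups, the `partner-portal` and `hr-system` apps, the connector names and regions) is constructed for illustration. One design point it demonstrates that the slide only states: a denied request and a request for an app that does not exist return the same answer, which is what makes unauthorized apps invisible rather than merely blocked.

```python
"""Toy model of policy-brokered, inside-out application access (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """What the IdP asserts about the user (constructed fields, not a real SAML/OIDC claim set)."""
    user: str
    groups: frozenset
    device_managed: bool


@dataclass(frozen=True)
class AccessPolicy:
    """Who may reach one named app: group membership plus optional device posture."""
    app: str
    allowed_groups: frozenset
    require_managed_device: bool = False

    def permits(self, who: Identity) -> bool:
        if self.require_managed_device and not who.device_managed:
            return False
        return bool(self.allowed_groups & who.groups)


@dataclass(frozen=True)
class AppConnector:
    """Sits next to the apps and holds an OUTBOUND session to the broker; nothing listens inbound."""
    name: str
    region: str
    serves: frozenset  # app names reachable through this connector


@dataclass
class Broker:
    """Stand-in for the enforcement node plus the brokering function (step 2 through step 4)."""
    policies: Dict[str, AccessPolicy]
    connectors: List[AppConnector]
    audit_log: List[dict] = field(default_factory=list)

    def request(self, who: Identity, app: str, user_region: str) -> Tuple[str, Optional[dict]]:
        """Evaluate policy first; only then involve a connector. Returns (outcome, tunnel or None)."""
        policy = self.policies.get(app)
        # An app the user is not entitled to looks exactly like one that does not exist,
        # so a denied partner learns nothing about what sits behind the broker.
        if policy is None or not policy.permits(who):
            self._log(who.user, app, "deny")
            return "not_found", None
        candidates = [c for c in self.connectors if app in c.serves]
        if not candidates:
            self._log(who.user, app, "no_connector")
            return "unavailable", None
        # Step 3: the connector nearest the user answers; any other that serves the app is a fallback.
        connector = min(candidates, key=lambda c: c.region != user_region)
        # Step 4: a segment of one, scoped to this user and this app only.
        tunnel = {"user": who.user, "app": app, "via": connector.name}
        self._log(who.user, app, "allow", connector.name)
        return "connected", tunnel

    def reachable(self, who: Identity) -> frozenset:
        """Everything this identity could be granted: the set a least-privilege review looks at."""
        return frozenset(a for a, p in self.policies.items() if p.permits(who))

    def _log(self, user: str, app: str, decision: str, via: str = "") -> None:
        # One record per decision, the kind of event a SIEM would ingest.
        self.audit_log.append({"user": user, "app": app, "decision": decision, "via": via})


# Constructed sample environment: two regions, two connectors, two policies.
BROKER = Broker(
    policies={
        "partner-portal": AccessPolicy("partner-portal", frozenset({"partners", "employees"})),
        "hr-system": AccessPolicy("hr-system", frozenset({"employees"}), require_managed_device=True),
    },
    connectors=[
        AppConnector("dc-east-1", "east", frozenset({"partner-portal", "hr-system"})),
        AppConnector("cloud-west-1", "west", frozenset({"partner-portal"})),
    ],
)

PARTNER = Identity("alice@partner.example", frozenset({"partners"}), device_managed=False)
EMPLOYEE = Identity("bob@corp.example", frozenset({"employees"}), device_managed=True)


if __name__ == "__main__":
    print(BROKER.request(PARTNER, "partner-portal", "west"))   # connected via cloud-west-1
    print(BROKER.request(PARTNER, "hr-system", "west"))        # not_found: wrong group and BYOD device
    print(BROKER.request(PARTNER, "no-such-app", "west"))      # not_found: indistinguishable from above
    print(sorted(BROKER.reachable(PARTNER)))
```

Running the module prints one allowed connection and two identical `not_found` answers; the audit log records the real reason for each decision even though the requester cannot tell the two denials apart. The `reachable` helper is the check a defender would run per partner identity to confirm the segment of one really is one app.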
Take ZPA and Browser Access for a test drive.
Try our free 7-day hosted demo: https://www.zscaler.com/zpa-interactive

Thank You!
Kunal Shah
Principal Product Manager
Zscaler, Inc.

Let’s get technical!
Get a deeper look into how ZPA’s browser access works: https://help.zscaler.com/zpa/about-BrowserAccess
Editor's Notes

• New approach - policy-based access to specific applications
• Fully software-based – no inbound gateway appliances
• Based on Defense Information Systems Agency (DISA) work in 2007
• Popularized by Google BeyondCorp
• Two key criteria before providing access to an app:
  - User device – device posture
  - User identity – authorized user access
• SDP – coined by Gartner
• 4 tenets:
  1. Application access is decoupled from network access, never placing partners on the network.
  2. Inside-out connectivity makes private apps invisible, never exposed to the internet.
  3. Micro-segmentation, not network segmentation. Authorized users only have access to named private apps.
  4. Uses the internet as the new corporate network, via double-encrypted micro-tunnels which reduce lateral access.