Application transformation has upended traditional monitoring approaches: applications reside in SaaS, infrastructure gets deployed in public clouds, and users (employees, partners, and customers) access assets from mobile devices well outside the corporate domain. Business no longer takes place on a trusted corporate network or inside a well-defined security perimeter. The legacy hub-and-spoke network with a castle-and-moat security model that worked well during the pre-cloud and pre-mobile world does not work anymore.
Cloud security using Zscaler’s Zero Trust Exchange makes the internet a safe place to do business by securely connecting any user, device, and application, regardless of location. The Zero Trust Exchange is a modern approach that enables fast and secure connections to corporate applications, assets, and data using the internet as the corporate network. People can connect from anywhere, using any device, and maintain the same level of security and data protection. The zero trust principle of least-privileged access provides comprehensive security using context-based identity and policy enforcement.
Traditional firewalls advertise connections to your applications through your network security perimeter directly to the internet. But bad actors can also discover these same network “holes.” VPNs put remote users onto the network, where a single breach can laterally compromise the rest of the networks and systems behind the secure login. Both expand your attack surface. The Zero Trust Exchange makes apps invisible and only accessible to authorized users. The network ceases to have holes because it isn’t a defense wall. Zero trust creates a zero attack surface.
Historically, diagnosing application and network problems for remote users accessing internal applications has always been a challenge due to the lack of monitoring data. In VPN environments, network paths within the VPN tunnel are always encapsulated and hidden from view. Good luck finding that wireless latency issue or the gateway that is dropping packets!
At first glance, it would seem that moving to a zero trust architecture would make this problem worse: now, internal applications are hidden entirely from the network. Traditional network path analysis techniques like traceroute and ping no longer work. What can you traceroute or ping to when the application is no longer visible on the network?
ZDX provides a unique monitoring overlay for the Zero Trust Exchange and provides deep visibility into the performance of both public and private applications.
ZDX’s recent integration with Zscaler Private Access (ZPA) makes it possible to understand user experience from an application and network perspective. ZDX provides application performance statistics for every employee every few minutes and combines that with network path analytics to the ZPA Service Edge (with complete end-to-end path visibility coming soon) using CloudPath (see Figure 1).
Figure 1: ZDX exposing hop-by-hop network details for an internal application protected by ZPA
CloudPath leverages Zscaler’s integrated Client Connector agent to measure hop-by-hop network performance every few minutes, identifying places where latency and packet loss might be affecting application performance. CloudPath makes use of ZDX’s unique 360-degree monitoring (see my recent blog here), where path analysis is not only from the client endpoint outbound but instead takes advantage of the Zero Trust Exchange to view the network path from the internet inbound.
This visibility exposes performance problems caused by server delays, DNS resolution times, weak Wi-Fi, local ISP latency, internet backbone issues, and more. Everything that used to be hidden with traditional VPN environments can now be monitored and measured.
Replacing your legacy VPN with a zero trust model always had a massive security benefit. Who knew that there was also an enormous benefit for IT operations as well?