As Digital Transformation accelerates in the Middle East, organisations are increasingly adopting cloud services and shifting from traditional network security to cloud-based security that accommodates the complexity of the modern environment, embraces hybrid workplaces and protects people, devices, apps and data wherever they’re located.
Probably the best solution is creating a Zero Trust architecture to unify access across cloud and on-prem apps and ensure the right users have access to resources. Lawrence Morrison, VP of Middle East and Africa at Zscaler, explains the business outcomes of adopting a Zero Trust approach and three steps every organisation should consider in defining what cloud strategy to use.
What is cloud adoption and what are some of its benefits?
Simply put, cloud adoption is the process where organisations in a bid to reduce cost, mitigate risk and achieve scalability of database capabilities, use Internet-based computing to process resources and data from one device to another without any hurdle of location. This means software and services reside and operate on ‘the cloud’ instead of a local compute.
Cloud adoption is a major part of Digital Transformation. For example, non-differentiating applications such as HR, Finance and CRM can effectively be consumed through cloud subscription services like Workday and Salesforce.com.
Also, most organisations are not in the business of managing data centres with all the capital and operation costs associated leading to a ‘lift and shift’ of on-premises applications to public cloud infrastructure such as Azure, AWS and Google.
The major benefit of cloud adoption is that cloud services are fully automated and can be spun up and down instantly allowing organisations to be nimbler and accelerate their time to market depending on their industry.
How do traditional networks and security stacks cope with cloud adoption?
Our journey at Zscaler, supporting over 150 global data centres and processing over 250 billion secured transactions per day, has proven that traditional hubs and spoke networks are architected to protect users only when they are on the network connecting to applications in the self-managed data centre. This means all traffic is sent through a security stack comprising various products before heading out to the Internet or data centre.
Now that users are often working remotely and applications are increasingly residing in various locations, the better solution will be to adopt a Zero Trust architecture to unify access across cloud and on-prem apps that will effectively adapt to the complexity of the modern environment, embrace hybrid workplace and protect their people, devices, apps and data wherever they’re located.
What in your opinion is the biggest risk an organisation will face with reluctance in utilising the Zero Trust approach and expanding their cloud adoption solutions?
The most common use case is user experience being traded off to maintain security in a hub and spoke network. This means users will often bypass any security inspection and connect straight to the Internet when they’re off the corporate network and this heavily increases the risk of cyberthreats.
Also, the increasing use of VPN technology pre-and post-Covid has become a threat vector for organisations as it connects users to random networks which increases the risk of lateral movement and attacks from infected devices or bad actors.
What should organisations consider when adopting a Zero Trust approach and defining what cloud strategy to use?
When I speak to CISOs and CIOs, there are three notable steps I break down when it comes to adopting a Zero Trust approach and defining what cloud strategy to use.
Firstly, adopt an anchor security policy on identity where all personal data is not disclosed to any person who has no right to receive it. This is done by taking all reasonable steps to confirm identities before providing details or any personal information the organisation holds about people.
Secondly, inspect all SSL traffic. This will intercept and review SSL-encrypted Internet communication between the client and the server. The inspection of SSL traffic has become critically important as most of the Internet traffic is SSL encrypted including malicious content. This added layer of security helps protect sensitive information, but it can also conceal malicious communications that play a role in cyberattacks such as phishing, data breaches, distributed denial of service (DDoS) and many others. Remember the same tool that confers security can also nurture insecurity.
The last step will be to reduce attack surface by never publishing internal applications. So, while you design, code and configure your application to prevent and defend against cyberthreats, most importantly understand that internal apps generally contain more valuable data and are just as vulnerable to attack as external apps.
Unlike legacy networking and other security products, Zscaler uses Zero Trust Exchange which is a purpose-built platform helping organisations to leverage cloud, mobility, AI and OT technologies. Can you tell us about this platform and how it helps businesses achieve a more productive experience and become more agile?
Zscaler is currently the World’s largest security cloud leveraged by the largest banks, government and oil and gas organisations to connect their users to applications from any location using any device and we have over 150 global data centres processing over 250 billion secured transactions per day (about 20x the amount of Google searches per day).
Our platform consumes identity from a customer’s existing solution (i.e. AD or OKTA) and allows the customer to build policies based on these identities. Those policies follow the user to any location, on any device and connect to any destination. This is based on the advantage that Zscaler co-locates with the largest ISP and Microsoft POPs guaranteeing excellent user experience in the most secure way.
To further support Digital Transformation and help businesses across the Middle East to achieve a more productive experience, our company has invested aggressively in building out its locally based infrastructure (especially in Saudi Arabia, UAE, Qatar and Kuwait) and people, including multiple sales teams as well as engineering and support functions.
Our main objective over the next 24 months is to continue driving value for customers, helping them to simplify their security infrastructure by leveraging our security cloud to drive down costs through consolidation of point products, increase user experience (i.e. Microsoft 365) by connecting directly through the fastest path and improving security against ransomware and data loss through Zero Trust.
Zero Trust as a modern way to design enterprise security has been described in numerous articles as the future of data security. What’s your opinion on this and how do you see this evolving in the years ahead?
I believe the Internet will act as the new corporate network and everyone will have the ability to be on this. Therefore, it is important that organisations protect their users in any location using any kind of device.
Data in motion between workloads and IoT systems will also need protection. That’s why there is no better alternative than to adopt a Zero Trust architecture and I’m so excited to be working for the number one vendor in this space in a geographical market that is primed for transformation.