Cloud security provider Zscaler today is announcing a new per-application approach to security that would replace virtual private networks and offer a more flexible and lower-cost option the company claims is also more secure. (See Zscaler Offers Per-App Security.)
Created for today's networks, which no longer have defined perimeters to secure, the Zscaler Private Access service essentially lets enterprises spin up security when they create applications and tailor that security to the app and to specific users in the process, says Denzil Wessels, director of product management for Zscaler Inc. This micro-segmentation service eliminates the need for stacks of security gear at every data center, which reduces capex and opex, and offers greater protection than a VPN because there is no blanket access to everything connected on a network, as often exists today, he says.
"This is a new approach to application access," Wessels says. "Today application access really equals network access. If someone wants to provide access to an application, they have to put someone on the network to get access to it and they get access to everything on that network. We want to focus on application access for a user rather than traditional network access."
Zscaler's cloud security services have targeted public Internet services and public software-as-a-service apps as well, but the company is now adding protection for private connections. The Zscaler Private Access service, which is sold to and resold by network operators such as BT, is specifically designed for supporting access to public and private cloud applications and for allowing remote access by employees and partners to enterprise applications, wherever they are housed.
On the remote access front, the Zscaler approach lets an enterprise give an employee or a partner access to specific applications without exposing other parts of its network. Wessels points out that this kind of protection would prevent the type of data breach that hit Target, whose network was breached through a third-party partner.
The service is also designed to eliminate the need for the stacks of security gear that enterprises often deploy today at individual data centers to protect traffic moving between them.
"If enterprises are looking at moving some of their applications out to an AWS or Google Compute or Azure, they have to extend their network out to those public clouds in order to provide connectivity," Wessels says. "They want to embrace the agility of the cloud and put their private applications there. But they are having to use old legacy network plumbing tools to be able to extend that connectivity."
One approach is to secure applications and networks by making them harder to access and layering on new barriers, but Wessels says that gets in the way of enterprises making it easier for employees and partners to access the apps they need from wherever they are, and restricts movement of applications to the cloud as well.
The solution has two parts. The first is the Zscaler app, the client software that runs on endpoints, collects client traffic and sends it up to the Zscaler cloud; with this announcement, the app now supports private application access. The second part, the Zen Connector, is a new product: a lightweight virtual appliance that runs on a hypervisor within the same enterprise network where the applications live and registers with the Zscaler cloud on behalf of the customer, according to Wessels. It can be provisioned in seconds and talks to the Zscaler cloud, but because it accepts no inbound traffic, only outbound, it doesn't need to be behind a firewall or other protection.
Enterprise administrators communicate with the Zscaler cloud to establish policies that govern who has access to which applications on the network, he notes.
"It doesn't matter where the application lives, whether it lives in a legacy data center or a public cloud -- the solution can steer the traffic to wherever it needs to go," Wessels says. "When you spin up additional apps or services, you can spin up this functionality right up alongside -- it works in the same virtualization environment that those applications are designed to run."
— Carol Wilson, Editor-at-Large, Light Reading