Blog Zscaler

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

S'abonner
Products & Solutions

New Innovations in Intelligent App Segmentation

image
SHUJAAT JAFFREY
juillet 12, 2023 - 4 Min de lecture

A compromised machine can cause severe damage if it allows lateral movement inside an organization’s network. To prevent lateral propagation and reduce your attack surface, user-to-app segmentation—based on the premise that you can’t attack what you can’t see—is pivotal. At Zenith Live 2023, we announced several new features that make Intelligent App Segmentation even more effective.

 

Easy starting point with CMDB import 

Most organizations start with a “wild card” app segment (e.g., *.internal.acme.com with all or almost all ports open), which helps discover applications being used across the organization. After application discovery, organizations need an intelligent way to group similar applications, and then provide least-privileged access to the right set of users.

Last year, we launched the AI/ML-powered Intelligent Application Segmentation feature, which generates app segment recommendations based on user access patterns to help organizations achieve user-to-app segmentation (see more details here). If you’re interested in enabling this feature for your ZPA, tenant please contact your account team or Zscaler support.

When adopting a zero trust solution like Zscaler Private Access (ZPA), application information you feed into the ZPA system translates to app segments, which consist of application details like FQDN, IP, TCP/UDP ports, and so on. Organizations often maintain CMDB databases used to store such information. Today, you can feed this information through API calls or by manually entering the details into the ZPA portal to create individual app segments.

We envision providing an option to import CMDB files into ZPA to help with configuring granular app segments, giving organizations an easy starting point to embark on the journey to zero trust. After importing the CMDB file, you would be able to view extensive details about app segments that can be configured right away, including granular information like which domains are receiving active traffic vs. those that are not. 

Image

 

We would go a step further to highlight the TCP/UDP ports on which we are observing traffic. With this information, you would be able to configure granular app segments to reduce your attack surface. 


 

Image


 

Visualize and reduce your attack surface with Intelligent App Segmentation

AI/ML generates app segment recommendations based on user access patterns, and we can now visualize the quantifiable attack surface reduction for each app segment recommendation to help with prioritization. In the following example, if accepted, the recommendation would result in about a 90% exposure reduction.

 

Image

 

The final step in reducing the attack surface for each app segment is to create an access policy that ensures only the right users have access to the application segment. An organization’s Active Directory server may sometimes have stale user information (e.g., if a user was recently moved to a different department).

We can now look at the list of individual users in each department for every recommendation. This helps you in two ways, enabling you to:

  • Validate that the right set of users are getting access to the application segment
  • Take a list of users to your identity team and request a new AD group/department or directory info update

 

Image

 

Make your segmentation configuration scalable and robust

As you start doing segmentation, app segment configuration is expected to grow. For example, if you have seven Active Directory servers today, you would have to define seven entries in the app segment with the individual FQDNs/IPs. On top of that, whenever you bring a new server online, you need to make sure the new FQDN/IP is updated in the app segment to prevent any service impact.

 

Image

 

To make the configuration more scalable and robust, we envision introducing the ability to define patterns while configuring app segments. This will help optimize and future-proof the configuration, as it will enable you to easily bring new servers online without having to make any changes to the app segment.

 

Image

 

Benefits

  • Easy starting point: Begin your zero trust journey with ease with the ability to import CMDB files.
  • Quantified attack surface reduction: Visualize attack surface reduction for each app segment recommendation.
  • Granular, user-level detail: Drill down to find individual usernames to help you fix potential IDP grouping issues.
  • Pattern definition for app segments: Define patterns in app segments to make configurations scaleable and future-proof.

 

Next steps and future direction

Zero trust is an increasingly popular model for secure user access to applications and resources. Moving away from traditional VPN-based network access is a critical element of zero trust, and Intelligent App Segmentation can help you get there. Zscaler is working tirelessly to innovate and introduce more exciting capabilities in this area.

Please reach out to your account teams to learn more, and to share your use case details and other feedback.

 

Top Recommendation: User to App Segmentation with ZPA

Visit Zscaler Academy to enroll and complete the User to App Segmentation with ZPA course. This 45-minute course will provide a clear overview of how ZPA helps you create flexible, granular app segments to reduce your attack surface.

 

form submtited
Merci d'avoir lu l'article

Cet article a-t-il été utile ?

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

En envoyant le formulaire, vous acceptez notre politique de confidentialité.