One of the toughest IT challenges has been figuring out how to allow users to bring their own devices to work while maintaining the security of internal apps. It becomes even more complicated when a good chunk of users are partners, contractors, and other third parties—those who present a disproportionately high security risk.
Did you know?
“75% of businesses saw third-party access grow over the past two years.”
“63% of all cyber attacks could be traced either directly or indirectly to third parties.”
Sources: Soha Systems Third-party Report; Bomgar Survey, Vendor Vulnerability Report
Legacy partner access
The challenges of legacy partner access:
• Partner users on net
• Overprivileged partner access to apps
• Lack of visibility

Zero trust security with SDP
Enable “least privileged” access to apps and services with the software-defined perimeter (SDP).
Securing partner access is challenging, but what if it wasn’t?
(Diagram: a policy enforcement checkpost brokering access to apps in the public cloud and in the private cloud / on-premise DC)
What is zero trust security?
Introduced 8 years ago by
Zero trust was previously unachievable due to:
• Cost and complexity of legacy approaches
• The network access that was required in order to gain app access
• Inability to segment on the app level without complex network segmentation

Zero trust security
• Concept that the enterprise should never inherently trust any user or network
• Users must be verified before access is extended
• App access is granted on a “least privileged” basis
• Visibility into all user and app activity
Three Ways Zero Trust Redefined Partner Access
1. Application access, not network access
 • Partners are never placed on the network
 • Eliminate overprivileged partner access via inside-out connections
 • Surface area of attack is minimized
2. Minimize risk with micro-segmentation
 • Enhanced security posture with encrypted TLS micro-tunnels
 • Ability to enforce policies based on individual partner user
 • Segment of one created between partner user & app
3. Monitor any suspicious activity
 • Granular visibility into all partner and app activity
 • Automatic log streaming to SIEM in both past & real-time
Who are we?
Navigant is a specialized, global professional services firm that offers a range of advisory, consulting, outsourcing, and technology services to clients facing transformational change.
Location: Illinois, USA
Industry: Consulting Services
User Count: 5,000 employees
• Purchased ZPA for 2,500 users
• Application types – Web & RDP

The Challenge
1. Remote users were put on net, creating unnecessary risk
2. Users were being given overprivileged access
 • Network segmentation is complex
 • Need segmented access on the application level
3. Limited visibility into user activity
The Solution
We needed a new approach. Zero trust security was the ideal and we were able to achieve that through an SDP solution. This led us to choose Zscaler Private Access (ZPA).

The Benefits
1. Users never access the network
2. Micro-segmentation made applications invisible to unauthorized users
3. Empowered IT with comprehensive visibility & control
4. Effortless access to applications with Browser Access

Looking Forward
Considering securing access to apps for partners
Zscaler Private Access – fast, secure, zero trust access to internal apps
• Zero trust access to internal apps running in any environment (public cloud, private cloud / data center)
• Provide app connectivity without placing users on-net
• Embrace application segmentation by default
• Delivers seamless user experience across users & apps
(Diagram: BYOD contractor and partner users reaching internally managed apps in the public cloud and the private cloud / data center)
How it works
1. Partner user attempts to access a web app (e.g., partner portal) through Zscaler App (Z App) or Browser Access
2. Traffic is directed to the Zscaler Enforcement Node (ZEN), which enforces policy:
 • User is authenticated through the identity provider (IdP)
 • Custom access policies are applied
 • Access request signal is sent to the nearest App Connector
3. The App Connector closest to the partner portal responds and establishes an inside-out connection
4. The app-to-partner user connection is securely stitched together as a brokered connection within the Zscaler cloud
(Diagram: Zscaler App / Browser Access → Zscaler Enforcement Node (enforces policy) → brokered connection → App Connectors in the data center)
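The brokered flow above (IdP authentication, policy at the ZEN, inside-out connection from the App Connector, session stitched in the cloud) modelled as an added Python example; this is not Zscaler's code, and the Broker, AppConnector, Rule and Session names, the outcome strings and the sample users are assumptions. The two criteria from the editor's notes, user identity and device posture, are the gates checked first.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:  # what the ZEN knows after the IdP step: identity + device posture (assumed shape)
    user: str
    authenticated: bool
    device_compliant: bool

@dataclass(frozen=True)
class Rule:  # one policy line: this user may reach this app (a "segment of one")
    user: str
    app: str

class AppConnector:  # sits beside the app and only ever dials OUT to the broker
    def __init__(self, app: str):
        self.app = app
        self.tunnel = None

    def register(self, broker: "Broker") -> None:
        # Inside-out: the connector initiates; it exposes no inbound listener.
        self.tunnel = broker.accept_connector(self)

class Broker:  # stand-in for the Zscaler Enforcement Node: policy check, then stitching
    def __init__(self, rules):
        self.rules = set(rules)
        self.connectors = {}   # app name -> registered AppConnector
        self.siem = []         # every decision is streamed here, denials included

    def accept_connector(self, connector: AppConnector) -> str:
        self.connectors[connector.app] = connector
        return f"tunnel:{connector.app}"

    def request(self, session: Session, app: str) -> str:
        # Deny by default: each gate returns early and is logged.
        if not session.authenticated:
            return self._log(session, app, "DENY: not authenticated")
        if not session.device_compliant:
            return self._log(session, app, "DENY: device posture")
        # Policy before connector lookup: an unauthorized user gets the same
        # answer whether or not the app exists, so the app stays invisible.
        if Rule(session.user, app) not in self.rules:
            return self._log(session, app, "DENY: no policy")
        conn = self.connectors.get(app)
        if conn is None:
            return self._log(session, app, "DENY: no connector for app")
        return self._log(session, app, f"ALLOW via {conn.tunnel}")  # stitched

    def _log(self, session: Session, app: str, outcome: str) -> str:
        self.siem.append((session.user, app, outcome))
        return outcome
```

Note that the user never receives a network address for the app: the only thing handed back is the broker-side tunnel that the connector itself opened.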
Browser Access - Effortless app access for partners
Secure access to web apps without ever deploying a client
Take ZPA and Browser Access for a test drive. Try our free 7-day hosted demo:
https://www.zscaler.com/zpa-interactive

Thank You!
Mike Smith, IT Security Manager, Navigant Consulting, Inc.
Kunal Shah, Principal Product Manager, Zscaler, Inc.

Let’s get technical! Get a deeper look into how ZPA’s browser access works:
https://help.zscaler.com/zpa/about-BrowserAccess
Editor's Notes
• New approach – policy-based access to specific applications
• Fully software-based – no inbound gateway appliances
• Based on Defense Information Systems Agency (DISA) work in 2007
• Popularized by Google BeyondCorp
• Two key criteria before providing access to an app:
 • User device – device posture
 • User identity – authorized user access