Zero Trust with End-to-End Data Security and Continuous Risk Assessment

By Michael Schneider -

March 22, 2022 6 Minute Read

These are exciting times for all of us at Skyhigh Security.

The current business transformation and remote workforce expansion requires zero trust access to corporate resources, with end-to-end data security and continuous risk assessment to protect applications and data across all locations – public clouds, private data centers, and user devices. Skyhigh Security Private Access is the industry’s first truly integrated Zero Trust Network Access solution that enables blazing fast, granular “Zero Trust” access to private applications and provides best-in-class data security with leading data protection, threat protection, and endpoint protection capabilities, paving the way for accelerated Security Service Edge (SSE) deployments.

We are currently operating in a world where enterprises are borderless, and the workforce is increasingly distributed. With an increasing number of applications, workloads, and data moving to the cloud, security practitioners today face a wide array of challenges while ensuring business continuity, including:

• How do I plan my architecture and deploy assets across multiple strategic locations to reduce network latency and maintain a high-quality user experience?
• How do I keep a tight control over devices connecting from any location in the world?
• How do I ensure proper device authorization to prevent over-entitlement of services?
• How do I maintain security visibility and control as my attack surface increases due to the distributed nature of data, users, and devices?

Cloud-based Software-as-a-Service (SaaS) application adoption has exploded in the last decade, but most organizations still rely heavily on private applications hosted in data centers or Infrastructure-as-a-Service) IaaS environments. To date Virtual Private Networks (VPN) have been a quick and easy fix for providing remote users access to sensitive internal applications and data. However, with remote working becoming the new normal and organizations moving towards cloud-first deployments, VPNs are now challenged with providing secure connectivity for infrastructures they weren’t built for, leading to bandwidth, performance, and scalability issues. VPNs also introduce the risk of excessive data exposure, as any remote user with valid login keys can get complete access to the entire internal corporate network and all the resources within.

Enter Zero Trust Network Access, or ZTNA! Built on the fundamentals of “Zero Trust”, ZTNAs deny access to private applications unless the user identity is verified, irrespective of whether the user is located inside or outside the enterprise perimeter. Additionally, in contrast to the excessive implicit trust approach adopted by VPNs, ZTNAs enable precise, “least privileged” access to specific applications based upon the user authorization.

With Skyhigh Security Private Access, an industry-leading Zero Trust Network Access solution that includes integrated Data Loss Prevention (DLP) and Remote Browser Isolation (RBI) capabilities, organizations can enable fast, ubiquitous, direct-to-cloud access to private resources from any remote location and device, allow deep visibility into user activity, enforce data protection over the secure sessions to prevent data misuse or theft, isolate private applications from potentially risky user devices, and perform security posture assessment of connecting devices, all from a single, unified platform.

Why does ZTNA matter for remote workforce security and productivity?

Here are the key capabilities offered by ZTNA to provide secure access for your remote workforce:

• Direct-to-app connectivity: ZTNA facilitates seamless, direct-to-cloud and direct-to-datacenter access to private applications. This eliminates unnecessary traffic backhauling to centralized servers, reducing network latency, improving the user experience and boosting employee productivity.
• Explicit identity-based policies: ZTNA enforces granular, user identity-aware, and context-aware policies for private application access. By eliminating the implicit trust placed on multiple factors, including users, devices and network location, ZTNA secures organizations from both internal and external threats.
• Least-privileged access: ZTNA micro-segments the networks to create software-defined perimeters and allows “least privileged” access to specific, authorized applications, and not the entire underlying network. This prevents overentitlement of services and unauthorized data access. Micro-segmentation also significantly reduces the cyberattack surface and prevents lateral movement of threats in case of a breach.
• Application cloaking: ZTNA shields private applications behind secure gateways and prevents the need to open inbound firewall ports for application access. This creates a virtual darknet and prevents application discovery on public Internet, securing organizations from Internet-based data exposure, malware and DDoS attacks.

Is securing the access enough? How about data protection?

Though ZTNAs are frequently promoted as VPN replacements, nearly all ZTNA solutions share an important drawback with VPNs – lack of data awareness and risk awareness. First-generation ZTNA solutions have categorically focused on solving the access puzzle and have left data security and threat prevention problems unattended. Considering that ubiquitous data awareness and risk assessment are the key tenets of the SSE framework, this is a major shortcoming when you consider how much traffic is going back and forth between users and private applications.

Moreover, the growing adoption of personal devices for work, oftentimes connecting over unsecure remote networks, significantly expands the threat surface and increases the risk of sensitive data exposure and theft due to lack of endpoint, cloud and web security controls.

Addressing these challenges requires ZTNA solutions to supplement their Zero Trust access capabilities with centralized monitoring and device posture assessment, along with integrated data and threat protection.

Skyhigh Security Private Access

Skyhigh Security Private Access is designed for organizations in need for an all-encompassing security solution that focuses on protecting their ever-crucial data, while enabling remote access to corporate applications. The solution combines the secure access capabilities of ZTNA with the data and threat protection capabilities of Data Loss Prevention (DLP) and Remote Browser Isolation (RBI) to offer the industry’s leading integrated, data-centric solution for private application security, while utilizing Trellix‘s industry-leading Endpoint Security solution to derive deep insights into the user devices and validating their security posture before enabling zero trust access.

Skyhigh Security Private Access allows customers to immediately apply inline DLP policies to the collaboration happening over the secure sessions for deep data inspection and classification, preventing inappropriate handling of sensitive data and blocking malicious file uploads. Additionally, customers can utilize a highly innovative Remote Browser Isolation solution to protect private applications from risky and untrusted unmanaged devices by isolating the web sessions and allowing read-only access to the applications.

Fig. 1: Skyhigh Security Private Access

Private Access further integrates with the Skyhigh Security Service Edge (SSE) Portfolio to enable defense-in-depth and offer full scope of data and threat protection capabilities to customers from device-to-cloud. Customers can achieve the following benefits from the integrated solution:

• Complete visibility and control over data across endpoint, web and cloud.
• Unified incident management across control points with no increase in operational overhead, leading to total cost of ownership (TCO) reduction.
• Multi-vector data protection, eliminating data visibility gaps and securing collaboration from cloud to third-parties.
• Defending private applications against cloud-native threats, advanced malware and fileless attacks.
• Continuous device posture assessment powered by industry-leading endpoint security.

Additionally, Skyhigh Security SSE includes Hyperscale Service Edge, which operates at 99.999% service uptime and is powered by intelligently peered data centers—providing a blazing fast and seamless experience to private access users. Authentication via Identity Providers eliminates the risk of threat actors infiltrating the corporate networks using compromised devices or user credentials.

What Sets Skyhigh Security Private Access apart?

With dozens of ZTNA solutions on the market, we’ve made sure that Skyhigh Security Private Access stands out from the crowd with the following:

• Integrated data loss prevention (DLP) and industry-leading Remote Browser Isolation (RBI): Enables advanced threat protection and complete control over data collaborated through private access sessions, preventing inappropriate handling of sensitive data, blocking files with malicious content and securing unknown traffic activity to prevent malware infections on end-user devices.
• SSE readiness with UCE integration: Skyhigh Security Private Access converges with Skyhigh Security SSE to deliver complete data and threat protection to any device at any location in combination with other Skyhigh Security offerings, that include Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Endpoint Protection, while enabling direct-to-cloud access in partnership with leading SD-WAN vendors. This ensures a consistent user experience across web, public SaaS, and private applications.
• Endpoint security and posture assessment: Skyhigh Security Private Access leverages industry-leading Trellix Endpoint Security powered by proactive threat intelligence from 1 billion sensors to evaluate device and user posture, which informs a risk-based zero trust decision in real-time. The rich set of telemetry, which goes well beyond the basic posture checking performed by competitive solutions, allows organizations to continuously assess the device and user risks, and enforce adaptive policies for private application access.
• Securing unmanaged devices with clientless deployments: Skyhigh Security Private Access secures access from unmanaged devices through agentless, browser-based deployment, enabling collaboration between employees, external partners or third-party contractors in a most frictionless manner.

With Skyhigh Security Private Access, customers can establish granular, least privileged access to their private applications hosted across cloud and IT environments, from any device and location, while availing all the goodness of Skyhigh Security’s leading data and threat protection capabilities to accelerate their business transformation and enable the fastest route to SSE. To learn more, visit SkyhighSecurity.com/en-us/products/private-access.html

Back to Blogs