Enhancing Zero Trust in Azure and Azure Government with Zscaler
Azure Gov Team
This guest post was contributed by Zscaler’s Jose Padin, Director of Pre-sales Engineering for US Public Sector, and Anup Barde, Sales Engineer; and Microsoft’s Adam Dimopoulos, Senior Program Manager for Government Cybersecurity, Azure Global Critical Infrastructure.
As government users are working remotely now more than ever, the apps they rely on are moving to the cloud to meet the demands of today’s workloads. Legacy security perimeters that agencies once relied on are disappearing because of this user and workload decentralization. Classic castle-and-moat perimeters no longer exist, and organizations must adopt new approaches to secure the enterprise. One of the most effective approaches adapted for cloud-first security is the Zero Trust model, and Zscaler has developed integrations which make it easy to adopt Zero Trust in Azure and Azure Government.
Zero Trust is primarily an access control model, which shifts security functions to focus on securing access to and from resources in any location, rather than securing a traditional network perimeter. This means agencies can make decisions on which users can have access to which applications and data, then allow the security platform to enforce those policies in real time without bringing the user and device into an agency’s private network. At its core, Zero Trust means instituting a deny-all-until-verified/authenticated approach, or in other words maintaining strict access control. This concept is critical to prevent attackers from pivoting laterally and elevating access within an environment.
Microsoft’s implementation of Zero Trust centers on strong user identity, device health verification, validation of application health, and secure, least-privilege access to corporate resources and services. This is further enhanced by Zscaler’s offerings which encompass multiple access scenarios and integrations with Azure and Azure Government. Zscaler’s FedRAMP-High authorized multi-tenant cloud security platform works by applying policies set by the agency to securely connect the right user to the right application from anywhere in the world. In traditional on-prem hub-and-spoke architectures, traffic inefficiencies are created when traffic is backhauled over dedicated wide-area networks. Zscaler gives agencies an opportunity to modernize the on-prem castle-and-moat approach to security.
Mapping Zscaler to Zero Trust principles and federal certifications
For civilian agencies, Zscaler supports a TIC 3.0 model which aligns with Microsoft’s Zero Trust implementation. Zscaler and Microsoft collaborated to build integrations with Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) in the following areas:
- Direct integration with Azure Active Directory to consume identity.
- Enforce Azure Information Protection label/classification with Zscaler DLP policies.
- Control access with Zscaler integrations to private applications from within your Microsoft management tools.
- Stream Zscaler’s log data to Azure Sentinel for visibility/forensics.
- Integration with Azure Virtual WAN (vWAN).
Here’s a deeper look at these five areas and how to easily integrate these offerings:
1. Azure Active Directory
Zscaler provides a FedRAMP-authorized, cloud-delivered Zero Trust access solution that uses identity from Azure Active Directory to connect authorized users to specific internal apps, without placing them on the network. Azure AD is a cloud-based identity and access management service. It allows users to securely access resources like the Azure portal, O365, and thousands of other SaaS applications. Both Zscaler Internet Access and Zscaler Private Access can leverage Azure Active Directory for user provisioning.
Configuring ZIA/ZPA to leverage Azure Active Directory can be done in less than 5 minutes:
Once the Zscaler application is added and assigned to users/groups, the configuration inside the ZIA/ZPA portal can be completed.
Administrators can automatically provision or deprovision Zscaler accounts in near real-time with Azure AD provisioning services using SCIM 2.0 anytime a user joins, moves or leaves the organization.
2. Azure Information Protection
Azure Information Protection (AIP) helps agencies protect information and files from inappropriate forwarding, sharing, and distribution, through policies set by Microsoft security. Paired with Zscaler, customers can create Data Loss Prevention (DLP) policies within ZIA to enforce data exfiltration controls and further protect against insider threats as well as compliance violations.
Zscaler DLP (Z-DLP) integration with AIP assists with creating granular policies to ensure enforcement and prevention of data exfiltration. Z-DLP takes care of the inline enforcement while AIP takes care of data classification and labeling. Due to Zscaler’s built-in file decoding capability, this works even for AIP encrypted files.
Integrating AIP labels into Zscaler DLP policies is simple. Users can apply “block, detect, and/or protect” labels to individual files, which Zscaler DLP policy then enforces by managing each Label ID within Zscaler’s custom dictionaries.
3. Integration with Microsoft Endpoint Manager and Intune
Zscaler integration adds improved management of individual endpoint devices. Create policies to define simplified, on-demand access to private applications without exposing internal networks. With Microsoft Endpoint Manager, individual mobile devices will require conditional access policies to gain access to any ZPA application.
User and group access to Zscaler resources is controlled within the Microsoft Intune console. The deployment and configuration of the Zscaler App is automated for a seamless user experience. Microsoft Intune can be leveraged to deploy the Zscaler Client Connector on end user machines. Zscaler authenticates both admins and users via single sign-on for remote access to corporate resources. Access to applications can also be limited, as desired, based on Microsoft Endpoint Manager and Azure AD conditional access policies. For example:
4. Azure Sentinel
Azure Sentinel is Microsoft’s cloud-based Security Information and Event Management (SIEM) solution. Its primary functions are security data collection, threat detection, AI-based correlation, investigation and hunting, and incident response with orchestration and automation. Zscaler’s Nanolog Streaming Service (NSS) can be integrated with Sentinel to provide organizations with full visibility and advanced threat protection across their networks and users. Benefits from this integration include:
- Instant value to security analysts by allowing for seamless log collection and capturing employee transactions globally which can be visualized through pre-built dashboards for SOC analysts
- Scalability to support the growing digital estate, whether incremental or sudden bursts in activity, to meet the requirements of any sized organization
- Improved effectiveness – Azure Sentinel’s use of AI/ML and automation helps to predict and protect against advanced threats, detect previously undetected threats, and reduce false positives. With additional feeds from Zscaler, enterprises can take advantage of a full-stack security platform
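As an added illustration of the visibility this log feed gives an analyst (example code written for this page, not Zscaler’s or Microsoft’s), the following Python parses Zscaler-style CEF records, the syslog format Sentinel’s Zscaler connector ingests, and tallies DLP-blocked web transactions per user. The sample lines and the extension-key mapping (suser, act, request, cs1 for the DLP engine) are constructed assumptions, not Zscaler’s documented NSS field layout.

```python
"""Parse Zscaler-style CEF events (as NSS would stream them to Sentinel) and
summarise DLP-blocked transactions per user. Sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample lines in CEF format. The extension keys (suser, act,
# request, cs1 = DLP engine) are assumptions for illustration only.
SAMPLE_EVENTS = [
    "CEF:0|Zscaler|NSSWeblog|1.0|200|Web Transaction|3|suser=alice@agency.gov act=Allowed request=https://portal.azure.com/ cs1=None",
    "CEF:0|Zscaler|NSSWeblog|1.0|200|Web Transaction|3|suser=bob@agency.gov act=Blocked request=https://files.example.net/up cs1=DLP",
    "CEF:0|Zscaler|NSSWeblog|1.0|200|Web Transaction|3|suser=bob@agency.gov act=Blocked request=https://paste.example.org/ cs1=DLP",
    "CEF:0|Zscaler|NSSWeblog|1.0|200|Web Transaction|3|suser=carol@agency.gov act=Blocked request=https://bad.example.com/ cs1=None",
]

CEF_HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                     "signature_id", "name", "severity")
# Extension "key=value" pairs; a value runs until the next " key=" token,
# so values containing spaces or '=' inside URLs are kept intact.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split one CEF line into its 7 header fields plus an extensions dict.
    (Escaped pipes in header fields are not handled in this example.)"""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line[4:].split("|", 7)  # 7 header fields, rest is extensions
    event = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    event["extensions"] = dict(EXT_RE.findall(parts[7])) if len(parts) > 7 else {}
    return event


def dlp_blocks_per_user(lines):
    """Count transactions the DLP engine blocked, keyed by user identity."""
    counts = defaultdict(int)
    for line in lines:
        ext = parse_cef(line)["extensions"]
        if ext.get("act") == "Blocked" and ext.get("cs1") == "DLP":
            counts[ext["suser"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(dlp_blocks_per_user(SAMPLE_EVENTS))  # {'bob@agency.gov': 2}
```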
5. Azure Virtual WAN (vWAN)
Azure is the leading public cloud provider in native security offerings, and this extends into the hybrid networking space with Azure Virtual WAN (vWAN). vWAN provides centralized network connectivity, routing, and security functions through a single operational interface. These functions include branch and enterprise network connectivity for a variety of SD-WAN and edge networking partner solutions.
Zscaler is an approved Security as a Service (SECaaS) partner provider for Azure vWAN. Connectivity to an Azure vWAN Hub is handled via encrypted IPsec connections. Leveraging Microsoft’s APIs, the IPsec connection between Azure and Zscaler can be fully automated.
From the Azure Firewall Manager you can convert any Azure virtual hub into a Zscaler secure virtual hub. Zscaler ZIA will now act as a Microsoft-approved security-as-a-service provider for outbound Internet traffic. The secure virtual hub is included in a Zscaler ZIA subscription.
To learn more about Zscaler’s end-to-end Zero Trust solutions for government, check out these resources:
- Experience Zscaler Zero Trust Private Access – Interactive
- Tutorial: Integrate Zscaler Private Access with Azure Active Directory
- Zscaler deployment with Microsoft Intune
- Zscaler in FedRAMP Marketplace
- Modernizing Cloud and Internet Access with SASE-Based TIC 3.0 Solutions