A Zero Trust Network Architecture (ZTNA) POV with Appgate

We, at Avertium, sat down with Chris Scheels, VP of Product Marketing at Appgate, to get his take on Zero Trust, why it’s so hot right now, and how Appgate’s Software-Defined Perimeter (SDP) helps companies accelerate their journey to Zero Trust Network Architecture (ZTNA).

Q: What is Zero Trust? What is Appgate SDP and why is it so relevant today?

A: Sadly, the term Zero Trust has been overmarketed, overhyped, and misrepresented way too much, which has caused a lot of confusion in the market. I have joked about finding a Zero Trust ham sandwich at RSA in 2019 with all of the Zero Trust craziness, and while that seems like forever ago, it has only gotten worse. Let’s set the world straight once and for all – Zero Trust is not a technology. It is a strategic mindset and philosophy. And that philosophy is about removing the assumed trust or implicit trust inherent in networks, people, resources, and security as a whole. But this mindset should extend to everyday business processes and workflows as well.

Back in 2010 when Zero Trust was introduced by John Kindervag (former Principal Analyst at Forrester), it was about eliminating the idea of a “trusted network” and an “untrusted network.” He surmised that all packets should be treated as untrusted. It was quite visionary and truly ahead of its time. People have asked me why it took so long for Zero Trust to become a “thing.” I attribute this to two things: 

  1. Back then the technology wasn’t there to support John’s vision; and 
  2. Let’s call it the ‘status quo’ – the fact that we had been doing security and networking the same way for decades. It was familiar, comfortable, and no one was getting fired for doing it the then-accepted way.

Zero Trust was asking security and network admins to go way outside of their comfort zones. I would know, I was one of them. Today, it is largely accepted that the ‘status quo’ isn’t working. Company after company is falling victim and becoming the next major headline. Practitioners, including myself, began to accept that the old way wasn’t working and couldn’t ever be made to work. In parallel, new technologies were rapidly evolving. Technologies exist that can put Zero Trust philosophy into practice and have been proven over and over at companies large and small. Appgate Software-Defined Perimeter (SDP) is one of those proven technologies that adhere to the principles of Zero Trust, providing least privileged access to private resources regardless of user or resource location. Furthermore, it protects a company’s intellectual property, the crown jewels if you want, which is why it is so relevant today.

Related Resource: Part 1 of 3 of our ZTNA Webinar Series — When “Trust but Verify” isn’t Enough.

Q: When faced with upgrading an aging split-tunnel VPN Solution, how could migrating to Appgate’s technology be a good alternative?

A: This is one of my favorite questions. Many enterprises are quickly realizing the three core issues that come with 25-year-old VPN technology:

  • They don’t scale
  • They are constantly under systematic attack by opportunistic adversaries and advanced persistent threats
  • They hold back a company’s ability to be agile which is critical in today’s digitally transformed world

Appgate SDP solves for all of these VPN shortcomings, and more. It is like the cloud and for the cloud and can scale linearly up or down quickly and easily as your hybrid workforce comes and goes. It uses Single Packet Authorization, a sophisticated and highly secure version of port knocking, to cloak your entire infrastructure, eliminating exposed ports on the internet, a common entry point for attackers.

Appgate SDP also creates just-in-time session-based micro firewalls, what we call “segments of one” or micro-perimeters. When entitlement to an app is granted, a micro firewall is built around the user and the granted resource which restricts a user’s ability to move laterally. It is least privileged access personified, which is what Zero Trust is all about. Because these micro perimeters greatly limit lateral movement, they reduce ransomware splash damage, protect against insider threat, and make it difficult for a compromised device under threat operator control to pivot inside the network to the crown jewels.

As I mentioned, the third issue is agility. VPNs are very static in nature, created in a time when the perimeter was static and resources and apps were fixed. Today, that is not the case. The perimeter has been turned inside out and resources are everywhere – ephemeral or fluid. With the advent of the hypervisor and IaaS, new resources can be created, moved from one location to another, and destroyed all in minutes. This is a nightmare for any VPN administrator. Appgate SDP uses context, risk, and meta-data from the environment to adapt within minutes, allowing security to be hyper-agile and provide Zero Trust security at today’s speed of business. One customer, a Sr. Enterprise Technology Strategist, said it best: “Appgate SDP has made it possible to innovate at the rate desired by the business, not at a rate constrained by the CISO and IT.” 

Lastly, one of the most beautiful things about Appgate SDP is that it allows you to think big, start small, and scale fast. Ripping out an entire VPN all at once can be a daunting task. With Appgate SDP, you can start with a single use case for a subset of high-risk users, or lock down access to a high-risk resource to provide immediate risk reduction and demonstrate improved security posture, then scale from there to full VPN replacement.

Related Reading: Zero Trust Beyond VPN Replacement: Earning the Most Value for Your Investment

Q: If a company is currently using a hybrid cloud environment (which inherently introduces complexity, inconsistency, and visibility around the flow of sensitive data), how might Appgate help? 

A: The term hybrid cloud environment is a loaded phrase, and there can be a lot of ambiguity with words, so first, I will define this a bit. When I think of cloud environments there are two main types: private, typically hosted at a user’s facility, and multi-tenant public Cloud Service Providers like AWS, GCP, Azure.

For a hybrid cloud environment, I define that as a mix of both public and private clouds. Appgate SDP provides a unified policy framework that can protect and provide least privileged access to resources regardless of where or how they are hosted. This simplifies configuration and complexity of locking down resources within any hybrid cloud environment. It also provides a single pane of glass or policy decision point for all access policies, entitlements, and conditions configurations across all cloud-based resources, providing more consistency in the typical shared cloud security responsibility model. 

Related Reading: How Multi-Cloud Environments Expand Your Attack Surface and How to Manage and Reduce the Risk

Visibility in the cloud is key but can be challenging. Appgate SDP collects a rich set of detailed logs that provides the who, what, when, and where behind every access request. This data can be presented using the built-in ELK stack and Kibana or be fed to an enterprise SIEM to enrich the logs and data for SOC and incident investigation and response. The Appgate SDP logs are also invaluable to our customers as they make compliance efforts easier and actually reduce audit scope.

Q: When considering a move to a ZTN Architecture, how does Appgate fit into this environment? What’s the value add? 

A: There are a lot of directions I could take this question, but I think what will be most relevant is the fact that Appgate SDP can reside on top of any existing infrastructure. This makes implementing a Zero Trust Network Architecture (ZTNA) easier than other solutions. In addition to that, you can start small. 

Our customers often start by protecting critical resources with Zero Trust first and then continue to expand the solution into more resources and use cases. Two reminders for our readers. One, Zero Trust is a journey, not a technology, so it doesn’t happen overnight. It’s a process. The second is that when vetting a new ZTNA solution, it is important for you to start with the end in mind. Don’t just find a solution that solves for an initial use case like third-party access or protection of cloud resources. Often overlooked is how to provide Zero Trust for all users and all resources, regardless of location. You must implement a solution with a unified policy framework that will solve not just remote access needs, but can also address other scenarios, such as on-premises users and resources, data centers, IoT, BYOD, legacy applications, and custom applications.

There are enough silos and point solutions today and security is already complex enough. A ZTNA solution needs to be 100% API-first, extensible and programmable, to work with other solutions to create a cohesive security ecosystem. Seek out a solution that covers all of these use cases and reach the destination of a fully deployed Zero Trust Network Architecture. 

What’s the value add? Making Zero Trust or least privileged access to all private resources a reality at whatever pace is acceptable or required for your organization. It’s easy to get started. At the end of the day, Appgate SDP delivers secure, granular, dynamic, and conditional (risk- and context-based) access to anything from anywhere by anyone to keep the business running.

Related Resource: 6 Steps to Implementing a Zero Trust Network

Q: If it’s not a technology the company is familiar with, what does third-party management look like? 

A: This is an important question for organizations that are currently developing their Zero Trust strategies and/or network architectures. The reality is that this is a relatively new concept for many. We’re having conversations with organizations – large and small – on a daily basis and get this question often. Many are grappling with limited resources, lack of requisite skillsets, and/or the inability to stay on top of the latest security vulnerabilities. This results in friction, delays, and roadblocks as they seek to start their Zero Trust journey. 

There is no need to go at it alone. A Managed Security Services Provider (MSSP) can relieve this burden and greatly accelerate your journey. That is why Appgate has partnered with Avertium, the managed security and consulting provider that companies turn to when they want more than check-the-box cybersecurity. As a key component of Avertium’s rigorous approach to providing extended detection and response (XDR), ZTNA gives their customers more visibility into data across networks, the cloud, endpoints, and applications.

Avertium, a trusted partner, has gone through Appgate’s rigorous training and certification program and now serves a critical need for many organizations – stepping in to deploy and manage Appgate SDP for their customers. Avertium can quickly step in to not only supplement resources, but also to build new skill sets within your team and support the buildout of your initial Zero Trust infrastructure. This way, it’s ready to handle the initial use case and then scale fast on your journey. This is all part of that think big, start small, scale fast mindset I mentioned earlier.

If you’re ready to start your Zero Trust journey, Avertium is a perfect way to eliminate the heavy lifting for smooth implementation and administration of your ZTN deployment. Every company has a unique situation, risk tolerance, and set of circumstances. Appgate and Avertium are here to help you build your Zero Trust architecture from the ground up to ensure initial and future success, one customer at a time. Your success on your journey to full Zero Trust is our success and it’s what we are passionate about. 

Download our latest eBook on ZTNA: Leveraging Zero Trust Architecture to Contain & Combat Ransomware

About Chris Scheels

VP of Product Marketing, Appgate

Chris has been aligning people, processes, and technology to drive companies forward for over 20 years. He has cybersecurity experience in product marketing, product management, and IT consulting. His passion is helping businesses succeed through the strategic use of technology. Chris’s current focus includes evangelizing and marketing Appgate’s Software-Defined Perimeter Platform to accelerate enterprise customers’ Zero Trust Journey. His background also includes experience in operations, sales, telecom, and new business development.
