InfoSec Insider

How Zero Trust and SASE Can Redefine Network Defenses for Remote Workforces

The SASE model for remote access and security coupled with Zero Trust can help redefine network and perimeter defenses when a traditional “perimeter” no longer exists.

Zero Trust has been touted for years as the future of network security. But, only recently has it started to gain traction as a practical enterprise security framework. The implementation of digital transformation initiatives has thrust Zero Trust into the spotlight as network applications and resources migrate to the cloud and blur the traditional network perimeter. This has exposed security vulnerabilities in firewalls, secure gateways, VPNs and proxies.

While many businesses started the year with the intention to implement digital transformation programs, enabling employees to work from home suddenly took priority in March due to the COVID-19 pandemic. The scramble to configure networks for remote access left organizations and users overexposed and at risk of cyberattacks. The proof lies in the proliferation of cyberattacks and threat vectors seen since the end of February.

Zero Trust provides a comprehensive yet flexible approach to safeguard IT infrastructure, applications and data.

Zero Trust Policy-based Security 

When Zero Trust policy-based security is applied to user interactions, organizations reduce their network attack surface. Each individual and system is authenticated for limited access to only the applications, data, and resources they are authorized to use. In most cases, security decisions are enforced at the endpoint but defined and managed in the cloud. Access policies can be granular to make security decisions at the access edge, based upon the IT resource, session data, authentication, and a host of other factors.

Executing Zero Trust Using the SASE Framework

Secure Access Service Edge, or SASE, the innovative security concept that was proposed by Gartner in a 2019 report titled, “The Future of Network Security is in the Cloud,” is getting a lot of recognition in the cybersecurity industry. It represents an architectural transformation in enterprise security that is suitable for today’s ever-changing work environment, with applications shifting to the cloud and workers connecting from distributed locations using all sorts of devices.

Fully aligned with SASE’s edge-based security approach, the Zero Trust security construct can be executed using the SASE framework. To illustrate, let’s look at two areas that have Zero Trust security requirements and the associated capabilities highlighted in Gartner’s report.

  • Zero Trust Network Access (ZTNA) is a security construct that is built upon the idea that least-privileged access controls need to be put in place to properly secure networks from advanced threats. It highlights the extensive network permissions that exist in most enterprises as the key vulnerability that exposes applications and other resources to threats such as the lateral spread of malware inside organizations. ZTNA solutions include micro-segmentation tools, such as application isolation, that can be added to your existing VPN and network, and other technologies like software defined perimeter (SDP). These types of technologies control lateral movement inside a network, preventing attacks by limiting remote and internal application access to only what is truly required. They can also limit the “blast radius” of attacks by making applications and data invisible to any hackers who have found a way to successfully penetrate a network’s perimeter.
  • Zero Trust web browsing presumes all websites are unsafe, and therefore, doesn’t permit them to interact freely with the browser software installed on a user’s endpoint. In this case, the SASE framework highlights a technology known as remote browser isolation (RBI) — a security capability that operates under the assumption that nothing from the web is to be trusted, and all website code, active content, and downloads are suspect. With RBI, all browsing takes place remotely, in a virtual browser in the cloud. Only safe rendering information is sent from the website to a device’s browser, providing a safe, fully interactive, seamless user experience.

Zero-Trust Security is the Destination, SASE is the Path

To understand how SASE is an approach that enables a Zero Trust security model, we’ll dig a little deeper into Gartner’s vision. In its introduction to the SASE model, Gartner listed many capabilities and elements that can form SASE platforms — network-as-a-service technologies, such as SD-WAN, CDNs and WAN optimization, as well as network security services, such as cloud SWGs, VPNs, NGFWs, ZTNA, cloud access security brokers (CASB) and RBI. As individual components of SASE, these are available today and in varying degrees, are being used by most organizations. Gartner’s SASE vision is that the evolution of these solutions will bring them together into an integrated, simple-to-use, global, cloud delivered platform.

By integrating network infrastructure capabilities with network security functions, SASE enables security controls to be enforced at all network connection points. SASE solutions combine core connectivity and security policy capabilities, providing controls that allow access policy and data use decisions to be made in-line between the requesting user and IT resources (database, app, etc.) whether they’re located within the enterprise network or in the cloud.

SASE greatly improves network security and, if implemented correctly, can be put in place with minimal impact on users. SASE solutions provide IT staff full control and visibility over every user’s access throughout the organization’s networks and applications. Integrated and ongoing inspection and analysis of traffic combined with dynamic security policy enforcement is what makes SASE a game-changing enabler of digital transformation initiatives.

Starting the SASE Journey

Gartner expects at least 40 percent of enterprises to have strategies in place for adopting SASE by 2024. Early adopters need to stay flexible since vendors are still in the process of developing their integrated cloud-based SASE platforms, but there are things they can do to prepare for SASE.

First, you can begin by reevaluating the network architecture of your organization and ensuring that network security is a part of the process. Having the correct architecture in place is vital to establishing structures that are strong and adaptable.

Second, look for some quick SASE wins by adding complementary security capabilities to your existing network infrastructure.  For example, upgrade your NGFWs and VPNs to add Zero Trust Network Access capabilities, or add RBI to bring Zero Trust web browsing to your organization.

Finally, you can plan for SASE by gradually reducing hardware dependency. Cloud-native applications and web access and security solutions lay the foundation for decentralized architectures in addition to working with legacy networks. Select transitional solutions that work with your roadmap to assist you and lead you to your eventual Zero Trust security end-state.

David Canellos is president and CEO of Ericom Software.

Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting past contributions.

Suggested articles