Zero Trust Network Access (ZTNA) works best when paired with SASE.
“Zero Trust is the What, and SASE is the How,” said security engineer David Ramazetti during his talk on this very topic at the 2021 Innovate Cybersecurity Summit in Scottsdale, Arizona this October.
Castle and the Moat Security
Businesses have traditionally used the Castle and Moat approach to security. But when using this approach at the enterprise level, they end up allocating many resources to protecting the gates.
Where this approach fails is against internal attacks, insider threats, and the factors that generally produce data breaches.
Today, the Castle and Moat security approach is considered outdated and a recipe for failure.
ZTNA establishes how and when users get access. It assumes that there are security risks both inside and outside the network perimeter. Nothing inside the network has trust by default.
Castle and Moat was a strategy that didn’t consider that employees could be involved in corporate espionage or be fallible in general, and today these types of threats are rising.
The days when the security strategy focused on keeping attackers outside the firewall from getting in have passed.
Today’s networks have to be protected from threats both inside and outside the perimeter. Through lower-effort attacks like a malware-loaded phishing campaign, actors can more easily gain access to a network vs a frontal assault on the perimeter.
What Does Secure Access Service Edge (SASE) Do?
What does Zero Trust have to do with SASE? SASE begins with Zero Trust or CARTA (Continuous Adaptive Risk/Assessment), as labeled by Gartner.
SASE is internal threat focused. SASE refers to Zero Trust being implemented here:
- Externally Accessible Services (DMZ)
- Publicly Accessible Cloud-based XaaS
It looks at internal people, external users, and strives to provide the same experience, internal or external.
Zero Trust Controls Access to Networks
This security concept is built around the ideology that nothing inside or outside the network perimeter should have automatic trust, and SASE is the means to implement.
SASE includes multiple technologies, but what are they, and what do they do? Some are core technologies while others are recommended.
Here’s a list of the core SASE technologies:
- SD-WAN (Software-Defined Wide Area Network) – A software approach to managing the WAN.
- SWG (Secure Web Gateway) – Keeps devices from becoming infected while browsing the Internet and enforces policies set by your company
- CASB (Cloud Access Security Broker) – Acts as a go-between for users and cloud service providers
- ZTNA (Zero Trust Network Access) / VPN – a product or service that creates an identity and context-defined access perimeter surrounding an application or set of applications. It verifies identities and restricts movement to other parts of the network.
And a few recommended ones:
- RBI (Remote Browser Isolation)
- Web Application & API Protection (WAF)
- Identity & Authentication Management (IAM)
Where To Begin?
Where to begin to implement SASE in the network? A few suggested things short and long term:
- Leverage agile frameworks because they provide robust abstracts for high-end overviews.
- Remove legacy VPNs for remote workers.
- Inventory existing equipment and begin phasing out the perimeter and branch hardware such as on-premises proxies and similar. Begin implementing cloud-based delivery of SASE capabilities.
- Begin consolidating vendors with a focus on cutting complexities and reducing costs.
- Actively engage with initiatives for branch office transformation and MPLS offload to integrate cloud-based security edge services into the scope of project planning.
Approaches that are iterative to corporate strategy help to foster collaborative thinking and further the overall value proposition. They work to build the holistic world view of disruptive innovation organically via workplace diversity and empowerment.
Planning for the Long Term
Further down the road, primary goals should be:
- Consolidate SASE to one or two vendors.
- Implement ZTNA for all users, regardless of whether in the office or remote.
- Choose SASE tools that let your team control where the inspection takes place, how traffic is routed, what is logged, and where logs are stored to meet privacy and compliance requirements.
- Have a team specifically tasked with the responsibility for secure access engineering spanning on-premises, remote workers, branch offices, and edge locations.