Achieving Data Protection With SASE

Data is the ultimate asset of modern business and the foundation of digital transformation. It is the currency that funds innovation and growth. Data must be protected with the utmost rigor, but it must also flow effortlessly to where it can deliver the greatest benefit. That tension is what calls for an evolution of data protection as we know it, and a broader understanding of what effective zero trust means. The concept that emerges from this evolution is what I describe as zero-trust data protection, and it is critical to achieving the secure access service edge (SASE) architecture every networking and security team is now talking about.

The most fundamental shift of digital transformation is that data no longer sits on a CPU the enterprise owns, and that is why the current construct for data protection is outmoded and in urgent need of an update. Security teams must invest in the right technology to achieve more complete data protection, and zero-trust principles must be applied everywhere data needs protecting.

Enter zero-trust data protection: the next era of zero-trust principles, specifically equipped for the problems we face today. Zero-trust data protection is the most effective way to dynamically manage risk across a mix of third-party applications and a remote-first workforce that needs always-on access to cloud apps and data to stay productive. We all have to accept that this is the new normal as of 2021.

In the cloud era, the traditional premise of data loss prevention (DLP), which assumes data lives inside a perimeter the enterprise controls, no longer holds. Yes, crucial data still lives in the data center inside the perimeter, but most organizations now have as much or more data in SaaS applications and in private applications hosted in the public cloud. To protect it, while also doing a better job of protecting the data center, we must rethink data protection in a way that is fully cognizant of how users really work today, which means protecting a much wider, much more dynamic attack surface. To solve this challenge, we have to take full advantage of the fact that the flexibility of cloud infrastructure also lets us do a better job of protecting data, provided we set it up the right way.

Data Protection is Ultimately About Context

By monitoring traffic between the user and the apps, including API traffic, we can allow or deny data access based on a deep understanding of who the user is, what they are trying to do and why. That is the context that zero-trust data protection leverages to deliver security. Knowledge of the interplay between user, device, app and data enables security teams to define and enforce conditional access controls based on data sensitivity, app risk, user behavior risk and other factors, so that the same user on the same app can be allowed to view a document but blocked from downloading it to an unmanaged device. The result is more effective security via continuous risk management.
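To make the idea of context-driven conditional access concrete, here is a small policy engine added as an illustration; it is not Netskope's product logic or code from this article. The field names, the 0-100 user risk scale, the low/medium/high app risk buckets, the sensitivity labels and the rule ordering are all assumptions chosen for the example, and the sample requests are constructed. It shows the point the paragraph makes: the decision depends on the combination of user, device, app instance, action and data label, not on any one of them.

```python
"""Toy context-based conditional access policy for data (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    COACH = "coach"   # allow, but warn the user that the behaviour is risky
    BLOCK = "block"


# Assumed ordinal scales; real products use their own labels and scores.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
APP_RISK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class AccessContext:
    """One observed request between a user and an app (inline or via API)."""
    user: str
    user_risk: int            # 0-100 behavioural risk score (assumed scale)
    device_managed: bool      # corporate-managed device vs. BYOD
    app: str
    app_risk: str             # "low" | "medium" | "high" (assumed buckets)
    corporate_instance: bool  # company tenant vs. a personal instance of the same app
    action: str               # "view" | "download" | "upload" | "share"
    data_sensitivity: str     # label produced by classification / DLP


def evaluate(ctx: AccessContext) -> tuple[Decision, str]:
    """First matching rule wins; the default is allow with no coaching."""
    sens = SENSITIVITY[ctx.data_sensitivity]
    risk = APP_RISK[ctx.app_risk]
    confidential_or_above = sens >= SENSITIVITY["confidential"]

    # 1. Restricted data is only handled on a managed device in the corporate instance.
    if sens == SENSITIVITY["restricted"] and not (ctx.device_managed and ctx.corporate_instance):
        return Decision.BLOCK, "restricted data outside managed device / corporate instance"

    # 2. Pushing confidential data into a personal instance of an app is exfiltration.
    if confidential_or_above and ctx.action in ("upload", "share") and not ctx.corporate_instance:
        return Decision.BLOCK, "confidential data to personal app instance"

    # 3. High-risk apps get no confidential data at all, regardless of the user.
    if confidential_or_above and risk == APP_RISK["high"]:
        return Decision.BLOCK, "confidential data to high-risk app"

    # 4. Unmanaged devices may view confidential data in the browser but not download it.
    if confidential_or_above and ctx.action == "download" and not ctx.device_managed:
        return Decision.BLOCK, "download of confidential data to unmanaged device"

    # 5. Elevated user behaviour risk steps access down; sharing gets a coaching prompt.
    if confidential_or_above:
        if ctx.user_risk >= 80:
            return Decision.BLOCK, "high user risk score"
        if ctx.user_risk >= 50 or ctx.action == "share":
            return Decision.COACH, "confidential data shared or user risk elevated"

    return Decision.ALLOW, "default"


# Constructed sample requests (not real traffic); expected outcomes in comments.
SAMPLE_REQUESTS = [
    AccessContext("alice", 10, True, "salesforce", "low", True, "view", "confidential"),      # allow
    AccessContext("alice", 10, False, "salesforce", "low", True, "download", "confidential"), # block (rule 4)
    AccessContext("bob", 10, True, "gmail", "low", False, "upload", "confidential"),          # block (rule 2)
    AccessContext("bob", 10, True, "box", "low", True, "share", "confidential"),              # coach (rule 5)
    AccessContext("carol", 85, True, "box", "low", True, "view", "confidential"),             # block (rule 5)
    AccessContext("dave", 10, True, "pastebin", "high", False, "view", "public"),             # allow (public data)
    AccessContext("eve", 10, False, "sharepoint", "low", True, "view", "restricted"),         # block (rule 1)
]


def run_samples() -> list[tuple[str, str, str, str]]:
    """Evaluate every sample request and return (user, action, app, decision)."""
    return [(c.user, c.action, c.app, evaluate(c)[0].value) for c in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for user, action, app, decision in run_samples():
        print(f"{user:6} {action:9} {app:11} -> {decision}")
```

Note how the same user, app and document get different decisions in the first two samples purely because the device changed, and how the high-risk app in the sixth sample is allowed because the data is public; that is the difference between a network-centric rule ("block pastebin") and a data-centric one.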

Any conversation about this evolution inevitably becomes a discussion of SASE architecture. Vendors, analysts and plenty of others have argued about what SASE really means ever since Gartner coined the term in 2019, so here is a simple explanation of SASE and how zero-trust data protection helps get us there:

SASE Saves Time and Money and Reduces Risk

SASE, when implemented properly, protects the use of data within the context of how data is actually used today. Sharing, downloading and other potentially harmful actions can be controlled far more seamlessly. SASE also allows different levels of protection for company and personal data, and can warn users about dangerous behaviors that put their data at risk. It eliminates the backhauling and hairpinning of traffic through a data center that restricts productivity and could otherwise prevent users from using the best and most effective tools to drive business growth.

Zero-Trust Still Applies to SASE

Whether in a traditional on-premises architecture, a SASE architecture or an architecture in transition from traditional to SASE, zero-trust principles must be applied. For any data to be secured successfully, there must be no implicit trust between entities. All entities must be continuously verified and assessed throughout the network interaction, not just at the moment of initial connection.

Zero-Trust Data Protection Bridges the Gaps That Exist

Where zero-trust data protection comes in (and why it goes well beyond the narrower uses of zero-trust network access and other zero-trust constructs) is that it offers real-time, conditional application and data access and protection enforcement for on-premises data and for data in public or private cloud applications. Today there are many isolated zero-trust projects focused on networks, users, devices or isolating servers. What most of these projects miss when they focus only on concepts like zero-trust network access is the data itself. Data is the core digital asset any security team is ultimately protecting, so the grand strategy must be built around it. That means going beyond access control and isolation, and there is a fast-growing group that believes zero trust must extend all the way to data protection. Zero-trust data protection provides continuous, real-time access and policy control based on users, devices, apps, threats and data context.

Zero-trust data protection isn't just a new way to think about DLP, nor is it yet another 'marketecture' concept hitching itself to the latest buzzword. It gets to the heart of what SASE is all about: transforming security and networking for the era of cloud, enabling access from anywhere and ensuring data is protected everywhere it needs to go. The ability to do this effectively and completely, instead of taking a piecemeal approach, is what separates the true SASE technology providers from the pretenders.

Jason Clark

Jason Clark brings decades of experience executing successful strategic security programs and business strategies to Netskope as Chief Security + Strategy Officer.
