Securing Networks in a Perimeterless World

The network perimeter—as it is traditionally understood—is dead. Firewalls were once considered the pinnacle of cybersecurity: erect a strong enough one around the network and everything inside will be secure. Unfortunately, that was probably never true, but it’s easy to see why the idea gained popularity. Humanity has been building walls to keep enemies at bay for thousands of years, and a network firewall was seen as a digital extension of the fortified walls and parapets that once kept cities and fortresses secure. Today, those digital walls are less effective than ever.

The concept of the perimeter has broken down. Organizations conduct transactions with vendors, suppliers, customers and other individuals outside the network on a regular basis. Personal device use is rampant, with employees using their own personal phones and tablets for work purposes, logging into corporate networks via unsecured Wi-Fi networks. IoT has also become an essential part of business operations and comes with its own set of vulnerabilities that exist well outside the four walls of a company HQ. For these reasons and more, the old understanding of the network perimeter is no longer valid—which means organizations require a new understanding of network security.

Understanding SASE and the New Perimeter

The term ‘secure access service edge’ (SASE) was coined by Gartner and represents a fundamental shift in how organizations approach security. Gartner’s definition describes the convergence of wide-area networking and network security functions (secure web gateways, cloud access security brokers, zero-trust network access and firewall-as-a-service among them) into a single cloud-delivered service. The name itself points at the two halves: ‘secure access’ means that computers, smartphones, IoT devices and other endpoints must be able to connect safely from wherever they are, while ‘service edge’ means that those security controls are applied at cloud points of presence close to the user or device, outside the traditional understanding of the ‘network perimeter.’

Like zero-trust, SASE is an architectural model rather than a particular piece of software or hardware, and it builds on the zero-trust premise that any actor on the network is a potential attacker until it proves otherwise. Today an “actor” is not just a user: it might be a machine, process, mobile device, server, application or any of dozens of other entities using and accessing corporate networks. Over the past few years the number of such entities connecting to the average corporate network has grown sharply, which makes a zero-trust mentality more essential than ever.

One factor behind this explosion of connected devices is the rapid growth of the internet of things (IoT), which adds new devices that monitor, measure and gather data. The COVID-19 pandemic accelerated the shift to remote work, and the share of employees connecting from personal devices over home Wi-Fi has further expanded the network footprint. Vendors, partners, suppliers and other third parties may also need access to the corporate network, creating additional inroads for would-be attackers. Each of these entities must be able to authenticate securely to the network, and none should be granted more privilege than it strictly requires.

PKI and the Principle of Least Privilege

SASE applies the principle of least privilege to each identity connecting to the network, in practice through its zero-trust network access component: each entity may reach only the parts of the network, and perform only the specific functions, that its job requires. In real-world terms, the human resources department does not need access to source code, and programmers and developers do not need access to employees’ personal information; because they do not need it, their accounts are not permitted to access it. The technicalities of SASE are more nuanced than this, but it is a good way to think about the model.

Limiting the permissions of individual user accounts may sound simple, but what about applications, servers, IoT devices and other non-human entities? To set appropriate permissions for an entity accessing the network, an enterprise needs a robust and reliable digital identity solution. When an entity requests data, issues a command or attempts to reach a gateway, the system must first establish definitively who it is (authentication) and only then decide whether it has the right to perform that action (authorization). Whether the entity is a server, an employee’s personal device or a workload running in the public cloud, positive authentication must succeed before any permission is granted.

Today, public key infrastructure (PKI) remains the most widely deployed technology for establishing a strong, cryptographically verifiable digital identity. It is ubiquitous, using digital certificates to authenticate a user, server or other identity and to secure the communication between those entities. These certificates underpin the principle of least privilege: whenever an identity attempts to do something within the network environment, it must present its certificate, prove that it holds the matching private key, and have the certificate validated (chain to a trusted CA, validity period, revocation status and intended usage). Only then is the authenticated identity checked against policy for the requested action; if the identity cannot be verified or its permissions are insufficient, the request is denied. This constant verification means that no identity is automatically trusted, and each must prove both who it is and what it is allowed to do every step of the way.
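The following Go program is an added example, not code from the original article or from Sectigo, of the per-request check just described: a private CA issues certificates to workloads, and a relying party authenticates each request (chain validation against the trusted CA, validity window, client-auth key usage, and proof of possession of the private key over a verifier-chosen nonce) before consulting a deny-by-default least-privilege policy keyed on the identity in the certificate’s SAN. The identities (sensor-42.plant.example, hr-app.corp.example), the action names, the ‘Corp Device CA’ and ‘Rogue CA’ are all hypothetical and constructed for the example; in a real mutual-TLS deployment the TLS handshake performs the proof-of-possession step that signing the nonce stands in for here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// policy maps an authenticated identity (the SAN) to the only actions it may perform (constructed data).
var policy = map[string]map[string]bool{
	"sensor-42.plant.example": {"telemetry:write": true},
	"hr-app.corp.example":     {"employee-records:read": true},
}

func check(err error) { // the demo panics on RNG or signing failure
	if err != nil {
		panic(err)
	}
}

// issueCert generates an Ed25519 key pair and a certificate for name valid until notAfter: a self-signed CA when parent is nil, else a client-auth leaf.
func issueCert(name string, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only uniqueness; a real CA tracks serials durably
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notAfter.Add(-30 * 24 * time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: the SAN is the identity relying parties act on
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// authorize is the per-request decision: authenticate (chain to a trusted CA, validity window, client-auth
// usage, proof of key possession over the verifier's nonce), read the identity off the certificate, then apply policy.
func authorize(cert *x509.Certificate, roots *x509.CertPool, nonce, sig []byte, action string, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("authentication failed: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return "", fmt.Errorf("authentication failed: no proof of private key possession")
	}
	if len(cert.DNSNames) != 1 {
		return "", fmt.Errorf("authentication failed: certificate names no single identity")
	}
	id := cert.DNSNames[0]
	if !policy[id][action] { // unknown identity or action reads false: deny by default
		return id, fmt.Errorf("authorization denied: %s may not %s", id, action)
	}
	return id, nil
}

// demo builds a private CA, issues identities and runs constructed requests, returning whether each was allowed.
func demo() map[string]bool {
	now := time.Now()
	ca, caKey := issueCert("Corp Device CA", now.Add(240*time.Hour), nil, nil)
	rogueCA, rogueKey := issueCert("Rogue CA", now.Add(240*time.Hour), nil, nil)
	sensor, sensorKey := issueCert("sensor-42.plant.example", now.Add(time.Hour), ca, caKey)
	fake, fakeKey := issueCert("sensor-42.plant.example", now.Add(time.Hour), rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	results := map[string]bool{}
	try := func(label string, c *x509.Certificate, k ed25519.PrivateKey, action string) {
		nonce := make([]byte, 32) // fresh and verifier-chosen, so a captured signature cannot be replayed
		_, err := rand.Read(nonce)
		check(err)
		_, err = authorize(c, roots, nonce, ed25519.Sign(k, nonce), action, now)
		results[label] = err == nil
	}
	try("sensor writes telemetry", sensor, sensorKey, "telemetry:write")
	try("sensor reads employee records", sensor, sensorKey, "employee-records:read")
	try("rogue CA impersonates sensor", fake, fakeKey, "telemetry:write")
	try("copied sensor cert without its key", sensor, rogueKey, "telemetry:write")
	return results
}

func main() {
	fmt.Println(demo())
}
```

Run it with `go run`: only the sensor writing telemetry is allowed; the same valid certificate is refused for an HR action, a certificate for the same name from an untrusted CA fails chain validation, and a copied certificate presented without its private key fails the possession check. `Verify` also rejects certificates outside their validity window (passing a later `now` demonstrates this), but Go’s `x509.Verify` does not consult CRLs or OCSP, so a production relying party must add revocation checking or rely on short-lived certificates.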

Moving Forward with PKI and SASE

The network perimeter no longer exists in the traditional sense, which has led many to remark that identity is the new perimeter. As enterprises embrace the principles of zero-trust and SASE, the ability to reliably authenticate and manage those identities will only grow in importance. PKI supplies the verifiable identities on which least-privilege policy is enforced, keeping network assets out of reach of those without the proper permissions. Reliable issuance, validation and lifecycle management of digital certificates is therefore central to SASE and a key element of security in today’s post-perimeter world.


Tim Callan

Tim Callan is responsible for ensuring Sectigo’s CA practices conform to industry and regulatory requirements and the company’s published Certificate Practices. Tim has more than twenty years’ experience as a strategy and product leader for successful B2B software and SaaS companies, with fifteen years’ experience in the SSL and PKI technology spaces.
