Understanding SASE and Zero-Trust to Strengthen Security

Cyberthreats have reached unprecedented levels: attacks are happening more frequently than ever, and well-resourced criminal groups keep devising new ways to compromise networks. Ransom demands are rising and hitting a wide range of targets, from small businesses to critical infrastructure and government agencies. As a result, businesses, nonprofit organizations and government agencies that have been contemplating a move to zero-trust security are seeking a better understanding of cloud-based secure access service edge (SASE) and how it can help them reach a zero-trust security “end state.”

How SASE and Zero-Trust Fit Together

The cloud-based secure access service edge (SASE) security model is widely regarded as an effective approach to securing organizations as they make the strategic move to perimeterless and hybrid networks. Critical to making that move safely is the implementation of zero-trust security controls that protect an organization's users, devices, applications and networks without degrading the user experience.

This article examines how the SASE framework sets the stage for the move from conceptual acceptance of zero-trust security principles to the practical implementation of solutions for organizations of any size.

New Solutions are Needed to Protect Against Future Unknowns

With the cybersecurity landscape constantly evolving, solutions that were built to protect perimeter-based networks are unable to protect organizations in the new threat environment.

In the wake of devastating cyberattacks, in which organized crime and nation-states, along with their proxies, used sophisticated phishing and zero-day exploits to carry out destructive ransomware attacks against all types of organizations, the US government has taken a more aggressive stance. The Department of Homeland Security issued cybersecurity directives for pipeline companies; CISA published a Capacity Enhancement Guide on securing web browsers for federal agencies; the National Institute of Standards and Technology published draft guidance on ransomware risk management; and the White House issued an executive order calling for federal agencies to adopt and implement a zero-trust security architecture.

Perimeter-Based Defense and User Training are No Longer Enough

The standard approach to cybersecurity used to be securing the network perimeter with firewalls and tools such as antivirus and anti-malware software, in the hope of detecting threats and blocking them before they could get in.

In recent years, however, IT architectures have changed a great deal, with the shift to remote work accelerating what had been a slow and steady process. Many organizations that have made headlines following ransomware attacks are now painfully aware that detection-based approaches alone cannot reliably stop the zero-day exploits and the multitude of new malware variants that appear on the web daily.

User education, the oft-cited front line of phishing defense, is only partly effective: in one recent simulation, up to 24% of employees clicked a malicious link in the most convincing phishing emails even after training. IBM reported a 6,000% increase in phishing attacks between March and April of 2020 alone. A single click on a seemingly innocuous URL in a phishing email can be enough for ransomware to paralyze an entire enterprise.

The concept of a perimeter-based defense has been rendered obsolete as digital transformation and cloud migration initiatives continue, more people work remotely, and cybercriminals continue to hone their skills. For this new ecosystem, in which users inside or outside the network access resources that may sit on the network, in private or public clouds, or online, organizations need security approaches that protect all users and resources, wherever they are.

The Zero-Trust Security Philosophy

Zero-trust addresses both the new digital landscape and longstanding security challenges by treating every user, device, network flow, website and email as untrusted until it has been verified. This is a prudent stance in today's perimeterless, cloud-based world, where zero-day exploits and other unknown threats stay a few steps ahead of signature-based security solutions and attackers are creative and resourceful.

The basic principles of the zero-trust approach are: never trust, always verify; grant only least-privilege access; and assume breach. In practice, every request is authenticated and authorized on its own merits, each identity receives only the access its current task requires, and controls are designed on the premise that an attacker may already be inside the environment.

Zero-trust is not a specific service or technology but a security philosophy and strategy that must guide and underpin every aspect of cybersecurity management.

What does transitioning to a zero-trust approach entail for today’s organizations, whose operations depend on combinations of legacy hardware and software, cloud-based resources and SaaS apps? How should organizations begin the transition process?

SASE is Zero-Trust Philosophy Made Actionable

Establishing secure access from anywhere, to all resources and devices, wherever users are located, in accordance with zero-trust principles is no easy task, since different access paths (on-premises, private cloud, public cloud, SaaS and the open web) call for different controls.

Secure access service edge platforms, known as SASE, integrate diverse technologies that give users secure access, anywhere and at any time, to the resources they need in accordance with zero-trust tenets. To apply the principles consistently and efficiently across all resources, devices and users of today's distributed workforces, SASE platforms operate at the cloud edge, through which all access is routed. Elements that enable application of the three basic zero-trust principles form a common core for all SASE capabilities.

In its recent research on network and endpoint security, Gartner groups SASE capabilities into a “WAN service edge” and a “security services edge.” The WAN edge services focus on access technologies such as SD-WAN, quality of service and routing, while the security services edge (SSE) focuses on making that delivery secure, through solutions such as secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA) and remote browser isolation (RBI) services. These security services protect organizations' users, apps and stored data from breaches, web-borne malware and ransomware, phishing, and careless or malicious user behavior.

Identity and access management (IAM) and micro-segmentation underpin both sides of the SASE construct, enabling policy-based access controls to be specified and enforced consistently across all access and security technologies, for every scenario.
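The three zero-trust tenets, and the policy-based IAM and micro-segmentation controls just described, can be made concrete as a per-request policy decision point: deny by default, verify identity and device posture on every request, grant only the action a rule explicitly allows, and assume breach by expiring sessions and confining each resource to the segments that may reach it. The Python model below is an added example written for this article; it is not code from any SASE vendor or from Gartner's research, and its rule fields, thresholds, user, device and segment names are all assumptions chosen for illustration.

```python
"""Illustrative zero-trust policy decision point (added example, not vendor code).
Every check must pass on every request; the absence of a matching rule is a denial."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool
    authenticated_at: datetime


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                # enrolled in the organization's MDM/EDR (assumed posture signal)
    disk_encrypted: bool
    posture_checked_at: datetime
    segment: str                 # network segment the request arrives from


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    resource: str                # e.g. "hr-db" (hypothetical resource name)
    action: str                  # e.g. "read", "write"
    at: datetime


@dataclass(frozen=True)
class Rule:
    """One least-privilege grant: who may do what, on which resource, from where."""
    resource: str
    actions: FrozenSet[str]
    groups: FrozenSet[str]
    reachable_from: FrozenSet[str]          # micro-segmentation: allowed source segments
    require_mfa: bool = True
    require_managed_device: bool = True
    max_auth_age: timedelta = timedelta(hours=8)       # assumed re-authentication window
    max_posture_age: timedelta = timedelta(minutes=15)  # assumed posture re-check window


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(req: Request, rules: List[Rule]) -> Decision:
    """Default deny: only a rule that matches resource+action AND passes every
    identity, device, freshness and segment check can produce an allow."""
    matching = [r for r in rules if r.resource == req.resource and req.action in r.actions]
    if not matching:
        return Decision(False, "no rule grants this action on this resource")
    reasons: List[str] = []
    ident, dev = req.identity, req.device
    for rule in matching:
        if not (ident.groups & rule.groups):
            reasons.append("not in an authorized group"); continue
        if req.at - ident.authenticated_at > rule.max_auth_age:
            reasons.append("authentication too old; re-verify"); continue
        if rule.require_mfa and not ident.mfa_verified:
            reasons.append("MFA required"); continue
        if rule.require_managed_device and not (dev.managed and dev.disk_encrypted):
            reasons.append("device posture insufficient"); continue
        if req.at - dev.posture_checked_at > rule.max_posture_age:
            reasons.append("device posture stale; re-check"); continue
        if dev.segment not in rule.reachable_from:
            reasons.append(f"segment {dev.segment!r} may not reach {rule.resource!r}"); continue
        return Decision(True, f"granted by rule for {rule.resource}/{req.action}")
    return Decision(False, "; ".join(dict.fromkeys(reasons)))  # de-duplicated, in order


def demo() -> Dict[str, Decision]:
    """Constructed scenarios (not real data) that exercise each check once."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=5)

    def ident(user, group, mfa=True, age=timedelta(hours=1)):
        return Identity(user, frozenset({group}), mfa, now - age)

    def device(segment, managed=True, encrypted=True, checked=fresh):
        return Device(f"{segment}-laptop", managed, encrypted, checked, segment)

    rules = [  # analysts read from user segments; admins write only from a jump segment
        Rule("hr-db", frozenset({"read"}), frozenset({"hr-analysts"}), frozenset({"corp-users", "vpn"})),
        Rule("hr-db", frozenset({"read", "write"}), frozenset({"hr-admins"}), frozenset({"admin-jump"})),
    ]
    cases = {
        "analyst_read": Request(ident("alice", "hr-analysts"), device("corp-users"), "hr-db", "read", now),
        "analyst_write": Request(ident("alice", "hr-analysts"), device("corp-users"), "hr-db", "write", now),
        "admin_wrong_segment": Request(ident("bob", "hr-admins"), device("corp-users"), "hr-db", "write", now),
        "admin_unmanaged": Request(ident("bob", "hr-admins"), device("admin-jump", managed=False), "hr-db", "write", now),
        "admin_stale_auth": Request(ident("bob", "hr-admins", age=timedelta(hours=9)), device("admin-jump"), "hr-db", "write", now),
        "admin_ok": Request(ident("bob", "hr-admins"), device("admin-jump"), "hr-db", "write", now),
        "unknown_resource": Request(ident("alice", "hr-analysts"), device("corp-users"), "payroll-api", "read", now),
    }
    return {name: authorize(req, rules) for name, req in cases.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:20s} {'ALLOW' if d.allowed else 'DENY ':5s} {d.reason}")
```

Note the design choices that map to the tenets: the decision is recomputed for every request rather than cached per session (always verify), a grant names a specific resource and action set rather than a role with blanket access (least privilege), and even a fully authorized admin is refused when the request comes from the wrong segment or an unmanaged device (assume breach). A real SSE or ZTNA broker would source the identity and posture signals from the IAM provider and endpoint agent instead of constructing them inline.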

Cybersecurity Your Organization Needs

The world today is drastically different from what it was just a few years ago. Zero-trust is a proactive and comprehensive approach to cybersecurity that is essential for meeting the challenges organizations regularly face in today’s threat environment. SASE platforms provide a comprehensive security approach that shrinks the gaps that allow malware in and integrates detection and automated response to stop any malware that slips in, as some inevitably will.

Zero-trust security, as enabled by SASE, is a major upgrade over perimeter-based solutions. As is typical for major technological advances, the first SASE platforms were expensive and complex solutions designed for larger organizations, leaving small and midsize enterprises without the protection they needed against cyberattacks. Fortunately, more affordable platforms are now available that are much simpler for smaller organizations to manage yet provide the full range of capabilities necessary to secure them. Given the current cyberthreat landscape, there's no better time than right now to jumpstart your organization's zero-trust journey by starting to bring SASE capabilities on board.