Is your network security architecture designed for yesterday’s problems?
Over the past decade, the IT world has changed dramatically. In the latter part of the 2010s, digital transformation projects, cloud strategies, automation and the adoption of SaaS applications were on the agenda for many businesses. Most workforces went to a place of work daily, and IT teams had control over the location of their users and endpoints, so they focused on centralising their security.
Then the Covid pandemic hit in 2020, and the focus shifted to how businesses could operate when their workforce suddenly became remote overnight. Most businesses had an IT security architecture built around a central location that protected people in the office and not outside of it. With employees working from many different locations and using different devices to access apps and data, the attack surface increased significantly, opening business operations up to threats they had not previously needed to protect themselves against.
Fast forward to the post-pandemic world: for many businesses, hybrid working has become the norm, meaning workforces remain widely distributed and the security perimeter is no longer in one specific location. It is everywhere.
Most companies, however, have not changed the infrastructure that secures the traffic passing across their network, and still route all cloud traffic through their data centre in order to leverage existing traditional perimeter protections.
But this ‘traditional’ network security architecture was designed for yesterday’s problems. It offers inefficient and insecure access, inelastic scalability and deployment complexity, and results in a poor user experience.
As such, the old architectural model of backhauling traffic to data centres no longer makes sense as more users and apps are now outside the enterprise.
So how can businesses ensure that they embrace digital transformation, stay in control of their users and the applications and data sources that their employees are accessing, and above all, still deliver a good user experience securely?
The solution is to adopt Secure Access Service Edge (SASE), a term coined by Gartner, as a holistic approach to networking and security.
So what exactly is SASE?
SASE is seen as a networking and security architecture that is made up of SD-WAN and SSE or Secure Service Edge, consolidating networking and security as a service into a cloud-delivered service at the network edge.
Secure Service Edge (SSE)
SSE or Secure Service Edge is a collection of cloud-centric security capabilities that facilitates safe access to websites, software-as-a-service (SaaS) applications and private applications*. In simple terms, this means that a business which adopts it will have a comprehensive set of cyber security technologies to secure remote access to applications, data, tools and other corporate resources, and to monitor and track behaviour once users access the network. Where a workforce is hybrid or remote, securing mobile users and the data and apps they access is vital.
Broken down, SSE is made up of, but not limited to, Zero Trust Network Access (ZTNA), Cloud Secure Web Gateway (SWG), Cloud Access Security Broker (CASB) and Firewall-as-a-Service (FWaaS).
Let’s explore these in more detail:
Zero Trust Network Access (ZTNA)
The application of Zero Trust Network Access (ZTNA) removes the implicit trust that was automatically applied in traditional networks, where users had full access to everything once connected. The default for ZTNA is deny: access to a service is granted only once the user has been explicitly authorised for that service.
ZTNA is essentially a security framework and access method that works on the principle of never trust, always verify.
The layers of inspection and enforcement include:
- Centralised Visibility and Control: Visibility of your network traffic, including where data is stored and who is able to access it.
- Identity-Based Authentication: Applying precise least-privilege access to users, with continuous monitoring of user behaviour for malicious activity and signs of credential theft, malware and data loss.
- Uniform Security Policies: Enforcing security policies on all corporate-owned and third-party applications regardless of where the data resides.
- Granular, Role-Based Access: Granting users access only to the data required for their job role, and restricting access based on the type of device and the location used to connect.
- Post-Connect Threat Monitoring: Continuing to verify after the connection is established, so that the ZTNA controls can detect an attacker who has gained access to the business’s network from their network activity.
In summary, ZTNA redirects user traffic through a security broker, which verifies the identity of the device or user and checks its security, compliance and posture. Only then does it allow that device or user to reach a network or a specific corporate resource, and it offers granular visibility into users’ activities.
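The broker behaviour described above (default deny, identity check, device posture, role-based entitlement, location restriction, and re-verification after connection) can be seen in a small policy decision point. This is an added example written for this article, not code from any SASE vendor; the policy table, application names, roles and posture attributes are all constructed for illustration.

```python
"""Constructed ZTNA-style policy decision point for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    role: str
    mfa_verified: bool        # identity has been strongly authenticated


@dataclass(frozen=True)
class DevicePosture:
    managed: bool             # enrolled in corporate device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Context:
    country: str              # where the connection originates


# Constructed policy table (hypothetical applications). Each private app lists
# the roles entitled to it and the device/location conditions it requires.
# Anything not listed is unreachable: that is the default-deny principle.
POLICY = {
    "payroll": {"roles": {"finance"}, "managed_only": True, "countries": {"GB", "IE"}},
    "wiki": {"roles": {"finance", "engineering"}, "managed_only": False, "countries": None},
    "git": {"roles": {"engineering"}, "managed_only": True, "countries": None},
}


def decide(app, ident, device, ctx):
    """Return (allowed, reason). Every check must pass; the first failure wins."""
    rule = POLICY.get(app)
    if rule is None:
        return False, "default deny: no policy for application"
    if not ident.mfa_verified:
        return False, "identity not verified"
    if ident.role not in rule["roles"]:
        return False, "role not entitled to application"
    if rule["managed_only"] and not device.managed:
        return False, "unmanaged device"
    if not (device.disk_encrypted and device.os_patched):
        return False, "device posture below baseline"
    if rule["countries"] is not None and ctx.country not in rule["countries"]:
        return False, "location not permitted"
    return True, "allowed"


def reachable_apps(ident, device, ctx):
    """Apps the broker would expose to this user; everything else stays invisible."""
    return sorted(app for app in POLICY if decide(app, ident, device, ctx)[0])


class Session:
    """A brokered connection that is re-evaluated whenever device posture changes."""

    def __init__(self, app, ident, device, ctx):
        self.app, self.ident, self.device, self.ctx = app, ident, device, ctx
        self.active, self.reason = decide(app, ident, device, ctx)

    def update_posture(self, device):
        # Post-connect verification: a device that drops below baseline mid-session
        # loses access rather than keeping it until it next reconnects.
        self.device = device
        self.active, self.reason = decide(self.app, self.ident, device, self.ctx)
        return self.active


if __name__ == "__main__":
    alice = Identity("alice", "finance", mfa_verified=True)
    laptop = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
    print(decide("payroll", alice, laptop, Context("GB")))
    print(reachable_apps(alice, laptop, Context("GB")))
    s = Session("payroll", alice, laptop, Context("GB"))
    print(s.update_posture(DevicePosture(managed=True, disk_encrypted=True, os_patched=False)))
```

The ordering of checks matters for the reason reported back: an unknown application is refused before identity is even examined, so a probe cannot learn whether a name exists, and a role failure is reported before device details are consulted.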
Secure Web Gateway (SWG)
The Secure Web Gateway (SWG) component of SASE allows remote users to connect to the Internet through a cloud-based proxy, which sits between the user and the Internet and offers security functionality similar to what next-generation firewalls provided in the traditional work-from-the-office model.
Instead of connecting directly to a website, a user accesses the Secure Web Gateway, which is then responsible for connecting the user to the desired website and performing functions such as URL filtering, web visibility, malicious content inspection, web access controls and other security measures.
Because the Secure Web Gateway is based in the cloud, user traffic does not have to trombone through corporate firewalls, which improves latency and the end-user experience without compromising the level of cyber security protection.
Cloud Access Security Broker (CASB)
Cloud Access Security Broker (CASB) solutions help businesses discover where their data is across multiple software-as-a-service (SaaS) applications. They can detect when data is moving between cloud environments and on-premises data centres, or being accessed by mobile workers.
Security, governance and compliance are enforced by policies which allow only authorised users to access and consume cloud resources while enabling businesses to effectively and consistently protect their data across multiple locations.
Firewall-as-a-Service (FWaaS)
Firewall-as-a-Service (FWaaS) enables firewalls to be delivered as part of a business’s cloud infrastructure to protect cloud-based data and applications. FWaaS capabilities (as part of an SSE solution) enable the aggregation of traffic from multiple sources, whether on-site data centres, branch offices, mobile users or cloud infrastructure. It also provides consistent application and enforcement of security policies across all locations and users, while giving complete network visibility and control without deploying physical appliances.
Summarising Secure Service Edge
In summary, by deploying a comprehensive SSE solution, businesses can give their employees secure remote access to applications, data, tools and other corporate resources whilst monitoring and tracking behaviour once users access the network. As the hybrid workforce expands, those remote and mobile users, and the data and apps they access, remain protected.
It allows companies to automatically manage dispersed remote and hybrid users by connecting them to nearby cloud gateways instead of backhauling traffic to corporate data centres.
It also provides consistent secure access to all applications while maintaining full visibility and inspection of traffic across all ports and protocols.
SD-WAN
SD-WAN as part of a SASE solution delivers the networking functionality, directing and optimising traffic across a business’s network.
SD-WAN (compared to traditional MPLS type networks) allows companies to centrally manage their WAN infrastructure, typically from a central application hosted in the cloud. It also allows businesses to dynamically route network traffic based on the requirements of their applications.
Unlike traditional WANs that depend on manually created rules on routers, SD-WAN is application-centric and virtualised, adapting swiftly to changes and offering better security. It is crucial to accessing cloud applications securely. Typically it is managed from a centralised control plane, which minimises individual device management. Furthermore, SD-WAN supports diverse connection types, such as MPLS and broadband, bolstering bandwidth and performance while simplifying administration.
By not backhauling traffic to a central data centre, latency is reduced, and performance improves, leading to better user satisfaction, all while maintaining strong security.
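The application-aware path selection described in this section, choosing between links such as MPLS and broadband according to what each application needs, is shown below as an added example. It is illustrative code written for this article, not any SD-WAN product's implementation; the link measurements, application SLA profiles and cost values are constructed.

```python
"""Constructed SD-WAN-style path selection: pick the cheapest link that meets an application's SLA."""
from dataclasses import dataclass


@dataclass
class PathStats:
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    cost: int                 # relative cost of carrying traffic, lower is preferred


# Constructed per-application requirements (hypothetical SLA profiles).
APP_SLA = {
    "voip": {"max_latency_ms": 150, "max_loss_pct": 1.0, "max_jitter_ms": 30},
    "saas": {"max_latency_ms": 300, "max_loss_pct": 3.0, "max_jitter_ms": 100},
    "backup": {"max_latency_ms": 2000, "max_loss_pct": 10.0, "max_jitter_ms": 1000},
}


def meets_sla(path, sla):
    """True when every measured metric is within the application's limits."""
    return (path.latency_ms <= sla["max_latency_ms"]
            and path.loss_pct <= sla["max_loss_pct"]
            and path.jitter_ms <= sla["max_jitter_ms"])


def select_path(app, paths):
    """Return (path_name, within_sla).

    Among links that satisfy the SLA, the cheapest wins (latency breaks ties).
    If no link satisfies it, traffic is still forwarded best-effort over the
    lowest-latency link rather than blackholed, and the caller is told the
    SLA is not being met so it can raise an alert.
    """
    sla = APP_SLA[app]
    eligible = [p for p in paths if meets_sla(p, sla)]
    if eligible:
        best = min(eligible, key=lambda p: (p.cost, p.latency_ms))
        return best.name, True
    fallback = min(paths, key=lambda p: p.latency_ms)
    return fallback.name, False


# Constructed measurements from a branch with three uplinks.
LINKS = [
    PathStats("mpls", latency_ms=40, loss_pct=0.1, jitter_ms=5, cost=3),
    PathStats("broadband", latency_ms=60, loss_pct=0.5, jitter_ms=20, cost=1),
    PathStats("lte", latency_ms=120, loss_pct=2.0, jitter_ms=60, cost=5),
]


def degraded(name, paths, **changes):
    """Copy of the link list with one link's measurements overridden (simulated brownout)."""
    out = []
    for p in paths:
        if p.name == name:
            out.append(PathStats(**{**p.__dict__, **changes}))
        else:
            out.append(p)
    return out


if __name__ == "__main__":
    for app in APP_SLA:
        print(app, select_path(app, LINKS))
    brownout = degraded("broadband", LINKS, loss_pct=3.0, jitter_ms=45)
    print("voip during broadband brownout:", select_path("voip", brownout))
```

Because the decision is re-run on fresh measurements, a link that degrades is steered around automatically, which is the behaviour a manually maintained router rule set cannot provide without an engineer editing it.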
When coupled with SSE technology, the complete SASE solution delivers networking and security as a service in a single cloud-delivered service at the network edge.
The Key to Deploying SASE is Treating it as a Journey.
In our experience very few businesses will wake up one day and say ‘today I’m going to look at how I can implement a SASE solution into our organisation.’ It is more likely that businesses will take small steps and go along a journey to achieving a full SASE architecture.
For most businesses, the journey can start with a single use case: the need to replace legacy systems or networks, a branch transformation project to improve user experience, meeting industry compliance requirements for protecting data, or securing mission-critical web or SaaS-based applications.
It is likely that businesses are already using a number of different Cyber Security products, and the challenge is whether to continue using disparate Cyber Security products and have a multi-vendor SASE solution or whether to opt for a platform approach using a single vendor.
Consolidation and simplification are the guiding principles of SASE, so the natural answer would be a single-vendor SASE solution which converges network and security capabilities into one cloud-delivered service. By consolidating different point products, appliances can be eliminated and consistent policy enforcement can be achieved easily. This also gives one data source and a single management console.
That is not to say that a multi-vendor SASE solution won’t deliver similar functionality to a single-vendor SASE, but the setup will require greater integration to ensure the solutions work together and to enable log collection and correlation for management. Effectively it increases complexity and limits the agility and flexibility gained by opting for a single vendor.
* According to Gartner