Posted on June 15, 2022
By every measure, cybercrime has reached unprecedented levels. Attacks are more frequent, more sophisticated, involve higher ransom demands, and impact a huge range of targets, from small businesses to vital infrastructure and government agencies. No industry or type of public service has remained untouched.
In response, businesses, not-for-profit organizations, and government agencies that have been considering moving to Zero Trust security are now actively seeking network architectures that put the Zero Trust model into practice.
The cloud-based Secure Access Service Edge (SASE) security model is widely accepted as an effective way to achieve a Zero Trust security “end-state” that enhances user, device, application and network security services for organizations. The distinction matters: Zero Trust is a concept, while SASE is a category of product that puts it into practice. This paper explores the principles of Zero Trust security, identifies the elements required to design effective security solutions, and describes how SASE security services enable organizations to move from conceptual acceptance to practical implementation.
Cybersecurity is more crucial than ever—but current security services and solutions are failing to protect the organizations that depend on them. Powerful players including organized crime and nation states–and their proxies—are successfully leveraging sophisticated phishing and zero-day exploits to launch ransomware attacks against businesses of all sizes. Researchers recently found that 74% of threats detected started as zero-days [1]—the highest percentage on record.
Ransomware delivery systems have been upgraded to combine email, web browsing, hacking and supply chain attacks. “Ransomware as a service” enables “any doofus to be a cybercriminal now,” in the colorful phrasing of one former hacker [2]. While gallons of (electronic) ink are spilled on high-profile attacks, the lion’s share of attacks are never publicly disclosed.
In the wake of some exceptionally brazen cyberattacks, the US government is taking a more active stance: The Department of Homeland Security issued cybersecurity directives for pipeline companies [3]; CISA published a Capacity Enhancement Guide [4] on securing web browsers for federal agencies; the National Institute of Standards and Technology published draft guidance on ransomware risk management [5]; and the White House issued an executive order [6] calling, among other things, on federal government agencies to adopt a Zero Trust architecture. The executive order fact sheet also calls on private sector companies to take the same steps:
We encourage private sector companies to follow the federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.
In the past, the conventional approach to cybersecurity largely entailed perimeter-based network security that protected against threats by deploying firewalls and tools such as antivirus and anti-malware software to detect and block threats. The primary line of defense against phishing attacks was user education.
IT concepts and configurations have changed a lot in recent years, with the months of remote work accelerating what had long been a gradual process. Many organizations that have made headlines following ransomware attacks are now painfully aware that detection-dependent approaches to network security cannot adequately defend against the zero-day exploits that are flooding the web and the myriad new malware variants that are developed each day. User education is likewise only partially effective, with failure rates of 1-3% for the most basic phishing attempts, and in double digits for more sophisticated lures. Of course, even one single click on a malicious URL in a phishing email is sufficient to enable ransomware to paralyze an entire enterprise.
The concept of a perimeter-based defense has been rendered obsolete as resources and computing move to the cloud, apps move to the web, new forms of networking services expand, and more workers are working remotely. It’s a completely new ecosystem, with users who may be within or outside of the network accessing company resources that may be on the network, on private or public clouds, or online.
Zero Trust addresses both the new cyber landscape and long-standing security challenges by assuming all users, network traffic, websites, and emails are dangerous until proven safe. This is a prudent approach in today’s perimeterless digital world, where zero-day exploits and other new threats are always a few steps ahead of signature-based security solutions, and malicious actors are ever-resourceful.
The assumption of danger leads directly to the three basic principles of the Zero Trust approach: never trust, always verify (every access request is authenticated and authorized, regardless of where it originates); enforce least privilege access (grant each user and device only the access its role requires, for only as long as it is required); and assume breach (design controls so that a compromised account or device can do as little damage as possible and is detected quickly).
As these principles indicate, Zero Trust is not a specific action, service or technology but rather, a security philosophy and security strategy that must guide and underpin every aspect of cybersecurity management.
So, when we talk about today’s organizations, whose operations depend on diverse combinations of legacy hardware and software, cloud resources and SaaS apps, transitioning to a Zero Trust approach—just what does that mean? Where do they start?
To provide secure access from anywhere, to all resources, from wherever users are, in accordance with Zero Trust principles is no simple task. On the one hand, different processes and protections are needed for different paths. On the other, elements that enable application of the three basic Zero Trust principles form a common core for all digital activity in today’s distributed organizations.
Secure Access Service Edge platforms—known as SASE—integrate core network and security solutions that intelligently enable users anywhere, to get to the resource they need, in accordance with Zero Trust tenets. In order to apply the principles consistently, efficiently and across all resources, devices and users of today’s distributed organizations, SASE platforms operate at the cloud edge, via which all access is routed.
To cover each of the myriad access scenarios encountered by users in their everyday work, SASE platforms include a large variety of functions and technologies. One set of technologies, such as SD-WAN, firewalls, anti-virus, and SSL inspection, are familiar solutions that are now being applied at the cloud edge, rather than at the physical network perimeter, as they previously had been. A second set, including cloud access security brokers (CASB), secure web gateways (SWGs) with remote browser isolation (RBI), and Zero Trust network access (ZTNA) address newer access scenarios that have more recently emerged.
A third set of SASE technologies are those that support enforcement of Zero Trust controls across all of these access scenarios, in concert with the other core components. These include identity and access management, microsegmentation, policy management, network traffic analysis/monitoring, and intrusion prevention.
Let’s dive into each of the SASE platform core components outlined above. We’ll start with the capabilities that comprise the security brains that govern SASE and Zero Trust-based controls.
Identity and access management (IAM) is the core verification and permission engine that controls user access to applications and resources, per the “never trust, always verify” and least privilege access principles of Zero Trust. As such, IAM encompasses a comprehensive directory of users and the detailed policies that govern granting access for all system resources as well as an identity engine. It also controls authentication requirements for each user, generally requiring multi-factor authentication (MFA). Additional capabilities that may be managed by the IAM function include single sign-on (SSO) and password-based and passwordless access.
Granular policy creation and management lies at the very heart of both SASE and Zero Trust — and is one of the most challenging aspects for the teams that manage it. In short, for true least privilege access, policies must be customized for individual user and device behaviors and kept current as their responsibilities evolve. For all practical purposes, policy management must be automated and informed by artificial intelligence (AI) and machine learning (ML) to maintain the required granularity for least privilege access – that is, to create context-aware trust levels.
Microsegmentation enables organizations to strictly limit access to each network resource based on privileges stipulated in per-user policies, creating, in effect, one-to-one networks that reflect the Zero Trust least privilege access principle. Some microsegmentation technologies also enforce policies that restrict user visibility to only resources they are permitted to access, to prevent lateral movement in the event of a breach by a hacker or malicious insider. Thus, microsegmentation also addresses the Zero Trust principle of “assuming breach” by limiting the damage in the event of a breach.
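To make the IAM, policy and microsegmentation components above concrete, here is a minimal policy decision point written for this page as an added example (it is not ZTEdge code or any vendor’s implementation). It evaluates one access request at a time against a constructed directory, device inventory and role-to-resource policy, denying by default and requiring identity, MFA, device posture and an explicit grant to all pass, and it exposes the “visibility” view that microsegmentation enforces. Users, devices, resources and the policy table are all constructed for illustration.

```python
"""Added example: a minimal Zero Trust policy decision point (PDP).

Demonstrates the three principles on constructed data:
  - never trust, always verify: every request is re-evaluated; MFA is mandatory
  - least privilege: default deny; only resources/actions granted to the role pass
  - assume breach: a user can only discover resources the policy allows
Directory, devices, resources and policy are constructed, not real systems.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    resource: str
    action: str
    mfa_verified: bool


# Constructed identity directory: user -> role
DIRECTORY = {"alice": "finance", "bob": "engineering"}

# Constructed device inventory: device_id -> posture facts
DEVICES = {
    "lap-001": {"managed": True, "disk_encrypted": True, "owner": "alice"},
    "lap-002": {"managed": True, "disk_encrypted": False, "owner": "bob"},
    "byod-9": {"managed": False, "disk_encrypted": True, "owner": "bob"},
}

# Constructed least-privilege policy: role -> resource -> permitted actions
POLICY = {
    "finance": {"erp": {"read", "write"}, "payroll": {"read"}},
    "engineering": {"git": {"read", "write"}, "ci": {"read"}},
}

# Every resource (segment) that exists; used to show what each user cannot even see
RESOURCES = {"erp", "payroll", "git", "ci", "hr-db"}


def device_posture_ok(device_id: str, user: str) -> bool:
    """Device must be known, managed, encrypted and assigned to the requesting user."""
    d = DEVICES.get(device_id)
    return bool(d and d["managed"] and d["disk_encrypted"] and d["owner"] == user)


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Default is deny; every check must pass."""
    role = DIRECTORY.get(req.user)
    if role is None:
        return False, "unknown identity"
    if not req.mfa_verified:
        return False, "MFA required"
    if not device_posture_ok(req.device_id, req.user):
        return False, "device posture failed"
    allowed_actions = POLICY.get(role, {}).get(req.resource)
    if allowed_actions is None:
        return False, "resource not granted to role"
    if req.action not in allowed_actions:
        return False, f"action {req.action!r} not permitted"
    return True, "allow"


def visible_resources(user: str) -> set[str]:
    """Microsegmentation view: the only resources this user may discover."""
    role = DIRECTORY.get(user)
    return set(POLICY.get(role, {}))


def hidden_resources(user: str) -> set[str]:
    """Resources that do not exist from this user's point of view."""
    return RESOURCES - visible_resources(user)


if __name__ == "__main__":
    print(decide(Request("alice", "lap-001", "erp", "write", True)))
    print(decide(Request("bob", "lap-002", "git", "read", True)))
    print(sorted(hidden_resources("alice")))
```

Note that the order of checks matters in practice: identity and MFA are evaluated before device posture so that an attacker probing with a stolen password learns nothing about which devices are enrolled, and an unrecognised device fails even when the credentials are valid.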
Like microsegmentation, network traffic analysis and intrusion prevention capabilities address the Zero Trust principle of assuming breach. Via these functions, SASE platforms constantly monitor network flows and activity on endpoints, complete networks and clouds, to rapidly identify anomalies and minimize impact in the event of a breach.
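The following is an added example, written for this page and not taken from any SASE product, of the kind of anomaly logic network traffic analysis applies to the “assume breach” case. It builds a per-host baseline of how many distinct internal destinations each host normally reaches per time window, then flags a host whose fan-out in the current window jumps well above its baseline or that starts using a sensitive service port (SMB, RDP, WinRM, SSH) it has never used before, which is what a compromised workstation sweeping the network for lateral movement looks like in flow data. The flow records, window numbering and thresholds are constructed for illustration.

```python
"""Added example: flagging lateral-movement-like behaviour in flow records.

Baseline = mean number of distinct destinations per past window, per source.
Alert when the current window's fan-out is >= factor * baseline (and at least
min_fanout, to avoid alerting on 1 -> 3), or when the source first touches a
sensitive port. All flow records below are constructed.
"""
from collections import defaultdict

# Constructed flow records: (window, src, dst, dport)
FLOWS = [
    # baseline window 0: normal activity
    (0, "10.0.1.10", "10.0.2.5", 443), (0, "10.0.1.10", "10.0.2.6", 443),
    (0, "10.0.1.11", "10.0.2.5", 443),
    (0, "10.0.1.12", "10.0.2.7", 445),   # habitual SMB user (file server)
    # baseline window 1
    (1, "10.0.1.10", "10.0.2.5", 443), (1, "10.0.1.11", "10.0.2.5", 443),
    (1, "10.0.1.12", "10.0.2.7", 445),
    # current window 2: 10.0.1.11 sweeps SMB/RDP across many hosts
    (2, "10.0.1.10", "10.0.2.5", 443),
    (2, "10.0.1.11", "10.0.2.5", 443),
    (2, "10.0.1.11", "10.0.2.20", 445), (2, "10.0.1.11", "10.0.2.21", 445),
    (2, "10.0.1.11", "10.0.2.22", 445), (2, "10.0.1.11", "10.0.2.23", 3389),
    (2, "10.0.1.11", "10.0.2.24", 445),
    (2, "10.0.1.12", "10.0.2.7", 445),
]

SENSITIVE_PORTS = {445, 3389, 5985, 22}  # SMB, RDP, WinRM, SSH


def fanout_by_window(flows):
    """src -> window -> set of distinct destinations."""
    out = defaultdict(lambda: defaultdict(set))
    for w, src, dst, _ in flows:
        out[src][w].add(dst)
    return out


def ports_by_window(flows):
    """src -> window -> set of destination ports used."""
    out = defaultdict(lambda: defaultdict(set))
    for w, src, _, port in flows:
        out[src][w].add(port)
    return out


def detect(flows, current_window, factor=3.0, min_fanout=4):
    """Return {src: [reasons]} for sources behaving anomalously in current_window."""
    fan = fanout_by_window(flows)
    ports = ports_by_window(flows)
    alerts = defaultdict(list)
    for src in fan:
        past = [len(d) for w, d in fan[src].items() if w < current_window]
        now = len(fan[src].get(current_window, set()))
        baseline = max(1.0, sum(past) / len(past)) if past else 1.0
        if now >= min_fanout and now >= factor * baseline:
            alerts[src].append(f"fan-out {now} vs baseline {baseline:.1f}")
        past_ports = set()
        for w, p in ports[src].items():
            if w < current_window:
                past_ports |= p
        current_ports = ports[src].get(current_window, set())
        new_sensitive = (current_ports & SENSITIVE_PORTS) - past_ports
        if new_sensitive:
            alerts[src].append(f"new sensitive ports {sorted(new_sensitive)}")
    return dict(alerts)


if __name__ == "__main__":
    for src, reasons in detect(FLOWS, current_window=2).items():
        print(src, "->", "; ".join(reasons))
```

The host that habitually uses SMB (10.0.1.12) is not flagged, because the port check is relative to each host’s own history rather than a global rule; that per-entity baseline is what keeps this kind of detection from drowning in false positives on real networks.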
This group of SASE and Zero Trust capabilities focuses on providing secure access to cloud and internet resources, and on securing access to on-premises data centers and resources from remote locations.
CASB (cloud access security broker, sometimes also expanded as “cloud application security broker”) controls restrict access to public SaaS cloud services to protect sensitive data, prevent malicious as well as unintentionally risky insider activity, and monitor activity, regardless of where a business user accessing cloud services is, or which device they are using. Only authorized and authenticated users can gain access to sanctioned cloud resources; cloud services that are not authorized for use can be fully blocked, and certain actions in sanctioned ones—such as uploading or sharing files that contain sensitive data—can be restricted.
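As an added example (written for this page, not any CASB product’s logic), the following combines the three decisions a CASB makes on a SaaS request: is the app sanctioned, is this action permitted for this app, and does the content carry sensitive data. The content check looks for payment card numbers and validates them with the Luhn checksum so that an arbitrary 16-digit order number does not trigger a block. The app list, per-app action policy and sample documents are constructed.

```python
"""Added example: a CASB-style allow/block decision on a SaaS request.

Three layers: sanctioned-app list, per-app action policy, and a content
check for card numbers (regex candidate + Luhn checksum to reduce false
positives). Apps, policy and sample text are constructed.
"""
import re

# Constructed policy: sanctioned app -> permitted actions. Unlisted apps are blocked.
SANCTIONED = {
    "corp-drive.example": {"download", "upload", "share"},
    "crm.example": {"download"},  # upload/share to the CRM is not permitted
}

# 13-19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalised digit strings that look like cards and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def decide_upload(app: str, action: str, content: str) -> tuple[str, str]:
    """Return ("allow"|"block", reason) for one SaaS request."""
    if app not in SANCTIONED:
        return "block", "unsanctioned app"
    if action not in SANCTIONED[app]:
        return "block", f"action {action!r} not allowed for {app}"
    # Data leaves the organisation only on upload/share, so inspect only those
    if action in {"upload", "share"}:
        cards = find_card_numbers(content)
        if cards:
            return "block", f"sensitive data: {len(cards)} card number(s)"
    return "allow", "ok"


if __name__ == "__main__":
    print(decide_upload("corp-drive.example", "upload", "card 4111 1111 1111 1111 on file"))
    print(decide_upload("corp-drive.example", "upload", "order 1234567890123456 shipped"))
    print(decide_upload("pastebin.example", "upload", "anything"))
```

The test card number 4111 1111 1111 1111 is a publicly documented Luhn-valid value used by payment processors for sandbox testing; a real deployment would pair the pattern match with context keywords and file-type awareness, since a digit string alone is a weak signal.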
ZTNA secures access from remote locations to on-premise and private cloud resources by establishing one-to-one connections between users and apps. It enforces least privilege access controls for all users, wherever they are, and prevents lateral movement across network services to ensure security, thereby dramatically reducing the risks that arise from stolen credentials, brute force attacks or malicious insiders.
A Web isolation gateway applies threat intelligence data, secure web gateway, remote browser isolation and other protective technologies to secure user access to the web while blocking malware, ransomware, and other advanced threats. It can block suspected phishing sites or display them in a special ‘read-only’ mode to prevent users from having credentials stolen. It may also integrate content disarm and reconstruction (CDR) technology to sanitize email attachments and web documents prior to download.
The final group of SASE capabilities perform familiar tasks—but on a whole different scale and at levels of sophistication never reached by their on-premises counterparts.
Just as on-premises firewalls control traffic flows to and within the old network perimeter, SASE cloud firewalls—firewall as a service (FWaaS)—control flows throughout the entirety of today’s distributed networks, to verify that they are legitimate and permitted.
Cloud SD-WAN provides efficient, secure connections between main offices, branch offices and users, eliminating the need for costly MPLS lines. Critically, it also allows for “local internet breakouts”, where security policies for internet use can be applied and enforced in the cloud for remote workforces and branch users, thereby eliminating the costs, complexity and latency added by backhauling internet traffic to on-premises security stacks for screening and to enforce security policies. Cloud SD-WAN, when combined with SWG and RBI, sends local branch traffic directly to the internet while ensuring Zero Trust security principles are still applied.
Like its on-premises counterpart, SASE anti-virus scans web content and downloads for known threats, verifying that harmful content is blocked before it can reach endpoints.
SSL/TLS inspection applies policy-based decryption of web traffic to identify and block malware hidden inside encrypted sessions. Because the inspecting proxy must terminate the TLS connection and re-sign it, endpoints have to trust the platform’s inspection certificate authority, and policy should exempt traffic that cannot or should not be decrypted, such as applications that pin their certificates and categories like banking or healthcare where regulation or privacy requires end-to-end encryption.
Today, in a world that is dramatically different from what it was just a few years ago, Zero Trust strategy provides the proactive, principle-driven, comprehensive approach to cybersecurity that is required to face the challenges of the modern threat environment. SASE, by contrast, is the comprehensive, actionable set of security solutions that narrows the gaps that allow malware in, and integrates detection and automated response for the inevitable instances when it does.
The concept-solution duo of Zero Trust and SASE together represent a major advancement. And as with most major advances that require significant development efforts, the first SASE platforms were costly, complex solutions suitable for only the largest organizations – leaving midsize enterprises inadequately protected and vulnerable to attack.
The ZTEdge SASE platform is remarkably affordable and simple for smaller organizations to manage, despite the broad capabilities that it offers. With attacks increasing in severity, frequency and reach, there is no time to lose before starting your organization on both Zero Trust and SASE journeys. Contact us today to learn more.