Zero Trust and ZTNA (Zero Trust Network Access) are two of the most important concepts in enterprise security. However, these two models are only waypoints on the journey to a new paradigm: Secure Access Service Edge (SASE).
SASE is a term coined by Gartner to describe a combination of Network-as-a-Service and Security-as-a-Service which offers a single, cloud-based solution to the global security needs of a mobile workforce.
Writing before the coronavirus pandemic forced businesses to rapidly shift to a remote working model, Gartner called on security and risk management leaders to “position the adoption of SASE as a digital business enabler in the name of speed and agility”.
Today, the need for secure remote or hybrid working makes preparing for SASE an even more pressing issue. Gartner predicts that 40% of businesses will have a plan to adopt SASE by 2024 – but it’s worth getting ready as soon as possible.
There are some things you can do now to smooth the way to adopting SASE.
Even if you are not currently planning to adopt this new model, the decisions you make today will affect your ability to employ this technology in the future.
For many organisations, the first stop on the road to SASE will be Zero Trust and ZTNA.
The first of these, Zero Trust, is more of a philosophy than a product. It hinges around the premise that trust is never granted implicitly but must be continually evaluated, with the security ecosystem adapting to changes in risk accordingly.
If Zero Trust is the idea, Zero Trust Network Access (ZTNA) is the solution which turns the philosophy into a reality.
Whereas the old model was based on ‘connect then authenticate’, ZTNA turns this on its head, so it becomes ‘authenticate then connect’.
Authentication now comes first via a middle or intermediary Zero Trust Network Access layer that confirms an individual’s identity but also the context in which they are attempting access. Only when the individual has been authenticated are they granted an onward connection to applications and data.
The ZTNA layer, or ZTNA controller, becomes the gateway to an organisation’s assets – whether SaaS or legacy data centre apps – isolating systems from potential trespassers and hiding applications from the internet.
This layer makes applications impervious to many forms of network-based attack including scans, vulnerability exploits, DoS and DDoS attacks.
Guarding the perimeter
To earn the trust of a ZNTA controller, someone who logs on from a remote location may undergo the usual password test and Multi-Factor Authentication (MFA) process. Behind the scenes, a ZTNA layer analyses the identity of the person trying to log on as well as their behaviour, to provide context.
It works to prove the identity of a person trying to log in as well as establish if they are behaving in a way that’s considered “normal”.
The whole concept of Zero Trust becomes even more relevant now that people are working out of bedrooms, kitchens and other remote locations. We have long discussed the idea that the perimeter is dead. But in 2020, it finally perished as context and identity became the new perimeter.
The First Steps To SASE
Zero Trust and ZTNA can be implemented and lay the groundwork for SASE. But there are additional steps which should also be enacted right now.
Here are a few ideas about how to pave the road to SASE:
- Begin to think about identity and Identity-as-a-Service (IDaaS) for Single Sign-On
- Consider context – starting with adaptive (or context-aware) Multi-Factor Authentication (MFA)
- Monitor and log all user activity
- Review admin rights to ensure least privilege
- Limit further investment in VPNs and plan to phase them out
- Start evaluating cloud based ZTNA services for application access
- Reduce services delivered from DMZs
- Segment users from the data centre network
- Ring-fence critical applications
- Carefully consider management of uncategorised web content and links in email
It pays to have Zero Trust – and here is why
Discover full spectrum threat protection for your organisation and users – no matter where they are – via a single cloud security platform.
Censornet takes your organisation beyond events and alerts, and into 24×7 automated attack prevention, connecting the dots with email security, web security, CASB and multi-factor authentication solutions.