SASE: Enforcing the Zero Trust Imperative in a Mobile-First World

By Atos staff

Over the last three decades, traditional cybersecurity approaches have centered around connecting end-users to proprietary data and business applications hosted in servers residing behind secured perimeters. The traditional trust but verify models run on a static set of parameters hardwired into authentication policies. However, in the recent decade, we are witnessing the mainstreaming of never trust, always verify, or a Zero Trust approach that seeks to eliminate implicit trust and privileges from the equation to limit the incidence of malicious perpetrations. The contemporary approach can be well-appreciated in light of the recent developments in which the UN reports a 350%  increase in phishing incidents and Interpol have issued cybersecurity advisory in the wake of the COVID-19 induced disruptions.

In an era of ubiquitous computing and software-defined business services, where data resides beyond the organizational boundaries, successful orchestration of Zero Trust Network Access (ZTNA) pivots on the ability of the administrators to gain complete visibility of the networked assets and the transient end-user pool. The efforts to reduce the available network attack surface can be undermined by a range of factors, including the migration of sensitive information to the cloud, prevalence of mobile-centric work culture, and the growing popularity of the software-as-a-service (SaaS) apps. This is where architectures like Secure Access Service Edge (SASE) can be used to balance cybersecurity imperatives and business interests against stakeholder expectations.

The SASE framework runs on a cloud-back delivery model, dovetailing network security solutiuons like Data Loss Protection (DLP), ZTNA, Cloud Access Security Broker (CASB), etc. into a cohesive platform. Its capabilities are projected in real-time, defined by the sum of continuous risk evaluations, enterprise compliance positions, and privilege rules, to allow conditional access for groups and systems to enterprise resources.

In this backdrop, some of the most prominent voices in the network security domain today examine how companies can accentuate their cybersecurity policies by successfully embedding Zero Trust and SASE into their enterprise vision. It involves closing a range of existing loopholes in their IT matrix to reap a cumulative return on their cybersecurity investments.

Acknowledging the flip in the conventional notion of access

Before formulating an effective defense, the enterprise primarily needs to understand the seismic shift that has rendered many security best practices that were golden standards, even a decade ago, obsolete. The fortress data centers designed to bolster in-house security initiatives in silos are giving way to managed security service providers possessing a broader inventory of capabilities and bringing the one-to-many knowledge to the table. From static fire-wall-driven approaches, access management’s fulcrum is shifting toward the device-agnostic, identity evaluation of the end-users, based on a set of rules that can be remotely altered on the fly. With the extension of the IoT and edge computing closer to the shop floor, network security will be related to the mitigation of grey areas like unverified device access to the enterprise networks, lying beyond the traditional scope of the business IT.

Today’s business IT is essentially characterized by the waning away of the classical perimeter. According to Eric Taylor, Chief Technology Officer of Cybersecurity Services, Atos North America, the perimeter approach is no longer relevant with more data exploding into the cloud. “Least privilege per request access decision, the basic premise of the Zero Trust approach can be easily implemented with the capabilities provided by SASE vendors and Idendity Access Managmenet solutions that allow businesses to reimagine their security strategies by exploiting them at an optimized cost,” he says. Evan Woollacott, Senior Analyst, TBR, agrees. In his opinion, as companies begin to deploy more SASE applications to enable their remote workforce and curb the abuse of access privileges, they will look for integrated offerings that can reduce the total cost of ownership, attend the agility of scale in amplifying end-user experience and ensure the security of critical IT infrastructure components.

Comprehending SASE for a realistic strategy

While implementing SASE, businesses need to review specifics regarding the multiple cloud-hosted security aspects that varies from vendor to vendor. Eric Taylor says, “the offerings of the SASE providers need to align seamlessly with the enterprise security goals and requirements to muster the desired outcomes.” As no cybersecurity strategy is flawless and no company can address threat vectors in totality, Geoff Woollacott, Senior Strategy Consultant and Principal Analyst, TBR, portrays SASE as an enabler, rather than a panacea. According to him, network security threats can best be mitigated through a deep understanding of the evolving vectors and framing a security strategy with overlapping layers of SASE and traditional attributes. For instance, using pervasive encryption standards to improve data integrity, proactive hardening of networking devices critical to the SASE layer, and the Identity Access Management (IAM) or setting access rules for IoT network components and monitoring request deviations to detect emerging vulnerabilities.

Understanding technology, user and application choices available with SASE

As an example, one componentent of SASE, ZTNA, leverages an array of technologies like proxy and VPN based approaches to deliver security propositions. For companies seeking transformative benefits, it is essential to be conscious of the enterprise technology environment and its dependencies to make the right call. The multi-technology availability in SASE presents the flexibility to choose the right tool for the job to the enterprise users. For instance, “micro-segmentation, allowing only condition-based communication between systems, can be implemented using different technology and operating system stacks. It can be deployed in wide open or more reclusive environments, with the SASE products, and vendors supporting both the scenarios. Now, the success of implementation pivots on the company’s understanding of its particular use cases and expectations of the investments,” says Eric Taylor.

With the tectonic shift in work culture and the proliferation of cyber threats in the wake of the COVID-19, businesses may be compelled to join the SASE implementation bandwagon. However, the experts recommend that it is prudent to invest enough time in due-diligence and adopt a collaborative approach in partnership with an experienced SASE vendor to discover the various applications and methodologies pertinent to an organization’s unique context. Also, Geoff Woollacott says, “even for a SASE-backed cybersecurity approach to be holistic; it is imperative to invest enough resources to educate the employee base about the emerging threats of the technology construct of the digital business that can transform harmless on-floor behaviors like unguarded network access from personal mobile devices into potential security breaches, costing the organization a fortune.” And monitoring employee behavior as part of the integrated cybersecurity plan is one of the most formidable challenges for the companies in the new normal. Patrick Heffernan, Practice Manager and Principal Analyst, TBR, remembers detecting a spike in demand for the cybersecurity services at the onset of the pandemic. Organizations struggled with the fact of a significant chunk of their workforces operating from beyond their institutional boundaries. It further fueled interest in cloud-based cybersecurity orchestration opportunities offered by SASE.

Making Zero Trust a part of the company culture

In the new digital construct that defines modern enterprise cultures, SASE-backed Zero Trust cybersecurity strategies need to strike the right balance between mitigation and end-user experience. The incentive is to simplify practices that the employees can adapt and follow with ease. For instance, single sign-in to the workplace environment, negating the need for multiple credential management. According to Eric Taylor, the COVID-19 situation and the disruptions at its heels have exposed the tenacity of the synergy and coherence of the corporate cultures across the enterprises. “The companies with more efficient communication and training mechanisms for their staff are able to scale by rapidly implementing changes and driving a workforce-wide adoption. They have a better grasp on the employee hearts and minds as compared to businesses that were underprepared with limited communication and training systems,” he says.

Framing protocols that can accommodate both access and optimum security

With the rise in per capita device ownership, digital data consumption is disaggregated into an array of permutations. The proprietary data must be accessed and manipulated by various stakeholders across the business value-chain daily. A company’s cybersecurity framework needs to be permeable enough to make digital commerce viable by providing controlled access to the end-user on a strict need-to-know basis. According to Geoff Woollacott, building a cybersecurity policy set on hyper-rigid rules and regulations is detrimental to business profitability and progress in general. For instance, overlapping jurisdiction on healthcare data privacy and a large number of stakeholders across the healthcare value chain who can access it, including pharmaceutical research, healthcare establishments, individual physicians, etc. To defend the patient’s rights and sustain the momentum across the healthcare segment simultaneously, we need a set of soft policies and smart controls that can set the conditions of access and detect violations on the fly.

As data volume grows, rigidity in terms of access rules will project negative implications for innovation in hyper-connected environments. “A modern factory floor generates millions of lines of structured and unstructured data that are fed into the manufacturing status center, and are distributed between cloud-hosted and on-premise systems. The end users are continuously rediscovering the use cases of the feeds for more productive applications. In such a high-speed scenario, it’s not practical to set bottlenecks of absolute access rules upfront,” says Evan Woollacott. To overcome such dilemmas, companies need experienced technology partners capable of designing accommodative access control frameworks with an overlapping use of SASE and other security methodologies, while preserving core business interests.

Building the Zero Trust transition roadmap

Such an exercise involves a deep introspection of the company’s data security policies followed by a complete mapping of the stakeholder’s roles and privileges with their access requirements. Eric Taylor feels that the best approach to reimagine the company’s cybersecurity structure is to take a hard look at the business aspects of it rather than the networking details. The priority is to evaluate the conditions of the data and the underlying relationships that guide their transmission across the ecosystem, rather than the channels over which they are transmitted. According to him, the COVID-19 situation has provided great impetus for the companies to quickly rewrite the existing data-access rules and policies for their stakeholders to match the needs of the time. It allowed them to tie their cybersecurity posture closer to reality by edging off much of the redundant regulatory burden.

Dynamic management of security rules and access privileges is not a new concept and has been a top agenda for enterprise leaders and resource managers for some time. As cybersecurity evolves from being predominantly an on-prem affair of specific companies to a global concern, enforcing the Zero Trust imperative through SASE becomes a prerequisite for defending fundamental enterprise interest in the contemporary, mobile-first world of ubiquitous connectivity and ever-evolving threat vectors.