Zero Trust: Best Practices for Preventing Misunderstandings and Mistakes
Zero Trust can be perplexing when it devolves into just another marketing buzzword. Let’s clarify what it really means.
We have already explored the network features of Secure Access Service Edge. In this blog post, we will address the security features of SASE.
The great success of Secure Access Service Edge (SASE) lies in the unparalleled combination of powerful network and security features. In the first part of our SASE series, we have already explored the basics of networking, such as SD-WAN, cloud-based architecture and the resurgence of the network edge. In this post, we will focus on the security features, the second essential component of SASE.
The security features of SASE are so essential that the consulting company Gartner has even presented a second variant Security Service Edge (SSE), which focuses exclusively on security. It includes features such as Secure Web Gateways (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Firewall-as-a-Service (FWaaS), Data Loss Prevention (DLP), Remote Browser Isolation (RBI) and Virtual Private Networks (VPN). Compared to SASE, SSE is usually easier to implement and is therefore often seen as the first step towards a full SASE implementation.
The security features described below can therefore be part of both a SASE and an SSE implementation.
A Secure Web Gateway is basically a proxy server which all internet traffic passes through. However, unlike a conventional proxy server, a SWG performs additional checks to detect and filter out malicious traffic. Secure web gateways are no longer a hardware appliance that a company buys and sets up in the server room.
Today’s SWGs are based on a cloud service that the customer rents and can scale as required. Since the majority of all communication now takes place via the Internet, Secure Web Gateways are now considered an essential part of the security infrastructure in many companies.
A SWG controls and filters web addresses (URLs), detects and blocks malware, and controls which applications may and may not be used. Some solutions also include features designed to prevent the intentional or unintentional transfer of business documents.
The principle of a SWG is as simple as it is effective: it only allows communication that does not violate a previously defined security policy. For example, such a policy may require all traffic to be encrypted. Secure Web Gateways used in companies often decrypt the data themselves to inspect the content and only then forward it, re-encrypted. URL filters are usually based on blacklists of prohibited addresses. Alternatively, whitelists of explicitly permitted addresses can be used, in which case every address not on the whitelist is rejected.
Many SWGs also offer data loss prevention (DLP) features. The Secure Web Gateway is intended to prevent confidential content from leaving the company without authorization. When it detects sensitive data such as credit card numbers, Data Loss Prevention can, for example, automatically remove it, block the connection immediately and/or notify an administrator.
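The policy evaluation described above (encryption requirement, blacklist or default-deny whitelist, DLP scan of outbound content) as an added example; this is illustrative code written for this post, not NCP's or any vendor's product code, and the policy, host names and card numbers are constructed placeholders.

```python
import re

# Constructed sample policy; the hosts are placeholders, not real sites.
POLICY = {
    "require_tls": True,
    "blacklist": {"bad.example", "malware.example"},
    "whitelist": None,            # set to a set of hosts for default-deny mode
    "dlp_block_on_card": True,    # False: redact the number and let the request through
}

# 13 to 19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that order numbers and similar digit runs are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digit runs in text that pass the Luhn check."""
    return [m.group() for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


def evaluate(scheme: str, host: str, body: str, policy=POLICY) -> tuple[str, str, str]:
    """Return (action, reason, body) where action is allow, block or redact."""
    if policy["require_tls"] and scheme != "https":
        return "block", "policy requires encrypted traffic", ""
    if host in policy["blacklist"]:
        return "block", f"{host} is on the blacklist", ""
    if policy["whitelist"] is not None and host not in policy["whitelist"]:
        return "block", f"{host} is not on the whitelist", ""
    cards = find_card_numbers(body)
    if not cards:
        return "allow", "no policy violation", body
    if policy["dlp_block_on_card"]:
        return "block", f"DLP: {len(cards)} card number(s) in outbound data", ""
    for c in cards:
        body = body.replace(c, "[REDACTED]")
    return "redact", "DLP: card numbers removed", body
```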
A CASB resides between the end users and the applications or resources in the cloud. Similar to a Secure Web Gateway, it enforces a company's security policies when known and unknown cloud applications are used. Modern CASB solutions already use artificial intelligence (AI) to detect security threats more quickly.
Cloud-based firewall solutions can be scaled much better than on-premise firewalls. As they are already in the cloud, they can also deal much better with the complex environments that prevail in many companies today. As with other services from the cloud, customers also benefit from easier planning and less effort with FWaaS. For example, they no longer have to worry about updating their security architecture themselves. Remote offices and employees can also be protected flexibly by a firewall-as-a-service.
Security experts used to assume that everything outside the corporate network was potentially evil and everything inside your own network was potentially good. This no longer corresponds to today’s reality. That is why the Zero Trust concept was developed, which initially distrusts everything and everyone. This means that all connections and users must be verified on every access attempt to ensure they are authorized to connect. In a ZTNA-based network, even administrators only receive the authorizations that are absolutely necessary for their current task – and only for a limited period of time. After that, they no longer apply.
ZTNA is not a product in itself, but a series of measures that are combined in an overall strategy. This includes authentication and authorization using multi-factor authentication (MFA) and IAM (Identity and Access Management) solutions, but also behavior-based audits and solutions to defend against cyber threats.
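The per-access verification and time-limited, task-bound authorization described in the two paragraphs above, as an added example; this is a hypothetical policy broker written for this post, not NCP's or any ZTNA product's code, and the user names, scopes and timestamps are constructed.

```python
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    scope: str        # one task-bound permission, e.g. "db-prod:read"
    expires_at: int   # epoch seconds; the grant is void after this point


class ZeroTrustBroker:
    """Hypothetical ZTNA policy broker: no standing privileges. Every access
    attempt is re-checked against MFA freshness and a scoped, expiring grant."""

    def __init__(self, mfa_max_age: int = 900):
        self.grants: list[Grant] = []
        self.mfa_max_age = mfa_max_age   # seconds an MFA proof stays acceptable

    def grant(self, user: str, scope: str, ttl: int, now: int) -> Grant:
        """Issue a just-in-time grant for exactly one scope, valid for ttl seconds."""
        g = Grant(user, scope, now + ttl)
        self.grants.append(g)
        return g

    def check(self, user: str, scope: str, mfa_at: int, now: int) -> tuple[bool, str]:
        """Decide one access attempt; returns (allowed, reason)."""
        if now - mfa_at > self.mfa_max_age:
            return False, "MFA proof too old; re-authenticate"
        # expired grants are dropped on every evaluation so nothing lingers
        self.grants = [g for g in self.grants if g.expires_at > now]
        for g in self.grants:
            if g.user == user and g.scope == scope:
                return True, f"granted until {g.expires_at}"
        return False, "no active grant for this scope"
```

An administrator holding "db-prod:read" is refused "db-prod:write" even while the read grant is valid, and the same read request is refused once the grant has expired or the MFA proof has aged out.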
A SASE implementation consists of numerous network and security components that work together. They range from SD-WAN, cloud-based implementation and edge computing at the network edge to SWGs, CASBs, FWaaS solutions and the Zero Trust concept. It is not uncommon for an SSE deployment to initially dispense with the network aspects to save costs; these can be added at a later date. NCP's flexible VPN products support SSE and are well-suited for entering the future of SASE.
Learn more about SASE, SD-WAN and SSE!