Hybrid infrastructures with traditional security applications can no longer withstand modern threat scenarios. Now is the time for companies to upgrade. With a Zero Trust Architecture (ZTA) and Secure Access Service Edge (SASE), they get an all-round solution that reduces attack vectors for hackers.
Thanks to the use of cloud applications and remote work, companies are increasingly moving into IT scenarios that represent one large security zone. As the number of network edges increases, so does the potential attack surface. Previously applied security approaches that focus on scanning for threats at the perimeter are visibly powerless in the face of this dynamic. The more applications and data are managed in the cloud and the more frequently they are accessed remotely, the more attacks can occur unnoticed directly at the periphery. Network security therefore requires a comprehensive segmented approach – simple segmentation is not enough. This is offered by the Zero Trust concept. The basic principle here is “trust nothing and no one within the network”. A Zero Trust Architecture encompasses the entire corporate IT and checks every connection for trustworthiness. This results in higher transparency and network security as well as better data protection.
Granular access control for more security
The strategy of Zero Trust is to include and check every incoming, outgoing and internal data exchange. This is based on the assumption that not only every device and all users, but also every data flow within the network is initially classified as “suspicious”. For access to succeed, it must be authenticated and authorised beforehand. The aim is to prevent unauthorised network requests for data and services and at the same time to make the enforcement of access control as granular as possible.
Zero Trust Network Access is often a component of a ZTA and uses a framework of different technologies that only allow selected persons access to predefined system segments. It includes components that can be operated either on-premises or cloud-based and communicate via a separate management level (control plane). Individually defined policies are used to decide which communication is permitted and which is prohibited. On its way to the user, the data passes through a kind of upstream checkpoint that can render threats harmless. The identity check within a zero-trust concept never remains rigid, but is continuously evaluated, adapted and further developed from various data sources. It is also possible to identify and monitor non-company devices (hardware such as phones, laptops and digital artefacts such as user accounts or digital certificates).
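As an added illustration (not the article's or Axians' code), the following minimal policy decision point in Python applies the principles described above: default deny, authenticate before authorising, decide per role and target segment, take device posture into account, and re-evaluate an already granted session when fresh signals arrive. The roles, segments and the policy table are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed allow-list: (role, segment) pairs the policy permits, with the
# conditions each requires. Any pair absent from the table is denied by default.
POLICIES: Dict[Tuple[str, str], Dict[str, bool]] = {
    ("finance", "erp"):   {"managed_device": True,  "mfa": True},
    ("engineer", "git"):  {"managed_device": True,  "mfa": True},
    ("engineer", "wiki"): {"managed_device": False, "mfa": True},
}

@dataclass
class Request:
    """Signals the control plane sees for one access attempt (sample fields)."""
    user: str
    role: str
    authenticated: bool      # identity verified by the identity provider
    mfa: bool                # second factor completed
    device_managed: bool     # device is enrolled / company-owned
    device_compliant: bool   # posture check (patch level, EDR running, ...)
    segment: str             # predefined system segment being requested

def decide(req: Request) -> Tuple[bool, str]:
    """Policy decision: every request starts as 'suspicious' (denied)."""
    if not req.authenticated:
        return False, "unauthenticated"
    rule: Optional[Dict[str, bool]] = POLICIES.get((req.role, req.segment))
    if rule is None:
        return False, "no policy for role/segment"
    if rule["mfa"] and not req.mfa:
        return False, "mfa required"
    if rule["managed_device"] and not req.device_managed:
        return False, "managed device required"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    return True, "allowed"

class Session:
    """A granted session is not rigid: it is re-checked as signals change."""
    def __init__(self, req: Request) -> None:
        self.req = req
        self.active, self.reason = decide(req)

    def reevaluate(self, **signals: bool) -> bool:
        """Apply updated signals (e.g. from posture or identity feeds) and re-decide."""
        for name, value in signals.items():
            setattr(self.req, name, value)
        self.active, self.reason = decide(self.req)
        return self.active
```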
Implement endpoint-specific security policies
This is where Secure Access Service Edge (SASE) comes into play, because the requirements of digital companies for comprehensive protection are not yet covered by the zero-trust approach alone. SASE makes it possible to implement individually customisable network security functions in a common, comprehensive and integrated cloud solution. The security concept, based on a definition by Gartner, combines cloud-native and WAN security functions such as Cloud Access Security Broker (CASB), Firewall-as-a-Service, Data Loss Protection or Malware Scanning. It provides features that ensure secure connectivity across distributed applications, devices and users. Network perimeters are no longer locations, but a set of dynamic edge functions. These can be deployed from the cloud on demand, giving users and devices secure cloud access to applications, data and services from anywhere, at any time.
In this way, SASE contributes to higher network security. In addition, the integrated and continuous inspection and evaluation of data traffic is linked to the dynamic enforcement of security policies. This prevents the spread of malware and, where necessary, countermeasures can be initiated automatically. SASE and Zero Trust Architecture complement each other: SASE provides the user with the required connectivity, while ZTA, as an overarching control mechanism, ensures the right connection to data and applications. Both are ideal partners for centrally managing a distributed cloud architecture while implementing endpoint-specific security policies. Companies benefit from a holistic view of their entire network, including cloud infrastructure.
The path to Zero Trust Network Architecture
Agility, networking and remote working demand a comprehensive approach to security that protects devices, users and internal traffic. Cloud-based IT architectures can be reliably secured regardless of location with the combination of SASE and Zero Trust Architecture. The implementation of both concepts is complex. A Zero Trust or SASE project cannot be implemented with a single application. Several update cycles over a longer period of time are necessary to implement and unify both approaches. However, those who want to implement a zero-trust architecture or link it with SASE should not be deterred. ICT service providers can help to identify all vulnerabilities and security incidents in the company network at the start of the project through a cyber security audit and accompany the project in all phases of implementation. Providers like Axians have the expertise to drive the combination of the two security concepts Zero Trust and SASE. They are able to define the security strategy, the necessary tools and ultimately also the policies of the ZTA. The rule here is that each company, together with its IT and security teams and service providers, must determine an individual approach that defines both the target infrastructure and the step-by-step implementation of SASE/Zero Trust. The end result is a solution that offers maximally flexible protection against future threats.
A Zero Trust Architecture includes various logical components that can be operated on-premises or cloud-based. They can communicate with each other via a separate management level (control plane). The application data itself flows via a data plane. (Source: Axians)
Cyber security teams need more visibility and control in their hybrid infrastructures without limiting performance. Solution providers must therefore offer both availability and security. (Source: Axians)
About the author
Ben Kröger, Senior Security Consultant and Head of Support & Managed Service at Axians IT Security (Source: Axians): Ben Kröger has been Senior Security Consultant and Head of Support & Managed Service at Axians IT Security since 2002. Since 2014, he has been responsible for the entire technical area with a focus on firewalling, sandboxing, email, proxy and surf security.