Securing the modern workforce: Zero Trust in a SASE architecture


By Nick Savvides


COVID-19 has driven not just a revolution in the way we work but also in the technologies we use. Today, work has become far more flexible for many more employees. They now need to access their data from outside their traditional locations and through new applications, often beyond the visibility of security tools that assumed a fixed perimeter. These changes have firmly established the realisation that organisations must adapt to the changing security environment far faster than anticipated.

One of the key challenges with such upheaval is that users will look for any shortcut or workaround that makes their workflow easier and, without the structure of the workplace, many will perceive less risk in doing so.

The increased threat of malicious attacks brought about by the expanded attack surface, combined with less visibility over potential insider threats, leaves security teams facing a daunting challenge: securing data and supporting legitimate activity in a world that looks nothing like the one traditional security architectures were built for.

Traditional security and the modern workforce

When our data and applications lived inside our own data centres, so did our security stacks. When data and applications moved to the cloud, however, our security stacks stayed where they were, while separate cloud-specific security tools gained traction.

This divergent model delivered the worst of both worlds: traffic for all users, even remote users, was backhauled through an on-site data centre and its established security controls, while some cloud applications were covered by entirely different measures. Wide-scale remote working amplified these problems, resulting in poor performance, high latency and connection failures, placing security firmly in the way of productivity.

To avoid the performance problems, many companies now connect their mobile or remote employees and their branch offices directly to the internet and to cloud applications, using technologies such as SD-WAN, but in doing so they forgo the peace of mind provided by centralised on-premise security technologies.

This updated model, with multiple access points spread across a wide geography, has become an attractive target for cybercriminals looking to steal sensitive data. And those cybercriminals aren’t wasting any time: in a University of Maryland study, internet-connected computers were attacked on average every 39 seconds, or about 2,244 times a day. Coupled with the forecast that 83% of enterprise workloads would be in the cloud by 2020, this makes securing the cloud a high priority.

SASE brings networking and IT security to the cloud

To address these performance and security considerations, the Secure Access Service Edge (SASE) model was developed. It is the latest security and networking architecture model, and it promises to converge network, web, data and cloud app connectivity with security, all delivered from the cloud.

SASE addresses the challenges of securing a remote workforce by converging networking and cyber-security in the cloud, that is, directly where the applications and data reside. Importantly, it equalises security outcomes by ensuring all users receive the same level of coverage regardless of where they connect from. This is achieved by combining the necessary security and connectivity technologies into a single cloud service: Secure Web Gateway (SWG), Firewall as a Service (FWaaS), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP) and SD-WAN. As a result, a SASE architecture lets companies connect their users and branch offices around the world directly to the cloud through a single security layer, while improving performance.

Addressing the insider threat: SASE and Zero Trust

Unfortunately, attacks by malicious outsiders aren’t the only issue facing organisations. Though the idea might seem paranoid to some, people remain the largest threat in any business. According to Varonis, 53% of companies had over 1,000 sensitive files open to every employee. This statistic becomes all the more alarming given that, according to Gartner, nearly 75% of data breaches result from risky insider behaviour or compromised access.

Traditional insider threat solutions were designed for infrastructure-centric security and required complex integrations and specialist skills to build, operate and manage. They demanded a high level of sophistication and specialist knowledge, not just in the security operations and response teams but also in the business, to apply context and understanding. Modern enterprise networks that have evolved into highly distributed environments make this challenge even greater, with the traditional systems struggling to integrate with the many networks, applications and systems involved. The work-from-home explosion has amplified this problem further still.

While the new landscape brings challenges, it also offers us opportunities to improve our overall security posture by adopting the very concepts that created those challenges. Insider threat technologies need input signals about user activity from all sources (network activity, application activity and endpoint activity) in order to understand users and build risk profiles.

SASE helps here because it brings visibility into network and application usage that can feed the insider threat analytics. However, it alone is not enough, and this is where the Zero Trust concept can assist further. Zero Trust is a security paradigm that replaces implicit trust with continuously assessed, explicit risk and trust levels based on context: each individual operation and interaction is assessed, and real-time mitigations, controls and interventions can be applied. While many people and organisations focus on one component of Zero Trust, Zero Trust Network Access (ZTNA), which delivers micro-perimeters and secure connections to applications and systems, Zero Trust is much broader.

If we take the guiding principle of Zero Trust, continuous assessment and understanding of risk, we can further improve our insider threat posture. This is achieved by feeding additional user activity signals from endpoint monitoring and access control systems, along with the signals from the SASE environment, into the insider threat analytics.

By integrating the SASE stack with endpoint monitoring and control, we can feed the output of those analytics back in real time, responding to risks as they emerge. For example, a user might be about to inadvertently leak confidential data via an upload. Because continuous monitoring has already shown that user displaying risky behaviour, the insider threat system can tell both the endpoint and the SASE stack to dynamically block uploads and copies to removable storage for that user, preventing the loss event before it occurs.
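As an added illustration of the continuous, context-based assessment described in the Zero Trust paragraph above and of the feedback loop from analytics to enforcement points described in the last paragraph (example code written for this page, not a product's or the author's own implementation), the Python below folds constructed SASE and endpoint signals into a decaying per-user risk score and evaluates each upload or removable-copy request against it. The sensor event shapes, signal weights, tier thresholds, decay half-life and per-tier actions are all assumptions, and the sample events are constructed, not real logs.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample signals (not real log data). "source" names the sensor
# that emitted the event: the SASE stack (swg = secure web gateway,
# casb = cloud access security broker) or the endpoint agent.
SAMPLE_EVENTS = [
    {"ts": 1000, "user": "alice", "source": "swg", "type": "web_visit",
     "category": "file_sharing", "domain": "unsanctioned-share.example"},
    {"ts": 1010, "user": "alice", "source": "endpoint", "type": "usb_mount"},
    {"ts": 1020, "user": "alice", "source": "casb", "type": "bulk_download",
     "app": "crm", "count": 1200},
    {"ts": 1030, "user": "bob", "source": "swg", "type": "web_visit",
     "category": "news", "domain": "news.example"},
    {"ts": 1040, "user": "alice", "source": "endpoint", "type": "file_copy",
     "destination": "removable", "label": "confidential"},
    {"ts": 1050, "user": "carol", "source": "casb", "type": "bulk_download",
     "app": "crm", "count": 800},
]

# Assumed score thresholds and per-tier actions (hypothetical policy).
TIERS = (("high", 60), ("elevated", 25), ("low", 0))
POLICY = {
    "low":      {"upload": "allow",     "removable_copy": "allow"},
    "elevated": {"upload": "challenge", "removable_copy": "block"},
    "high":     {"upload": "block",     "removable_copy": "block"},
}
HALF_LIFE_SECONDS = 3600  # assumed: risk halves every hour with no new signals


def signal_weight(event):
    """Map one sensor event to a risk contribution (weights are assumptions)."""
    src, typ = event["source"], event["type"]
    if src == "swg" and typ == "web_visit":
        return 15 if event.get("category") == "file_sharing" else 0
    if src == "casb" and typ == "bulk_download":
        return 30 if event.get("count", 0) >= 500 else 5
    if src == "endpoint" and typ == "usb_mount":
        return 10
    if src == "endpoint" and typ == "file_copy":
        return 35 if event.get("label") == "confidential" else 5
    return 0


@dataclass
class RiskProfile:
    score: float = 0.0
    last_ts: int = 0
    reasons: list = field(default_factory=list)


class InsiderRiskEngine:
    """Continuously scored user risk, queried afresh at every access decision."""

    def __init__(self, half_life=HALF_LIFE_SECONDS):
        self.half_life = half_life
        self.profiles = defaultdict(RiskProfile)

    def _decayed_score(self, profile, now):
        # Exponential decay so stale behaviour stops driving decisions.
        if profile.last_ts == 0:
            return profile.score
        return profile.score * 0.5 ** ((now - profile.last_ts) / self.half_life)

    def ingest(self, event):
        """Fold a SASE or endpoint signal into the user's profile (events in time order)."""
        p = self.profiles[event["user"]]
        weight = signal_weight(event)
        p.score = self._decayed_score(p, event["ts"]) + weight
        p.last_ts = event["ts"]
        if weight:
            p.reasons.append(f'{event["source"]}:{event["type"]}+{weight}')

    def tier(self, user, now):
        score = self._decayed_score(self.profiles[user], now)
        for name, floor in TIERS:
            if score >= floor:
                return name, score
        return "low", score

    def decide(self, user, channel, now):
        """Per-request decision that the SASE stack (uploads) or the endpoint
        agent (removable copies) enforces. Unknown channels are denied by default."""
        name, score = self.tier(user, now)
        action = POLICY[name].get(channel, "block")
        return {"user": user, "channel": channel, "tier": name,
                "score": round(score, 1), "action": action,
                "reasons": list(self.profiles[user].reasons)}


def run_sample():
    """Ingest the constructed events and evaluate a few requests."""
    engine = InsiderRiskEngine()
    for ev in sorted(SAMPLE_EVENTS, key=lambda e: e["ts"]):
        engine.ingest(ev)
    return {
        "alice_upload_now": engine.decide("alice", "upload", 1060),
        "alice_usb_now": engine.decide("alice", "removable_copy", 1060),
        "bob_upload_now": engine.decide("bob", "upload", 1060),
        "carol_upload_now": engine.decide("carol", "upload", 1060),
        "alice_upload_later": engine.decide("alice", "upload", 1060 + 4 * 3600),
    }


if __name__ == "__main__":
    for name, decision in run_sample().items():
        print(name, decision["tier"], decision["score"], decision["action"])
```

The point of the sketch is the loop: the score is recomputed at every request rather than once at login, so a user whose fresh signals put them in the high tier is blocked on both the SASE channel (upload) and the endpoint channel (removable copy), while the same user drops back to the low tier and regains access a few hours later without an analyst clearing them. Channels the policy does not name are denied, in keeping with the explicit-trust principle, and the `reasons` list is what an analyst would need to understand why an action was taken.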

These advanced capabilities are now within reach of all organisations, as they too have been transformed into a cloud service delivered with expert guidance, further extending the convergence in the cloud. This gives organisations of any size meaningful visibility into risky user behaviour and the ability to act on it immediately, significantly reducing risk exposure by bringing both detection and response forward to the earliest points in the chain.

Utilising the continuous assessment of Zero Trust in conjunction with established practices such as behaviour-centric cyber-security in a SASE infrastructure means a comprehensive security solution can be spread far and wide to many endpoints through the cloud, identifying and stopping malicious actors, or actions, at the source. SASE, with its convergent architecture and single security layer, is proving to be a viable answer to many of the cyber-security needs of a remote-working future.

By combining SASE with Zero Trust and comprehensive user and behaviour analytics, this new security model not only simplifies security but significantly reduces risk exposure by serving as the primary defence for the most valuable of modern assets: data.