Why identity-based, distributed controls are better suited to address cloud-era threats
With more and more IT resources moving to the cloud and remote work becoming a ubiquitous business practice due to COVID-19, perimeter-based security is undeniably becoming a weak link, especially since attackers have repeatedly demonstrated they can bypass firewalls and spread laterally within enterprise networks.
It’s time for a different approach – one that centers on user identity and risk rather than binary network connectivity. In addition, security must be enforced closer to end users, rather than backhauling traffic across the Internet to a centralized data center for inspection. Two complementary concepts have emerged that address these challenges.
The first has existed for several years and is now gaining real traction to address the security gap created by the disintegration of the network perimeter. Zero trust architecture (ZTA) states that an organization should not trust anything inside or outside its borders by default and should instead verify anything and everything (users, IoT devices, bots, microservice processes) trying to connect to its systems and resources before granting access. ZTA enforces granular controls so that entities can only reach the resources they require.
In addition to ZTA, the second and emerging concept that helps close the holes that have been punched through the enterprise perimeter involves moving security to the network edge. Research firm Gartner has dubbed this approach the Secure Access Service Edge, or SASE (pronounced “Sassy”). According to the firm’s analysts, the SASE approach provides the agility to rapidly deliver security capabilities when and where they are needed without compromising on effectiveness or the user experience.
The SASE architecture is designed to eliminate the need for VPNs and backhauling traffic to a data center for inspection, relying instead on a fabric of security capabilities that are available throughout the Internet as a utility and can be provisioned wherever and whenever they are needed.
Organizations can use SASE technology to achieve a zero trust security posture. Here are a few key things to consider when moving an organization along this path:
Adopt an Identity Provider (IdP): Everything is moving to the cloud – applications, security controls and identities. Migrating to an Internet-based identity infrastructure simplifies integration with cloud resources and positions an organization for the future.
Enforce multi-factor authentication (MFA): In a recent study by Microsoft, 99.9% of all compromised accounts did not have MFA enabled. MFA can dramatically reduce an organization’s susceptibility to account takeover threats and lay the groundwork for all other zero trust principles.
Reduce reliance on VPNs: With the increasing use of SaaS applications, the need for VPN access is shrinking. Furthermore, VPN access can pose a liability if it enables users to reach assets they should not be able to see or use. VDI, SaaS, access proxies, and other tools can be used to eliminate VPNs and migrate to an alternative remote access control and management architecture.
Protect remote workstations: SASE can be used to provide always-on network security protection to remote workstations without requiring a VPN. These users can get the benefit of the security and visibility afforded from being “behind the firewall” without having to perform an authentication action, without having their traffic backhauled across the Internet, and without the risk that a compromise of their devices can infect other corporate assets.
Use microsegmentation to narrow zones of trust: A key tenet of zero trust is reducing the avenues that attackers can use to move laterally within enterprise networks once they have achieved an initial point of compromise via a server, workstation, or remote worker’s personal device. No matter where the compromise starts, containing it is the key to stopping an incident from turning into a significant breach.
Cloud adoption and remote work trends have irrevocably changed the enterprise security landscape, making many traditional perimeter controls obsolete. Zero trust and new network architectures like SASE promise to fill the void by eliminating attack vectors that are built-in to reactive, legacy security models while improving user experience and business agility.