Cloud Delivered Network Security Service Edges: SASE/ZTE/SSE

Established network and security vendors are pretty much all now at the table with an offering that ticks the boxes, at least for the foundational features, necessary to be considered SASE, ZTE or SSE. Consolidating multiple network and security products into a single solution to protect our remote users and satellite offices is the main play here, and it makes a very good case when we consider where staff work from and what they need access to. Cloud adoption, distributed roaming workforces and increasing threats have increased the urgency to simplify and scale security. A converged set of established remote access security solutions from one vendor, hosted by that vendor across a global network of distributed Points of Presence (PoPs) and packaged as an all-in-one subscription offering with a unified management portal and unified endpoint client, does seem the most suitable way forward for both vendor and customer. We will focus primarily on SASE in this article, as SASE also incorporates the security elements required of SSE/ZTE solutions.

 

A progression towards leveraging cloud delivered SaaS security solutions, particularly for roaming endpoints, has taken place over the last number of years. This brings us to where we are now in the SSE/ZTE/SASE era: the consolidation of those security solutions into a unified license with a feature set offering the "must haves" in securing our endpoints for both their remote access and their corporate SaaS and internet access. It has been a gradual move from the likes of deploying SaaS managed DNS layer security clients on mobile endpoints, a simple but effective security solution which sends external DNS queries to globally distributed cloud-based DNS filtering solutions, attempting to prevent users from even establishing a session with a potentially malicious destination. This matters especially for the ever-increasing roaming workforce operating outside the borders of our traditional on-prem security perimeters. DNS layer security agents pointing at vendor hosted filtering services offered a simple, highly available and highly effective security layer for those roaming users, and they still do. But it's not enough: we want layered security covering all bases with as much visibility as we can get.

 

As always, there will be exploitable gaps found by threat actors. DNS queries hidden within TLS and QUIC provided ways to circumvent DNS layer security, and vendors moved quickly to provide more cloud hosted security services, such as Web Proxying/SWG and Sandboxing solutions, Secure Internet Gateways or CDFWs, Remote Browser Isolation, CASB and Data Leak/Loss Prevention services, in an attempt to close any possible windows of opportunity for exploitation or compromise. Of course, this necessity to deploy robust remote working security services was accelerated by the remote working surge due to the Covid pandemic: there was a scramble to get all these new remote workers connected and enabled to work from anywhere at any time, with the inevitable afterthought of adding more security to connectivity. SASE brings all of these security solutions into one cloud platform and integrates SD-WAN networking capabilities for optimal and redundant connectivity back to our private infrastructure.

 

Once threat prevention solutions are in place, we also need to think about how we authorise access to corporate data, applications, and services. The idea of Zero Trust Network Access is straightforward. Before a user on an endpoint can access anything, we want to be able to determine the health of the connecting endpoint (a posture check) against our benchmarks for what is considered a secured and protected endpoint, while also verifying the user's identity against our chosen identity provider. This cannot be a once-only check at the time of connecting. The staff member's current level of access may need to be restricted at any point in time, and our policies need to be able to dynamically adapt and react, even if the user is already authorised and connected. As importantly, the health of the endpoint the staff member is using might also change after the staff member has connected: an endpoint security agent stops functioning, or an important update to the OS, a client application or one of the security agents is not applied. Now the endpoint does not meet the security benchmark we have set, and again our policies need to be able to dynamically react. This is the general principle of ZTNA, and building a ZTNA strategy is a foundational component of a SASE solution.
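The continuous check described above, sketched as an added example (it is not from the article or any vendor's product): identity and posture are re-evaluated on every request, so an already connected session loses access when a mid-session signal changes. The benchmark values, signal names and decision strings are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical benchmark for a "secured and protected endpoint" (assumed values).
BENCHMARK = {"edr_running": True, "disk_encrypted": True, "min_os_build": 22631}

@dataclass
class Session:
    user: str
    idp_verified: bool   # identity confirmed by the identity provider
    groups: set          # group membership as last reported by the IdP
    posture: dict        # latest posture report from the endpoint agent

def posture_failures(posture):
    """Return the benchmark items the endpoint currently fails (missing = fail)."""
    failures = []
    for key in ("edr_running", "disk_encrypted"):
        if posture.get(key) is not BENCHMARK[key]:
            failures.append(key)
    if posture.get("os_build", 0) < BENCHMARK["min_os_build"]:
        failures.append("os_build")
    return failures

def evaluate(session, app_group):
    """Decide access for one request; called per request, not only at connect."""
    if not session.idp_verified:
        return "deny:identity"
    if app_group not in session.groups:
        return "deny:not_authorised"
    failed = posture_failures(session.posture)
    if failed:
        return "deny:posture:" + ",".join(failed)
    return "allow"

def apply_event(session, event):
    """Fold a mid-session signal (agent report or IdP change) into the session."""
    kind, data = event
    if kind == "posture":
        session.posture.update(data)
    elif kind == "idp_groups":
        session.groups = set(data)
    elif kind == "idp_revoked":
        session.idp_verified = False

def replay(session, app_group, events):
    """Return the decision at connect time and after each later event."""
    decisions = [evaluate(session, app_group)]
    for event in events:
        apply_event(session, event)
        decisions.append(evaluate(session, app_group))
    return decisions
```

Logging each decision together with the reason string gives the security team a record of why a connected user was cut off and which signal triggered it.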

 

When we reflect on where corporate data, applications and services are living these days, it's a guarantee that some, or possibly all of it, lives in the cloud. In the SMB sector it is fairly common to run the entire business using cloud services, for everything from file storage to collaboration, identity management and all line of business apps. This makes life easy for roaming users accessing those cloud services, but IT teams need to layer security in front of those cloud business services, and having an on-prem security solution to protect remote users accessing a cloud service makes little sense when trying to implement security and provide a good digital experience for the user. CASB security gives IT teams a security solution that integrates into popular cloud apps to monitor activity and enforce security policy. Our modern Firewall OSs also have CASB features for policing cloud applications "in-line" through traffic inspection. These allow for better and more granular policy creation to counter "shadow IT" and restrict access to only company owned and authorised cloud apps, reducing the risk of unsafe or inappropriate sharing, transfer, or use of sensitive corporate data. When using the "in-line" CASB capabilities of a Firewall, we still have to consider how we place that Firewall between our remote users and cloud applications. Redirecting that traffic back to on-prem for inspection makes little sense if we want that user to have a good digital experience. A Cloud Delivered Firewall seems more appropriate, and again we are looking at another component of a SASE solution. Digital Experience Monitoring (DEM) can also help gain insight into the digital experience our remote users are having. Many SASE offerings are also including this as an optional feature, giving IT teams the ability to look at connection quality indicators and reports of users accessing those cloud services through the SASE solution, a valuable tool for network teams for obvious reasons.

 

SASE does seem like the best approach to take, or at least strongly consider, for connecting and securing work from anywhere users and their endpoints. It is a consolidation of all the security solutions you should really be considering in your security stack to protect the remote workforce. The vendor hosts the service on their globally provisioned infrastructure with integration into your SD-WAN setup, backed by SLAs on availability, with global route optimization to cloud providers. You can select from the many PoPs across the vendor's global presence to determine where you wish to have an instance of your service available more locally to a global or roaming workforce. Even from a modern remote access technology perspective there are some really cool new techniques and protocol adoption to improve remote access security and the user's remote access experience. The use of ZTNA application proxies to restrict access to private applications to only staff members on corporate devices, without the need for the staff member to connect a full client VPN tunnel, can work really well. The introduction of a similar "micro tunnelling" approach for access to any individual application or service, using QUIC/MASQUE as the transport instead of traditional IPsec or TLS for a quicker, more reliable, and resilient UDP based connection, looks really promising and flexible. "Clientless" browser-based access, with some ZTNA checking thrown in, can also have some good use cases. Let's not forget, remote access services are a prime target for threat actors seeking exploitable entry points into businesses.
Having to deploy, possibly host and certainly maintain "on-prem" remote access services to give staff access to resources in our private and public cloud data centres or HQs, while mitigating any attacks using IPS/IDS security solutions, integrating into cloud identity providers, and frequently scrambling to patch the latest critical CVE published for SSL VPN remote access, is not an easy or enjoyable practice. With SASE that pain is offloaded to the vendor, who deals with the underlying infrastructure and any CVE maintenance for the platform. This alone could be enough to shift to a SASE solution.

 

Author: Eoin Kiersey, Tech Pre-sales Account Manager at Exertis Ireland