For years, security was added on as an overlay to networking solutions. But networks and threats have changed, so security needs to evolve as well. To improve agility and productivity, organizations have added new digital technologies and practices that redefine the network edge. And in today’s work-from-anywhere world, users move between on-premises locations, interconnected branch locations, home offices, and temporary locations during travel.
The changes in business and workforce needs mean the network edge is more dynamic and dispersed than ever, which increases the attack surface and exposes the business to new, advanced threats. The traditional hub-and-spoke architecture to connect offices to the data center for application access no longer makes sense.
Now, multiple edge environments may include WAN, multi-cloud, data center, Internet of Things (IoT), and home and other remote workspaces. Connecting all these edges has improved performance, but often at the expense of centralized visibility and unified control. Even worse, each edge has different types of risks and vulnerabilities that allow attackers to gain access to the network.
Security at the Edge
In addition to dealing with increasingly complex security needs, organizations are struggling to defend themselves against cyberattacks that are more sophisticated and complex than ever before. The best way to secure the edge often depends on who you ask.
Secure Access Service Edge (SASE) is a case in point. Presented as a way to secure network edges, SASE is a cloud-delivered service that combines network and security functions with wide area network (WAN) capabilities. Conceptually, SASE extends networking and security capabilities beyond where they’re typically available so that users can take advantage of firewall as a service (FWaaS), secure web gateway (SWG), zero-trust network access (ZTNA), and threat detection functions.
SASE is based on the idea that security is only delivered using the cloud. However, many organizations aren't cloud-only; they have hybrid network architectures with SD-WAN as the foundation to connect data centers, campuses, branches, multicloud deployments, and home offices for remote workers. In hybrid networks, cloud is often used where flexibility and scalability are critical, but on-premises workloads remain because of compliance, financial or low-latency performance requirements, as well as a number of other considerations that make moving to the cloud a bad idea.
Because hybrid IT architectures aren't likely to disappear for the foreseeable future, a cybersecurity approach that supports both cloud-delivered and on-premises workloads is needed, such as a Zero Trust Edge architecture, which converges networking and security but isn't limited to the cloud like SASE is.
A simple way to think of Zero Trust Edge is that it’s SASE-based cloud convergence for remote users combined with on-premises convergence to secure modern infrastructure technologies. But the key differentiator of Zero Trust Edge is that ZTNA is available everywhere – in the cloud and on-premises – to provide private and explicit access to applications for both network edges and remote users.
Security and Networking Convergence
Zero Trust Edge is based on zero-trust network security principles and is an example of security-driven networking, which converges security and networking everywhere across the network to provide secure access to critical applications and resources, whether users are on-premises or accessing resources through the cloud.
The zero-trust network security model is based on the principle that a user or device can only be trusted after explicitly confirming their identity and status. Zero trust focuses on users, devices, and the specific resources being accessed, using segmentation and zones of control. Every request for access must be authorized and continuously verified. Even once they have been granted access, users and devices only can access the resources required to do their job and nothing more.
Providing enterprise-grade security and granular access control to remote workers has been a particular challenge for IT teams since the onset of the COVID-19 pandemic. Taking a zero-trust approach to securing ever-expanding network edges converges security and networking to help ensure that everyone and everything everywhere on the network remains protected. A complete Zero Trust Edge solution includes:
- SD-WAN to securely connect all offices to every data center, multi-cloud, and software-as-a-service (SaaS) environment. And in addition to providing reliable connectivity and cloud on-ramp, SD-WAN should include advanced security, enables dynamic segmentation to prevent lateral threat movement for East-West protection, and maintains superior user experience through digital experience monitoring.
- A unified system for consistent policy distribution, orchestration, and enforcement for deploying consistent security everywhere, both for on-premises and remote users.
- Cloud-delivered security to securely connect remote users. Comprehensive web security from the cloud must provide multiple layers of defense with artificial intelligence-powered web filtering, video filtering, DNS filtering, IP reputation, and anti-botnet service. The solution should have the ability to address data loss prevention and protect mobile users with in-line cloud access security broker (CASB) integration.
- ZTNA for securing access to critical applications and resources, no matter where users, devices, or resources may be located. Unlike a traditional VPN, ZTNA provides access to users per application based on identity and context.
Security Should Be Everywhere
Cybercriminals will continue to target the expanding attack surface. To address the shifts in the workforce and threat landscape, many enterprises need consistent converged networking and security that is available both on-premises and in the cloud. Zero Trust Edge can improve the user experience for distributed applications using SD-WAN as a foundational technology and provide application access and continuous verification of users with ZTNA enforcement available everywhere.
SASE is just one part of the Zero Trust Edge journey of securing today’s infrastructure. No one can refute the fact that there's a tremendous need for cloud-delivered security. But for those organizations that continue to have an on-premises component, Zero Trust Edge provides a more holistic approach to security.
How Secure SD-WAN Can Help Relieve IT Burdens
What to Consider when Selecting a SASE Provider
Will 2021 SASE Advances Persist in 2022?