Implementing Network Security When the Perimeter is Gone

Traditionally, many organizations have relied upon a perimeter-based security solution. Like the residents of a castle manning the battlements, cyber defenders rely upon their ability to keep attackers out and away from the sensitive data stored within.

However, the network perimeter is rapidly dissolving as critical data moves outside the corporate network. At the same time, cybercriminals are increasingly performing successful cyberattacks. The traditional perimeter-focused security model no longer works.

The zero-trust security model is a popular and effective replacement; however, it can be difficult to implement on a global WAN. Software-defined WAN (SD-WAN) is a partial solution to the problem, but a secure access service edge (SASE) is necessary to make zero-trust security both efficient and effective for the corporate WAN.

The Dissolution of the Perimeter and Perimeter-Based Security

In the past, corporate networks largely consisted of the corporate LAN. Most or all of an organization’s employees worked from devices connected to the corporate network, and data was stored and processed on on-premises servers.

This centralization of the organization’s infrastructure on the corporate LAN made securing these devices and data relatively straightforward. Organizations fortified the network perimeter, which was the sole point of connectivity between the “trusted” internal network and the “untrusted” public Internet. By deploying a stack of security solutions at the network boundary, an organization could reduce the probability of a successful cyberattack.

This perimeter-based security model is no longer applicable for several different reasons. A major one is that the network perimeter has largely dissolved in recent years.

As organizations embrace cloud computing, telework, and bring-your-own-device (BYOD) policies, processing and storage of business data are increasingly performed on devices outside the corporate network perimeter and not under the organization’s direct control. With this evolution of the corporate network and how it is used, companies require a new approach to security.

Corporate Networks Require Zero-Trust Security

The perimeter-based security model is based on the assumption that the organization can keep sensitive data inside the perimeter and potential threats outside. However, data is moving to external systems, and insider threats are a growing problem. Without a perimeter to defend, organizations need a new approach to protecting access to sensitive resources. As a result, the zero-trust security model has grown in popularity.

Zero trust eliminates the assumption that everyone inside the network is good and everyone outside the network is bad. Instead, the organization implements strong user authentication designed to uniquely and accurately identify the user making a request.

Based upon this identification, the organization can apply granular access controls. Access to a particular resource can be permitted or denied based on an employee’s job role and other criteria. This ensures that an employee (or an attacker using a compromised account) only has access to the minimum amount of data and other resources required to do their job, limiting the potential impact of an attack.

Enforcing Zero Trust for the Modern WAN

An effective zero trust security policy requires an organization to both strongly authenticate a user to a system and to enforce the access controls associated with a particular resource. If an organization fails at either of these tasks, then an attacker can gain unauthorized access to sensitive corporate resources.
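The contrast drawn above between perimeter trust and zero trust, and the point that a failure in either authentication or authorization lets an attacker through, can be shown as two small policy decision functions. This is an added example, not code from the original article or from any SD-WAN or SASE product; the internal address range, the roles, the resources and the request shape are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Assumption: the corporate LAN is 10.0.0.0/8 (constructed for this example).
INTERNAL_NET_PREFIXES = ("10.",)

# Hypothetical role -> resource -> permitted actions table (least privilege:
# a role gets only the actions its job needs; anything absent is denied).
ROLE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "finance": {"ledger": {"read", "write"}},
    "hr": {"hr-records": {"read", "write"}},
    "engineer": {"source-repo": {"read", "write"}, "ledger": {"read"}},
}

@dataclass(frozen=True)
class Request:
    source_ip: str
    user: Optional[str]      # None: no authenticated identity was presented
    role: Optional[str]
    mfa_verified: bool       # strong authentication completed for this session
    resource: str
    action: str

def perimeter_decision(req: Request) -> bool:
    """Castle-and-moat model: any request from the trusted LAN is allowed,
    regardless of who sent it or what it asks for."""
    return req.source_ip.startswith(INTERNAL_NET_PREFIXES)

def zero_trust_decision(req: Request) -> bool:
    """Deny by default. Step 1: strong authentication. Step 2: role-scoped
    authorization for this exact resource and action. Network location is
    never consulted."""
    if req.user is None or not req.mfa_verified:
        return False                                  # authentication failed
    if req.role is None or req.role not in ROLE_POLICY:
        return False                                  # unknown role: no rights
    allowed = ROLE_POLICY[req.role].get(req.resource, set())
    return req.action in allowed                      # authorization check

def blast_radius(role: str) -> Set[str]:
    """Resources a compromised account holding this role could actually reach;
    this is what least privilege bounds when credentials are stolen."""
    return {res for res, acts in ROLE_POLICY.get(role, {}).items() if acts}
```

Under the perimeter rule an anonymous request from a LAN address to the ledger succeeds, while the zero-trust rule rejects it and also confines an authenticated finance user (or whoever holds that account's credentials) to the ledger alone.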

As daily business moves from the corporate LAN to the corporate WAN, enforcing zero trust access controls becomes more difficult. Cloud-based resources are accessible from the public Internet, making it necessary to allow or deny a request either before it reaches the cloud or within the organization’s cloud deployment itself.

Since many organizations struggle with configuring the security settings provided by their cloud service provider (CSP) and have multiple cloud deployments, consistent policy enforcement requires blocking unauthorized or suspicious requests before they reach cloud-based resources.

The simplest approach to addressing this issue is to route all traffic through the corporate LAN for policy enforcement before permitting it to continue to the cloud. However, this approach has unacceptable latency impacts for remote users as traffic must take a significant detour on its way to its destination.

SD-WAN helps to mitigate some of the network performance impacts of enforcing zero trust access control on the corporate WAN. Each SD-WAN appliance can enforce access policies, and the use of a common infrastructure enables consistent enforcement across the corporate WAN.

SASE Makes Zero-Trust Efficient and Effective

While SD-WAN decreases the impacts of centralizing zero-trust policy enforcement, it is not a perfect solution. SD-WAN appliances can only be deployed at an organization’s physical sites, limiting their geographic distribution. Teleworkers and cloud-based resources may be far from an organization’s physical locations, making the need to route all traffic through an SD-WAN appliance a source of significant network latency.

SASE solves this problem by moving security functionality to the cloud. SASE points of presence (PoPs) include integrated security functionality, such as a next-generation firewall (NGFW) and secure web gateway (SWG), as well as zero-trust network access (ZTNA) capabilities.

As cloud-based resources, SASE PoPs can be geographically dispersed, limiting the distance between a user and the nearest PoP and the network latency incurred by implementing strong WAN security.

As business networks change and evolve, SASE is rapidly becoming the only logical WAN security solution. Employees and servers are moving toward the network edge, and security must follow them there; otherwise organizations are forced to choose between efficiency and effectiveness.
