Discussions around Secure Access Service Edge (SASE) and Zero Trust Network Access (ZTNA) got a big boost during the pandemic as organisations moved en masse to the work-from-home (WFH) / work-from-anywhere (WFA) model for business continuity. While remote working models gained traction globally, they also took access to enterprise applications out of the air-tight security of enterprise networks. SASE and ZTNA help solve the security challenges emanating from this shift in the working model.
At the outset, it’s important to clearly demarcate the definitions: SASE is an overarching security philosophy, of which ZTNA is an important component. SASE is a network security architecture which, to put it simply, offers an alternative to the currently siloed approach to network security. The current practice involves cloud access security brokers (CASB), firewall as a service, secure web gateways and SaaS all operating in silos. SASE combines these cloud architecture and security models and offers them as one to build a cloud-based secure network, empowered by ZTNA.
ZTNA throws the concept of access based on IP address and network location out of the window. The current practice of complete access to the network after initial authorisation is eliminated. Zero Trust Network Access is based on the philosophy of providing least privilege. The administrator is provided with granular access controls, with the assumption that access can be from anywhere – office, home, cloud, on the road. This also gives control over threats not only from outside the organisation but also from inside, in case the device is vulnerable or assets are already compromised.
The World Economic Forum (WEF) recently released a report on ‘The top ten worrisome risks for companies’. “The third most prevalent risk was the risk of cyber frauds and data theft due to the sustained shift in working models. Adoption of cloud and ZTNA will help solve the challenges with respect to securing the endpoints better,” says Romanus Prabhu, Global Head – Technical Support of Endpoint Management and Security, ManageEngine.
How do the cloud and ZTNA help? According to Prabhu, many companies suffered because they had not moved their customer-facing applications to the cloud. They continued to use the VPN. Granting permissions is the only worry when authorising applications on the cloud; otherwise, it’s risky to move the applications to the edge, because there is no certainty whether the applications are designed to be secure when accessed through edge devices.
Even after porting the applications to the cloud, it’s important to have ZTNA in order to ensure their health for the endpoint to access them. “Zero trust reduces the perimeter of the permission granted to the user to access the network. The access is restricted to only the required data in the application rather than a sweeping access to the entire subnet,” says Prabhu.
Dr Yask, CISO, IOCL, had a slightly divergent view on cloud adoption. “The point is whether ZTNA, SASE are as relevant on the on-premise infrastructure,” he opined, because moving to the cloud is not a lift-and-shift game. Companies should be clear on the objectives and intent behind cloud adoption. The decision should not be taken just to outsource the IT infra but to actually realise the benefits of cloud.
Dr Yask said that IOCL is working on adopting the ZTNA technology.
CH A S Murty, Associate Director, CDAC, agreed with Dr Yask’s view that moving to the cloud model should be done as a process, and that a big bang approach is not advisable.
ZTNA is not a technology. It is a journey towards having a robust security posture. Look at the low-hanging fruits and do the easy things first and then take up difficult options. The concept of least privilege is important in ZTNA: “The finance person should only be given access to the SAP accounting application. Why should he have access to the sales / CRM applications on cloud? I have seen companies exposing their applications to the public, which are supposed to be accessed only by the partners or employees. I have seen RTP servers open without any security configurations enabled, which can result in an attacker entering the organisation on a toe-hold and starting to percolate into the systems by escalating privileges,” says Sudip Banerjee, Director, Transformation strategy, APJ, Zscaler.
ZTNA in its truest sense should have a monitoring mechanism to identify rogue employees and devices already infected in an ongoing attack. “The machine of the legitimate ZTNA user can be infected with malware or the user might have bad intentions. The privilege thus should be revoked with immediate effect with the help of a user activity monitoring solution. The ZTNA is a next generation VPN, which has, maybe, a DLP solution on cloud to prevent data loss from least privilege and a user activity monitoring solution,” says Ajay Dubey, Channel Head (India/ SAARC), Forcepoint.
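The access model the panel describes (per-application least privilege, a device health check and immediate revocation on a monitoring alert) is contrasted below with subnet-wide VPN access. This is an added example, not code from the article or from any vendor named in it; the user, roles, addresses and entitlement table are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: subnet, app addresses and entitlements are illustrative.
CORP_SUBNET = ipaddress.ip_network("10.20.0.0/16")
APPS = {"sap-accounting": "10.20.1.10", "crm": "10.20.2.10"}
ENTITLEMENTS = {"finance": {"sap-accounting"}, "sales": {"crm"}}

@dataclass
class Session:
    user: str
    role: str
    device_healthy: bool
    revoked: bool = False

def vpn_allows(tunnel_up: bool, app: str) -> bool:
    """Network-based model: once the tunnel is up, the whole subnet is reachable."""
    return tunnel_up and ipaddress.ip_address(APPS[app]) in CORP_SUBNET

def ztna_allows(s: Session, app: str) -> tuple[bool, str]:
    """Default-deny decision made on every request; source network is never consulted."""
    if s.revoked:
        return False, "session revoked by monitoring"
    if not s.device_healthy:
        return False, "device failed posture check"
    if app not in ENTITLEMENTS.get(s.role, set()):
        return False, f"role {s.role!r} not entitled to {app!r}"
    return True, "entitled"

def on_monitoring_alert(s: Session) -> None:
    """A user-activity or malware alert revokes access from the next request on."""
    s.revoked = True

if __name__ == "__main__":
    fin = Session("finance-user", "finance", device_healthy=True)
    for app in APPS:
        print(app, "| vpn:", vpn_allows(True, app), "| ztna:", ztna_allows(fin, app))
    on_monitoring_alert(fin)
    print("after alert:", ztna_allows(fin, "sap-accounting"))
```

Because the decision is re-evaluated per request, revocation takes effect without waiting for a tunnel or session to expire.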
This article is based on the panel discussion organised as a part of the Digital Technology Sabha 2021.