by Joe Hedegaard Ganly
Information Security Adviser
Connect with Joe Hedegaard Ganly on LinkedinZero Trust & SASE
At Saepio, we’ve been asked a lot about Secure Access Service Edge by customers. SASE is a framework and architecture to enable immediate, uninterrupted, and secure access to data, no matter where users are located. Key parts of a SASE architecture are services delivered based on identity of the entity, real time context, enterprise security and continuous assessment of trust throughout the sessions.
An element of SASE which we get a lot of questions on is how to achieve Zero Trust principles, especially around network access. Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.
Excellent guidance has been recently released by the NSA and NCSC giving concrete and viable recommendations helping achieve Zero Trust across organisations. A lot of the guidance matches SASE principles of focusing on user identity, device reputation and the data that users are accessing.
- Define mission outcomes
– Derive the Zero Trust architecture from organization-specific mission requirements that identify the critical Data, Assets, Applications & Services. - Architect from the inside out
– First, focus on protecting critical data, assets, applications & services. Second, secure all paths to access them. - Determine who/what needs access to the Data, Assets, Applications & Services to create access control policies
– Create security policies and apply them consistently across all environments (LAN, WAN, endpoint, perimeter, mobile, etc.). - Inspect and log all traffic before acting
– Establish full visibility of all activity across all layers from endpoints and the network to enable analytics that can detect suspicious activity.
Step by Step
Transitioning to a mature Zero Trust architecture all at once is also not necessary. Incorporating Zero Trust functionality incrementally as part of a strategic plan can reduce risk accordingly at each step. Like most security principles that we encourage at Saepio, gradual maturity through a risk based and prioritised approach is the key to long term security improvement.
The NCSC’s guidance can be more friendly for UK organisations already aligning to NCSC frameworks and language structure. The link below includes hyperlinks to the individual 8 principles.
- Know your architecture including users, devices, and services
- Know your user, service and device identities
- Know the health of your users, devices and services
- Use policies to authorise requests
- Authenticate everywhere
- Focus your monitoring on devices and services
- Don’t trust any network, including your own
- Choose services designed for zero trust
Read the full NCSC (National Cyber Security Centre) Blog here
Should it be a Priority?
It’s not a coincidence that a lot of the outcomes found in SASE and Zero Trust architectures are also priorities for organisations now. The Gartner Top 10 2020-2021 security projects are a great way of beginning to put SASE and Zero Trust on the wider business’s agenda as key IT and security initiatives.
It is featured in 4 of the Gartner Top 10 projects
- No. 1: Securing your remote workforce – to repeat a common buzz phrase, remote working isn’t going anywhere. Ensuring that a resilient and well architected set of policies and technology controls are wrapped around your users, their devices and corporate data is essential.
- No. 3: Extended Detection and Response – in line with both NSA and NCSC guidance, ensuring that total visibility of traffic and logs in the organisation is key. Once identified, detecting and responding to suspicious or malicious activity regardless of where a device or user is, is integral to a Zero Trust or SASE architecture.
- No. 5: Simply Cloud Access Controls – CASB – Cloud applications are a business enabler and often a great source of increased mobility and cost saving. Ensuring that security controls and standards are replicated into your cloud applications, ideally with the ability to apply real time in-line DLP is important.
- No. 7: Passwordless Authentication – the NCSC have repeatedly encouraged the reduction in use of passwords wherever possible. A SASE architecture can encourage the use of intelligent factors and tighter controls on data and systems to be able to create password less authentication systems where logical.
Saepio constantly evaluate the guidance and best practise from global security and national intelligence agencies to ensure that we can provide guidance for our customers on some of these objectives. If looking at implementing Zero Trust, or SASE is something you’re considering but aren’t sure where you’re at in your maturity, or not even sure where to start, we’re on hand to help.
