top of page

“Sassy”, SSE, ZTNA, The New World of Cyber Security

In the last 40 years, information technology and computers have evolved over hundreds, if not thousands of times. January 1, 1983, over 40 years to this day, TCP/IP came to fruition.[1] In April of 1993, the internet or “World Wide Web” took the planet by storm.[2] Back in the turn of the millennium the only computer learning tracks that were available were programming codes such as C, C++, C#, and HTML/CSS, and networking, installing routers, hubs, and switches.

 

Cyber security and hacking were just a few “cool kids” and movies on TV. Then in the 2000’s, with faster internet, fiber-optics, and easier technologies to use like cell phones, hacking started to grow. In this aspect, so did digital forensics, and the ability to dig into a computer or device and “tell the story” of what happened in a criminal activity. It wasn’t until 2011 with Sony PlayStation, and 2013, only 10 years ago, with the hack on “Yahoo!” that spurred the need for more security practices and technologies. From 2010 to 2020, an estimated 40,650 data hacks had been recorded.[3]

 

With so many data breaches and attacks on infrastructure around the globe, cyber security has slowly progressed into the limelight for many stakeholders internationally. One of the main tools for the earliest cyber defense is the firewall. There are currently five generations of firewall according to Fortinet, a major firewall manufacturer.[4] These generations are:



Included with the firewall, was the need to “mask” packet data going out over the internet and outside of the “network perimeter.” This was the need for a Virtual Private Network or VPN. According to Tech-target, the VPN concept was developed by Microsoft in 1996 as a PPTP (Point to Point Tunneling) protocol. Then becoming mainstream in the early 2000’s, this protocol is just as it seems, a tunnel.

 

The VPN’s main role is to encrypt data from point to point, packet data, and to obfuscate data till it reaches its target. So, if “Billy” wants to remote work, he can connect to the office via a VPN established on a server at work, connected through his own computer via a small software module, installed in his endpoint or computer. Once connected, all transmission of data to and from that server and network at work, will look like “garbled soup” to a “man in the middle.” VPN was a great concept, but didn’t negate “backdoor” attacks, Remote Access Trojan technologies, phishing, or “shoulder surfing” methods of attack.

 

This is where endpoint security came to fruition, to protect the device from viruses, malware, intrusion, etc. To protect the end point, whether it may have been a mobile device, laptop, desktop, server, and now the Internet of Things or IoT. Some of the best software’s today protect the user and make them “stupid proof” so that is a link is clicked, or a website is loaded, that the user’s device is not compromised. They can immediately stop the process of transmission of data and block the source from attacking. This doesn’t negate though accessing services with known phished credentials. As shown in this overview, the concepts mentioned above:


 

To combat authentication, and possible compromised user access, multi-factor authentication or MFA was developed. MFA is “an authentication method that requires the user to provide two or more verification factors to gain access to a resource.”[5] This verification process could entail things you know or knowledge, things you have or possession, and things you are or inherit. There are a number of services out there that deal with authentication like Universal or Single Sign On Logins, Password-less Logins, and Hardware based authentications.

 

After all of these methods came to fruition, they still had holes in them. The Zero Trust methodology was coined in 2010 by Forrester’s John Kindervag, which in layman’s terms “traditional IT network security trusted anyone and anything inside the network. A Zero Trust architecture trusted no one and nothing.”[6] Think of the traditional security philosophy as a “castle and moat” process. It was hard to access the castle, if the moat was around it. With cloud technology, the need to access outside resources grew incredibly!

 

Zero Trust had several principles to it:


  • Continuous Monitoring: The concept “verifies user identity and privileges as well as device identity and security.”[7]

  • Least Privilege: Giving the user as much access to resources as they needed. User Permissions and Management.

  • Device Control: No devices are trusted and allowed to be controlled by the organization.

  • Micro-segmentation: This is the practice of “breaking up security perimeters into small zones to maintain separate access for separate parts of the network.”[8]

  • Preventing Lateral Movement: Moving across other portions of the network and gaining access.

  • Multi-Factor Authentication.

 

In 2019, Gartner, a respected research and advisory company, coined the terms ZTNA which stood for Zero Trust Network Access, and SASE which is said to be “sassy” and stood for Secure Access Service Edge. The concept was “the mix of software-defined edge networking, user-focused authentication and access control, and seamless integration across the cloud.”[9] SASE architecture provided agility, transparency, networking and security staff, centralized policies, and ZTNA.

 

First, ZTNA is said to “conceal most infrastructure and services, setting up one-to-one encrypted connections between devices and the resources they need.”[10] It can replace or augment VPN technology which differs from VPN “in that they grant access only to specific services or applications, where VPNs grant access to an entire network,”[11] secure remote work, access cloud resources, onboard contracting or third parties, and onboard new employees.


Our partner NVIS at https://www.nvis.cc is an excellent ZTNA Provider.

 

SASE also incorporated the methodology of Software-Defined WAN (SD-WAN) or “cloud-delivered, overlay WAN (Wide Area Network) architecture that provides the building blocks for cloud transformation at enterprises.”[12] Cloud Security is also a main function within the SASE, which is “a set of technologies and applications that are delivered from the cloud to defend against threats and enforce user, data, and application policies.”[13] This could have come in the form of:

 

  • FWaaS: Firewall-as-a-Service that independently “enables high-performance SSL inspection and advanced threat detection techniques from the cloud. It also establishes and maintains secure connections and analyzes in-bound and out-bound traffic without impacting user experience.”[14]

  • Secure Web Gateway (SWG): This protocol is a “defense-in-depth strategy with web filtering, anti-virus, file filtering, DLP (data loss prevention), and more for both managed and unmanaged devices.”[15]

  • ZTNA Services.

  • Cloud Access Security Broker (CASB): The CASB is a “security policy enforcement points that sit between a cloud services provider and its users.” It also “enforces an organization’s security, governance, and compliance policies, allowing authorized users to access and consume cloud applications while enabling organizations to effectively and consistently protect their sensitive data across multiple locations.”[16]

 

SASE has its pros and cons, which will transition into the future and provide services for the next generation of security concepts. Some of the benefits of SASE are reduced costs and complexity, secure seamless access for users, central orchestration, more secure remote workers, and increased effective management of resources. To sum up the challenges, SASE “will be a gradual process as IT rethinks how to connect a remote workforce to the distributed information resources they need. There will also likely be an increasing demand for "as-a-service" procurement models that offer more flexibility.”[17]

 

Taking security, a step forward, in 2021 Gartner introduced SSE or Security Service Edge, that is a “single-vendor, cloud-centric converged solution” that is a step above SASE and integrates into the SASE architecture.

 

Think of SSE as the security component of SASE.[18] SSE has an access control, threat prevention, data security, and monitoring mission, on top of enforcing integration.

 

With the next generation of SASE, SSE and Gartner introduced this approach by combining Wide Area Network (WAN) with a highly converged platform as SSE. The WAN Edge Infrastructure, one of the SASE components, “focused on the network connectivity element by transforming network architectures to enable a more efficient direct-to-cloud connectivity.”[19] In addition to ZTNA, SWG, CASB, and FWaaS, there were new additions for example:

 

  • Data Loss Prevention (DLP): This principle is a “policy-based classification of information content contained within an object, typically a file, while in storage, in use or in motion across a network.”[20]

  • Remote Browser Isolation (RBI): RBI is a mechanism or solution that “protects users from any malware or malicious code that may be hidden on a website and eliminates the opportunity for malicious code to touch the end user’s device.”[21]



Deploying SASE and SSE can be done via one or two vendors, assessments and engagements need to be strategized so that these vendors and protocols can seamlessly integrate. If there are holes in the services, they need to be assessed and remedied by other services or products including endpoint security, and physical security mechanisms.

 

With all of today’s technological approaches to security, there are hurdles that need to be addressed. For example, adaptation to Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), will grow off site network resources, as well as remote connections. As well as training personnel, new and old, on the newest technologies and terminology. Also, the evolution and adapting of SASE and SSE technologies from a vendor and consumer standpoint is needed, with the understanding of pricing points, and protocols / methodologies the newest technologies are replacing. In all, there is an incredible future for cyber security!


[1] Online Learning Library Center; University System of Georgia; A Brief History of the Internet; Accessed on 11 August 2023 at https://www.usg.edu/galileo/skills/unit07/internet07_02.phtml.

[2] Ring, Julian; NPR; 30 years ago, one decision altered the course of our connected world; Created 30 April 2023, Accessed on 11 August 2023 at https://www.npr.org/2023/04/30/1172276538/world-wide-web-internet-anniversary.

[3] Leonhardt, Megan; CNBC; The 10 biggest data hacks of the decade; Created 27 December 2019, Accessed on 11 August 2023 at https://www.cnbc.com/2019/12/23/the-10-biggest-data-hacks-of-the-decade.html.

[4] Fortinet; What Is a Firewall?; Accessed on 11 August 2023 at https://www.fortinet.com/resources/cyberglossary/firewall.

[5] OneLogin; What is Multi-Factor Authentication (MFA) and How Does it Work?; Accessed on 11 August 2023 at https://www.onelogin.com/learn/what-is-mfa.

[6] Cloudflare; What is Zero Trust security?; Accessed on 11 August 2023 at https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/.

[7] Ibid.

[8] Ibid.

[9] Golden; SASE; Accessed on 11 August 2023 at https://golden.com/wiki/SASE-BW6PZ9.

[10] Ibid Cloudflare.

[11] VMWare; What Is Zero Trust Network Access (ZTNA)?; Accessed on 11 August 2023 at https://www.vmware.com/topics/glossary/content/zero-trust-network-access-ztna.html.

[12] Cisco; What Is Secure Access Service Edge (SASE)?; Accessed on 11 August 2023 at https://www.cisco.com/c/en_ca/products/security/what-is-sase-secure-access-service-edge.html.

[13] Ibid.

[15] Ibid.

[16] Palo Alto; What Is a CASB? Conventional Versus Next-Generation CASB Explained; Accessed on 11 August 2023 at https://www.paloaltonetworks.com/cyberpedia/what-is-the-difference-between-a-traditional-casb-and-an-next-generation-casb.

[17] Ibid Cisco.

[18] Skyhigh Security; What is Security Service Edge (SSE)?; Accessed on 11 August 2023 at https://www.skyhighsecurity.com/cybersecurity-defined/what-is-sse.html.

[19] Ibid.

[20] Ibid.

[21] Ibid.

Comments


bottom of page