Trust but monitor: secure access in COVID times

Issue 1 2021 Infrastructure

Much has already been written about how COVID-19 lockdowns have changed the workplace location and, in so doing, the IT dynamic. In hindsight, many commentators have admitted that worldwide lockdowns accelerated a trend that was already picking up steam: work from home, work from anywhere, as long as you work!

When we engage with our customers, this ‘trust-but-monitor’ cultural mindset is clearly articulated in the feedback they offer. Chief technology officers (CTOs) are telling us, “We trust our employees to work from anywhere. As long as they are productive, we don’t care where they are,” and critically, that “we need to monitor our employees – for governance, compliance and productivity reasons of course.” And as the need for secure remote working has grown, they are telling us that “it’s IT’s job to make business happen securely. Just make it happen. And don’t get hacked.”

From my perspective, the essence of these insights from customers aligns with several of the buzzwords already top of mind for C-suite executives (CISOs, CIOs and CTOs):

• Cloud Access Security Broker (CASB)

• Firewall as a Service (FWaaS)

• Secure Web Gateway (SWG)

• Zero Trust Network Access (ZTNA)

• Software defined WAN (SD-WAN)

These technologies/frameworks align perfectly with the introduction of SASE (Secure Access Services Edge) that was first used by Gartner in 2019. Pronounced ‘sassy’, this new category of technology solution is currently at the top of the 2020 Gartner hype cycle ‘peak of expectation’ for cloud security (https://www.gartner.com/smarterwithgartner/top-actions-from-gartner-hype-cycle-for-cloud-security-2020/), and is defined as all the above technologies, or at least some sort of intersection between them. More information is available at https://www.catonetworks.com/blog/what-the-2020-gartner-hype-cycles-taught-us-about-sase.

Wrapped up into a single pane of glass, delivered as a service, with seamless security for the user and the administrator, SASE will ensure perfect secrecy for all your employees – onsite and remote, technical or technophobe, malicious or technologically illiterate.


Ian Shak.

However, due to the vast expanse of SASE’s intended goals, there is no one-stop shop.

You might buy a Cloud Access Security Broker (CASB) solution, with elements of SD-WAN, Secure Web Gateway (SWG) and Firewall-as-a-Service (FWaaS) from a vendor that historically provided only one of the elements, and has built, acquired or integrated the other components.

Alternatively, you may take a Zero Trust Network Access (ZTNA) approach to deploying SaaS applications, and a different approach for endpoint security.

One size does not fit all

Selecting one of the aforementioned technologies as the centrepiece of a security strategy would depend on a combination of technical goals, appetite for risk, level of maturity and, importantly, budgetary constraints.

For example, if you're buying an SWG you need to force people browsing through the nearest cloud based proxy. You will need an identity mechanism, and the tools to implement forward proxies and/or tunnels to get you there.

You then want to get as much out of your SWG spend as you can, by turning up the security dials until the security/convenience trade-off tilts too far. And then dial it back to a more usable level of security, while still implementing a level of Data Loss Prevention (DLP).

On the other hand, ZTNA presents more complicated architecture decisions, given that the goal is to provide direct access to IaaS, PaaS and SaaS apps, without a VPN perimeter. Identity and two-factor authentication (2FA) come to the fore when thinking about ZTNA, and you will rely heavily on the authentication tools provided by your SaaS vendors.

That said, ZTNA is one of the frameworks that places heavy emphasis on the end-user experience, by ensuring that convenience is top-of-mind; a proven method to ensure that users don't have to think of creative ways to bypass security controls.

CASB could be viewed as the middle ground. The vendor provides cloud on-ramps at multiple locations (POPs – points of presence) to ensure low-latency access for ingress and egress traffic. Reverse proxying enters the arsenal of tools.

If you run a business on laptops and SaaS applications only, CASB has the potential to evolve into your SIEM (Security Information and Event Management). But what about your endpoints? You’re probably going to need an Endpoint Detection and Response (EDR) solution, and the trusty old firewall, perhaps with a ‘Next Generation’ sticker.

SASE has nothing to do with endpoints, and is therefore not the complete solution. It could therefore be thought of as a framework, composed of a bundle of services which achieve a percentage of your security goals.

The winners and losers have yet to be determined, and indeed most of the large vendors are jostling for dominance, either through mergers and acquisitions or strategic partnerships.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Upgrade your PCs to improve security
Information Security Infrastructure
Truly secure technology today must be designed to detect and address unusual activity as it happens, wherever it happens, right down to the BIOS and silicon levels.

Read more...
The hidden cost of cheap networking gear
Duxbury Networking Infrastructure
When it comes to building a network, price is always a consideration, especially in the current economic climate, but there is a difference between smart spending and short-term savings with long-term losses.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
Fastest PCIe Gen 5.0 NVMe SSD
Products & Solutions Infrastructure
Sandisk has unveiled the WD_BLACK SN8100 NVMe SSD with PCIe Gen 5.0 technology, an internal SSD delivering speeds up to 14 900 MB/s and capacities up to 4 TB, with 8 TB solutions available soon.

Read more...
Unified storage solution
Products & Solutions Infrastructure
CASA Software has announced the local availability of Nexsan’s upgraded unified storage solution, Unity NV4000, which is ideal for mixed workloads, from virtualisation and video surveillance to secure backup and recovery.

Read more...
Suprema unveils BioStar Air
Suprema neaMetrics News & Events Access Control & Identity Management Infrastructure
Suprema launches BioStar Air, the first cloud-based access control platform designed to natively support biometric authentication and feature true zero-on-premise architecture. BioStar Air simplifies deployment and scales effortlessly to secure SMBs, multi-branch companies, and mixed-use buildings.

Read more...
Back-up securely and restore in seconds
Betatrac Telematic Solutions Editor's Choice Information Security Infrastructure
Betatrac has a solution that enables companies to back-up up to 8 TB of data onto a device and restore it in 30 seconds in an emergency, called Rapid Access Data Recovery (RADR).

Read more...
Advanced surveillance storage from ASBIS
Infrastructure Surveillance Products & Solutions
From a video storage solutions perspective, SkyHawk drives, designed for DVRs and NVRs, offer high capacity, optimised firmware, and a reliability workload rating of hundreds of terabytes per year.

Read more...
Power surges are killing our networks
Duxbury Networking Infrastructure
With power surges and lightning strikes becoming an all-too-familiar threat to South African infrastructure, Duxbury Networking is calling on local installers and network integrators to follow proper grounding protocols.

Read more...
A passport to offline backups
SMART Security Solutions Technews Publishing Editor's Choice Infrastructure Smart Home Automation
SMART Security Solutions tested a 6 TB WD My Passport and found it is much more than simply another portable hard drive when considering the free security software the company includes with the device.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.