The dynamic of extending security into the cloud

Digital transformation trends and threats have eroded the security perimeter into a virtual, dynamic concept rather than fixed infrastructure at specific locations.

In my last article, I discussed how software-defined wide area network (SD-WAN) technology forms the foundation of secure access service edge (SASE) by providing the required features. This time, I will discuss how SASE extends security to the client and the cloud.

The traditional enterprise network security approach separated internal resources from the outside world with a fixed, well-defined border. Digital transformation trends and threats have eroded the perimeter into a virtual and dynamic concept, rather than fixed infrastructure at specific locations.

The notion of a software-defined perimeter (SDP) draws on the Defense Information Systems Agency idea of restricting connections to those with a need to know, rather than trusting everything inside the fixed perimeter of the enterprise network.

The Cloud Security Alliance (CSA) SDP Working Group popularised SDP to create highly-secure, trusted, end-to-end networks for broad enterprise use.

By default, SDP trusts nothing (the zero-trust model) and permits per-session access based on authentication and policy. Software-defined networking (SDN) transformed all aspects of networking, including the perimeter and the wide area network (WAN), into a software-only model. Fundamental to SDN architecture are the separate, isolated control and data planes.

This separation allows a single control plane to manage both SD-WAN and SDP in a network, which in turn enables enterprises to implement SD-WAN and SD-security in the same software control component.

To achieve SASE, a solution must be able to broker safe client-to-cloud security with an integrated software-defined architecture.

Figure 1 below shows how organisations need to integrate advanced SD-WAN capabilities and security functions together to achieve SASE. For the purpose of this discussion, I will briefly touch on three of these elements and go a bit more in-depth on zero-trust network access (ZTNA).

There are multiple ways of detecting and preventing threats and vulnerabilities:

Next-generation firewalls: Next-generation firewalls include traditional stateful inspection, but go beyond it with identity-based and application-level visibility and control using deep packet inspection (DPI).

Intrusion detection and prevention systems: An intrusion detection and prevention system (IDPS) inspects network traffic. An IDPS provides detection via several methods (signatures, protocol anomaly detection, various methods of analytics, behavioural monitoring and heuristics, sandboxing, and threat intelligence (TI)) to uncover unwanted and/or malicious traffic and report on it or take various actions against it.

DNS security: Because the DNS protocol has no built-in security of its own, DNS traffic must be protected with mechanisms such as DNS Security Extensions (DNSSEC), DNS proxying, DNS filtering and IPS/IDS.

Managing and controlling security threats: All traditional security mechanisms (firewalls, IPS/IDS, anti-malware and anti-virus, employee privileges, user and resource authentication, and URL/website filtering) now apply dynamically to every transaction on the network, whether on-premises or in the cloud.

Malware protection: Leading-edge Unified Threat Management malware detection inspects traffic as it traverses the security point and extracts files for malware analysis.

Dynamic secure web gateway: Protects enterprises and users from malicious web traffic and from hijacked websites that serve malware or viruses.

ZTNA and the new perimeter of users and devices: A zero-trust network access (ZTNA) solution creates an identity- and context-based logical access boundary around an application or set of applications. ZTNA provides controlled identity- and context-aware access to resources, reducing the attack surface.

When a user attempts to access an application in a zero-trust environment, the security software enforces authentication and evaluates the application access policy based on the user, device and location. It verifies identity using an enterprise-specific authentication system such as Active Directory or Single Sign-On (SSO) using Security Assertion Markup Language (SAML).

Depending on the context and security requirements, it may also enforce multi-factor authentication in addition to the enterprise-specific authentication system.
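The per-request decision described above, written out as a small default-deny policy engine. This is an added illustration, not code from any SASE product: the request fields (a verified IdP assertion, group claims, device posture, country) and the sample payroll policy are constructed assumptions, and the engine never consults the source network, so on-LAN and off-LAN requests are judged by the same rules.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    DENY = "deny"
    STEP_UP_MFA = "step-up-mfa"  # session proceeds only after a second factor
    ALLOW = "allow"

@dataclass(frozen=True)
class AccessRequest:
    user: str              # subject asserted by the enterprise IdP (e.g. SAML NameID)
    groups: frozenset      # group claims carried in the assertion
    assertion_valid: bool  # signature/audience of the assertion verified
    mfa_completed: bool    # second factor already satisfied in this session
    device_managed: bool   # device posture: enrolled and compliant
    country: str           # location context (constructed: ISO country code)
    app: str

@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: frozenset     # need-to-know: who may reach this app at all
    require_managed_device: bool
    trusted_countries: frozenset  # empty means location is unconstrained

def evaluate(req: AccessRequest, policy: AppPolicy) -> Decision:
    """Default-deny check of one access attempt against one app policy.
    Source IP/network is deliberately not an input to the decision."""
    if req.app != policy.app:
        raise ValueError("policy does not cover this app")
    if not req.assertion_valid:                      # identity first
        return Decision.DENY
    if not (req.groups & policy.allowed_groups):      # then authorisation
        return Decision.DENY
    if policy.require_managed_device and not req.device_managed:
        return Decision.DENY
    trusted_location = (not policy.trusted_countries
                        or req.country in policy.trusted_countries)
    if not trusted_location and not req.mfa_completed:
        return Decision.STEP_UP_MFA                   # context demands MFA
    return Decision.ALLOW

# Constructed sample policy: payroll is for finance staff on managed devices.
PAYROLL = AppPolicy("payroll", frozenset({"finance"}), True, frozenset({"ZA"}))

def demo() -> dict:
    base = dict(user="alice", groups=frozenset({"finance"}), assertion_valid=True,
                mfa_completed=False, device_managed=True, country="ZA", app="payroll")
    cases = {"office": {}, "travelling": {"country": "DE"},
             "byod": {"device_managed": False}, "wrong_group": {"groups": frozenset({"sales"})}}
    return {name: evaluate(AccessRequest(**{**base, **delta}), PAYROLL).value
            for name, delta in cases.items()}
```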

As a result of digital transformation, many enterprises have more applications, services and data residing outside their traditional borders than inside. Cloud-based ZTNA services place the security controls where the users and applications are: in the cloud.

Adopting a zero-trust model focuses all security on identity: users, applications, devices, services and systems. By normalising the user experience for application access, ZTNA eliminates the distinction between being on and off the corporate network.

A SASE solution proxies authentication into the infrastructure and directly monitors network traffic, integrating with SSO and federated services to ensure an authoritative view of ‘who is using what’ across the entire enterprise.

Securing the cloud

In addition to the traditional security services, new cloud-focused services were established after organisations began to move to the cloud, such as cloud access security broker (CASB), remote browser isolation (RBI), and user and entity behavioural analytics (UEBA).

These services are critical to every transaction, merging old and new security protections. Only by bringing together traditional security mechanisms with new cloud-native security approaches can organisations achieve secure client-to-cloud for their SASE implementation.

CASB delivers five critical security capabilities: cloud application discovery, data security, adaptive access control, malware detection, and user and entity behaviour analytics.

Data loss prevention technology (also known as data leakage prevention technology) is designed to stop data being used or located where it shouldn’t be.

RBI moves the execution of a user’s browser activity from the client device to a remote server, hosted on-premises or in the cloud.

UEBA uses packaged analytics to evaluate the activity of users and other entities (such as hosts, applications, network traffic and data repositories).

In my next article, I will discuss capitalising on SASE.

Andre Kannemeyer

National chief technical officer (CTO) at specialist distributor Duxbury Networking.

Based in the Cape Province, he has been with the company for 20 years and has extensive experience in the IT industry, particularly within the networking space.

Kannemeyer is a passionate, entrepreneurial and tech-savvy technologist with proven technical leadership in his interactions with all Duxbury Networking customers and partners.

As national CTO, he is responsible for looking at new trends and technologies that Duxbury could bring onboard to the benefit of the company’s customers, as well as ensuring the company continues to be a leader in the networking arena.