A couple of years ago, I was able to sit in on a vendor partner briefing for an association of which I am a member. The briefing was aimed at educating my fellow CISOs and CIOs on the best path towards a Zero Trust network. The presenter spent a great deal of time talking about different technologies and discussing where they fit into the overall Zero Trust architecture. I must admit, the vendor, whom I will not name, did an excellent job of concisely summing up how their proposed package of products would amount to a zero-trust stack.
In fact, I was impressed, but as I looked around the room, I also noticed for every one person that understood the promise of a zero-trust architecture, there were at least 10 who did not. Naturally, the question was asked, where do you start? That is when the information became a bit more convoluted and people seemed to be overwhelmed by the prospect of building out a network. Yet if they understood what was truly being presented, they would have realized they probably already have some of the key components needed to establish a control plane for a zero-trust network in place.
Fast-forward a couple of years and I am sitting in a room discussing cybersecurity architecture from a strategic point of view with a group of people. I mentioned Defense-in-Depth and was immediately met by someone saying, “You mean expense-in-depth.” The person was quoting a line from a Forrester article. In the article the author asserts that applying a multilayered approach is a diminishing return on investment. Now, I am not posting this to argue with another expert.
When I read the article, I agreed with the assertion in principle. You can’t just throw technology at a problem. I and many others are always telling people there is no silver bullet to eliminate the risks of cyber-threats. However, you also just can’t rebrand descriptions of security architecture as an attempt to create a value proposition. Ultimately, ROI on any IT expenditure, security or otherwise, should be derived from cost savings in productivity, improvements in customer interaction, efficiency, etc.
Moreover, Gartner recently coined the term SASE (pronounced “sassy”), Secure Access Service Edge, as a means of describing a cloud centric security architecture where the borders of the enterprise are no longer constrained to traditional brick-and-mortar data centers. Now, CIOs and CISOs are getting bombarded with marketing materials that contain promises on how product X (fill in the product name here) will transform your environment towards the SASE architecture. And yet, leaders in the trenches are still wrestling with the idea of Zero Trust and how to get it implemented. Before I continue, let’s establish some extremely oversimplified definitions.
Defense-in-Depth: This is the idea that an organization can place technologies such as firewalls, intrusion detection/prevention systems (IDS/IPS), web proxies or secure web gateways, endpoint protection (antivirus), etc., between the attacker and the protected asset as a means of having redundant technologies that can defend the enterprise; should one layer of defense fail, another can pick up. Most people consider administrative controls such as organizational policy and processes to be part of the overall Defense-in-Depth model.
Zero Trust: In concept, this one is simple to describe. This model of thinking assumes every connection within your enterprise is hostile. Threats are assumed to always exist within the enterprise. In this model you don’t use terms like trusted network or trusted host. Every device and every user is authenticated. In short, this is a “verify and trust” rather than a “trust but verify” way of thinking.
Think of it as asking for someone’s driver’s license to validate their identity while simultaneously verifying with the DMV that the driver’s license is in fact legitimate. The interesting thing about this architecture is that the components needed to establish this type of scrutiny of devices and people can be quite expensive, but most organizations probably already have a fair amount of the technology needed to establish the control plane for Zero Trust in place – I will explain this later.
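To make the driver’s-license analogy concrete, here is an added example (my own illustration, not code from the article or any vendor): a toy access-policy evaluator that contrasts the legacy “trusted network” decision with a Zero Trust decision. The Zero Trust path never lets network location grant access; it re-checks the user and the device against the issuer’s records on every request (the “call the DMV” step), requires MFA, and rejects stale credentials. The issuer records, device inventory and sample requests are all constructed for the example.

```python
"""Toy policy engine: 'trust but verify' (perimeter) vs 'verify and trust' (Zero Trust).
Added example; all identity data and requests below are constructed, not real."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed issuer records, the equivalent of asking the DMV whether a licence
# is genuine right now rather than trusting the card that was handed over.
VALID_USERS = {"alice": {"mfa_enrolled": True}, "bob": {"mfa_enrolled": False}}
REVOKED_USERS = {"mallory"}
ENROLLED_DEVICES = {"lap-001": {"compliant": True}, "lap-002": {"compliant": False}}


@dataclass
class Request:
    user: str
    device: str
    src_network: str        # "corp" (inside the perimeter) or "internet"
    mfa_completed: bool     # did this session finish a second factor?
    cred_issued_at: datetime


def perimeter_decision(req: Request) -> str:
    """Legacy model: anything already inside the corporate network is trusted."""
    if req.src_network == "corp":
        return "allow"
    # Remote users are checked, but only against the presented credential.
    return "allow" if req.mfa_completed and req.user in VALID_USERS else "deny"


def zero_trust_decision(req: Request, now: datetime,
                        max_age: timedelta = timedelta(hours=8)) -> tuple[str, str]:
    """Zero Trust model: no network is trusted; every request re-verifies user and device."""
    # Source network is deliberately ignored: corp and internet are treated alike.
    if req.user in REVOKED_USERS or req.user not in VALID_USERS:
        return "deny", "user unknown or revoked at issuer"
    if not req.mfa_completed:
        return "deny", "mfa required for every session"
    if now - req.cred_issued_at > max_age:
        return "deny", "credential stale; re-verify"
    device = ENROLLED_DEVICES.get(req.device)
    if device is None:
        return "deny", "device not enrolled"
    if not device["compliant"]:
        return "deny", "device non-compliant"
    return "allow", "user and device verified"


def compare_models(now: datetime) -> dict[str, tuple[str, str]]:
    """Run constructed requests through both models; returns name -> (perimeter, zero_trust)."""
    fresh = now - timedelta(minutes=5)
    stale = now - timedelta(days=2)
    samples = {
        # Healthy user on a compliant laptop inside the office.
        "alice_corp": Request("alice", "lap-001", "corp", True, fresh),
        # Revoked account, no MFA, but plugged into the office network.
        "mallory_corp": Request("mallory", "lap-001", "corp", False, fresh),
        # Valid user with MFA, but on a laptop the inventory marks non-compliant.
        "alice_bad_device": Request("alice", "lap-002", "internet", True, fresh),
        # Valid user with MFA on a good laptop, but a two-day-old credential.
        "alice_stale": Request("alice", "lap-001", "internet", True, stale),
    }
    return {name: (perimeter_decision(r), zero_trust_decision(r, now)[0])
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, (perim, zt) in compare_models(datetime.now(timezone.utc)).items():
        print(f"{name:18s} perimeter={perim:5s} zero_trust={zt}")
```

The point of the comparison is the second, third and fourth cases: the perimeter model allows all of them, because it either trusts the office network or trusts the presented credential, while the Zero Trust path denies each one for a different reason (revoked at the issuer, non-compliant device, stale credential). That per-request verification is the control plane the article says most organizations can start building from their existing MFA and identity tooling.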
SASE: This construct, published by Gartner in 2019, is actually a very elegant way to describe not only the morphing of security architecture into this decentralized type of access control plane, but also how the ideas of both Defense-in-Depth and Zero Trust are evident throughout the description of the SASE architecture. SASE as a concept arranges defensive architecture in such a way that it converges networking and network security into a single point of reference to support the needs of businesses moving to or operating exclusively in the cloud. This concept has been referenced a lot in the past year as a means to describe how an enterprise might be reshaped to better support the new work-from-home model that has evolved as a result of the global pandemic.
Now that we have some definitions on the table, I want to take a moment to let you know the good news: you are likely already on your way toward a well-defended enterprise, with layers of protection that do not trust anything connecting to the environment, and with a dynamic access edge that is shifting to support your work force and customer demands. I can say this because Defense-in-Depth, Zero Trust, and SASE are concepts.
They exist to describe a complex combination of technical and administrative controls that coalesce into your cybersecurity strategy. You already likely have layers of defensive technologies in place. You also likely have capabilities inherent to many of your products that either support or provide some level of multifactor authentication, which allows you to at least start implementing an Identity and Access Management program essential to establishing a Zero Trust control plane. You are also likely already conducting daily work processes through cloud-hosted services and are accessing components of your enterprise from any device anywhere in the world.
In closing, I want to put forth the idea that we move our planning beyond focusing our efforts based on a singular concept or even concepts. Instead, describe your enterprise based on the analysis of your exposure to the most common and most likely threats to your specific organization, and what your current ability is to respond to these threats via policies, processes, plans, and technologies.
Look at how your enterprise services your employees and customers, and measure this against how the company plans to improve the customer experience and what that will require from the employees. After you have done this, the technology roadmap becomes apparent. You will know what technologies you need, and how they need to be arranged to mitigate risk and improve efficiency and access. Finally, when you have all of this evidence in front of you, the network can be logically depicted to show a Defense-in-Depth posture, with overlays showing where the Zero Trust and SASE efforts sit, describing how your enterprise is verified, accessed, and defended.