SASE demands zero trust at the data level

07 April 2022

Go beyond zero trust network access to ensure the ultimate in data protection for your SASE security frameworks, writes Renaud Perrier, senior vice president international, Virtru

Secure Access Service Edge (SASE) is being adopted increasingly in both commercial enterprise and government organisations. A SASE strategy aims to unify an enterprise’s security across multi-cloud environments, teleworking setups, and data-sharing networks. In a complex technology ecosystem, enterprises therefore benefit from a more sustainable and unified approach that consolidates vendors and ensures new software and systems provide the necessary integrations and support. With this, one of the key benefits of SASE is in bringing Zero Trust cloud security and network functions - including identity management - into a common framework.

However, whether it’s in your current strategic plan or on your long-term roadmap, there are several considerations that are essential to implementing an effective SASE ‘as a service’ strategy.

First and foremost, adopting a data-centric approach is a more sustainable and flexible strategy than a purely network-focused one. While Gartner has put the focus on Zero Trust Network Access (ZTNA), you should go beyond this to ZTDA (Zero Trust Data Access). Taking a data-centric approach to Zero Trust is the most granular and effective way to ensure your data remains protected, regardless of what network it lives on, and even after it’s been shared with an external third party. Both inside and outside your organisation, data can safely travel through cloud environments and even compromised locations while remaining secure.

Building policies that focus on the data will equip your organisation to get the greatest value from a SASE framework. Only then can we convincingly say we have moved beyond a perimeter-based approach. This is because enterprise risk changes, and usually increases, as data moves. That movement creates risk because there is no assurance that the protection and access intent is accurately applied and equally enforced wherever that data travels.

A SASE implementation, built on a true ZTDA pillar, solves this problem because the data itself describes the burden of proof required to gain access, ensuring the system it finds itself in isn’t the weakest link.

Identity management
Bear in mind too that SASE is tightly integrated with identity management. Therefore, it’s vital that endpoints (whether human or machine) prove that they are who they say they are. However, legacy role-based access control (RBAC) is simply not flexible enough to meet the needs of modern organisations.

After all, data access needs change, and basing access on roles alone is likely to give individuals access to more data than they realistically need - often resulting in access that extends well beyond the intended period and purpose. By using attribute-based access control (ABAC), an enterprise can be far more granular and accurate in ensuring that the right people have the right access to the right data, at the right time.

For ABAC to be effective though, your organisation needs to complete an assessment of what kinds of sensitive information you manage and share. This process can take time, especially for a large enterprise. But this shouldn’t prevent adopting ABAC protections for new data being created or shared. This will help you deploy essential data protection, such as encryption, to safeguard those most sensitive assets. Bearing in mind that change is inevitable, ensure that your ABAC-tagged data remains under your control, whether it’s in motion or at rest, and whether it’s shared internally or externally. A strong SASE strategy, combined with selecting vendors that deeply integrate those principles, including ZTDA, will give your teams flexibility and control without introducing hurdles or roadblocks.
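To make concrete the difference between a role-only check and a policy bound to the data itself (the ZTDA idea above, and the "right people, right data, right time" ABAC goal), here is an added example in Python. It is not Virtru's code; the policy format, attribute names, project names and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class DataPolicy:
    """Policy that travels with one data object (constructed format)."""
    required: dict            # attribute -> set of accepted values
    min_clearance: int        # minimum subject clearance level
    not_after: datetime       # access ends here, whatever the subject's role
    allowed_envs: set = field(default_factory=set)  # where decryption may occur

def evaluate(policy, subject, env):
    """Return (allowed, reasons); every failed check is listed for logging."""
    reasons = []
    if env["time"] > policy.not_after:
        reasons.append("policy expired")
    if subject.get("clearance", 0) < policy.min_clearance:
        reasons.append("clearance too low")
    for attr, accepted in policy.required.items():
        if subject.get(attr) not in accepted:
            reasons.append(f"attribute {attr!r} not satisfied")
    if policy.allowed_envs and env.get("location") not in policy.allowed_envs:
        reasons.append("location not permitted")
    return not reasons, reasons

def rbac_allows(subject):
    return subject.get("role") == "analyst"  # legacy role-only check

# Constructed sample: report tagged for project Orion, clearance 2 or higher,
# readable until 30 June 2022 and only from the corporate cloud tenant.
REPORT_POLICY = DataPolicy(
    required={"project": {"orion"}, "department": {"research", "security"}},
    min_clearance=2,
    not_after=datetime(2022, 6, 30, tzinfo=timezone.utc),
    allowed_envs={"corp-cloud"},
)

def decide(subject, env):
    """Side-by-side answer from the role-only check and the data-bound policy."""
    allowed, reasons = evaluate(REPORT_POLICY, subject, env)
    return {"rbac": rbac_allows(subject), "abac": allowed, "reasons": reasons}

def sample_decisions():
    """Same analyst in April 2022 (on Orion, corp cloud) and July 2022 (moved to Vega, partner net)."""
    analyst = {"role": "analyst", "clearance": 2, "department": "research", "project": "orion"}
    april = {"time": datetime(2022, 4, 7, tzinfo=timezone.utc), "location": "corp-cloud"}
    moved = {**analyst, "project": "vega"}
    july = {"time": datetime(2022, 7, 1, tzinfo=timezone.utc), "location": "partner-net"}
    return decide(analyst, april), decide(moved, july)
```

The role check says yes in both cases; the data-bound policy grants the April read and refuses the July one, naming each failed attribute so the denial can be logged and reviewed.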

Finally, don’t attempt to choose between taking a Zero Trust or a SASE route. You can and should have both: Zero Trust is a strategy that strengthens data protection, while SASE is the overall security framework that should be approached with a Zero Trust mindset. This should guide your data security decisions, and a data-centric approach is the most granular and effective way to ensure your data remains protected regardless of what network it lives on - even after it’s been shared with an external third party. Assessing the scope of sensitive data your enterprise manages, and ensuring it’s properly secured, will allow you to confidently handle vital assets in an increasingly challenging threat landscape.