When deploying SASE, don’t overlook network privacy

Founder of NetAbstraction. Retired CIA technical expert with decades of experience in cybersecurity and telecommunications technologies.

To protect “anywhere, anytime” access to digital assets, including applications and data, organizations are increasingly adopting SASE (Secure Access Security Edge) architectures. This emerging approach combines comprehensive network security features with wide area network (WAN) capabilities to support organizations’ dynamic and secure access needs.

Many businesses mistakenly assume that their WAN is secure when in fact any network segment or connection is a potential attack vector. This is partly because network operations and security have traditionally been handled as separate silos with different teams and skill sets. SASE is designed to integrate these two disciplines and increase the agility of organizations to adapt to rapidly changing network and security conditions.

In a related development, over the past few years the industry has seen a massive shift from legacy firewalls and traditional virtual private networks (VPNs) to a zero-trust network, which is based on an integrated security approach that assumes that the corporate network or WAN is compromised or otherwise porous.

Rather than trying to maintain a traditional “castle wall” perimeter, zero trust requires each user to authenticate for each new request to access the service. This architecture assumes that no device, user, or network connection can be trusted until verified. Zero trust has even been recognized by the US government, which recently issued guidance to all federal agencies to begin creating plans to adopt this approach as a key part of their cybersecurity strategy.

As organizations migrate to a more distributed architecture that uses cloud-based functionality, zero-trust networking augments and replaces traditional VPN techniques by providing an additional layer of security. For this reason, network access based on zero trust plays a central role in SASE deployments and is usually gradually implemented as part of digital transformation projects.

When planning a SASE implementation, it is important to include network privacy features that prevent the infrastructure from being publicly detected, mapped, and traced by attackers. This is a new and often overlooked concept: an organization’s right and need to protect its identity, intellectual property and customer data when doing business on the Internet. Network Privacy addresses this requirement by protecting the business and its SASE infrastructure with an additional layer of security through obfuscation, making it significantly more difficult for would-be attackers to locate, target and attack assets as well as sensitive data.

Network privacy concerns the two most common types of attacks: those that are passive in nature, where an intruder captures data as it traverses the network, and active threats, which occur when an adversary takes measures to sabotage the normal functioning of the network or performs reconnaissance and moves laterally inside the organization to discover and compromise protected assets.

When planning a SASE deployment, consider whether your network design will meet the following three risk management pillars:

1. Security, or data backup.

2. Confidentiality, or the safeguarding of user identities and associated data.

3. Governance, which refers to policies, processes and controls that manage risk.

SASE and Zero Trust provide an effective new architecture for the pillars of security and governance by protecting resources inside the enterprise against cyberattacks and data breaches. But they don’t address the privacy of adversaries who are able to locate your outdoor infrastructure, perform reconnaissance, and punch holes in your attack surface. When developing your deployment, you will need to pay special attention to privacy.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs, and technology executives. Am I eligible?

Leave a Reply

Your email address will not be published.