As more and more organizations deploy external, mobile and temporary workers, the elements of business continuity planning evolve, forcing IT professionals to scrutinize the operation of connectivity.
CISO and its teams face new challenges every day, many of which are the result of digital transformation and the introduction of other performance-enhancing technologies.
An example of this is the rapidly evolving need to support external and mobile users as companies change the way they interact with their employees.
For example, the recent COVID 19 crisis has forced most companies around the world to support employees working at home or in other remote locations.
Many organizations face many challenges in connection reliability and the difficulty of evolving rapidly to meet the needs of a growing number of employees in remote locations.
Add to this the issues of security and confidentiality and it becomes clear that CIS can be a potentially insurmountable challenge to maintain its operation and security.
It is the potential for disruption that puts Business Continuity Planning (BCP) at the forefront of many discussions about information technology. In addition, many IT professionals quickly conclude that a continuous connection to the WAN and the Internet forms the basis for an effective business continuity plan.
VPN does not deliver
Virtual Private Networks (VPNs) are often the first choice when it comes to establishing secure connections to the corporate network from the outside world.
Originally, however, VPNs were designed to allow an external endpoint to connect to the internal LAN and access data and applications stored on the network.
For an occasional connection, with an emphasis on user-friendliness.
However, VPNs quickly reveal their limitations when asked to support a rapidly deployable staff member remotely.
One of the most important issues related to VPNs relates to scalability; in other words, it can be difficult to scale up a VPN quickly.
In most cases, VPNs are licensed over a connection and are supported by a network-side device to encrypt and decrypt traffic. As the number of VPN users increases, more licenses and computing power are needed, resulting in unexpected costs and additional network latency.
Finally, VPNs can come under pressure, resulting in a business continuity problem. Simply put: If the VPN is overloaded due to increased data traffic, the connection can fail and employees can access the network, the concept of business continuity suffers.
VPNs are also used for site-to-site connections, where bandwidth can be shared not only between the branch and head office, but also with remote users. Such a situation can completely destroy a company’s ability to do business if these VPNs fail.
Cybersecurity may be an even bigger problem with VPNs. VPNs used to provide access to the network to remote users are no more secure than the credentials provided to those users.
In some cases, users may share passwords and credentials with other users or inadvertently expose their systems to intrusion or theft. Ultimately, VPNs can pave the way for attacks on the corporate network by giving bad actors access to systems.
ZTNA goes beyond VPN
Now that VPN technology is suspected by the rapid growth of remote workers, CISOs and IT professionals are looking for alternatives to ensure reliable and secure network connections for remote workers.
The desire to combine safety and reliability is due to both continuity and operational problems. CISO strives to reduce costs and provide a level of security without sacrificing performance, while ensuring predictable growth.
Many companies believed that the answer to the VPN dilemma could be found in SDP (Software Defined Perimeters) or ZTNA (Zero Trust Network Access), two abbreviations that have become interchangeable in the field of cyber security.
The ZTNA was created for the cloud as a solution that shifts security from the network to the applications. In other words: The ZTNA is application-oriented, which means that users have access to applications instead of the entire network.
Of course the ZTNA does a lot more. The ZTNA can hide applications while authorized users have access to these applications. Unlike VPNs, ZTNA technology does not transmit authentication information outside the network, while VPN hubs are located at the edge of the network, making them visible to everyone and a target for attackers.
In addition, the ZTNA uses internal connections, so that IP addresses never reach the Internet. Instead of providing network access in the form of a VPN, the ZTNA uses a microsegmentation approach that creates a secure segment between an end user and a named application.
The ZTNA creates an access environment that gives an individual user private access to an application and grants the user only the lowest rights.
ZTNA technology enables access to network applications and creates a new connection paradigm. ZTNA-based solutions also capture much more information than a VPN, which is useful for security analysis and planning.
While a VPN can only track IP addresses, port data, and device protocols, ZTNA solutions collect data related to user identification, application name, time, location, and so on, which can be used to identify the user. It creates an environment that enables administrators to be more active and to consume and analyse information more easily.
Although ZTNA can represent a monumental advance over conventional VPN systems, its solutions are not without problems. ZTNA’s solutions do not address performance and scalability issues and may not include important continuity elements such as failover and automatic traffic routing.
In other words: The NAZA may require the inclusion of these additional third party solutions in the mixture to support CAC.
Resolving ZTNA and VPN problems with SASE
This new technology, called SASE (Secure Access Service Edge), can address the security, continuity and scalability dilemmas posed by NAZAs and VPNs in the network comparison.
The Secure Access Service Edge (SASE) model was presented by leading security analysts Neil MacDonald, Lawrence Orans and Joe Skorupa of Gartner. Gartner presents SASE as a way to transform the security stacks of networks and WAN SDs into a fully integrated offering that is easy to implement and manage.
Gartner sees SASE as a turning point in the world of WAN and cloud computing. The research centre predicts that 40% of companies will switch to SASE by 2024. However, a serious problem remains: network and cyber providers continue to expand their SASE offerings and few providers are currently available.
One of these suppliers is Cato Networks, which offers a fully developed SASE solution and has been identified by Gartner as one of the leading suppliers in the field of SASE.
SASE differs significantly from the VPN and ZTNA models by using its own cloud architecture based on SD-WAN (Software-Defined Wide Area Network) concepts. According to Gartner, SASE is an identity-based connectivity platform that uses a proprietary cloud architecture to support secure connections at the edge of a globally distributed network.
SASE offers organisations access to a predominantly private backbone network that operates on the global Internet. SASE also includes automatic failover, AI-based performance tuning and multiple secure paths to the private backbone.
SASE is used at the edge of the network, where the local network is connected to the public internet to access the cloud or other services. And as with the other SD-WAN proposals, the edge must be connected to something outside the four walls of the private network.
In the case of Cato, the company has created a global private backbone connected through multiple network providers. Cato has built a private cloud that is accessible via the public internet.
SASE also offers the possibility to combine the advantages of SDP with the fault tolerance of SD-WAN without disadvantages for the VPN.
An example of this is the direct access of Cato, a clientless connection model that uses Software-Defined Perimeter (SDP) to provide authorized users with secure remote access to cloud applications.
Instant access provides multi-factor authentication, single sign-on, low-precise access and is integrated into the combined network and security stacks. Because it is built on SASE, full administrative visibility is a reality, as well as simplified implementation, direct scalability, integrated performance management and automated failover.
Cato Networks Product demonstration for remote access
In the case of Cato, the continuous threat protection protects both employees in remote locations and the network from network threats. The Cato Security Stack includes NGFW, SWG, IPS, Advanced Malware Protection and Managed Threation and Response (MDR) Service. Of course, Cato is not the only player in the SASE game; other vendors pushing the SASE area include Cisco, Akamai, Palo Alto Networks, Symantec, VMWare and Netskope.
SASE Troubleshooting in VPN, ZTNA – and over
As the number of VPNs decreases and the ZTNA lacks essential features such as scalability and performance management, it soon becomes clear that CISO may need to work long and hard with SASE.
SASE solves the common problems VPNs bring to the rapidly evolving teleworking paradigm, while providing application-oriented security with an emphasis on ZTNA.
In addition, SASE offers improved security, visibility and reliability, which will significantly improve business continuity and potentially reduce costs.