Protecting Distributed Businesses Requires Combining SASE and ZTNA

Today’s businesses run on applications, whether they are used by customers or employees. Applications enable collaboration, improve productivity, and enable workers to do their jobs and customers to purchase solutions and access their personal accounts remotely. Top of mind issues for IT teams include developing user-friendly applications, maintaining optimal performance for business-critical services, monitoring user experience, and ensuring access to essential resources.

Of course, because applications run inside an organization’s network and have access to critical information, they are an enticing target for cybercriminals. By surreptitiously monitoring traffic moving in and out of home offices, cybercriminals are able to detect applications in use. And by targeting and exploiting vulnerabilities in home networks, these same cyber adversaries are increasingly doing things to get access to internal applications. This allows them to break and exploit critical applications, gain access to critical data and resources, and find opportunities to breach networks.

To prevent this sort of behavior, organizations need to do three things. They need to ensure that all connections to and from networked resources are secured, they need to ensure that applications are properly hardened, and that access to applications is restricted to only those who need to use them.

Zero trust network access (ZTNA) is an evolution to VPN designed to create logical access boundaries around applications. By verifying the identity and context of users and devices, ZTNA is not only able to restrict access to applications, but also prohibit lateral movement across the network by those who have been granted application access. And it can also be used to hide applications from discovery, thereby reducing the potential attack surface for those organizations that are increasingly relying on applications to conduct business.

For those organizations with a highly distributed workforce, it is becoming increasingly important to combine ZTNA with a secure connectivity solution, such as a secure access service edge (SASE) network architecture. SASE helps to protect data, workflows, and applications moving to and from the cloud by combining tools like VPN and SD-WAN with cloud-native security functions, such as secure web gateways, cloud access security brokers, and next-gen firewalls, to establish and maintain flexible and secure connectivity between remote users and devices and the cloud-based applications they need to use.

When used together, ZTNA and SASE ensure that both applications and remote users are protected from those cybercriminals increasingly targeting home offices and their largely unsecured personal networks to gain access to business applications and critical resources.

However, there are a few challenges that organizations need to be aware of when designing a secure connectivity/secure access strategy based around ZTNA and SASE.

First is that few networks today are entirely cloud based. Because of this, SASE and ZTNA solutions also need to seamlessly integrate with edge security solutions, such as edge security, SD-WAN, and zero-trust access (ZTA) solutions to ensure consistent, end-to-end protection. Whatever security and connectivity solutions are being deployed in the cloud need to be able to see and interoperate with security solutions deployed at every network edge, including the data center, the head office, branch and home offices, and on endpoint devices. If not, policy enforcement can become inconsistent, visibility can become fractured, and cybercriminals are able to find and exploit the natural security gaps that will inevitably arise between isolated security deployments.

Second, most hybrid networks now span multiple clouds, and not every SASE solution can say the same. It is essential, therefore, that the policies in place in one segment of the network are identical to those deployed in others, including those that are part of a SASE solution or deployed in every cloud instance in use by the organization. Rather than deploying unique security solutions at each edge, security needs to be able to follow data and workflows as they move back and forth across the network. One common policy, one common management profile, and one common enforcement strategy needs to span the entire distributed network. This requires ZTNA, SASE, and other networking and security tools to function as part of a single, unified security platform that can be deployed anywhere, communicate between environments, provide unified visibility, and enable consistent, synchronized responses to detected threats.

And finally, SASE and ZTNA solutions are an amalgamation of integrated technologies. Few vendors are able to provide a full suite of enterprise-grade solutions that can address networking, connectivity, and security issues. And that number gets smaller as you add additional cloud, data center, branch and home office, application, and end user environments and devices. To find a solution designed to support and secure dynamic and expanding network environments, organizations need to rely on third-party testing and validation, analyst and customer reviews, and the track record of vendors. This will help them to find solutions that not only work as advertised, but that can scale and grow as their networks continue to evolve. Because the goal is not to protect the network of today. It is to enable organizations to continue to confidently develop the networks they will need tomorrow as well.

Take a security-driven approach to networking to improve user experience and simplify operations at the WAN edge with Fortinet’s Secure SD-WAN solution.

Nirav Shah is vice president of products and solutions at Fortinet. He has more than 15 years of experience working in the enterprise networking and security industry. Nirav serves as the products and solutions lead for Fortinet’s Security-Driven Networking portfolio with a focus on SD-WAN, network firewall, SASE, segmentation, and NOC products. Prior positions include senior software developer and senior product manager for enterprise networking and security solutions at Cisco.