Sachin Jain, Global CIO & CISO, Evalueserve, in a fireside chat with Kalpana Singhal, Editor-in-Chief, Techplus Media, evaluates the architectural approaches of Zero-trust network access (ZTNA) and Secure Access Service Edge (SASE) and how they might work together to enhance an organization’s cyber security posture.
The core operating principle of zero trust is that no user or device should ever be granted access based on location and network. How do you think zero trust network is helping build cyber resilience across the ecosystem?
The thought of working from anywhere and any device started much before Zero Trust came into the picture. If we look at how people were accessing applications, data and consuming services from the organizational networks, the entire focus of enhancing the security posture was mostly driven around the enterprise network. The whole mobility concept also evolved around the enterprise network concept where organizations gave flexibility to their employees to increase efficiency and productivity. Earlier, if one was a part of an organisation then automatically the device came in a trusted network zone, hence there were no restrictions imposed. Having said that, when we look at some of the large-scale breaches, it so happened that the privileges of access were exploited by the hackers. Hence, the Zero Trust concept came in where businesses verify what users are doing, what data they are accessing, and whether they need that kind of access. The whole principle around managing identity is something which is very relevant in the Zero-Trust architecture.
From a security leader perspective, how do you see the buzz around Secure Access Service Edge (SASE)?
Whether it is security or any part of IT, we see new terms arising every year; however, some of them are relevant. SASE is all about the cover that you need to give to the growing needs of the organization which is going digital. As you move towards digital transformation and adopt cloud in a big way, then the network becomes perimeter-less where people are accessing the networks from any device. When we shift to the cloud and the data is not residing within the enterprise then all the enterprise level controls will not be sufficient. SASE is more oriented towards cloud delivered services and organizations that are moving their workforce to the cloud, whether it’s pure public or a hybrid cloud.
What are the things CISOs must consider when evaluating SASE architecture for their businesses?
Though there are multiple guides which talk about the best way to implement these architectures, testing the current environment and understanding the processes that need to be followed, I personally feel it to be a step-by-step approach. Security is a dynamically changing field; the nature of threats is quite dynamic along with the development around the security terminologies. We need to take the step-by-step approach to figure out what we need to do and how much. Figure out a plan by when we want to achieve some of these security principles within your own framework.
Please talk about common SASE and ZTNA use cases; and tactical and strategic approach to implementing the frameworks.
One of the very relevant cases that we understand these days is the remote work environment. With people working from home, the whole enterprise network, in terms of capacity, accessibility and security, has taken aback many organizations which weren’t prepared for remote working. Especially right after the pandemic, where people were mostly in reactive mode and there have been many cases where they didn’t even have any means to enforce security policies for remote work. These are the cases where we can define the whole SASE and Zero Trust architecture.
Further, the implementation depends on the organization’s maturity related to cloud. This is not about a product that you can buy and deploy; this is all around building an approach, probably a change in mindset around security. More importantly, the change in approach is more around users and identity where the focus is not location or device but figuring out the identity of the people who need access and how much access they require. There are also newer terms like just-in-time access, for example, if I need access to an application for just half an hour, that’s the allotted time for it. In case my account gets compromised, the time limit restricts exploration of my identity.