Providing Out-of-Band Connectivity to Mission-Critical IT Resources


SASE & Zero Trust: How They Come Together to Improve Network Security


How do secure access service edge (SASE) and zero trust work together to improve network security? Simply put, SASE delivers security from the cloud, and zero trust enforces least-privilege access.

Networking trends have heavily shifted in favor of SASE following the shift to remote work. Gartner predicts that 60% of businesses will adopt or begin to adopt a SASE-oriented model for their company by 2025. Let’s discover more about how SASE and zero trust work together to benefit large enterprise networks.

SASE and zero trust defined

The rise of SASE has made it one of the most talked-about terms in the world of networking, but defining it in simple terms has proved challenging for some. Palo Alto Networks defines SASE as the convergence of several technologies into a cloud-based service, including wide area networking (WAN), cloud access security broker (CASB), firewall as a service (FWaaS), data loss protection (DLP), and zero trust.

SASE uses edge computing to solve the inherent bandwidth issues caused by the in-and-out traffic of proxy connections to SaaS programs via the company data center. SASE allows companies to apply their security measures to these programs, preventing possible security leaks and mitigating them when they do happen.

SASE’s emphasis on securing proxied connections comes from zero trust architecture, which has recently gained popularity. Traditional models have used a “castle & moat” approach, installing firewall protection around a business’s network perimeter. These models assume, however, that devices already inside the network are inherently trustworthy. Zero trust architecture never makes that assumption: it demands that the user or device present credentials and be authorized regardless of where the request comes from. Learn more about the SASE model’s key use cases and benefits and the zero trust security benefits for large companies.

How SASE and zero trust work together

The new focus on proxy connections is what truly defines both SASE and zero trust. Whereas the company data center used to act as the nerve cluster of business operations, that role has now been fundamentally decentralized and relegated to many smaller data paths coming from remote locations. 

SASE: Zero Trust, SD-WAN, CASB, FWaaS, Routing, and SaaS Acceleration.

This decentralization means an increased reliance on programs found in the cloud, as it offers the most convenient access for employees working from home. This is the ultimate goal of SASE: the use of edge computing to redirect traffic from the data center to the cloud, easing the traffic flow.

2020 saw a rise in cybercrime due to an increased dependency on unprotected (or poorly protected) cloud and remote access programs during the pandemic—the FBI reported a 75% increase in daily cybercrimes by June. This exposed a dire need for protocols that offer security rules. Zero trust architecture provided precisely this opportunity, using SASE’s emphasis on edge computing to issue company protections from proxy locations onto cloud-based services.

However, zero trust security doesn’t just provide multiple checkpoints for potential users in a network; it also restricts user access once checkpoints have been cleared. Think of your enterprise network like a concert—the ticket gets you into the venue, but if you want to access the VIP or backstage areas, you need to clear additional checkpoints with an ID badge or backstage pass. With zero trust security, users and devices only gain access to the specific resources they’ve authenticated to—they’ll need to prove their identity and verify their privileges if they want to move to any other area of your network.

These security protocols are critical to successful SASE implementation, as they allow companies to apply their security policies to SaaS programs and mitigate potential leaks when they do happen. Together, they provide the best of both worlds, allowing for a decentralized network model that still provides the security needed for such a model to exist. It is precisely this balance between access and safety that makes SASE and zero trust what you need to shield your business as you continue to accommodate remote work and distributed users.

Why does my company need both SASE and zero trust?

A SASE network implementation lacking zero trust principles is left drastically exposed to potential cyberattacks. For example, without internal access controls, a single compromise can turn into a far more extensive information leak.

Consider what would happen if you implemented SASE without zero trust, and a hacker used a compromised account to connect to one of your cloud applications. In addition to stealing the data available in that cloud app, they could potentially jump to other edge resources using the same username and password, or even find an access point to your primary enterprise network. The more lateral movement that account has on your network, the more sensitive data they could exfiltrate. Additionally, without detailed logs, these leaks will consume a great deal of time and energy as network managers attempt to locate and neutralize threats when they arise.
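To make the contrast concrete (the “castle & moat” assumption from the definitions above and the compromised-account scenario described here), the following added example, which is not code from the original post, models both access decisions over constructed sample requests and shows how far one compromised session can travel under each. The users, resources, entitlement table and decision-log format are assumptions.

```python
"""Perimeter trust vs. zero trust, as access-decision functions over sample requests."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    source_net: str                 # "corp" (inside the perimeter) or "internet"
    authenticated_for: frozenset    # resources this session has explicitly authenticated to
    device_compliant: bool = True   # result of a device posture check

# Constructed least-privilege entitlements (assumption): which user may reach which resource.
ENTITLEMENTS = {
    "alice": frozenset({"crm", "wiki"}),
    "bob": frozenset({"wiki"}),
}

RESOURCES = ("crm", "wiki", "hr-db")

# Decision log, appended to on every evaluation; this is what an analyst would review.
AUDIT = []

def perimeter_decision(req: Request) -> bool:
    """Castle & moat: a request is allowed simply because it originates inside the network."""
    return req.source_net == "corp"

def zero_trust_decision(req: Request) -> bool:
    """Zero trust: identity, device posture and entitlement are checked for every
    request against the specific resource, regardless of the source network."""
    if not req.device_compliant:
        return False
    if req.resource not in req.authenticated_for:
        return False    # the session never authenticated to this resource
    return req.resource in ENTITLEMENTS.get(req.user, frozenset())

def reachable(decide, user, source_net, authenticated_for, device_compliant=True):
    """Evaluate one session against every resource under the given policy and
    return the set of resources it would be allowed to reach."""
    hits = set()
    for res in RESOURCES:
        req = Request(user, res, source_net, frozenset(authenticated_for), device_compliant)
        allowed = decide(req)
        AUDIT.append(f"policy={decide.__name__} user={user} resource={res} "
                     f"net={source_net} allowed={allowed}")
        if allowed:
            hits.add(res)
    return hits

def lateral_movement_demo():
    """Bob's credentials are compromised. The session is on the corporate network but
    was only authenticated to the wiki. Compare what each model exposes."""
    perim = reachable(perimeter_decision, "bob", "corp", {"wiki"})
    zt = reachable(zero_trust_decision, "bob", "corp", {"wiki"})
    return perim, zt

if __name__ == "__main__":
    p, z = lateral_movement_demo()
    print("perimeter model exposes:", sorted(p))
    print("zero trust model exposes:", sorted(z))
    print("\n".join(AUDIT))
```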

On the other hand, while it’s never a bad idea to put extra measures in place to secure your data, the purpose of zero trust is to handle edge computing access to cloud-based SaaS applications. Zero trust is a welcome addition to your existing security stack and removes the necessity of having a centralized model.

Talking about SASE and zero trust individually makes the two of them sound as though they are mutually exclusive; they aren’t. Zero trust security is one of many programs integral to the successful implementation of SASE. This listing of the key SASE components gives more context regarding how these systems work together.  

Implementing SASE and zero trust protocols

The advantages these two protocols offer companies stem from the way they are used together. When combined, SASE and zero trust allow companies to recenter their business models around a proxy structure. This new model gives employees the flexibility of working from home while ensuring that sensitive information remains safeguarded against ransomware and cyber attacks. Palo Alto Networks cites that the advantages of combining SASE & zero trust are: 

  • Stronger network security
  • Streamlined network management
  • Reduced costs of deploying security at scale
  • A single, holistic view of the whole network

The final benefit listed above is worth further consideration. Instead of viewing your company’s systems as individual pieces, conversion to the SASE model allows you to view your company’s network through a single lens. This helps to streamline your business model even further, making you that much more competitive in the workplace of tomorrow.

We encourage you to read Gartner’s roadmap for SASE convergence for more information. 

Ready to begin your conversion to SASE?

Our products page boasts several options to get you started. Contact us for further questions and get started today! 


DigiCert: improving critical network infrastructure for 50% less work


Critical network infrastructure drives business. Like a system of roadways, it determines how efficiently communications move to and from your organization. This affects everything from the speed of customer banking transactions to the reliability of the access IT support teams need to maintain enterprise resources.

The problem is, complexity can easily bog down your critical network infrastructure. When this happens, user experiences can lag at ATMs and checkout lines, and IT teams can be cut off from providing off-site support. When you’re a company such as DigiCert, which serves nearly 90% of Fortune 500 companies, slowdowns and failures simply aren’t an option.

In this post, we’ll discuss some of the challenges of critical network infrastructure, and show you why DigiCert chose Nodegrid to streamline operations.

Critical network infrastructure challenges

One of the overarching challenges to critical network infrastructure is the volume of complexity. When you have several data center locations and many branch sites distributed globally, even a little bit of complexity can scale out of control. So what contributes to this? Having so many devices and solutions.

For DigiCert, every location required a large stack of essential devices. These included servers, switches, routers, out-of-band hardware, and cellular failover boxes. Managing these proved slow, as each came from a different vendor and had its own management protocols and interface. When support tickets came in, backlogs mounted as teams struggled with Mean Time To Innocence (MTTI) and root cause analyses. Licensing, updating, and maintaining their most important systems was a major time sink at the data center and branch. In short, DigiCert’s critical network infrastructure was demanding too much time and too many resources to be sustainable.

This inflated infrastructure also brought more points of failure, which were difficult to pinpoint and resolve. DigiCert lacked a centralized management solution, so they had to devote more effort to troubleshooting whether the current issue lay in a bad server configuration, an overheating device, or a faulty router.

The company also lacked peace of mind regarding remote out-of-band management access. Occasionally, support teams would be unable to troubleshoot and resolve problems remotely. This typically resulted in on-site visits to the data center, where the only solution would be to gain direct console port access to specific devices. This only added to their IT burden and grew the complexity of their operations.

How Nodegrid radically improved DigiCert’s critical network infrastructure

Eliminating critical network infrastructure complexity can seem like a daunting bridge to cross. Consolidating your physical infrastructure can be an enormous task all by itself, much less implementing centralized management and reliable out-of-band.

But for DigiCert, ZPE Systems’ Nodegrid and ZPE Cloud made it simple to achieve all this — while helping the company maintain an impenetrable security posture. They were able to deploy multiple services on a single Nodegrid device, which reduced their hardware footprint by a 4-to-1 ratio. They hosted their Palo Alto security solutions directly on the Nodegrid appliance, and set up 4G/LTE for connection redundancy. In total, they achieved a redundant configuration by using two Nodegrid devices at each location, instead of the 6-8 that they previously required.

To learn more about this implementation, download the full case study. You’ll explore the all-in-one Nodegrid solution that exceeded DigiCert’s requirements, slashed their workload 50%, and helped them achieve near 100% network uptime.

SASE vs Security Service Edge: What’s the difference?


Security Service Edge. Is it just another fancy networking term? After all, we’ve already got SASE (Secure Access Service Edge), so why throw another buzzword into the mix?

The truth is, there’s a big difference between Security Service Edge (SSE) and SASE. SSE is a foundational element of SASE, but there’s another necessary component you need to be aware of. In this article, we’ll break down the differences between these two acronyms so you can understand how to achieve better security for your distributed users and devices.

But first, let’s quickly recap why networking and security have become decentralized.

Security Service Edge: An evolving need

The modern workforce is increasingly distributed. In fact, Gartner research shows that demand for remote work will increase 30% by 2030, as Gen Z fully enters the workforce. Another factor is the ongoing coronavirus pandemic, which has forced companies worldwide to accommodate off-site staff.

But the need for distributed networking goes back much earlier than the previous 18 months.

Connectivity and network architectures used to be simple. In the 1990s and 2000s, companies centralized data in the data center, connected branch offices to the data center, and set up simple security measures in between. Most staff worked from the office, which made it easy to provide secure access to and from these enterprise locations and resources.

Network architecture showing simplicity of data center connected via MPLS to branch office

As technologies advanced, companies and their employees discovered that it was becoming easier to work outside of the office. Cloud, SaaS, and edge offerings emerged to create a hybrid infrastructure, as everything moved from being centralized to highly distributed. Now data, security, networking, and computing are everywhere and comprise a complex web of services — owned by enterprises themselves as well as third parties. Securing it all has been an impossible feat for more than a decade.

Network architecture showing complexity of data center, CDN, remote user, branch office, all connected via many paths

Fortunately, Security Service Edge and SASE are models that can address this challenge.

SASE vs Security Service Edge (SSE)

Security Service Edge is a main component of SASE. In the simplest terms, SASE is the architecture that organizations strive to build. It involves delivering networking and security via the cloud, directly to the end user, device, office, etc., instead of having to backhaul through the company’s data center. Aside from SSE, the other main component of SASE is the access portion, which allows the edge services to be deployed and managed. This access portion includes the physical hardware required to connect (network) the edges and services.

Therefore, SASE breaks down into two main components:

  • Security Service Edge, and
  • Access

Keep reading for a detailed explanation of each and why they have been separated out into two pieces now.

Security Service Edge

Security Service Edge (SSE) is the security component of SASE. As Gartner states, SSE ensures secure access to the web, cloud services, and applications. SSE is delivered via the cloud and offers several capabilities, including threat protection, security monitoring, and data security.

Security Service Edge capabilities are available from companies who provide NGFWs (next generation firewalls), SWGs (secure web gateways), and CASBs (cloud access security brokers).

  • NGFWs: Next generation firewalls are implemented not only to secure networking components and services, but also to protect against modern threats that exploit weaknesses in applications. This type of service covers all traffic, including UDP and non-web-based applications, and protects against malware and exploit attempts.
  • SWGs: Secure web gateways are self-explanatory. They are placed between the user and the web, serving as a gateway that provides secure access to the web. Basic functions of SWGs include blocking access to certain websites, preventing unauthorized transfers of data, and inspecting for malicious content. As its name implies, this type of service is limited to web traffic and is used in specific use cases.
  • CASBs: Cloud access security brokers are software that sits between cloud users and cloud applications to monitor activity and enforce security policies. This software keeps a close eye on data as it moves between cloud environments, SaaS, and users, and enforces security policies to block malware, protect sensitive data, and maintain compliance. As its name suggests, this type of service is likewise scoped to a specific use case: examining specific cloud applications.

Access for Security Service Edge

In order to use the capabilities of Security Service Edge, you need the physical hardware to deploy services at your locations. This hardware is the access component, and includes SD-WAN capabilities. When deployed, it connects your location to a variety of services (NGFWs, SWGs, CASBs mentioned above) in order to make those services available to your location.

SASE = Security Service Edge + Access

A simple way to think about the SASE concept and its components is to imagine a skyscraper.

Imagine SSE capabilities live in the clouds, and you’d like to bring them down to your enterprise. You’ve got the blueprints to build a skyscraper (SASE) that can connect you to these cloud-based capabilities. But before you can do any of that, you need a sturdy foundation (the access portion) on which to build it all. In other words, your investment in cloud services needs a solid access onramp to those services.

With the right access component, your employees can shuffle in and out of your skyscraper, and easily perform their job functions using SSE capabilities in the cloud. And if you deploy a more robust access solution such as ZPE Systems’ Nodegrid, you’ll be able to maintain your SASE architecture no matter how the clouds change.

How to implement SASE: Focus on Access

When you’re considering implementing SASE architecture, you might be inclined to go to a SASE company to buy everything. But Gartner states that companies that offer the two segments separately have more mature offerings.

Therefore, you should focus on purchasing the right solution for the access portion, since it serves as the foundation of your infrastructure at the edge, and then marry this to the right SSE solution for your company. This separation of vendors gives you the flexibility to manage several IT systems and eliminates vendor lock-in.

Nodegrid puts the Access in SASE

The Nodegrid SR family of edge routers serves as the access portion in your SASE architecture. A single Nodegrid SR device is a powerful, cost-effective solution to connecting sites to Security Service Edge providers.

The onboard Intel CPU and Linux-based Nodegrid OS offer speed and flexibility. Orchestrate freely across vendors to activate service licenses, spin up VMs, and get your SSE solutions up and running automatically. Additional RAM and storage also help you deploy edge computing for data thinning, de-duplication, monitoring, and other edge workloads.

On top of this, Nodegrid gives you out-of-band management capabilities so you can remotely manage your SASE architecture from anywhere. If you need to optimize bandwidth, investigate data logs for security, or simply power cycle an edge device, you don’t have to get out of your pajamas. Nodegrid gives you secure access to everything via your web browser.

To summarize, the reason SSE has been separated from SASE is that many SD-WAN vendors began to confuse the market by advertising that they offered SASE. This prompted Gartner to point out that there are security-savvy companies that give you more mature security solutions, and to recommend considering such solutions from vendors like Zscaler, Netskope, and Acreto, for example. Regarding the Access component, vendors like ZPE Systems provide more capable and robust solutions for connectivity to cloud services, when compared to SD-WAN companies that claim to offer SASE.

Don’t miss out on valuable SSE content. Make sure to sign up for our newsletter using the form below.

If you have questions or would like to speak with an expert, feel free to contact us.


3 Tips to Improve Edge Network Resilience


When it comes to improving edge network resilience, traditional WAN architectures can easily get in your way.

Suppose you’re setting up an electrical substation, cellular base station, or other distributed remote infrastructure to incorporate cloud-based networking. To deploy, you need to configure a slew of cloud-enabled devices, from IoT sensors, to routers, firewalls, SD-WAN boxes, and out-of-band and cellular failover appliances. The physical footprint alone is intimidating, and is rife with points of failure. On top of all this, you need the right management tools to ensure everything runs smoothly. You might need visibility on power grid sampling, application performance, or user experience, with management software that lets you troubleshoot individual components of your infrastructure.

It’s not just your network or your business riding on your shoulders — it’s people’s livelihoods, whether they rely on you for delivering essential utilities or keeping them connected to the world.

That’s why it’s so important to boost edge network resilience and shield your customers from outages. And it’s why ZPE Systems now hosts Palo Alto Networks’ Prisma SD-WAN offering. Read the full press release, and download the brief below for details.

But before you do, here are three tips to help you improve edge network resilience.

How to improve edge network resilience

1. Respond fast with out-of-band

It’s 8pm, and suddenly a surge of customer tickets crowds your support desk. You quickly scan the issues and realize that one of your towers is offline, causing an outage for many of your rural customers. One of your on-call technicians is standing by for dispatch, but the hour-long drive means your teams will be fielding complaints for at least 60 minutes. Meanwhile, customer satisfaction begins to drop and one-star reviews pour into your online channels.

This is all too common with edge network support, and it highlights why out-of-band management can be a life saver. Instead of having to dispatch IT support technicians to establish a physical connection and allow HQ to remote-in for troubleshooting, what if you could respond instantly from anywhere? With out-of-band, you get an isolated management network that’s separate from your production network, and you can establish a connection using cellular, broadband, DSL, or even phone lines. This means you can quickly gain access to your infrastructure, and with an advanced out-of-band solution like Nodegrid, you can simply open your web browser to troubleshoot and resolve issues — whether you need to reboot a network switch, reconfigure a firewall, or analyze and adjust traffic flows.

No matter your deployment, out-of-band is essential to improving edge network resilience.

2. Stay connected with cellular backup

Part of boosting edge network resilience involves diversifying the types of connections at each location. But this doesn’t mean adding more layers of physical connections.

Although T1, T3, and MPLS links can serve as reliable backups, these physical connections most likely follow the same path as your main connection. So when a flood sends currents your way or a construction crew sinks a thousand-pound excavator bucket into your main line, chances are your physical backups will go down, too.


If you have 5G/4G LTE cellular, you can keep your locations online through all this. Your cellular connections can serve as failover paths, but also provide reliable backup for out-of-band networks. Download the joint solutions brief below and see how Nodegrid’s failover helped a large oil and gas company eliminate the majority of their continuity issues at the edge.

3. Go vendor-neutral to centralize control

One of the biggest drawbacks to managing traditional WAN architecture is vendor lock-in. When you purchase one provider’s SD-WAN or security solution, you’re limited to using their unique management tools and integrating only pre-approved solutions (usually from them as well). This can make edge network resilience difficult to maintain, since you’ll have to learn several different systems, protocols, interfaces, commands, etc.

When you centralize control, however, you get access to all the tools you need, using a single gateway. The best platforms for this feature a vendor-neutral operating system and rich API library that can accommodate your custom and third-party integrations.

Imagine no longer needing to log in and out of every solution in your stack, and instead using single sign-on to gain access to your SD-WAN’s cloud controller, next-gen firewall, application performance monitoring app, and every part of your edge infrastructure. For a major digital security company, this meant cutting resolution times in half using a single tool that helped them provide continuous monitoring and achieve instant response times.

See how Palo Alto Networks and ZPE Systems boost edge network resilience

Prisma SD-WAN and Nodegrid help companies streamline deployment, configuration, and management of their edge networks. Download the brief for full details.

SASE Implementation: A Step-by-Step Guide for Businesses


SASE—which stands for secure access service edge—is a relatively new framework that converges wide-area networking with security into one cloud-based service stack. SASE uses software-defined wide area network (SD-WAN) technology to directly connect branch offices and remote users to the cloud and software-as-a-service (SaaS) resources without backhauling traffic through the primary firewall. 

SD-WAN traffic can bypass the primary firewall because SASE applies enterprise security policies, traffic filtering, and other controls to that remote traffic using cloud-based security features like firewall-as-a-service (FWaaS), cloud access security brokers (CASBs), and zero trust network access (ZTNA).

SASE provides numerous benefits to businesses to simplify, optimize, and secure their network edge, including:

  • SASE reduces network latency for both enterprise and remote traffic. SASE separates remote, cloud-destined traffic from the rest of your SD-WAN traffic, so a branch office user doesn’t need to go through an HQ firewall just to access a web service like Office 365.
  • SASE increases the security of the network edge by allowing you to apply the same enterprise security policies and controls to all remote traffic.
  • SASE simplifies and optimizes network administration by consolidating SD-WAN management and edge security controls into one unified platform.

A successful SASE implementation requires a lot of planning, as well as a comprehensive understanding of your existing infrastructure, requirements, and pain points.

SASE implementation: A step-by-step guide for businesses

Each SASE implementation is unique to the business it serves. However, there are six basic steps that most successful SASE deployments follow:

Step 1: Define SASE goals and requirements

During the planning phase of the SASE implementation, the first step is defining the project’s business goals. Identify SASE use cases: What problems need a solution, and what benefits does your organization hope to gain? These use cases will inform how to conduct the following steps: once the goals are clear, the plans for reaching them follow.

For example, you may want to use SASE to secure and optimize SD-WAN traffic. In this case, you already have SD-WAN technology, so the primary goal is to add SASE’s cloud-based network security stack to protect that traffic. 

The following steps determine whether the existing SD-WAN architecture can support SASE and ensure preferred SASE vendors integrate with your existing infrastructure. Once you know why SASE is essential, decide what technologies, processes, and training to implement to reach those goals.

Step 2: Assess the environment and identify gaps

Next is to conduct a thorough assessment of your existing network infrastructure and resources to identify any gaps in the ability to achieve your SASE goals. Use the following questions as a checklist:

  • Do the critical staff members have the knowledge and skills to implement and manage a SASE deployment?
  • Do you need an access on-ramp to the SASE service provider (e.g., an SD-WAN backbone)?
  • Can any existing infrastructure be used with SASE implementation, or do you need to purchase new hardware for your edge?

Review technical documentation and network diagrams, interview key staff about their requirements and training, and examine the security and network configurations to assemble a complete picture of your current environment. Doing this before finalizing SASE requirements is vital, because a thorough understanding of existing infrastructure makes it much easier to identify pain points and business goals.

With a clear picture of where you are now and what you hope to achieve with SASE in the future, you can start choosing SASE vendors and solutions.

Step 3: Choose SASE vendors and solutions

There aren’t any fully mature, single-solution SASE providers yet. Some vendors provide access via SD-WAN and related technologies, while others offer security service edge via cloud-based network security features. If you have an existing SD-WAN backbone that provides all networking functionality, then you only need a single vendor for a cloud-based security stack. Otherwise, combine a security service edge solution with an SD-WAN solution to complete the SASE implementation.

SD-WAN and cloud security solutions need to work well together. Security service edge providers often partner with SD-WAN vendors to create fully integrated solutions managed from one unified platform. For example, ZPE Systems partners with Palo Alto Networks to provide an SD-WAN on-ramp to the Prisma Access security service edge solution. Enterprises should prioritize integration when evaluating potential vendors.

Step 4: Stage and test SASE deployment

The exact steps to configure services will vary depending on the provider, environment, and requirements.

We recommend creating a staging and testing environment separate from the production environment, so you can perform thorough integration and user acceptance testing before going live with the SASE deployment. Test how the cloud security stack integrates with your SD-WAN solution, as well as with other applications and tools like security information and event management (SIEM), role-based access control (RBAC), and security orchestration, automation, and response (SOAR).

Additionally, perform user acceptance testing with real users and workloads to accurately picture how these changes will affect the people using your systems every day. This will help identify bugs and issues, determine what kind of user training is needed at the cutover time, and optimize the overall user experience to make the transition to SASE easier for your organization as a whole.

Step 5: Cutover, troubleshoot, and support

Even the most meticulously planned deployments can go awry, so companies should have support staff ready to handle any user complaints and technical staff on hand to troubleshoot any configuration or deployment errors. After cutover, your support staff also needs to provide training and documentation for the user base to ensure they know how their daily processes will change and what to do if they encounter any problems.

Step 6: Continuously optimize SASE implementation

Once your SASE implementation is live, you should constantly monitor it and look for ways to improve and optimize. Infrastructures will evolve, as will the technology offered by SASE vendors. As you add new cloud infrastructure, SaaS platforms, branch offices, and other edge computing requirements, evaluate the SASE technology to see if additional functionality is needed or desired.

By following these six steps, you can plan and implement a SASE deployment that addresses your unique environment, requirements, and business goals.

Discover more on how to simplify SASE implementation

A successful SASE implementation requires in-depth planning and preparation, robust testing, comprehensive training and support, and continuous monitoring and optimization. You can make this process easier by investing in SASE solutions that integrate and consolidate management tasks behind one pane of glass. 

For example, you can use Nodegrid’s innovative SD-WAN and remote branch management solutions as your on-ramp to secure service edge technologies. We partner with trusted SASE providers to deliver an integrated platform that consolidates and simplifies your SASE management and optimization.

Want to learn more about how ZPE Systems’ Nodegrid can help your business with SASE implementation?

Call 1-844-4ZPE-SYS or schedule a free demo.
