Providing Out-of-Band Connectivity to Mission-Critical IT Resources


Security Service Edge (SSE) Implementation Guide for Enterprises


Security Service Edge (SSE) is an emerging network security model that rolls up technologies like zero trust network access (ZTNA), cloud access security broker (CASB), secure web gateway (SWG), and next-generation firewalls/firewall as a service (FWaaS) into a cloud-centric security stack.

With these cloud security services, you can provide secure access to the cloud and software as a service (SaaS) resources for both on-premise and remote workers. This blog will dive into the essential technologies to achieve security service edge. We’ll also discuss the benefits these technologies can provide to your enterprise, as well as tips and best practices for streamlining your SSE implementation.

SSE implementation guide for enterprises

Enterprises may choose to implement SSE by purchasing an all-in-one solution that includes the core components of security service edge. Other teams prefer to buy each security technology separately so they can select the best vendor for their particular use case, or because they already have some SSE capabilities with their existing security stack and only need to supplement with one or two additional solutions.

Let’s take a look at the key security service edge technologies that you need to implement to achieve SSE for your enterprise.

Zero trust network access implementation

ZTNA, or Zero Trust Network Access, is a remote access security solution based on the zero trust security model and follows the principle of “never trust, always verify.” Unlike a VPN, which gives authenticated remote users full access to an enterprise network, ZTNA only allows remote users to access specific resources one at a time. With ZTNA, you can create contextual access control policies that limit a user’s privileges depending on the relative risk of that specific request. So, for example, a user connecting at 1 PM from their home office may get more ZTNA privileges than a user connecting at 1 AM from their mobile device in another country.

A ZTNA solution needs identity and access management (IAM) capabilities to authenticate users and dynamically assess their trustworthiness. For instance, ZTNA typically uses multi-factor authentication (MFA) to provide an extra layer of verification before a user can access enterprise resources. User and entity behavior analytics (UEBA) are also commonly used by ZTNA because these can track account and device behavior on the enterprise network to spot anomalous behavior and provide analyses of a user’s trustworthiness.

ZTNA can be deployed as physical appliances in data centers, or you can choose an entirely cloud-based solution. Using ZTNA as a cloud service will save you from needing to purchase, configure, deploy, and manage more physical hardware, plus you’ll be closer to achieving an ideal SSE implementation by keeping more infrastructure in the cloud. In addition, purchasing IAM and ZTNA capabilities as one solution is not needed if you already have an existing IAM (or a particular vendor you wish to use)—just make sure your ZTNA and IAM support integrations with each other. Implementing ZTNA for SSE helps you bring zero trust security to your cloud and remote traffic.

Cloud access security broker implementation

A CASB, or Cloud Access Security Broker, is essentially a software gatekeeper that sits between enterprise users and cloud services. It provides visibility into how enterprise users interact with your cloud services, using technology like UEBA to detect unusual behavioral patterns and assess risk.

CASB serves numerous vital cloud security functions, including:

  • Applying enterprise policies to cloud resources so that the same level of security is enforced equally across your on-premises and cloud infrastructure.
  • Auto-discovering all cloud applications, data, and services in use so you can identify risk factors and prevent shadow IT (technology in use by your enterprise that your IT teams might not know about).
  • Extending data loss prevention (DLP) and data governance policies to your cloud data, to prevent the exfiltration of sensitive and proprietary data, and ensuring your enterprise complies with data privacy regulations.

As part of an SSE implementation, there are two CASB deployment modes to choose from, depending on your enterprise’s unique needs. You can use a proxy-based CASB, which is an HTTP proxy that sits between remote users and the cloud to monitor and direct traffic. Or you can use an API-based CASB, which interfaces directly with cloud and SaaS providers to inspect traffic.

Each deployment mode has pros and cons that need to be weighed against your enterprise’s goals and requirements. Generally, a proxy-based CASB may cause network slowdowns because all your remote, cloud-destined traffic is funneled through a single device. Still, it is flexible, since it can work with any vendor or application. On the other hand, an API-based CASB often suffers from vendor lock-in since it integrates with a specific provider (like Microsoft 365 or Salesforce), but it causes less latency and doesn’t require any physical or hosted hardware. Either way, deploying CASB for your SSE implementation helps monitor and protect traffic to and from your cloud services.

Secure web gateway implementation

An SWG, or Secure Web Gateway, is precisely what it sounds like—a secure gateway between your enterprise and the web. It filters malicious content from the internet and blocks dangerous user activity (like clicking unsafe links or downloading files from untrusted websites). Enterprise IT teams have been using traditional SWGs for years in physical appliances or as software running on proxy servers.

For SSE, an SWG is a cloud-based solution that can route all remote and branch office traffic to bypass your data center altogether. That means you don’t need to backhaul remote traffic through the SWG at a data center. However, you still get to apply enterprise web filtering, acceptable use policies, and internet security. Implementing an SWG for SSE allows you to treat your remote web traffic the same way as your on-premises traffic, providing consistent security across the board.

Next-generation firewall/Firewall as a service implementation

An NGFW, or next-generation firewall, improves the capabilities of a stateful firewall by providing features like cloud threat intelligence, integrated intrusion prevention, and application awareness plus control. An NGFW can be a physical appliance you deploy at the data center. Still, for an ideal SSE implementation, you should look for NGFW technology as a cloud-based service known as FWaaS or firewall as a service.

FWaaS delivers all the functionality of an NGFW, including:

  • Breach prevention, which uses technology such as integrated intrusion prevention, URL filtering, and built-in sandboxing to analyze viruses and other malware.
  • Complete network and cloud visibility with monitoring, UEBA, and automated threat analysis and remediation.
  • Deep packet inspection (DPI) to comprehensively analyze every data packet that passes through your network.

One of the most significant benefits of FWaaS for SSE implementations is that you won’t need to deploy many physical appliances to branch offices and data centers. Plus, you can route remote and cloud-destined traffic through a cloud firewall instead of backhauling it through a physical device, which reduces network latency. FWaaS for SSE provides all the security functionality of a physical next-generation firewall, but as a convenient cloud service.

Zero trust network access, cloud access security brokers, secure web gateways, and firewall as a service are the four key technologies needed to deploy and achieve the SSE model. However, to use SSE technology, you need to route the remote and branch office traffic to those services. This is what’s known as an access onramp, which turns SSE into SASE—secure access service edge.

Access your SSE implementation with Nodegrid

You also need an access solution that integrates seamlessly with your security service edge implementation and simplifies the management of your remote network architecture, like ZPE Systems’ Nodegrid. The Nodegrid SR family of edge routers delivers vendor-neutral orchestration of your remote infrastructure so you can easily spin up and manage your SSE solutions from anywhere in the world.

Learn more about how to access your SSE implementation with Nodegrid.

Contact ZPE systems online or call 1-844-4ZPE-SYS.


Top Security Service Edge Use Cases & Benefits for Enterprises


Security service edge (SSE) is an emerging network security model, first announced by Gartner in their 2021 Hype Cycle, that stems from the need to retool the industry’s thinking about SASE (secure access service edge). SSE protects your network edge by combining cloud-based security technologies, including:

  • Firewall as a Service (FWaaS), which rolls up firewall technology into a cloud-based service
  • Zero Trust Network Access (ZTNA), which applies zero trust security principles to remote traffic
  • Cloud Access Security Broker (CASB), which applies enterprise security controls and policies to traffic between the cloud and on-premise networks

Several use cases are driving enterprises to adopt SSE: securing traffic from remote workers, enabling migration to cloud and SaaS platforms while applying the same level of security as on-premises, and simplifying the security of an SD-WAN architecture. Let’s dive into the top SSE use cases and benefits for enterprises.

Top SSE use cases and benefits for enterprises

The top use case driving SSE adoption, and the most relevant to many enterprises right now, is the need to provide secure and reliable access for remote employees. We’ll also touch upon how SSE enables secure adoption of cloud and SaaS solutions and how you can combine SSE with SD-WAN technology to achieve the SASE model.

SSE use case #1: Securing remote access for remote employees

The pandemic forced many enterprises to adopt new remote access technologies—or upgrade existing ones—so their employees could safely work from anywhere without affecting productivity. However, even pre-pandemic, many organizations were recognizing the limitations of VPNs (virtual private networks) for a workforce that might need access to enterprise resources from anywhere in the world at any time. VPNs present numerous security challenges for enterprises:

  • To secure remote traffic, you need to route it through a firewall or security appliance at your headquarters or data center. This can create significant bottlenecks on your enterprise network and affect performance for both remote and on-premises users.
  • Typical VPN solutions don’t provide any mechanism for centrally managing your deployments or monitoring the devices that remotely connect to your network. In an enterprise setting, this means you could be allowing hundreds or thousands of remote VPN connections to your primary enterprise network from devices that may or may not have adequate security controls, without verifying the identity or trustworthiness of the person connecting.
  • In addition, once a user or device connects via VPN, they can freely move about your enterprise network just as if they were in the office. If a hacker compromises a privileged account with VPN access, they could jump from system to system, exfiltrating data and causing financial and reputational damage in the process.

SSE benefits for securing remote connections to enterprise, cloud, and SaaS services

Enterprises can significantly reduce bottlenecks by bypassing their headquarters, since most remote traffic is destined for services outside the network. SSE eliminates the need for remote, cloud, or web-destined traffic to route through the enterprise network firewall, because it provides security as a cloud-based service. That means you’re routing remote traffic through an SSE solution in the cloud rather than through a physical device at the office or data center, reducing the enterprise network’s load.

SSE uses technology like ZTNA to provide granular visibility, control, and verification of all the remote users and devices connecting to the enterprise resources. For example, with ZTNA, you can apply specific access control policies that grant remote users access to only the specific resource they need for the task at hand. Once a remote user authenticates, ZTNA creates a secure, encrypted tunnel to that application or resource, removing the need for a VPN.

SSE also provides a unified, cloud-based security stack that you can access and manage from anywhere at any time. Through components like FWaaS, you can monitor and track all remote devices from one control panel. For instance, you can ensure all laptops are running the latest security definitions and create rules that block connections from a device that isn’t up-to-date.

In addition, SSE restricts lateral movement on your network, following what’s known as the “dark cloud” principle (also known as software-defined perimeter) to prevent remote users from seeing or interacting with anything except the specific application they’ve been authenticated for. If a remote user needs to access a different resource, their privileges and trustworthiness can be re-verified using specific security policies for that new resource.

SSE addresses VPNs’ security concerns by providing an alternative way for remote users to securely access the cloud, SaaS, and web services they need without touching your enterprise network. Using technologies like ZTNA and FWaaS, SSE allows you to centrally manage remote users and devices, apply highly precise security policies, and restrict lateral movement on the network, while still providing secure and reliable access to enterprise resources. That’s why you should consider replacing VPN with SSE for the work-from-anywhere user base.

SSE use case #2: Public cloud and SaaS adoption without sacrificing security

Security is one of the primary concerns when migrating workloads or services to the cloud. For example, you may find it challenging to apply enterprise security and access control policies to your SaaS or cloud platform, leading to inadequate policy enforcement in the name of convenience.

Another example is when you process regulated data for healthcare or financial systems; you may need to enforce specific data governance policies about who can access what information and for which reasons. It can be challenging to gain visibility into how your users are accessing data in the cloud, especially if you rely on the monitoring functionality provided by individual cloud vendors.

SSE benefits for securing public cloud and SaaS implementation

Cloud and SaaS services need the same level of security as your enterprise network, and SSE makes that possible. SSE uses an integrated CASB to apply enterprise security, access, governance, and compliance policies across all cloud and SaaS platforms. The CASB also uses an API integration to automatically discover data, both at rest and in transit, across all cloud services so you can easily see who is accessing it and how it’s being used. This API integration allows the CASB to scan for malware and policy violations, send alerts, and automatically remediate threats.

SSE doesn’t just benefit remote workforces. Using an integrated CASB, SSE also allows enterprises to migrate from on-premises data centers to cloud and SaaS platforms while applying the same security, access, and data governance policies. We recommend adopting SSE if you’re migrating any critical or sensitive resources to the cloud.

SSE use case #3: Combining SSE with SD-WAN to achieve SASE

Secure access service edge (SASE) is a popular network security model introduced by Gartner in 2019. SASE combines a cloud-based security stack with software-defined wide area network (SD-WAN) technology to provide an integrated solution for accessing and securing your network edge.

The SASE stack includes the same technologies as SSE, and you’ve probably noticed the names are very similar. That’s because SASE is essentially SSE plus access—which is provided by an SD-WAN backbone.

Benefits of combining SSE with SD-WAN to achieve the SASE model

There are numerous benefits to implementing both SD-WAN and SSE to achieve the SASE model. For one, SSE doesn’t provide any mechanism to connect your remote and branch office users to the cloud and SaaS resources it’s protecting. SD-WAN’s intelligent and application-aware routing lets you send remote traffic directly to your cloud and SaaS platforms and bypass your enterprise network.

In addition, SD-WAN technology doesn’t come with any mechanisms for security—you still need to use firewalls and other appliances at all your data centers and branch offices to protect that traffic. The more remote locations you add to your SD-WAN implementation, the more security appliances you need to manage. SSE simplifies things by consolidating all your SD-WAN security into a single cloud-based stack.

SSE and SD-WAN complement each other well, and when you combine them, you end up with a comprehensive SASE implementation. If you have an existing SD-WAN architecture and want to simplify and streamline your network security, then you should add SSE to achieve full SASE. And the reverse is also true—if you’re going to implement SSE but don’t have the existing architecture for enabling remote and branch office access, then you should consider SD-WAN technology.

Accelerate your SSE deployment with Nodegrid

If you’re looking for a better way to secure remote traffic, cloud resources, and SD-WAN architecture, then your enterprise may benefit from a security service edge. If you don’t already have an SD-WAN backbone on which to build your SSE implementation, consider a vendor-neutral platform that works with a security service edge provider. ZPE Systems’ Nodegrid partners with top SSE providers, including Palo Alto, to provide a seamless SD-WAN onramp to your security service edge functionality. The Nodegrid SD-WAN platform for enterprise networks is key to making SSE work for your enterprise.

Want to learn more about how Nodegrid can help support your SSE use case?

Contact us online or call 1-844-4ZPE-SYS today.


Understanding Key Components of SSE (Security Service Edge)


Modern network management involves a wide variety of distributed technologies. Because of this, enterprises have progressively moved towards the Secure Access Service Edge (SASE) model to provide remote users with secure cloud-based services. Even though these services came together to form a comprehensive network and security stack, several providers made inaccurate claims that their products offered an all-in-one solution.

Consequently, the SASE model has undergone a rebranding. The new and improved focus on Security Service Edge (SSE) programs has confused those interested in transitioning to a remote structure. This article will help you understand SSE, its components, and how SSE differs from SASE.

In addition, we will discuss how you can implement SSE into networks and start your journey towards the SSE architecture suited for your enterprise.

What is Security Service Edge (SSE)?

SSE is a combination of cloud-based security technologies designed to protect your edge network. With all its programs combined, it forms half of the SASE framework. SSE provides cloud-based security and SaaS programs to the edge network perimeter, allowing remote users to access these services without being in the office.

What are the key SSE components?

To understand how SSE works, you need to understand its components and how they come together to form a more cohesive edge computing architecture.

Let’s dive deeper into each SSE component to understand them better.


Zero Trust Network Access (ZTNA)

Zero trust is one of the most important aspects of a robust SSE architecture. Zero trust is a security framework that operates on the central principle that “no device is trustworthy.” This includes devices within a company’s perimeter, which traditional “castle and moat” models ignore.

While zero trust exists as a general security architecture involving a variety of principles, zero trust network access (ZTNA) is the practice of applying zero trust principles to a comprehensive SSE security stack. When applied correctly, ZTNA uses features such as:

  • Uniform security policies
  • Identity-based authentication
  • Centralized visibility
  • Granular access
  • Threat monitoring following access

ZTNA emphasizes “granular” access since it limits who can access what. In this way, it helps prevent cyberattacks and minimizes their effects if they happen.

Cloud Access Security Broker (CASB)

CASB works as a form of cloud-based security. Whereas ZTNA focuses on the granular task of monitoring individual points of access, CASB focuses on tracking data transference from one cloud environment to another. When we talk about CASB, it is essential to specify that we mean integrated CASB instead of traditional CASB, which only offers piecemeal security protocols that solely cover data already in the cloud.

Integrated CASB uses an API-based security system that communicates with the various SaaS applications commonly used by SSE networks. The significant advantage of this approach to cloud security is that integration capabilities are updated automatically as new SaaS programs are introduced. With the rise of SaaS usage by large and small enterprises alike, CASB is undoubtedly a central need for any strong SSE network.

Secure Web Gateway (SWG)

As SSE networks exist almost entirely on the premise of edge computing, it makes sense that users want to emphasize a well-secured access terminal. The purpose of SWG is to provide this terminal in a remote location that exists on the edge of the security perimeter. Secure web gateways protect user access by:

  • Limiting website access once a user is connected
  • Enforcing security policies
  • Protecting data transfer

By limiting and restricting access, remote users will be less likely to access materials that could contain malware or ransomware (Palo Alto cites ransom amounts having climbed by 82% in the first half of 2020). SWG makes up an integral part of the SSE security stack, providing the access terminal through which users begin to interact with the other programs.

Firewall as a Service (FWaaS)

FWaaS uses a SaaS service structure to provide firewall services for clients. FWaaS offers large and small enterprises cloud-based firewalls, which they can customize to work around company applications or cloud-based services, without needing to route traffic through a physical firewall appliance at a data center.

The main advantage of FWaaS is adaptability—since it is constantly updated to integrate with new and existing services commonly used in SSE networks. With FWaaS, you avoid all the hassle of deploying and managing hardware at every branch office or the performance issues that come from backhauling remote traffic through a single appliance at the primary data center.

SSE vs. SASE: What is the Difference?

The transition to SSE networks might seem confusing for network administrators who have been working on the SASE model in recent years. This is an understandable confusion, but the differences between them are significant and merit some study. The basic breakdown is as follows:

  • SASE = Secure Access Service Edge
  • SSE = Security Service Edge

This distinction seems odd on its face. The difference between the two is just the element of access. That essentially means SASE = SSE + Access. The access portion of SASE is itself a collection of several components. SD-WAN, routers, and gateways all play essential roles in granting remote users access to the programs offered by the SSE stack. Together, the two create the comprehensive SASE architecture, which has become the benchmark for remote access over the last few years.

Why Does “Access” Matter as an SSE Component?

It’s easy to look at the equation above and think that enterprises are losing something with the move to SSE, since SASE seems to have something (access) that SSE does not. This is why it’s important to remember that SASE is a collection of programs and is not offered as an all-in-one system anywhere. This has not stopped various SD-WAN network providers from claiming to provide a SASE connection, confusing the market and necessitating the move in distinction to SSE.

What SSE components can do for your organization

Whether or not you plan on switching over to an SSE network entirely, the fact remains that many SSE components are good tools to have in your security stack. Even if your company has not gone remote and operates using a traditional “castle and moat” model, things like ZTNA, CASB, and SWG still have a lot to offer in making your business more secure.

For enterprises wishing to switch over to a SASE framework, ZPE’s Nodegrid series of routers offers options for both SD-WAN solutions and Zero Trust Network Access, making it the perfect start on your SASE journey.

Want to learn more?

Contact us for more information on how we can help get your enterprise on the right track.


How to Implement Zero Trust: Technologies to Shield You From Million-Dollar Losses


How to implement zero trust security is a growing focus of organizations across the globe. With cyber attacks frequently hitting some of the largest companies and threatening entire economies, it’s no wonder why comprehensive network security is a top priority among public- and private-sector entities.

In this post, we’ll show you what you need to implement zero trust security, from big-picture items to individual technologies.

But first, here’s a recap of zero trust security and why your business won’t be safe without it.

Why you need Zero Trust Security

Imagine bringing in a new hire to your department. Soon after, you notice suspicious computer slowdowns and applications that don’t respond as usual. You dive into your program files and discover an unknown .exe file, and you dive deeper to discover attackers actively exploiting your resources. You quickly pull your team together to lock down your network, sanitize every computer and connection, and send out a company-wide instruction to have every employee reset their password.

It turns out, your newest employee unknowingly clicked a bad link and opened the door for a trojan horse attack. But because of your quick response, no significant damage was done and you can rest easy again.

Months later, you come in for your normal workday only to find all your systems locked and unresponsive. Dave, a senior engineer, retired on the day of the attack and never reset his password. The hackers stole his credentials and have gone unnoticed for months. Now your company and its customers are compromised, and the consumer markets you serve are in a frenzy due to a shortage of goods. You can’t help but feel somewhat responsible for the entire ordeal.

This example mimics recent real-world cyberattacks and highlights the importance of moving away from traditional security approaches.

Traditional architecture uses the castle-and-moat security approach. Once a user gains access (crosses the moat), they become trusted to use your organization’s resources (the castle). Aside from the occasional password reset or other authentication protocol, this approach leaves plenty of opportunities for outsider and insider attacks. Zero trust security, however, places a moat around every node and user. This means that no matter how often a system or user needs to access a resource, they always have to verify their identity and intent.

In other words: never trust, always verify. In our example above, implementing simple two-factor authentication could have alerted Dave to his stolen credentials, which would have prevented the attack.

The need for zero trust is due to the explosion of distributed networking. Communications used to be straightforward and centralized: a trusted user using a trusted device would connect from a trusted office location to the data center. Apps and data were securely transmitted between parties, and sealing out attackers could be as simple as deploying a new point solution or product. But user expectations changed all this; now, they need to connect from anywhere using a variety of devices, which means the modern network includes SaaS, cloud, and third-party platforms. This hybrid infrastructure means there are now more nodes and lines of communication than ever — and each is vulnerable to attack.

If the recent attacks on SolarWinds, Microsoft Exchange, and Colonial Pipeline aren’t convincing enough, consider the latest hack involving Kaseya, an American company that specializes in IT and network management software. By exploiting the virtual systems/server administrator (VSA), attackers were able to compromise up to 1,500 of Kaseya’s customers, shutting down educational services, law firms, and an outpatient surgical center in South Carolina.

Pervasive attacks like these have prompted political action, with the President signing a cybersecurity executive order this past May. Read our breakdown of the legislation and how it aims to improve cybersecurity across public and private sectors.

Now that you know why you need better security, how do you implement zero trust?

How to implement Zero Trust: The big picture

Zero trust is merely a concept; implementing Zero Trust Network Access (ZTNA) puts this concept to work. Implementing ZTNA involves two parts:

  • The processes, which we covered in a previous post, and
  • The technologies, which we’ll talk about in this post

At a high level, this diagram shows the components you need when considering how to implement zero trust.

A high level diagram of the three main components of zero trust security, including the enterprise resource, policy enforcement point, and policy decision point.

There are three major components to look at in the big picture of zero trust security:

  1. Enterprise resource — This includes all the IT stuff you need to protect and that your business relies on, like hardware, software, and network equipment. In simple terms, this is like the gold that you keep carefully guarded in the center of your castle.
  2. Policy enforcement point — This is the datapath element that enables, monitors, and terminates connections between users / devices / applications and enterprise resources. Simply put, this is like the guard that accompanies those wishing to access your gold.
  3. Policy decision point — This is the layer that decides who / what is safe and grants / revokes access accordingly. In other words, this is the gatekeeper who determines who is allowed into your castle.

To better understand these, here’s a closer look at each:

Enterprise resource

This component is pretty straightforward, and consists of elements you need to operate and manage IT environments. These elements can include hardware like computers and data storage devices; software such as web servers, content management systems, and operating systems; and network equipment like servers, routers, firewalls, and out-of-band devices.


Policy enforcement point

This component consists of the datapath elements that enable, monitor, and terminate connections between subjects (users / devices / applications) and your enterprise resources. Though this is represented as one component, it comprises two parts that are both typically used in deployments. These parts are:

  • A client-side agent, usually deployed on a laptop or server.
  • A resource-side gateway, which controls access in cases where a client-side agent cannot be installed. Examples where gateways are used include regulated healthcare equipment, ATMs, and operational technology equipment.


Policy decision point

This component is the management and orchestration layer. It verifies identities to determine who is safe, and applies policies to determine who gets access and to what. The diagram also shows it as one component, but it consists of two parts:

  • Policy engine — This is the engine that decides whether a machine or a flow of web traffic is safe. To make that determination, it draws on a variety of data sources, such as PKIs and identity management providers, continuous diagnostics and mitigation (CDM) systems, and activity logs.
  • Policy administrator — This component acts on the policy engine’s determination, granting or revoking access for the machine or web traffic in question.

There are many tools available to help you monitor and visualize traffic, so you can create policies and configure your policy decision point to meet your zero trust outcomes.

In order to create your zero trust configuration, you need to deploy several essential technologies.

How to implement Zero Trust: Essential technologies

Zero trust is a complete re-imagining of network security and can be a daunting task. But when you add its fundamental technologies to your toolkit, you can effectively build the three components described above and achieve Zero Trust Network Access (ZTNA). Here are the essential technologies you need to accomplish this.


Identity and access management

A large part of zero trust security relies on verifying that a device or user really is who they claim to be. For this, you need an identity management solution from a trusted provider and public key infrastructure (PKI). Together these let you create and issue a digital fingerprint for every user that carries information such as their username, role, and other unique data. Multi-factor authentication, which requires users to present two or more pieces of identification/verification before access is granted, is a critical component of identity verification.

Additionally, access management is an important piece that determines a user’s authorization level, or in other words, which resources they can access. Identity and access management both feed information into your zero trust model’s policy engine.


Policy management

Another essential technology to have is a policy management solution. This is integrated into your security stack and serves as a single policy creation point. This allows you to define access and authentication policies for your entire organization.

You can specify data access rules for users, devices, and roles, which is vital to achieving micro-segmentation, limiting lateral movement, and enforcing least-privilege access. All of these feed into your policy engine and are used by your policy enforcement point to validate whether a session is allowed to continue.
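The policy decision point described earlier (policy engine plus policy administrator) and the per-session validation the enforcement point performs can be sketched in code. The model below is an added illustration, not ZPE Systems or Nodegrid code; the roles, resources, business-hours window and all request contexts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Context:
    """Signals the policy engine consumes (identity store, device posture, time/geo)."""
    user: str
    role: str
    mfa_verified: bool       # from the identity provider
    device_compliant: bool   # from a CDM-style posture source
    hour_local: int          # 0-23 at the subject's location
    abroad: bool             # connecting from outside the user's home country
    resource: str            # the single resource being requested

# Constructed rules: which resources each role may reach, and the hours that
# count as low risk (outside them, extra context decides).
ROLE_RESOURCES = {"engineer": {"git", "ci"}, "contractor": {"ci"}}
BUSINESS_HOURS = range(7, 20)

def policy_engine(ctx: Context) -> Tuple[bool, str]:
    """Policy engine: decide whether this one request is safe, with a reason."""
    if not ctx.mfa_verified:
        return False, "mfa_required"
    if ctx.resource not in ROLE_RESOURCES.get(ctx.role, set()):
        return False, "resource_not_in_role"
    if not ctx.device_compliant:
        return False, "device_posture"
    # Contextual rule: off-hours access from abroad is treated as high risk.
    if ctx.hour_local not in BUSINESS_HOURS and ctx.abroad:
        return False, "offhours_abroad"
    return True, "ok"

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str   # ZTNA grants one resource at a time, never the whole network

def policy_administrator(ctx: Context) -> Optional[Grant]:
    """Policy administrator: turn an allow into a narrow grant, otherwise nothing."""
    allowed, _reason = policy_engine(ctx)
    return Grant(ctx.user, ctx.resource) if allowed else None

def enforcement_point_continue(grant: Grant, current: Context) -> bool:
    """Enforcement point: mid-session, the grant stays valid only while the
    engine still says yes for the same subject and the same resource."""
    if (grant.user, grant.resource) != (current.user, current.resource):
        return False
    return policy_engine(current)[0]
```

Re-running the engine on fresh context mid-session is what lets the enforcement point revoke a connection when device posture or location changes after login.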


Zero trust equipment and applications

Tying everything together requires equipment and applications that are able to enforce your policies. These are physical or virtual solutions that sit in front of servers and serve as your enforcement points. For example, this could be your next-gen firewall (NGFW) that initiates the multi-factor authentication protocol, verifies a user’s identity, and uses your defined policies to restrict the user’s access to a specific segment of your network.

Where can you get these essential Zero Trust technologies?

When considering how to implement zero trust, keep in mind that there are many vendors who can provide you with the essential technologies.

  • Obtaining an identity and access management solution is the easiest task when implementing zero trust. Many organizations offer an identity store, such as Azure Active Directory or Google Cloud Identity. You can also use companies dedicated to identity management, such as Duo, Okta, or Ping Identity. Keep in mind that if you need to control third-party access, such as for customers or equipment management contractors, you’ll need a solution that can access multiple identity stores simultaneously.
  • Obtaining a policy management solution requires careful consideration and should be part of your overall security stack. Look for a solution that allows you to create policies and set up datapath enforcement points. An adequate framework enables you to create authentication and post-authentication access rules, with an enforcement point that segments your network and continuously authenticates sessions. This security stack can be an on-prem NGFW, or delivered via the cloud using a Secure Access Service Edge (SASE) model, both of which are available from trusted providers like Palo Alto Networks.
  • Regardless of whether you use an on-prem or SASE model, you need an edge infrastructure platform to sit in front of servers and host the enforcement point. For on-prem, this platform must be able to host an NGFW to secure network segments and VLANs. For SASE, this platform must be able to create VPN tunnels to your SASE platform, which can be used for inline inspection and policy enforcement. Either approach requires powerful computing capabilities and a flexible operating system to accommodate workloads for detecting, analyzing, and automatically responding to threats, which few vendors offer.

Here are examples of what proper zero trust implementations look like, with ZPE Systems’ Nodegrid as the edge infrastructure platform:

Implementation diagram showing how to implement ZTNA at the data center using Nodegrid.

In this diagram, you can see where ZTNA and Nodegrid fit into the scheme at the data center. The user connects via the Internet, and the Nodegrid SR device serves as the Policy Enforcement Point, hosting a VM. This VM communicates with the Policy Engine to authenticate the user, and then grants access to the data center application.

Implementation diagram showing how to implement ZTNA at a branch, edge, or other distributed location.

In this diagram, the user tries to connect to an application at a branch, edge, or other distributed location. The user connects via the Internet, where SASE and ZTNA provide secure connectivity. The Nodegrid SR device connects via VPN to the Policy Engine for authentication, and then grants access to the branch application.

How to implement Zero Trust: A recap

To protect your organization, implementing zero trust requires you to build out the main components. With the policy decision point and policy enforcement point in place, you can secure your enterprise resources from outsider and insider attacks. Ensuring these components work like a well-oiled machine means you need the proper identity and access management tools, a complete policy management solution built into your security stack, and equipment and applications that can enforce your zero trust security policies.

Because user expectations have caused infrastructure to become incredibly distributed and complex, the attack surface has increased dramatically. The traditional castle-and-moat approach to security is no longer adequate, and recent newsworthy cyberattacks showcase the network vulnerabilities that even the largest companies still struggle to address. The President’s latest cybersecurity executive order is a step in the right direction to bolster infrastructure protection for public and private sector entities, and you can use this blog as a starting point to begin your zero trust journey.

Don’t get caught without these 5 security must-haves

Watch our webinar, Cyberattacks: 5 Security Must-Haves for Hybrid Infrastructure Gateways, and learn how to lay a solid foundation that makes implementing zero trust easier. Our experts will talk you through how to:

  • Keep edge networks and users fully protected
  • Make smart buying decisions
  • Get complete security and control for years of serviceability

Watch now to protect your business from growing cybercrime.

Virtual Customer Premises Equipment with Palo Alto Networks and Nodegrid


What is Virtual Customer Premises Equipment?

Virtual customer premises equipment makes use of virtualization to deliver network services. This approach essentially uses a virtual environment that consists of software-based functions. These functions can include routing, security/firewalls, VPNs, and much more.

ZPE Systems delivers innovative solutions to simplify infrastructure management at the datacenter, branch, and edge.

Learn how our Zero Pain Ecosystem can solve your biggest network orchestration pain points.
