1 Introduction
In an age of ever-increasing cyber-risks, with a growing number of attacks and increasingly sophisticated targeted attacks, organizations are under constant pressure to improve their cyber-attack resilience. At the same time, access is becoming increasingly heterogeneous. Mobile employees, customers, connected devices, applications, APIs, and business partners access the internal network remotely, while more and more data is shifting to the cloud.
Protecting data in these environments, where the traditional perimeter around the internal network is no longer the single area of protection, has become a challenge. Many vendors are pushing technologies that they position as Zero Trust solutions, be it Zero Trust Networking or Zero Trust Security. The principle behind the Zero Trust buzzword is that organizations should never trust any entity implicitly and should always verify it before granting access to anything on the internal network or in the cloud. Those working with or for an organization should be able to work successfully from an untrusted network or an unmanaged device without compromising the organization's resources. Basically, the idea is that there must not be a single source of trust, such as the firewall at the network perimeter, but constant verification of entities and their access requests by different measures.
There are many approaches to improving the overall security posture of an enterprise. Taking a network-centric approach may involve an enterprise redesigning its network by splitting it into subnetworks, in an effort to raise the security level of each network segment according to the sensitivity of the resources that segment contains. Although network segmentation is a valid layer of security when pursuing defense in depth, it can also be expensive and difficult to justify in terms of return on investment (ROI). A more data-centric approach may involve data discovery and classification, followed by securing the data at rest and monitoring its usage. This approach is again a good layer of defense in depth but can be costly in the time and effort needed to find all the data and then to have subject matter experts available to properly classify it. Given that a large share of attacks are identity-related, often stemming from a weak or stolen password or from compromised privileged credentials, a case can be made that an access-first approach may be the better first line of defense.
Again, there are many ways of enforcing such approaches. Amongst these, we find different types of gateway-based security solutions. At the application level, these range from long-established Web Access Management and Web Application Firewalls to CASBs (Cloud Access Security Brokers). While the first two are focused on protecting internal applications, CASBs typically run in the cloud and protect access to cloud services.
Commonly, such approaches combine some sort of identity service, such as adaptive authentication capabilities, with access or data usage control at the application level, plus added reporting features. Gateway-based approaches require traffic to pass through a certain component, the gateway. While such gateways allow access to be controlled and managed, they in turn require access to be configured so that it actually passes through the gateway; otherwise, the gateway can simply be bypassed. That can happen at the edge if there are edge components that must be traversed. This is the common approach for Web Application Firewalls, which filter incoming traffic as an edge component. It might require configuring target applications to accept only requests coming in via the gateway. That approach is commonly found with CASBs, where the target cloud services are configured to accept tenant access only via a defined CASB gateway. Configuration can also happen at the client device, e.g. by requiring the web browser to use a certain proxy.
In practice, all such approaches impose some challenges and limitations. Thus, flexibility in implementation and use is a key criterion for selecting solutions, aside from the added level of security. The more transparently such solutions work, the broader their range of use cases.
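The weak point of any gateway-based approach is the origin that still answers requests which never went through the gateway. The following is an added illustration, not code from Safe-T or from any of the products mentioned: an origin-side check in which the gateway attaches an HMAC over method, path and timestamp, and the application rejects anything that lacks a valid, fresh signature or that does not arrive from the gateway's network. The secret, the network range, the header names and the sample requests are all assumptions constructed for this example.

```python
import hmac
import hashlib
import ipaddress

# Assumed for this example: a secret shared between the gateway and the origin,
# and the address range the gateway forwards from. Both are constructed values.
GATEWAY_SECRET = b"example-gateway-secret-rotate-me"
GATEWAY_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
MAX_SKEW_SECONDS = 300  # how old a gateway signature may be before it is treated as a replay


def gateway_signature(secret: bytes, method: str, path: str, timestamp: int) -> str:
    """HMAC-SHA256 over the request attributes the gateway vouches for."""
    msg = f"{method.upper()}\n{path}\n{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def forward_through_gateway(method: str, path: str, timestamp: int,
                            secret: bytes = GATEWAY_SECRET) -> dict:
    """Simulates the gateway: the headers it adds before forwarding to the origin."""
    return {
        "X-Gateway-Timestamp": str(timestamp),
        "X-Gateway-Signature": gateway_signature(secret, method, path, timestamp),
    }


def origin_accepts(remote_ip: str, method: str, path: str, headers: dict,
                   now: int, secret: bytes = GATEWAY_SECRET):
    """Origin-side check. Returns (accepted, reason) so every rejection is explainable."""
    ip = ipaddress.ip_address(remote_ip)
    if not any(ip in net for net in GATEWAY_NETWORKS):
        return False, "source address is not a gateway network"
    ts_raw = headers.get("X-Gateway-Timestamp")
    sig = headers.get("X-Gateway-Signature")
    if ts_raw is None or sig is None:
        return False, "missing gateway headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale signature (replay or clock skew)"
    expected = gateway_signature(secret, method, path, ts)
    # Constant-time comparison so an attacker cannot learn the signature byte by byte.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


def demo() -> dict:
    """Constructed requests: one legitimate, four that try to bypass or abuse the gateway."""
    now = 1_700_000_000
    hdrs = forward_through_gateway("GET", "/api/records", now)
    return {
        # Went through the gateway, arrives from its network, signature is fresh.
        "via_gateway": origin_accepts("10.10.0.5", "GET", "/api/records", hdrs, now),
        # Client hit the origin directly from the Internet.
        "direct_no_headers": origin_accepts("203.0.113.7", "GET", "/api/records", {}, now),
        # Attacker inside the gateway network but without the gateway's headers.
        "inside_net_no_sig": origin_accepts("10.10.0.5", "GET", "/api/records", {}, now),
        # Captured gateway headers replayed an hour later.
        "replay": origin_accepts("10.10.0.5", "GET", "/api/records", hdrs, now + 3600),
        # Valid headers for /api/records reused against a different path.
        "path_changed": origin_accepts("10.10.0.5", "GET", "/admin", hdrs, now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:>18}: {'accept' if ok else 'reject'} ({reason})")
```

The two checks are deliberately layered: the network allowlist alone fails as soon as an attacker gets a foothold next to the gateway, and the signature alone fails if the shared secret leaks, so an origin that enforces both is the one that makes "configure the target to accept only gateway traffic" actually hold.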
Israeli software vendor Safe-T Data (www.safe-t.com) delivers a platform that helps organizations restrict uncontrolled data and application access and usage by routing users through the Safe-T Secure Application Access solution. The solution covers a broad range of data access and usage scenarios, protocols and use cases, making it an interesting element specifically for environments with high data security requirements.