Welcome, everyone. Hope you're having a good afternoon.
So the title originally was SASE versus Zero Trust, but I want to talk about how SASE and zero trust go together. Really, you can't have SASE without zero trust. I'll start off and talk about zero trust architecture, then go into what SASE is, and then make some observations based on the research that I'm working on right now; I'm working on a Leadership Compass on Secure Access Service Edge. So first up, zero trust architecture.
You know, looking at the building blocks, we like to say identity is at the center. Really, it starts at the very beginning here. So zero trust needs to encompass notions of identity, not just user identity, but also the devices that users originate from, whether they be smartphones or computers.
It also needs to have a notion of zero trust network access: access to the network needs to be governed by the attributes of users and the devices they originate from, in a runtime evaluation, to get to the systems that they need to access, the applications that are running on those systems, and then the underlying data resource objects that they're trying to access. So at every step along the way, there need to be policy-based access control decisions.
And again, identity is kind of the most important element that sort of infuses all of that. Zero trust, as you can see, spans all the different areas in IT that we're responsible for. And when we talk about zero trust network access specifically, it's about this continuous risk evaluation. We'll dive into that in a bit more detail in the next few slides.
So a couple of years ago, NIST published the SP 800-207 Zero Trust Architecture document. And I like to refer to this quite often.
I think it really encapsulates the architecture well. Plus, as you'll see, it gives sort of an update to the XACML reference architecture also. So, tenet number one: all data sources and computing services are considered resources that need to have strict access control policies in place. All communication, regardless of where it's originating or where it's going to, has to be secured. This means transport layer encryption, hopefully modern transport-level encryption like TLS 1.3, which is fortunately becoming more common.
Access to each individual resource needs to be granted on a per-session basis. That is good to reiterate, and I will do that again later: the need to not just grant access for a long period of time, or just periodically check it; it has to be done pretty much continuously. Access to the resources needs to be determined by dynamic policies that cover all those factors that we were talking about.
User identity, device identity, network, application, the systems that they live on, plus behavioral and environmental attributes, the context, which can include things like location, time of day, and enterprise needs. Ongoing monitoring, not just of the nature of the request, but of the associated security policy of all the assets that make up the environment. And then resource authentication and authorization must be dynamic before access is allowed.
And then lastly, the enterprise needs to collect as much information as it can about the access attempts, apply user behavioral analysis, and look at the current state of assets.
This includes things like vulnerability management, patch management, and then the state of network communications too.
So it's a pretty comprehensive look at zero trust architecture. What is this being driven by?
Regulations sometimes are the motivators of last resort, we might say, and privacy leads that: whether it be GDPR in the EU or many other privacy regulations worldwide, they all require data security as a part of privacy. We also see the finance industry with multiple regulations and standards that need to be enforced, things like PSD2, the revised Payment Services Directive in the EU, and 3-D Secure 2.0 or 2.x globally.
And then other countries and states have specific cybersecurity requirements that more or less mandate strong authentication for end users, which aligns with zero trust. And we see this in healthcare too: GDPR for patient records, as well as other regulations that are specifically about personal health information, require strict access controls. Export control is not something that we hear about as often as some of these other industry drivers.
But many countries have regulations that say who can get access to what kinds of information, and where they have to be located in order to get it.
And they may impose other kinds of attribute requirements for access to information. National security: this is the old classification-to-clearance mapping.
So some types of data in a national security setting might be classified as confidential, secret, or top secret. You need to make sure that individuals with the appropriate clearance can get to that; it is obviously a case for zero trust. It may be a little bit more fuzzy on the intellectual property side, but these are things like your trade secrets in industry.
How you make something, what gives you a competitive advantage. And zero trust access and a zero trust architecture certainly can help mitigate the risks around loss of trade secrets. And then lastly here, industry trade associations. They may not issue regulations themselves, but they do try to help their supply chain members comply with regulations by building frameworks and adopting standards for collaboration.
And again, zero trust I think can be at the heart of many of these.
This graphic has also been adapted from NIST SP 800-207. I like it because the graphic kind of embodies the XACML reference architecture. It separates the control plane, where decisions happen, from the data plane, where information lives and where the resources that we're trying to get access to would be found.
And here in the data plane you see the policy enforcement point being the thing that mediates access between the resource and the users and the devices that they come from, which are untrusted. The policy enforcement point just enforces the decision that comes from the policy decision point, which is based on the risk engine and the data access policy that had been input by the policy administrator in the control plane. Then on the sides you see, I think, a good representation of all the other principles, like the continuous diagnostics and monitoring systems here on the left.
Different industry compliance regulations, threat intelligence, activity logs; moving to the right, activity logs often flow into the SIEM system, security information and event management. ID management: again, identity is sort of at the center here of all of zero trust, including credential management, many of which are based on PKI certificates or keys.
And again, the data access policy that goes into the decision point.
So why do we want to do zero trust? I think it enhances defensive capabilities primarily: prevent access from untrusted devices.
One of the things I like to say about zero trust is it's a good way of enforcing the principle of least privilege. And then if you look at the rest of the points here, it's really about how to foil attacks like the ones you might find in MITRE ATT&CK or the old Lockheed Martin kill chain. So try to contain the attack if it happens, prevent credential discovery and misuse, prevent reconnaissance and lateral movement inside your network, stop data exfiltration, and discover or decrease the risks of spreading ransomware, theft of data, or the destruction of data.
And then really this can be very useful for facilitating incident response and mitigation as well.
So I said ransomware. I think that is another thing that's really motivating interest in zero trust architecture, for the notion of containment, as well as industrial espionage, talking about trade secret theft, and then data breaches involving PII. So moving on to SASE. SASE is kind of a newer term; it's been around for a couple of years. Vendors are sort of moving into how they meet the needs of this emerging market. So it's really meant to address two major use cases.
Number one: providing consistent and secure access from all the different locations where your organization has workers or contractors. This can be branch offices, kiosks, remote sales facilities, partner facilities, manufacturing and warehouses, even conference facilities.
And then as we learned, even prior to the pandemic, people were working from home; work from anywhere has gotten to be sort of the de facto standard that all organizations have to learn how to accommodate.
So workers can work from home, can work from a hotel, wherever they need to be. And we need to provide a consistent network experience as well as security for users in all these different situations.
With this, I kind of wanted to say there are three major categories of places that SASE needs to address. At the network level, whether that be on-premises data centers or these remote facilities that I mentioned, and the cloud, whether that be infrastructure as a service or even SaaS applications.
And then at the top, it really kind of starts with the endpoint. The endpoint can be users on their laptops or their phones in lots of different locations, and you may or may not have as much control over the endpoint in accessing these different kinds of resources. So SASE can be a very large, almost all-encompassing paradigm here.
So let's look at what makes up the different network layers and then the security layers for SASE.
First up is SD-WAN, and this is for providing that better networking experience between different locations, whether they be remote offices, remote facilities, or corporate headquarters. This is software-defined wide area networking, and it's designed to kind of replace, or do better than, previous types of connectivity, leveraging modern kinds of connectivity with ISPs and telcos. There's micro-segmentation.
This is dividing up your network into smaller, logical pieces, and then granting access based on the resources that are contained within.
And again, this can apply to the cloud as well. We see more and more direct access and 4G and 5G support needed. SASE also needs to include notions of traffic acceleration. This is often made possible by TCP proxies, or proxies of different kinds, in different locations around the world.
This may also require TCP optimization. This can be sort of changing out the network stack a little bit to optimize it for being able to deliver packets more consistently in the case of failures: you have a proxy in the middle that can deliver the packets, or can store them up for a while and then deliver them, so a customer gets a more consistent experience. Path redundancy, smart routing, and quality of service all kind of go hand in hand there, making sure that users aren't trapped at the end of a single path and that routing is taking the most efficient path amongst those. Protecting all the different assets from distributed denial of service attacks, and DNS protection as well.
VPN. I mean, VPN is a subject we could go into more depth about with regards to SASE. It's often listed as a primary driver: upgrading VPN, making it more efficient, adding authentication and better routing. SASE is often delivered as a gateway appliance or virtual appliance for on-premises networks to get to the cloud.
They have the edge: these are points of presence, closer to where the end users happen to be. It's also about improving the customer experience by having link status dashboards, monitoring for what the customer actually perceives, and delivering this as a managed service. On the security side, there are a bunch of different components here: firewall as a service, next-generation firewall, network detection and response. This is looking for attacks at the network level.
Secure web gateway, for applying corporate or enterprise policy to all kinds of access to resources users could access. Browser isolation: this is about protecting users as they're browsing online. You use a centralized service, and it brings back kind of a representation of what they see, so they're protected from malware. Endpoint security and unified endpoint management: I think these are stretch goals for SASE. None of the vendors really have that bundled in yet, even though some of the vendors have these as separate products. DLP and CASB: this is access control at the endpoint and at the cloud.
Zero trust is obviously foundational for SASE. User behavioral analysis: this again can help prevent unauthorized network access and unauthorized resource access. And SASE tools should be able to interoperate with your SIEM, your SOAR (security orchestration, automation and response), as well as your ITSM ticketing systems, all fed by cyber threat intelligence and delivered as a managed service.
With this slide, I was just trying to show, here again, all the different kinds of locations that can be served by a SASE architecture.
They all come into the edge, which can be delivered through points of presence. They may be co-location facilities, and depending on where you're operating, that would help drive your vendor selection: whether they have points of presence in your locations. So wrapping up here, what I've seen so far in market research is that not all the vendors that I've looked at have all these different functions built in, especially EPDR and UEM. They're not really there yet.
The vendors that don't have a complete offering: some of them partner with other vendors that do, others really don't address it and kind of leave it up to the customer.
The pros: it can provide more coverage in more areas. It can provide potentially performance gains and cost savings. But on the con side, it's not best of breed, so some components probably will be weaker than others. The SASE implementations are somewhat incomplete.
Some of the vendors don't have everything that we believe they need, and you might be left with vendor lock-in. So wrapping up, I'd say zero trust is a necessity. SASE is something to consider, and stick with us: we'll continue to monitor and publish on the subject as well.
If you have any questions, or if we're out of time, feel free to email me.
For such an insightful presentation. Any questions from the audience here?
Well, there's an online question. It says zero trust has benefits to enhance security there.
Oh, I'm not sure what that was referring to, but anyway, perhaps a question from my side: which type of organizations would you say would benefit from implementing SASE?
I would say larger organizations definitely have the most to gain from it, especially with locations in various places around the world.
A large remote workforce, anybody who has a large contractor workforce, and then SMBs, small to mid-size businesses, I think will begin to benefit from it as well, because it reduces the amount of management and will probably provide cost savings in the contract by bundling all the different capabilities into a single package. So I think it really will apply to everything from small business all the way up to the global enterprises.
Okay, thank you, John. Any questions? We have one minute left. One question.
Yes. Would it be... I didn't find it on the app.
Okay.
To find it. Would you be sharing the slides, John, so people...
Yeah, the slides should be available.
Okay. I'll get back to you on where to find them. Yeah. Okay. Well, thank you, John. Please, a round of applause. Thanks.