When it comes to implementing a zero trust approach to network security, Secure Access Service Edge (SASE) solutions provide essential connectivity and access controls. SASE is a product category covering a variety of security and networking capabilities, but at a bare minimum, every true SASE solution must be able to secure access to network resources.
Regardless of which approach to SASE you choose, your outcome will only be as good as the implementation. As network security experts, we’ve compiled a list of best practices to follow when rolling out SASE and Zero Trust Network Access (ZTNA).
To fully gauge what your SASE implementation entails, you need to first have the full picture of what you’re dealing with. You must know the limitations of your network, as well as everything inside it. It’s important to understand the extent of your network, where your edge is, what resources need to exist where, etc.
You’ll also want to evaluate what technologies you already have in place, such as DNS protection and firewall appliances. Take this time to also dig into any pain points. For example, you may be paying a lot for that firewall, but 80% of your workforce doesn’t even operate behind it. Armed with this knowledge, you can compare the capabilities of your SASE solution of choice. That way, you know exactly what needs to be incorporated into your SASE rollout so you can do so efficiently.
Now that you understand your needs, starting small before scaling is best. Deploy your SASE out to several machines and get a canary test of how it will work in practice. You can also take this time to start configuring and customizing your deployment. Doing so ensures your network controls are fine-tuned before they are rolled out across the organization at large. You’ll want to check items such as your DNS resolution and access to critical resources first before a large-scale rollout.
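One way to make the canary phase concrete is a small check script run on each pilot machine with the SASE client active. This is an added example, not code from the original post or from any SASE vendor: it verifies that internal names resolve into the corporate address space (rather than leaking to a public resolver), that critical resources are reachable, and that a resource policy should block is in fact blocked. The hostnames, ports and address ranges are constructed placeholders, and the resolver and connector are injectable so the logic can be exercised offline.

```python
"""Canary checks for a pilot SASE/ZTNA rollout (added example, hypothetical names)."""
import ipaddress
import socket

# Assumption: internal names should resolve into RFC 1918 space; adjust to your own ranges.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def default_resolve(name):
    """Resolve through the OS resolver, which the SASE client is expected to steer."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}


def default_connect(ip, port, timeout=3.0):
    """Return True if a TCP connection to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def is_internal(ip, ranges=INTERNAL_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def check_one(item, resolve, connect):
    """Evaluate one expectation; returns (passed, detail).

    item = {"name": host, "port": int, "expect": "reachable" | "blocked", "internal": bool}
    """
    name, port, expect = item["name"], item["port"], item["expect"]
    try:
        addrs = resolve(name)
    except OSError:
        # A name that does not resolve counts as blocked only if blocking was expected.
        if expect == "blocked":
            return True, "blocked at DNS"
        return False, "does not resolve"
    if item.get("internal"):
        leaked = sorted(a for a in addrs if not is_internal(a))
        if leaked:
            return False, f"internal name resolved outside corporate ranges: {leaked}"
    reachable = any(connect(a, port) for a in addrs)
    if expect == "reachable" and not reachable:
        return False, "expected reachable but connection failed"
    if expect == "blocked" and reachable:
        return False, "expected blocked but connection succeeded"
    return True, "ok"


def run_canary(expectations, resolve=default_resolve, connect=default_connect):
    """Run every expectation and return a list of (name, passed, detail)."""
    return [(e["name"], *check_one(e, resolve, connect)) for e in expectations]


def all_passed(results):
    return all(ok for _, ok, _ in results)


if __name__ == "__main__":
    # Constructed expectations; replace with your own critical resources.
    plan = [
        {"name": "intranet.corp.example", "port": 443, "expect": "reachable", "internal": True},
        {"name": "fileshare.corp.example", "port": 445, "expect": "reachable", "internal": True},
        {"name": "db-prod.corp.example", "port": 5432, "expect": "blocked", "internal": True},
    ]
    for name, ok, detail in run_canary(plan):
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
```

Run it on every pilot machine and only widen the rollout when every line reads PASS; a FAIL on the "internal name resolved outside corporate ranges" check is the classic sign that DNS is bypassing the SASE tunnel.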
Identity-driven authentication and access controls are cornerstones of ZTNA. SASE is purpose-built to require an authenticated identity before it grants trust and access to the network. It does, however, rely on a core Identity Provider (IdP) to authenticate those identities.
Some SASE solutions have an IdP built right in, so you can upload your users and move forward. Otherwise, you will need to integrate your identities from your current IdP, be it Azure AD, Google Workspace, Okta, or otherwise.
Another major aspect of zero trust is the ability to limit users’ access to only what they require, a concept known as the principle of least privilege. With a SASE solution, you can configure which employees have access to which network resources. This limits north-south traffic within the network, keeping people like Sales and Marketing out of mission-critical resources like data centers that they have no business accessing.
By controlling access with SASE, you can ensure that end users are only capable of seeing/touching the resources pertinent to their specific role. You can also keep the “crown jewels” of the business under further lock and key to prevent all unauthorized access whatsoever. Access controls like these ensure that, in the case of a breach, a compromised set of user credentials will mean an attacker has limited impact to your business.
An excellent way to control access even further is to segment your networks and incorporate resources that pertain to users who would be using that specific segment. Users then can only access the resources allotted in their segment, so you can lock down east-west traffic.
Beyond controlling access, network segmentation gives you the ability to create a quarantine in the event of a security threat. Be it malware, ransomware, or otherwise, you can isolate the infected system to its own segment, where it can be properly addressed without spreading its infection to other parts of the network. The caveat here is you will need additional solutions in your stack to quickly identify an infection so you can act accordingly to address the issue.
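The least-privilege, segmentation and quarantine ideas above can be expressed as a single policy decision. The following is an added example, not code from the original post or from any SASE product: a toy ZTNA policy evaluator in which an IdP-authenticated identity, the role's permitted segments (east-west lockdown), per-resource role lists (least privilege), a step-up factor for "crown jewel" resources, and a quarantine state for infected devices are all checked before access is allowed. Users, roles, resources and segment names are constructed sample data.

```python
"""Toy ZTNA policy evaluator (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    role: str
    authenticated: bool     # identity asserted by the IdP
    mfa: bool = False       # step-up factor, required for crown-jewel resources


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str
    allowed_roles: frozenset
    crown_jewel: bool = False


QUARANTINE = "quarantine"   # isolated segment holding only remediation services

# Constructed inventory: hypothetical resource names and segments.
RESOURCES = {
    "crm": Resource("crm", "business-apps", frozenset({"sales", "marketing", "it"})),
    "build-server": Resource("build-server", "engineering", frozenset({"engineering", "it"})),
    "db-prod": Resource("db-prod", "datacenter", frozenset({"it"}), crown_jewel=True),
    "remediation": Resource("remediation", QUARANTINE,
                            frozenset({"sales", "marketing", "engineering", "it"})),
}

# Coarse east-west control: the segments each role may reach at all.
SEGMENTS_BY_ROLE = {
    "sales": {"business-apps"},
    "marketing": {"business-apps"},
    "engineering": {"business-apps", "engineering"},
    "it": {"business-apps", "engineering", "datacenter"},
}


@dataclass
class Network:
    quarantined: set = field(default_factory=set)   # device ids isolated by the SOC

    def quarantine(self, device):
        self.quarantined.add(device)

    def release(self, device):
        self.quarantined.discard(device)


def evaluate(user, device, resource_name, net):
    """Deny unless every check passes; being 'inside' grants no implicit trust."""
    res = RESOURCES.get(resource_name)
    if res is None:
        return False, "unknown resource"
    if not user.authenticated:
        return False, "identity not authenticated by IdP"
    if device in net.quarantined:
        # A quarantined device may only reach the remediation segment.
        if res.segment != QUARANTINE:
            return False, f"device {device} is quarantined"
    elif res.segment == QUARANTINE:
        return False, "remediation segment is only for quarantined devices"
    elif res.segment not in SEGMENTS_BY_ROLE.get(user.role, set()):
        return False, f"role {user.role} may not reach segment {res.segment}"
    if user.role not in res.allowed_roles:
        return False, f"role {user.role} not permitted on {res.name}"
    if res.crown_jewel and not user.mfa:
        return False, "crown-jewel resource requires MFA"
    return True, "allowed"


def visible_resources(user, device, net):
    """What the user can see is exactly what they are permitted to touch."""
    return sorted(n for n in RESOURCES if evaluate(user, device, n, net)[0])


if __name__ == "__main__":
    net = Network()
    alice = User("alice", "sales", authenticated=True)
    print("alice sees:", visible_resources(alice, "laptop-a", net))
    net.quarantine("laptop-a")
    print("alice (quarantined) sees:", visible_resources(alice, "laptop-a", net))
```

The ordering matters: identity is checked before segment, segment before resource, and the quarantine state overrides the role's normal segments, so a compromised credential on an isolated device still reaches nothing but the remediation service.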
With internal network movement configured, now you must focus on external traffic. You can introduce other features to address this, including:
Beyond these features, take this time to also configure your SASE’s visibility engine to give you insights into network activity. The best SASE solutions also provide deep packet inspection features, so be sure it’s also in place to improve your overall network security posture.
With an initial picture of your network in place, it’s time to understand anything else you’ve missed during your implementation. You will also need to investigate what needs to happen to expand your SASE to the entirety of your network, including devices, infrastructure, and other appliances. With SASE, you are, in essence, moving aspects of your corporate network to the Internet, so you need to make sure that you are completely prepared to do so. This is also a great opportunity to think ahead and lay the groundwork for what you’ll need to have in place as you grow.
Now that you’ve gotten this far, it’s time to roll out SASE across the entirety of your environment:
It will be important to start with user devices before moving on to servers and other infrastructure. Because infrastructure is accessed by more users and contains more sensitive information, it needs to be treated with more care than endpoints.
This is also your opportunity to create secure tunneling for users to access critical resources. You can opt to create one-to-one or one-to-many tunnel options depending on what users need to access.
With careful planning and focused execution, deploying SASE and ZTNA will help strengthen your security posture. It will also give you more centralized control and visibility over your network at large and cut down on non-business internet usage to boot.
If you want to learn more, download our SASE eBook to better understand the role SASE plays in zero trust security and how to use it to secure your network.