SASE Model

SASE Model | Zero Trust Identity

SASE Model | Zero Trust Identity

In today's ever-evolving digital landscape, the need for robust cybersecurity measures is more critical than ever. Traditional security models are being challenged by the growing complexity of threats and the increasing demand for remote work capabilities. This blog post delves into the SASE (Secure Access Service Edge) model, highlighting its significance in achieving zero trust identity and enhancing overall security posture.

The SASE model combines network security and wide-area networking (WAN) capabilities into a unified cloud-based service. It integrates security functions like secure web gateways, data loss prevention, firewall-as-a-service, and more, with WAN capabilities such as SD-WAN (Software-Defined Wide Area Networking). This convergence allows organizations to simplify their security architecture while ensuring consistent protection across all endpoints.

Zero trust is an essential principle within the SASE model. Unlike traditional security models that rely on perimeter-based defenses, zero trust operates on the assumption that no user or device should be inherently trusted. Instead, access is granted based on dynamic factors such as user behavior, device health, and contextual data. This approach minimizes the attack surface and strengthens overall security.

Identity as the New Perimeter: In the SASE model, identity becomes the new perimeter. By adopting zero trust principles and leveraging technologies like multi-factor authentication, biometrics, and continuous monitoring, organizations can ensure that only authorized users with verified identities gain access to sensitive resources. This shift from network-centric security to identity-centric security enables a more granular and robust approach to protecting critical assets.

Strengthening Security with SASE and Zero Trust Identity: Bringing together the SASE model and zero trust identity strengthens an organization's security posture in multiple ways. By integrating security and networking functions into a unified service, organizations can enforce consistent security policies across all endpoints, regardless of their location. This approach enhances visibility, mitigates risks, and allows for more efficient incident response.

Implementing the SASE model with zero trust identity brings several benefits. These include improved threat detection and response capabilities, reduced complexity in managing security infrastructure, enhanced user experience through seamless and secure access, and increased agility to adapt to changing business needs. Furthermore, the consolidation of security functions in the cloud reduces operational costs and simplifies maintenance.

The SASE model, with its focus on zero trust identity, revolutionizes the way organizations approach cybersecurity. By shifting the security paradigm from perimeter-based defenses to identity-centric protection, businesses can adapt to the evolving threat landscape and ensure a higher level of security. Embracing the SASE model and zero trust identity is a proactive step towards safeguarding critical assets and empowering secure digital transformation.

Highlights: SASE Model | Zero Trust Identity

Understanding the SASE Model

– The SASE model, coined by Gartner, combines network security and wide area networking (WAN) capabilities into a unified, cloud-native platform. It revolves around converging networking and security functions, enabling organizations to simplify their infrastructure while enhancing security and performance. By consolidating various security services like secure web gateways, firewall-as-a-service, data loss prevention, and more, the SASE model offers a holistic approach to protecting networks and data.

– To implement the SASE model effectively, it is crucial to understand its key components. These include secure access, network security functions, cloud-native architecture, and global points of presence (PoPs). Secure access ensures that users can connect to resources securely, regardless of location.

– Network security functions encompass various security services, including firewalling, secure web gateways, and zero-trust network access. The cloud-native architecture leverages the scalability and agility of the cloud, while global PoPs enable organizations to achieve optimal performance and low latency.

Key SASE Model Benefits:

A. The adoption of the SASE model brings many benefits to organizations. First, it simplifies network architecture, reducing the complexity and costs of managing multiple security appliances.

B. Second, regardless of location, it provides consistent and robust security across all users and devices. This is particularly valuable in today’s remote work and mobile workforce era.

C. Additionally, the SASE model enhances performance by leveraging cloud-native technologies and global PoPs, ensuring seamless connectivity and reduced latency.

**Challenge: Traditional Security Devices**

Firewalls and other security services will still have a crucial role, but we must modernize the solution, especially regarding encrypted traffic and applying policies on an enterprise-wide scale. It’s a good idea to start offloading functions to the SASE solution and replacing them with Umbrella SASE. The SASE model is more of a journey than a product you can switch on and could take 3 – 5 years.

**Challenge: New Cloud Locations**

The enterprise data center’s virtual private network (VPN) must remain. Even though most applications are SaaS-based, on-premise applications will still be around for compliance and security, or they will be more complex to offload to the Internet. This could be partner resources. We need a solution to satisfy all these access requirements: cloud and on-premises application access. So, we need VPN access to the enterprise data center’s enterprise application and protected DIA for SaaS-based applications.

Cisco SASE with Cisco Umbrella

Once you have a SASE solution, you need to evolve it. The SASE model is unlike installing a firewall and configuring policies; you can add and enhance your SASE technology in many ways to increase your security posture. With Umbrella SASE, we are moving our security to the cloud and expanding this with the Cisco Umbrella platform and Zero Trust Identity from Cisco Duo. First, Cisco Umbrella provides the core SASE technology security functionality, such as DNS-layer filtering, and then Cisco Duo focuses on the Zero Trust Identity side.

Example SASE Technology: IPS IDS

Understanding Suricata

Suricata is an open-source Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) that offers real-time threat detection and prevention capabilities. It employs robust signature-based detection, protocol analysis, and behavioral monitoring to identify and block malicious network traffic.

Suricata seamlessly integrates with Security Information and Event Management (SIEM) solutions to enhance its effectiveness. This integration enables centralized log management, correlation of security events, and streamlined incident response. By aggregating and analyzing Suricata’s alerts within a SIEM, security teams gain valuable insights into potential threats and can swiftly mitigate risks.

Understanding Zero Trust Identity

Zero-trust identity is a security framework that operates on the principle of “never trust, always verify.” It challenges the traditional perimeter-based security model by assuming that no user or device should be inherently trusted, regardless of location or network environment. Instead, zero-trust identity emphasizes continuous authentication and authorization processes to ensure secure resource access.

**Key Zero Trust Identity Points**

Several key components need to be in place to implement zero-trust identity effectively. These include multi-factor authentication (MFA), robust identity and access management (IAM) systems, risk-based access controls, and comprehensive visibility and monitoring capabilities. Each component plays a crucial role in establishing a solid zero-trust identity framework.

The adoption of zero trust identity offers various benefits to organizations. Firstly, it significantly reduces the risk of data breaches and unauthorized access by implementing strict access controls and authentication methods.

Secondly, zero trust identity enhances visibility into user activities, enabling quick detection and response to potential threats. Lastly, this approach allows for organizations to have a more flexible and scalable security infrastructure, accommodating the needs of a distributed workforce and cloud-based environments.

Identity-centric Focus

The identity-centric focus of zero trust uses an approach to security to ensure that every person and every device granted access is who and what they say they are. It achieves this authentication by focusing on the following key components:

  1. The network is always assumed to be hostile. 
  2. External and internal threats always exist on the network. 
  3. Network locality needs to be more sufficient to decide trust in a network. As discussed, other contextual factors must also be taken into account.
  4. Every device, user, and network flow is authenticated and authorized. All of this must be logged.
  5. Security policies must be dynamic and calculated from as many data sources as possible.

Example: Security Scan with Lynis

Lynis is an open-source security auditing tool that assesses the security of Linux and Unix-based systems. It performs a comprehensive scan, analyzing various aspects such as configuration settings, software packages, file integrity, and user accounts. By conducting an in-depth examination, Lynis helps identify potential vulnerabilities and provides recommendations for remediation.

Zero Trust Protection with Vault

**Authentication: Proving Your Identity in the Digital World**

Authentication is the process of verifying who you are before granting access to any system. With Vault, this process is streamlined through a variety of methods, ranging from username and password combinations to more sophisticated options like multi-factor authentication (MFA) and token-based systems. By integrating with LDAP, OAuth, and other identity systems, Vault ensures that the right people have access to the right resources without compromising security.

**Authorization: Controlling Access with Precision**

Once authentication is confirmed, the next step is authorization—determining what an authenticated user is allowed to do. Vault employs policies to manage permissions effectively. These policies are written in a high-level language that allows administrators to specify precise access controls. Whether it’s read-only access for certain users or full administrative privileges, Vault’s policy-based approach ensures that users only interact with the data and systems they are permitted to, minimizing risks and enhancing security.

**Identity: The Cornerstone of Secure Access**

Identity management is more than just usernames and passwords; it’s about ensuring that every entity, whether human or machine, is uniquely identified and managed. Vault’s identity features allow for seamless integration with existing identity providers, creating a unified access management system. By leveraging identity, Vault can simplify access management across diverse environments, making it easier to audit and manage security policies and ensuring that every access request is legitimate.

Vault

**What is Identity-Aware Proxy?**

Identity-Aware Proxy is a Google Cloud service that verifies user identities and provides secure access to applications running on Google Cloud Platform (GCP). Unlike traditional security models that rely solely on network-level controls, IAP adopts a zero-trust approach. This means it considers identity as the primary perimeter, ensuring that only authenticated users can access your applications, regardless of their location or device.

**How Does IAP Work?**

At its core, IAP functions as a gatekeeper, intercepting requests to your applications and checking if the user has the necessary permissions. It leverages Google’s comprehensive identity and access management (IAM) infrastructure to authenticate users and enforce access policies. When a user attempts to connect to your application, IAP verifies their credentials, checks their assigned roles, and evaluates any conditional access policies before granting or denying access.

**Key Benefits of Using IAP**

1. **Enhanced Security:** By focusing on user identity rather than network location, IAP reduces the risk of unauthorized access. This zero-trust approach is especially critical in today’s landscape, where remote work is increasingly common.

2. **Simplified Access Management:** IAP integrates seamlessly with Google Cloud IAM, allowing you to define and manage user roles and permissions from a centralized location. This simplifies the process of granting or revoking access as your team changes.

3. **Cost-Efficiency:** Since IAP operates at the application layer, it eliminates the need for complex VPN configurations and reduces the overhead associated with managing traditional network security measures.

**Implementing IAP in Your Environment**

Setting up IAP requires a few straightforward steps. First, ensure your applications are deployed on GCP and accessible through HTTPS. Next, configure OAuth 2.0 credentials to enable IAP to authenticate users. Finally, define your access policies using Google Cloud IAM, specifying which users or groups have permission to access each application. Google provides detailed documentation and support to guide you through the setup process.

Identity aware proxy

Google Cloud IAM

## Understanding Google Cloud’s IAM

Google Cloud’s IAM is a powerful tool that allows organizations to manage access control by defining who (identity) has what access (roles) to which resources. It operates on the principle of least privilege, ensuring that users have only the permissions necessary to perform their jobs. With IAM, administrators can granularly control access, monitor permissions, and audit activities, thereby enhancing security and compliance.

## The Role of Zero Trust in IAM

Zero Trust is a security framework that challenges the traditional perimeter-based security model. It operates on the principle of “never trust, always verify,” meaning every request to access resources is authenticated and authorized, regardless of its origin. Google Cloud’s IAM plays a crucial role in implementing a Zero Trust architecture by enforcing strict identity verification, using multi-factor authentication, and constantly monitoring user activities to detect and respond to anomalies.

## Key Features of Google Cloud’s IAM

Google Cloud’s IAM offers several features that align with Zero Trust principles:

– **Role-Based Access Control (RBAC):** Assign roles based on job functions, ensuring users only have access to what they need.

– **Fine-Grained Access Control:** Define access at a detailed level, including specific resources and actions.

– **Audit Logs:** Maintain comprehensive logs of all access and changes, providing transparency and aiding in compliance.

– **Integration with Identity Providers:** Seamlessly integrate with various identity providers to manage identities and access from a central point.

Google Cloud IAM

Starting Endpoint Security 

Understanding Endpoint Security

Endpoint security protects individual devices or endpoints that connect to a network. These endpoints include desktop computers, laptops, servers, and mobile devices. The primary goal of endpoint security is to prevent unauthorized access, detect potential threats, and respond to any security incidents promptly.

Address Resolution Protocol (ARP) plays a vital role in endpoint security. It maps an IP address to a corresponding MAC address within a local network. By maintaining an updated ARP table, network administrators can ensure that communication within the network remains secure and efficient.

Proper route configuration is another critical aspect of endpoint security. Routes determine how data packets are transmitted between different networks. By carefully configuring routes, network administrators can control traffic flow, prevent unauthorized access, and mitigate the risk of potential attacks.

Netstat, a command-line tool, provides valuable insights into network connections and statistics. Using Netstat, network administrators can monitor active connections, identify potential security threats, and take appropriate measures to safeguard their endpoints. Regularly analyzing Netstat output can help detect suspicious activities or abnormal behavior within the network.

Detecting Authentication failures in logs

Understanding Syslog

Syslog is a standard protocol for message logging. It enables various devices and applications to send log messages to a central syslog server. The server is a centralized log repository, facilitating easy management and analysis. By tapping into syslog, security analysts gain access to a wealth of information about system events, network traffic, and potential security incidents.

Auth.log, short for authentication log, is a file specific to Unix-based systems. It records all authentication-related events, such as successful and failed login attempts, password changes, and user authentication errors. Analyzing the auth.log can provide crucial insights into potential security breaches, unauthorized access attempts, and suspicious user behavior.

Understanding User Authentication

User authentication is the cornerstone of identity security in Linux. By implementing robust authentication protocols, such as password-based authentication or public critical infrastructure (PKI), users can validate their identities and gain access to the system. Multifactor authentication (MFA) adds an extra layer of security by combining different authentication methods, further fortifying the system against unauthorized access.

Access Controls: Securing Identity

Access controls play a vital role in securing identity within Linux. By utilizing mechanisms like file permissions, ownership, and access control lists (ACLs), administrators can regulate user privileges and restrict unauthorized access to sensitive files and directories. Furthermore, the least privilege (PoLP) principle should be applied, granting users only the necessary permissions to perform their designated tasks and minimizing potential security risks.

Understanding SELinux

SELinux, short for Security-Enhanced Linux, is a security module integrated within the Linux kernel. It provides a robust framework for mandatory access controls (MAC) and fine-grained access control policies. Unlike traditional Linux access control mechanisms, SELinux goes beyond simple user and group permissions, enabling administrators to define and enforce highly granular policies.

Enforcing Strong Access Control

SELinux plays a vital role in enhancing zero-trust endpoint security. Enforcing MAC policies and implementing strong access controls ensures that each endpoint adheres to the principle of least privilege. SELinux helps mitigate the potential damage by limiting the attacker’s capabilities even if an endpoint or credentials are compromised.

Related: Before you proceed, you may find the following posts helpful:

  1. SD WAN SASE
  2. Zero Trust SASE
  3. SASE Definition
  4. SASE Visibility

SASE Technology with Zero Trust Identity

**Centralized Security Stack**

When you think about it, surface challenges must be solved by examining recent trends. For a start, historically, most of the resources lived in the data center, and we could centralize our security stack. However, with users accessing the network anywhere, we have public cloud apps with different connectivity metrics to understand. In addition, we now have an internet/cloud-centric connectivity model. So, we need to re-think to facilitate these new communication flows.

As a first step, you don’t need to throw out all your network and security appliances and jump to the SASE model. For an immediate design, you can augment your on-premises network security appliance with Umbrella SASE DNS-layer security. DNS-layer security is a good starting point with Cisco Umbrella. It would be best if you made some slight changes to this.

This way, you don’t need to make any significant architectural changes to get immediate benefits from SASE and its cloud-native approach to security.

SASE Technology with Zero Trust Identity

You can then further this SASE model to include Zero Trust Identity with, for example, Cisco Duo. With Cisco Duo, we are moving from inline security inspection on the network to securing users at the endpoint or the application layer. An actual Zero Trust Identity strategy changes the level of access or trust based on contextual data about the user or device requesting access.

**Identity – New Perimeter**

Now, we are heading into identity as the new perimeter. Identity, in its various forms, is the new perimeter. The new identity perimeter needs to be protected with other mechanisms you may have in your existing environments.

We have identity sprawl with potentially unprecedented access, making any of the numerous identities a high-value target for bad actors to compromise. For example, in a multi-cloud environment, it’s common for identities to be given a dangerous mix of entitlements, further extending the attack surface area security teams need to protect.

**Challenge: Identity attacks are hard to detect**

Nowadays, bad actors can use even more gaps and holes as entry points. With the surge of identities, including humans and non-humans, IT security administrators face the challenge of containing and securing the identity sprawl as the attack surface widens. 

What makes this worse is that security teams’ primary issue is that identity-driven attacks are hard to detect. How do you know if a bad actor or a sys admin uses the privilege controls? 

Security teams must find a reliable way to monitor suspicious user behavior to determine the signs of compromised identities. For this, behavioral analysis must happen in the background, looking for deviations from baselines. Once a variation has occurred, we can trigger automation, such as with a SOAR playbook that can, for example, perform threat hunting.

Zero Trust & Port Knocking

Understanding Port Knocking

Port knocking is a clever security technique that involves a series of connection attempts to predefined closed ports on a server. These connection attempts act as a secret knock, effectively “opening” the desired port for subsequent communication. By hiding the open ports, port knocking reduces the visibility of services to potential attackers, making it harder to exploit vulnerabilities.

One significant advantage of port knocking is its ability to mitigate brute-force attacks. Since the ports are closed by default, unauthorized access attempts are futile. Port knocking adds an extra layer of obscurity, making it challenging for attackers to identify open ports and devise attack strategies. This technique can be beneficial in environments with impractical or insufficient traditional firewalls.

Example: Social-Engineering Toolkit. 

**Credential Attacks**

Credential harvester or phishing attacks aim to trick individuals into providing their sensitive login information through fraud. Attackers often create deceptive websites or emails resembling legitimate platforms or communication channels. These masquerading techniques exploit human vulnerabilities, such as curiosity or urgency, to deceive unsuspecting victims.

**Fake Login Pages**

To execute a successful credential harvester attack, perpetrators typically utilize various methods. One common approach involves creating fake login pages that mimic popular websites or services. Unaware of the ruse, unsuspecting victims willingly enter their login credentials, unknowingly surrendering their sensitive information to the attacker. Another technique involves sending phishing emails that appear genuine, prompting recipients to click on malicious links and unknowingly disclose their login details.

**Gain Entry to other Platforms**

The consequences of falling victim to a credential harvester attack can be severe. From personal accounts to corporate networks, compromised login information can lead to unauthorized access, data theft, identity theft, and financial fraud. Attackers often leverage their credentials to gain entry into other platforms, potentially compromising sensitive information and causing extensive damage to individuals or organizations.

**Mitigating the Risks**

Thankfully, several proactive measures can mitigate the risks associated with credential harvester attacks. First and foremost, user education plays a crucial role. Raising awareness about the existence of these attacks and providing guidance on identifying phishing attempts can empower individuals to make informed decisions. Implementing robust email filters, web filters, and antivirus software can also help detect and block suspicious activities.

One highly effective strategy to fortify defenses against credential harvester attacks is implementing two-factor authentication (2FA). By requiring an additional verification step, such as a unique code sent to a registered mobile device, 2FA adds an extra layer of security. Even if attackers obtain login credentials, they would still be unable to access the account without secondary verification.

Example Technology: Scanning Networks

Understanding Network Scanning

Network scanning analyzes a network to detect active hosts, open ports, and potential security weaknesses. It provides a comprehensive view of the network infrastructure and aids in identifying possible entry points for malicious actors. By performing network scans, organizations can proactively strengthen their cybersecurity defenses.

A: Port Scanning: Port scanning is one of the fundamental techniques used in network scanning. It involves probing a target system for open ports essential for establishing network connections. Tools like Nmap and Zenmap are commonly employed for port scanning, allowing security professionals to identify vulnerable services and potential attack vectors.

B: Vulnerability Scanning: Vulnerability scanning identifies weaknesses, flaws, or misconfigurations within network devices and systems. This technique provides valuable insights into potential security risks that attackers could exploit. Tools like Nessus and OpenVAS are widely used for vulnerability scanning, enabling organizations to prioritize and remediate vulnerabilities effectively.

Evolution to a SASE Model

The Internet: New Enterprise Network

We are stating that there has been a substantial evolution. The Internet is the new network, and users and apps are more distributed; the Internet is used to deliver those services. As a result, we have a greater dependency on the Internet, but the Internet’s reliability could be more consistent around the globe. For example, BGP is unreliable, and we always have BGP incidents. We need to look at other tools and solutions to layer on top of what we have to improve Internet reliability.

BGP operates over TCP port 179. BGP TCP Port 179 serves as the channel through which BGP routers establish connections and exchange routing information. The linchpin facilitates the dynamic routing decision-making process across diverse networks. However, due to its criticality, BGP Port 179 has become an attractive target for malicious actors seeking to disrupt network operations or launch sophisticated attacks.

Common Threats Targeting BGP TCP Port 179

BGP TCP Port 179, the backbone of internet routing, faces various security threats. From route hijacking to Distributed Denial of Service (DDoS) attacks, the vulnerabilities within this port can have severe consequences on network stability and data integrity. Understanding these threats is essential in implementing effective countermeasures.

Also, the cloud is the new data center. So, we no longer control and own the data and apps in the public cloud. Instead, these apps communicate to other public clouds and back to on-premises to access applications or databases that can’t be moved to the cloud. Not to mention the new paradigm to try and solve. We also reduce the types of applications on our enterprise network.

Most are trying to minimize custom applications and streamline SaaS-based applications. We can implement many SaaS-based applications. These applications are hosted in public and private clouds and accessed online. The service model is now accessible only via the public Internet. We also want the same experience at home as in the office. When I return to the office, all the network and security functions at home stay the same.

**How To Approach The SASE Model**

How do you do this? Well, there are two ways. You can facilitate this with a bespoke platform, which can be self-managed with many on-premise network and security stacks, sticking the product together and then building your own PoPs. However, you can get away from this and consume this as a service from a SASE provider, so we have a cloud consumption model for all network and security services. This is the essence of the SASE model. Why not offload all the complexity to someone else?

A. Required SASE Technology: Encryption Traffic.

We have inline security services that inspect traffic and try to glean metadata about what is happening. The inspection was easy when we connected to a web page on port 80, and everything was in clear text. Inspection and seeing what the user was doing can be done with standard firewall monitoring. But now we have end-to-end encryption between the user device and the applications.

The old IDS/IPS and firewalls need help gaining insights into encrypted traffic. We need complete visibility at the endpoint and the application layer to have more context and understand if there is any malicious activity in the encrypted traffic. Also, appropriate visibility of encrypted traffic is more important than having control. 

Example DLP Technology: Sensitive Data Protection

Sensitive data protection

B. Required SASE Technology: SIEM with Splunk and Machine Data

You will also need a SIEM tool. Splunk can be used as the primary SIEM tool and log collection from various data sources to provide insights and traffic traversing the network. Remember that machine data is everywhere and flows from all the devices we interact with, making up around 90% of today’s data. Harnessing this data can give you powerful security insights.

The machine data can be in many formats, such as structured and unstructured. As a result, it can be challenging to predict and process. There are plenty of options for storing data. Collecting all security-relevant data and turning all that data into actionable intelligence, however, is a different story.

Example Solution: Splunk

This is where Splunk comes into play, and it can take any data and create an intelligent, searchable index—adding structure to previously unstructured data. This will allow you to extract all sorts of insights, which can be helpful for security and user behavior monitoring. In the case of Splunk, it helps you quickly know your data. Splunk is a big data platform for machine data. It collects raw unstructured data and converts them into searchable events.

C. Required SASE Technology: Network Connectivity & Network Security

You want an any-to-any connectivity model, even though your users and applications are highly distributed. What types of technology do you need to have to support this? You need two essential things: network connectivity and security services. Network connectivity, such as SD-WAN for branch locations. With everything, you start with network connectivity, and then you can layer security services on top of this stack.

These services include BGP sinkhole, DNS protection, secure firewall, WAN encryption, web security, and Cisco Duo with zero-trust access. Many components need to work together, and you will use and manage many infrastructure components.

**1.End Visibility & Policy Maintenance**

We also need to have good visibility into the full end-to-end path. You can use your SASE technology with Cisco ThousandEyes for end-to-end visibility and tools to orchestrate all of this together. This has many challenges, such as building and operating these components together.

A better way is to have all these services available via one unified portal. For example, we can have network and security as a service, where you can add services you need on-demand to each Umbrella SASE PoP that is outsourced to a SASE provider. Some PoPs can filter the DNS layer, while others have the entire security stack. They turn functions on and off at will.

This should be wrapped up with policy maintenance so you can implement policy at any point, along with good scalability and multi-tenancy. Lowering the cost and employing the SASE can help, not to mention the skills used. With the SASE model, you can export it to experts and consume it.

**2.The Issue of Provisioning**

With the umbrella SASE PoP architecture, you can bring users closer to the application. Also, we can access a more modern and diverse toolkit by employing SASE technology. Remember that a big issue with on-premise hardware appliances is that we always overprovision, which can result in high management for handling traffic spikes that may only happen occasionally. When it comes to hardware-based solutions, we always overprovision them.

With SASE, we have the agility of a software-based model where we can scale up and down, which you can’t do with a hardware-based model. If you need more scale, you or your Umbrella SASE provider can introduce another Virtual Network Function (VNF) and scale this out in software configuration instead of a new hardware appliance.

Umbrella SASE – Starting

Start with DNS Protection

As a first SASE model step, we need DNS protection. This is the first SASE technology to be implemented with a SASE solution. Cisco Umbrella can be used here. Cisco umbrella is a recursive DNS service; you can get a lot of information from DNS requests, and a great place to start security. You can learn to see attacks before they launch, have the correct visibility to protect access anywhere, and block and stop threats before the connection.

Below is a recap on DNS. DNS, by default, uses UDP and works with several records.

**DNS and TTL** 

DNS can be updated dynamically and has very little TTL. If you can interact with that traffic at a base level regardless of where the user is, you can see what they are doing. For example, you can see what updates happen if a malware attack occurs. DNS is very lightweight; we can protect the endpoint and block malware before attempting the connection.

Suppose someone clicks on a phishing link or malware calls back to a C&C server for additional attack information. In that case, that connection does not happen, and you don’t need to process this traffic across a firewall or other security screen stack that can add latency.

Connecting to Umbrella SASE does not cause latency issues. We can offload the hardware used to protect this and now put it into the cloud, and you don’t need the additional hardware to accommodate traffic spikes and growth protection at a DNS layer. Cisco Umbrella gives you accuracy at the DNS layer without any overhead. You can control this traffic and see what is going on to see who is and where. All of the traffic can be identified with DNS.

**Gaining Insight: DNS** 

Point the existing DNS resolver to Cisco Umbrella, then connect users and get insight into DNS requests for on or off-the-network traffic. We start with passive monitoring, and then we go to deploy blocking. It would help if you did this without re-architecting your network with the ability to minimize false positives. Therefore, pointing your existing DNS to Umbrella, a passive change, is a good starting point. Then, enable blocking internally based on policy.

There is an enterprise network, and endpoints must point to internal DNS servers. You can modify existing internal DNS servers to have their traffic go to the Cisco Umbrella for screening. So the DNS query goes to Cisco Umbrella for internet-bound traffic, and then Cisco Umbrella carries the recursive DNS queries to the Authoritative DNS servers.

**The Role of Clients and Agents**

It would help to get an Umbrella client or agent on your endpoint. An agent on the endpoint will give you additional visibility. What happens when the users go home from the office? You want to maintain visibility, which can be achieved with an agent. What I like about SASE is that you can have an enterprise-wide policy in a few minutes. You can also increase your DNS performance by leveraging the SASE PoPs. The SASE PoPs should be well integrated with an authoritative DNS server. 

In summary, there are two phases. First, you can start with a network monitoring and blocking stage with DNS-layer filtering and then move to the endpoint, gaining visibility and lowering your attack surface. Now, we are heading into the zero-trust identity side of things.

Starting Zero Trust Identity: Cisco Dou

For additional security, we can look at Zero Trust Identity. This can be done with Cisco Dou, which provides Zero Trust Identity on the endpoint and ensures the device is healthy and secure. We need to trust the user, my endpoint, and the network they are on. In the past, we just looked at the IP as an anchor for trust. With zero trust, we can now have adaptive policies and risk-based decisions, enforce the least privilege with, for example, just-in-time access, and bring in a lot more context than we had with IP addressing for security.

Cisco Duo Technologies for Umbrella SASE

Duo’s MFA (multi-factor authentication) and 2FA (two-factor Authentication) app and access tools can help make security resilience easy for your organization with user-friendly features for secure access, strong authentication, and device monitoring. The following are some of the technologies used with Cisco Duo.

a. Multi-factor Authentication (MFA): Multi-factor authentication (MFA) is an access security product that verifies a user’s identity when logging in. Using secure authentication tools adds two or more identity-checking steps to user logins.

b. Adaptive Access: With adaptive access, we have security policies for every situation. Now, we can gain granular information about who can access what and when. Cisco Duo lets you create custom access policies based on role, device, location, and other contextual factors, so we can use much contextual information to make decisions.

c. Device Verification: Also, verify any device’s trust, identify risky devices, enforce contextual access policies, and report on device health using an agentless approach or by integrating your device management tools.

d. Single-Sign-On: Then we have single sign-on (SSO): Single sign-on (SSO) from Duo provides users with an easy and consistent login experience for any application, whether on-premises or cloud-based. With SSO, we have a platform that we connect to for access to all of our applications. Not just SaaS-based applications but also custom applications. CyberArk is good in this space, too.

Zero Trust Identity Technologies

a) Adaptive policies

First, adaptive policies. Cisco Duo has built a cloud platform where you can set up adaptive policies to check for anomalies and then give the user an additional check. This is like step-up authentication. Then, we move towards conditional access, a step beyond authentication. Conditional access goes beyond authentication to examine the context and risk of each access attempt. For example, contextual factors may include consecutive login failures, geo-location, type of user account, or device IP to either grant or deny access. Based on those contextual factors, it may be granted only to specific network segments. 

b) Risk-based decisions 

The identity solution should be configurable to allow SSO access, challenge the user with MFA, or block access based on predefined conditions set by policy. It would help if you looked for a solution that can offer a broad range of requirements, such as IP range, day of the week, time of day, time range, device O/S, browser type, country, and user risk level. 

These context-based access policies should be enforceable across users, applications, workstations, mobile devices, servers, network devices, and VPNs. A key question is whether the solution makes risk-based access decisions using a behavior profile calculated for each user.

c) Enforce Least Privilege and JIT Techniques

Secure privileged access and manage entitlements. For this reason, many enterprises employ a least privilege approach, where access is restricted to the resources necessary for the end-user to complete their job responsibilities with no extra permissions. A standard technology here would be Just in Time (JIT). Implementing JIT ensures that identities have only the appropriate privileges, when necessary, as quickly as possible and for the least time required. 

A technology to enforce the least privilege is just-in-time (JIT) techniques that dynamically elevate rights only when needed. The solution allows for JIT elevation and access on a “by request” basis for a predefined period, with a full audit of privileged activities. Full administrative rights or application-level access can be granted, time-limited, and revoked.

Summary: SASE Model | Zero Trust Identity

Organizations face numerous challenges in ensuring secure and efficient network connectivity in today’s rapidly evolving digital landscape. This blog post delved into the fascinating world of the Secure Access Service Edge (SASE) model and its intersection with the Zero Trust Identity framework. Organizations can fortify their networks and safeguard their critical assets by understanding the key concepts, benefits, and implementation considerations of these two security approaches.

Understanding the SASE Model

The SASE Model, an innovative framework introduced by Gartner, combines network security and wide-area networking into a unified cloud-native service. This section explores the core principles and components of the SASE Model, such as secure web gateways, data loss prevention, and secure access brokers. The SASE Model enables organizations to embrace a more streamlined and scalable approach to network security by converging network and security functions.

Unpacking Zero Trust Identity

Zero-trust identity is a security paradigm emphasizing continuous verification and granular access controls. This section delves into its fundamental principles, including the concepts of least privilege, multifactor authentication, and continuous monitoring. By adopting a zero-trust approach, organizations can mitigate the risk of unauthorized access and minimize the impact of potential security breaches.

Synergies and Benefits

This section explores the synergies between the SASE Model and Zero Trust Identity. Organizations can establish a robust security posture by leveraging the SASE Model’s network-centric security capabilities alongside the granular access controls of Zero Trust Identity. The seamless integration of these approaches enhances visibility, minimizes complexity, and enables dynamic policy enforcement, empowering organizations to protect their digital assets effectively.

Implementation Considerations

Implementing the SASE Model and Zero Trust Identity requires careful planning and consideration. This section discusses key implementation considerations, such as organizational readiness, integration challenges, and scalability. Organizations can successfully deploy a comprehensive security framework that aligns with their unique requirements by addressing these considerations.

Conclusion: In conclusion, the SASE Model and Zero Trust Identity are two powerful security approaches that, when combined, create a formidable defense against modern threats. Organizations can establish a robust, scalable, and future-ready security posture by adopting the SASE Model’s network-centric security architecture and integrating it with the granular access controls of Zero Trust Identity. Embracing these frameworks enables organizations to adapt to the evolving threat landscape, protect critical assets, and ensure secure and efficient network connectivity.