The Need for Zero Trust Networking – Part 1

By Kelly Ahuja
CEO, Versa Networks
October 18, 2023

This article is structured as a two-part blog series. The first part explores the evolving digital landscape. We’ll discuss the limitations of traditional security and networking models in the face of a hybrid environment that seamlessly interconnects WAN, LAN, Cloud, and Data Center.  

The second part introduces the concept of Zero Trust Networking – an approach to address the nuanced challenges of modern enterprises by seamlessly integrating security and networking components across WAN, LAN, Cloud, and Data Center. 

The Need for Zero Trust Networking

Digital transformation and an expanding cyber threat landscape are rapidly changing the needs of the cloud-first, hybrid-work modern enterprise. The need for business agility is accelerating the shift of workloads to multiple clouds and to SaaS. This shift is changing not just where we store our data but also how we access it. Users and devices now move between home offices, remote locations, mobile and in-transit connections, shared facilities and traditional office workspaces.

The push for productivity has driven a dramatic rise in the use of collaboration tools, a rapid shift to Bring Your Own Device (BYOD), and the connection of almost everything (IoT) in the workplace. This has widened the scope of connectivity from simple access to access that is secure, conditional, reliable and delivers a good user experience.

Against this backdrop, our collective challenge is clear: capture the productivity and agility benefits of this transformation without compromising security or performance. More specifically, we must establish robust, adaptive connectivity that secures every point of connection across a complex mesh of any-to-any connections.

The Edge is Everywhere

Historically, security and networking teams have leaned towards a “Do It Yourself” (DIY) model, building bespoke silos of network and security tools for each place in the network. While this approach has brought a sense of control and customization, it carries the cost and complexity of a larger set of security vulnerabilities, inconsistent user-to-application performance, and reliability challenges. Addressing these problems has required still more tools, making the problem more pronounced: troubleshooting user experience takes longer, and fast-evolving threats take advantage of the larger attack surface and the blind spots that come with the added complexity.

CLOUD

The rapid move to private clouds and to Software as a Service (SaaS) has made businesses more agile. However, it came at the cost of user experience, because traffic from every remote location was still routed through a centralized perimeter firewall, and security teams had to adopt new tools to protect workloads in different clouds and to secure access to SaaS apps.

SD-WAN emerged as a new model for branch or office WAN. Yet, many businesses adopted it while still routing traffic through a centralized perimeter. As an example, one of our Fortune 500 customers had to route traffic from Latin America to the Bay Area before reaching a Salesforce instance in Brazil, leading to a poor user and application experience.

Many enterprises hoped to create a distributed cloud on-ramp using local Internet access at the branch. This strategy did cut WAN costs, but it left the branch unsecured. Many added cloud-delivered security thinking it would solve the problem; in practice they discovered that it only protected outbound traffic and left the inbound attack surface of the branch’s Internet connection open. This forced businesses to add a firewall at every branch, significantly increasing the cost and complexity of managing hundreds of firewalls.

The pandemic forced everyone to work from home, turning each employee into their own branch office. Most companies saw a shift from a small percentage of employees using remote access part-time to all employees suddenly using it full time. This change required an immediate expansion of traditional VPN products. Some companies chose cloud-based Zero Trust Network Access (ZTNA) solutions for better remote access. However, the same problem persisted: routing traffic through a centralized point (hair-pinning) for Internet and SaaS application access. Businesses then had to add cloud-based access control and data leakage prevention (DLP) tools to limit what remote users could reach and to prevent data leakage.

Is SASE the answer?

SASE has emerged as the solution to these problems. But it’s not enough as the world has become hybrid:

  • Users and devices are now hybrid, functioning from any location.
  • Workloads and applications are also becoming hybrid, functioning from multiple clouds and on-premises data centers.
  • Data is transitioning to a hybrid model as well.

Secure Access Service Edge (SASE) is mainly aimed at remote users and remote locations. It does not cover the full needs of modern enterprises, including on-premises and hybrid work, IoT, and application environments that span data centers and public clouds.

Why not? The boundary, or edge, is no longer only outside the enterprise. It has moved inside the perimeter: into the office, when a hybrid worker brings their own device or IoT devices are attached to the LAN; and into the data center, where the workloads of a single application may be spread across multiple resources within one or more servers, data centers, or even a private cloud.

[Figure: Perimeter-based security creates gaps and increases risk]

CAMPUS/BRANCH LAN

As the workforce becomes increasingly hybrid, new security challenges appear that traditional remote access solutions were not designed to solve. Threat actors know that VPN gateways are a frequent target and that a compromised VPN session typically grants broad access to the underlying network. Cloud-delivered Zero Trust Network Access (ZTNA) solutions are widely adopted to secure remote work, but they cannot deliver the application performance and inline policy enforcement needed for workers in the office.

And as we look inside the network, many organizations connect IoT devices to their infrastructure without fully understanding the security risk. Because most IoT devices run a minimal operating system and are built to perform a single task, you cannot apply the same endpoint protections, such as agents and regular patching, as you would on a laptop, mobile phone or tablet. Many are not even enrolled in identity and access management (IAM) systems, which precludes the application of traditional identity-based policy controls. The broad footprint of IoT/OT and other network-attached devices makes them valuable targets for attackers. They are often at the center of control systems for critical infrastructure, enabling manufacturing processes or delivering life-critical healthcare. These factors contribute to the severe impact of breaches that begin with an IoT compromise.

DATA CENTER

As workloads and data also become hybrid, compute and storage resources must meet both business and regulatory needs, including data sovereignty. Software Defined Networking (SDN) began in the data center as a way to separate the control plane from the forwarding hardware, simplifying deployment, operation, and management of data center infrastructure, while perimeter firewalls provided security at the edge.

In this architecture, workloads are connected through virtual firewalls placed in each compute resource, with traffic hairpinning through multiple virtual machines on the same server, across servers, or out of the data center. Although these virtual firewalls provide some security, the network itself remains unprotected: an attacker who gets past the perimeter can move laterally with unfettered access throughout the infrastructure.
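The claim in the IoT and data center passages above, that a foothold inside a perimeter-only design can reach everything, can be checked against a policy rather than argued. The following Python is an added example, not Versa’s code or anything from the article: it models a small constructed inventory (an unmanaged camera on the branch LAN next to an HR laptop, a camera recorder, and a three-tier application in the data center) and computes the blast radius of a compromised host, meaning every host it can reach directly or by pivoting through hosts it has already reached, under two policies. The perimeter policy lets any internal host reach any other; the per-flow policy denies everything that is not explicitly allowed. All host names, segments, rules and ports are hypothetical choices for the example.

```python
"""Blast-radius check for a network policy.

Added example, not Versa's code. Inventory, rules and ports are constructed
for illustration and do not describe any real environment.
"""
from collections import deque

# Constructed inventory: host -> segment. "iot-camera" stands in for the
# unmanaged IoT device the article describes (no agent, no IAM identity).
HOSTS = {
    "iot-camera": "branch-lan",
    "laptop-hr": "branch-lan",
    "nvr-01": "branch-iot-services",
    "web-01": "dc-web",
    "app-01": "dc-app",
    "db-01": "dc-db",
}

# Perimeter model: one firewall at the edge and nothing between internal
# hosts, so inside the perimeter any host can reach any other on any port.
PERIMETER_RULES = [("*", "*", "*")]

# Per-flow model: every flow needs an explicit allow, keyed on a host
# identity or a segment name; anything not listed is denied.
ZERO_TRUST_RULES = [
    ("laptop-hr", "dc-web", 443),   # HR laptop may reach the web tier
    ("iot-camera", "nvr-01", 554),  # camera may only stream to its recorder
    ("dc-web", "dc-app", 443),      # web tier calls the app tier
    ("dc-app", "dc-db", 3306),      # app tier talks to the database
]

# Ports an attacker with a foothold would probe (hypothetical set).
PROBE_PORTS = (22, 443, 554, 3306)


def _matches(selector, host):
    """A selector matches a host by wildcard, host name, or segment name."""
    return selector == "*" or selector == host or selector == HOSTS[host]


def allowed(rules, src, dst, port):
    """True if some rule permits src -> dst on port; no matching rule means deny."""
    return any(
        _matches(s, src) and _matches(d, dst) and p in ("*", port)
        for s, d, p in rules
    )


def blast_radius(rules, compromised, ports=PROBE_PORTS):
    """Hosts an attacker on `compromised` can reach, directly or by pivoting
    through each host already reached (breadth-first search over allowed flows)."""
    reached, queue = set(), deque([compromised])
    while queue:
        src = queue.popleft()
        for dst in HOSTS:
            if dst == compromised or dst in reached:
                continue
            if any(allowed(rules, src, dst, p) for p in ports):
                reached.add(dst)
                queue.append(dst)
    return reached


if __name__ == "__main__":
    policies = (("perimeter", PERIMETER_RULES), ("per-flow", ZERO_TRUST_RULES))
    for name, rules in policies:
        for foothold in ("iot-camera", "web-01"):
            reach = sorted(blast_radius(rules, foothold))
            print(f"{name:9} foothold={foothold:10} reaches {reach}")
```

Run it to print the reachable set for each policy and foothold. Under the perimeter rules the camera reaches every other host, which is the "roam freely" case the article describes. Under the per-flow rules the camera reaches only its recorder, while a compromised web server still reaches the app and database tiers through the flows the application legitimately needs; that residual chain is the blast radius that workload-level policy leaves behind and the thing the rule set should be reviewed against.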

Bolt-On Solutions

The current trend of “Bolted Together” solutions no longer sufficiently meets the needs of modern enterprises. Recognizing an imminent shift, incumbent security and networking vendors have increased acquisitions and integrations, attempting to provide a unified approach to address customer challenges.

[Figure: Fragmented, place-in-network based approach]

Unfortunately, this strategy of combining various products under the same brand, each with different hardware, software architectures and management systems, has not resolved the core issues. It has only merged network and security tools into a vulnerable perimeter: bad actors can infiltrate at the network edges and roam freely until they encounter the security perimeter.

A new approach is needed.

Next week, this article will introduce the concept of Zero Trust Networking – an approach to address the nuanced challenges of modern enterprises by seamlessly integrating security and networking components across WAN, LAN, Cloud, and Data Center.

Check out Part 2 of this series:  Zero Trust Networking – Part 2.

Kelly Ahuja

CEO

Kelly Ahuja is a seasoned industry veteran with more than 20 years of experience in networking and telecommunications. He currently serves on the board of directors for two startups in Silicon Valley.

Kelly spent 18 years at Cisco rooted in the design and deployment of telecommunications networks. He was most recently SVP of Service Provider Business, Products and Solutions at Cisco where he was responsible for developing and managing the service provider segment strategy and portfolio. Kelly held several other senior executive roles at Cisco, including SVP and GM of the Mobility Business Group, Chief Architect for the Service Provider business, and SVP and GM of the Service Provider Routing Technology Group.

Earlier in his career, Kelly served as VP of Marketing at optical networking startup BlueLeaf Networks and product management leader at Stratacom. He also managed the design and deployment of data and voice networks for AT&T Canada, Bank of Canada and Telesat Canada.

Kelly holds a Bachelor of Science in Electrical Engineering from the University of Calgary.
