- Many IT and security leaders struggle to cope with the challenges associated with a hybrid workforce and how best to secure it.
- Understanding the main principles of zero trust: never trust, always verify, assume breach, and verify explicitly.
- How to go about achieving a zero trust framework.
- Understanding the premise of SASE as it pertains to a hybrid workforce.
Our Advice
Critical Insight
Securing your hybrid workforce should be an opportunity to get started on the zero trust journey. Realizing the core features needed to achieve this will assist you in determining which of the options is a good fit for your organization.
Impact and Result
Every organization's strategy to secure their hybrid workforce should include introducing zero trust principles in certain areas. Our unique approach:
- Assess the suitability of SASE/SSE and zero trust.
- Present capabilities and feature benefits.
- Procure SASE product and/or build a zero trust roadmap.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
Overall Impact: 10.0/10
Average $ Saved: $26,030
Average Days Saved: 50
Client | Experience | Impact | $ Saved | Days Saved |
---|---|---|---|---|
Job and Family Services | Guided Implementation | 10/10 | $26,030 | 50 |
Secure Your Hybrid Workforce
SASE as a driver to zero trust.
Analyst Perspective
Consolidate your security and network.
Remote connections like VPNs were not designed to be security tools or to have the capacity to handle a large hybrid workforce; hence, organizations are burdened with implementing controls that are perceived to be "security solutions." The COVID-19 pandemic forced a wave of remote work for employees that were not taken into consideration for most VPN implementations, and as a result, the understanding of the traditional network perimeter as we always knew it has shifted to include devices, applications, edges, and the internet. Additionally, remote work is here to stay as recruiting talent in the current market means you must make yourself attractive to potential hires.
The shift in the network perimeter increases the risks associated with traditional VPN solutions as well as exposing the limitations of the solution. This is where zero trust as a principle introduces a more security-focused strategy that not only mitigates most (if not all) of the risks, but also eliminates limitations, which would enhance the business and improve customer/employee experience.
There are several ways of achieving zero trust maturity, and one of those is SASE, which consolidates security and networking to better secure your hybrid workforce as implied trust is thrown out of the window and verification of everything becomes the new normal to defend the business.
Victor Okorie
Senior Research Analyst, Security and Privacy
Info-Tech Research Group
Executive Summary
Your Challenge
CISOs are looking to zero trust to fill the gaps associated with their traditional remote setup as well as to build an adaptable security strategy. Some challenges faced include:
- Understanding the main principles of zero trust: never trust, always verify, assume breach, and verify explicitly.
- Understanding how to achieve a zero trust framework.
- Understanding the premise of SASE as it pertains to a hybrid workforce.
Common Obstacles
The zero trust journey may seem tedious because of a few obstacles like:
- Knowing what the principle is all about and the components that align with it.
- Knowing where to start. Due to the lack of a standardized path for the zero trust journey, going about the journey can be confusing.
- Not having a uniform definition of what makes up a SASE solution as it is heavily dependent on vendors.
Info-Tech's Approach
Info-Tech provides a three-service approach to helping organizations better secure their hybrid workforce.
- Understand your current, existing technological capabilities and challenges with your hybrid infrastructure, and prioritize those challenges.
- Gain insight into zero trust and SASE as a mitigation/control/tool to those challenges.
- Identify the SASE features that are relevant to your needs and a source guide for a SASE vendor.
Info-Tech Insight
Securing your hybrid workforce should be an opportunity to get started on the zero trust journey. Realizing the core features needed to achieve this will assist you in determining which of the options is a good fit for your organization.
Turn your challenges into opportunities
Hybrid workforce is the new normal
The pandemic has shown there is no going back to full on-prem work, and as such, security should be looked at differently with various considerations in mind.
Understand that current hybrid solutions are susceptible to various forms of attack because the attack surface has expanded to include users, devices, applications, locations, and data. The traditional perimeter as we know it has expanded beyond just the corporate network, and as such, it needs a more mature security strategy.
Onboarding and offboarding have been done remotely, and with some growth recorded, the size of companies has also increased, leading to a scaling issue.
Employees are now demanding remote work capabilities as part of contract negotiation before accepting a job.
Attacks have increased far more quickly during the pandemic, and all indications point to them increasing even more.
Security personnel available for hire in the job market are scarce.
Reality Today
The number of breach incidents by identity theft.
Source: Security Magazine, 2022.
IT security teams want to adopt zero trust.
Source: Cybersecurity Insiders, 2019.
Reduce the risks of remote work by using zero trust
$1.07m | $1.76m | 235 |
---|---|---|
Increase in breaches related to remote work | Cost difference in a breach where zero trust is deployed | Days to identify a breach |
The average cost of a data breach where remote work was a factor rose by $1.07 million in 2021. COVID-19 brought about rapid changes in organizations, and digital transformation changes curbed some of its excesses. Organizations that did not make any digital transformation changes reported costs $750,000 higher than the global average. | The average cost of a breach in an organization with no zero trust deployed was $5.04 million in 2021 compared to the average cost of a breach in an organization with zero trust deployed of $3.28 million. With a difference of $1.76 million, zero trust makes a significant difference. | Organizations with a remote work adoption rate of 50% took 235 days to identify a breach and 81 days to contain that breach – this is in comparison to the average of 212 days to identify a breach and 75 days to contain that breach. |
Source: IBM, 2021.
Network + Security = SASE
What exactly is a SASE product?
The convergence and consolidation of security and network brought about the formation of secure access service edge (SASE – pronounced like "sassy"). Digital transformation, hybrid workforce, high demand for availability, uninterrupted access for employees, and a host of other factors influenced the need for this convergence that is delivered as a cloud service.
The capabilities of a SASE solution being delivered are based on certain criteria, such as the identity of the entity (users, devices, applications, data, services, location), real-time context, continuous assessment and verification of risk and "trust" throughout the lifetime of a session, and the security and compliance policies of the organization.
SASE continuously identifies users and devices, applies security based on policy, and provides secure access to the appropriate and requested application or data regardless of location.
Current Approach
The traditional perimeter security using the castle and moat approach is depicted in the image here. The security shields valuable resources from external attack; however, it isn't foolproof for all kinds of external attacks. Furthermore, it does not protect those valuable resources from insider threat.
This security perimeter also allows for lateral movement when it has been breached. Access to these resources is now considered "trusted" solely because it is now behind the wall/perimeter.
This approach is no longer feasible in our world today where both external and internal threats pose continuous risk and need to be contained.
Determine the suitability of SASE and zero trust
The Challenge:
Complications facing traditional infrastructure
- Increased hybrid workforce
- Regulatory compliance
- Limited Infosec personnel
- Poor threat detection
- Increased attack surface
Common vulnerabilities in traditional infrastructure
- MITM attack
- XSS attack
- Session hijacking
- Trust-based model
- IP spoofing
- Brute force attack
- Distributed denial of service
- DNS hijacking
- Latency issues
- Lateral movement once connection is established
TRADITIONAL INFRASTRUCTURE | ||||
---|---|---|---|---|
NETWORK | SECURITY | AUTHENTICATION | IDENTITY | ACCESS |
Candidate Solutions
Proposed benefits of SASE
- Access is only granted to the requested resource
- Consolidated network and security as a service
- Micro-segmentation on application and gateway
- Adopts a zero trust security posture for all access
- Managed detection and response
- Uniform enforcement of policy
- Distributed denial of service shield
SASE | ||||
---|---|---|---|---|
NETWORK | SECURITY | AUTHENTICATION | IDENTITY | ACCESS |
ZERO TRUST | |
---|---|
TENETS OF ZERO TRUST | ZERO TRUST PILLARS |
Proposed benefits of zero trust
- Identify and protect critical and non-critical resources in accordance with business objectives.
- Produce initiatives that conform to the ideals of zero trust and are aligned with the corresponding pillars above.
- Formulate policies to protect resources and aid segmentation.
Info-Tech Insight
Securing your hybrid workforce should be an opportunity to get started on the zero trust journey. Realizing the core features needed to achieve this will help you determine which of the options is a good fit for your organization.
Measure the value of using Info-Tech's approach
IT and business value
PHASE 1
PHASE 2: Assess the benefits of adopting SASE or zero trust
Vendors will try to control the narrative in terms of what they can do for you, but it's time for you to control the narrative and identify pain points to IT and the business, and with that, to understand and define what the vendor solution can do for you.
Short-term benefits
- Gain awareness of your zero trust readiness.
- Embed a zero trust mindset across your architecture.
- Control the narrative of what SASE brings to your organization.
Long-term benefits
- Identified controls to mitigate risks with current architecture while on a zero trust journey.
- Improved security posture that reduces risk by increasing visibility into threats and user connections.
- Reduced CapEx and OpEx due to the scalability, low staffing requirements, and improved time to respond to threats using a SASE or SSE solution.
Determine SASE cost factors
IT and business value
Info-Tech Insight
IT leaders need to examine different areas of their budget and determine how the adoption of a SASE solution could influence several areas of their budget breakdown.
Determining the SASE cost factors early could accelerate the justification the business needs to move forward in making an informed decision.
- 01 - Infrastructure
- 02 - Administration
- 03 - Inbound
- 04 - Outbound
- 05 - Data Protection
- 06 - Monitoring
Info-Tech's methodology for securing your hybrid workforce
 | 1. Current state and future mitigation | 2. Assess the benefits of moving to SASE/zero trust |
---|---|---|
Phase Steps | 1.1 Limitations of legacy infrastructure 1.2 Zero trust principle as a control 1.3 SASE as a driver of zero trust | 2.1 Sourcing out a SASE/SSE vendor 2.2 Build a zero trust roadmap |
Phase Outcomes | Identify and prioritize risks of current infrastructure and several ways to mitigate them. | RFP template and build a zero trust roadmap. |
Consider several factors needed to protect your growing hybrid workforce and assess your current resource capabilities, solutions, and desire for a more mature security program. The outcome should either address a quick pain point or a long-term roadmap.
The internet is the new corporate network
The internet is the new corporate network, which opens the organization up to more risks not protected by the current security stack. Using Info-Tech's methodology of zero trust adoption is a sure way to reduce the attack surface, and SASE is one useful tool to take you on the zero trust journey.
Current-state risks and future mitigation
Securing your hybrid workforce via zero trust will inevitably include (but is not limited to) technological products/solutions.
SASE and SSE features sit as an overlay here as technological solutions that will help on the zero trust journey by aggregating all the disparate solutions required for you to meet zero trust requirements into a single interface. The knowledge and implementation of this helps put things into perspective of where and what our target state is.
The right solution for the right problem
It is critical to choose a solution that addresses the security problems you are actually trying to solve.
Don't allow the solution provider to tell you what you need – rather, start by understanding your capability gaps and then go to market to find the right partner.
Take advantage of the RFP template to source a SASE or SSE vendor. Additionally, build a zero trust roadmap to develop and strategize initiatives and tasks.
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Zero Trust and SASE Suitability Tool
Identify critical and vulnerable DAAS elements to protect and align them to business goals.
Zero Trust Program Gap Analysis Tool
Perform a gap analysis between current and target states to build a zero trust roadmap.
Key deliverable:
Secure Your Hybrid Workforce With Zero Trust Communication deck
Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.
Phase 1
Current state and future mitigation
Phase 1 | Phase 2 |
---|---|
1.1 Limitations of legacy infrastructure 1.2 Zero trust principle as a control 1.3 SASE as a driver of zero trust | 2.1 Sourcing out a SASE/SSE vendor 2.2 Build a zero trust roadmap |
This phase will walk you through the following activities:
- Introduction to the tool, how to use the input tabs to identify current challenges, technologies being used, and to prioritize the challenges. The prioritized list will highlight existing gaps and eventually be mapped to recommended mitigations in the following phase.
This phase involves the following participants:
- CIO
- CISO
- CSO
- IT security team
- IT network team
1.1 Limitations of legacy infrastructure
Traditional security & remote access solutions must be modernized
Info-Tech Insight
Traditional security is architected with a perimeter in mind and is poorly suited to the threats in hybrid or distributed environments.
Ensure you minimize or eliminate weak points on all layers.
- SECURITY
  - DDoS
  - DNS hijacking
  - Weak VPN protocols
- IDENTITY
  - One-time verification allowing lateral movement
- NETWORK
  - Risk perimeter stops at corporate network edge
  - Split tunneling
- AUTHENTICATION
  - Weak authentication
  - Weak passwords
- ACCESS
  - Man-in-the-middle attack
  - Cross-site scripting
  - Session hijacking