Part 1

Help Prevent Data Breaches with SSE

Posted: April 20, 2023

Introduction

Is there anything scarier than the idea of seeing your business making headlines as the victim of the latest data breach? Perhaps the price tag?

According to the 2022 IBM Cost of a Data Breach report, 83% of organizations have had more than one data breach at an average cost of $4.35M for each instance; this increases by another $1M when you add remote work to the mix.

One way to help keep your business out of the headlines is to take the first steps in the journey to a Zero Trust Architecture using SSE.

I’ve heard of SSE and Zero Trust Architecture; what are they?

Gartner coined the term SSE, or Security Service Edge, in 2021 to describe the delivery, as a single platform, of four technologies that are typically sold independently. These technologies include:

  • ZTNA—Zero-Trust Network Access
  • CASB—Cloud Access Security Broker
  • SWG—Secure Web Gateway
  • FWaaS—Firewall as a Service

In SSE, a foundational strategy called Zero Trust Architecture underlies the design of all these technologies. This is fully documented in NIST 800-207; however, to partially quote the summary, “Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location…”. Whether someone is in the office on a corporate asset or in a coffee shop on their personal mobile device, they’re treated as untrusted until proven otherwise.

What do the parts do, and how do they help prevent data breaches?

An SSE combines technologies that have existed for several years into a single, cohesive platform, usually managed from a single pane of glass. In this section, we’ll dig into the four major components and look at how they help secure your data.

Zero-Trust Network Access (ZTNA)

Zero-Trust Network Access (ZTNA) serves as the foundation for a robust SSE, and all top-performing platforms build upon it. While many people view ZTNA as a glorified, always-on VPN replacement, it offers more than VPN-like connectivity (and that connectivity may terminate in the vendor’s cloud rather than in your own VPN infrastructure).

ZTNA acts as the gatekeeper for all traffic accessing your on-premises enterprise resources. It facilitates a Zero Trust Architecture by authenticating and authorizing all sessions, and enforces the Principle of Least Privilege. With proper implementation, the potential damage from a data breach is confined to the data and systems the compromised user or asset can access. ZTNA achieves this at the network level.
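To make the ZTNA decision concrete, here is an added example (not code from the original post or from any SSE vendor) that contrasts a perimeter-style check, where being on the corporate LAN is enough, with a Zero Trust policy decision point that authenticates, checks device posture and then authorizes each session per resource. The session fields, entitlement table and resource names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example: a minimal ZTNA-style policy decision point shown
# next to the perimeter model it replaces. Nothing here is vendor code.

@dataclass(frozen=True)
class Session:
    user: str
    authenticated: bool   # identity verified, e.g. via SSO with MFA
    device_managed: bool  # device posture check passed
    network: str          # where the request came from; logged, never trusted

# Hypothetical entitlement table: each user -> resources needed for their job
ENTITLEMENTS = {
    "alice": {"hr-portal"},
    "bob": {"git", "ci"},
}
ALL_RESOURCES = {"hr-portal", "git", "ci", "finance-db"}

def perimeter_authorize(session: Session, resource: str) -> str:
    """Legacy model: being on the corporate LAN is treated as proof of trust."""
    return "allow" if session.network == "corporate-lan" else "deny"

def zt_authorize(session: Session, resource: str) -> tuple[str, str]:
    """Zero Trust model: deny by default; authenticate, check device posture,
    then authorize this session for this specific resource (least privilege).
    Network location plays no part in the decision."""
    if not session.authenticated:
        return ("deny", "session not authenticated")
    if not session.device_managed:
        return ("deny", "device posture check failed")
    if resource not in ENTITLEMENTS.get(session.user, set()):
        return ("deny", f"{session.user} is not entitled to {resource}")
    return ("allow", f"{session.user} entitled to {resource}; network={session.network} logged only")

def blast_radius(user: str) -> list[str]:
    """Resources reachable with this user's credentials on a compliant device:
    the most a compromised account can expose under this policy."""
    probe = Session(user, authenticated=True, device_managed=True, network="unknown")
    return sorted(r for r in ALL_RESOURCES if zt_authorize(probe, r)[0] == "allow")

if __name__ == "__main__":
    lan_guest = Session("alice", authenticated=False, device_managed=True, network="corporate-lan")
    print(perimeter_authorize(lan_guest, "finance-db"))  # allow: location alone granted access
    print(zt_authorize(lan_guest, "finance-db"))          # deny: no implicit trust from location
    print(blast_radius("bob"))                            # ['ci', 'git']
```

The `blast_radius` helper is the point of the paragraph above: with bob’s credentials an attacker reaches only bob’s two resources, never the HR portal or the finance database.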

Cloud Access Security Broker (CASB)

If ZTNA is the gatekeeper for remote access to on-premises resources, a Cloud Access Security Broker (CASB) is Big Brother for cloud SaaS applications. Unlike ZTNA, which sits between the end user and the corporate network, CASBs can perform in-line controls via remote browser isolation (RBI) or reverse proxy with URL rewriting. In addition, they offer out-of-band controls by connecting to the SaaS application’s management API. Modern CASBs offer app governance, configuration visibility (CSPM/SSPM), and information protection services to ensure that sensitive data is not transferred or stored improperly.

As with ZTNA, when a CASB is properly implemented and tied into the enterprise SSO (single sign-on) system, the Zero Trust Architecture and Principle of Least Privilege are enforced for supported cloud apps. Only fully authenticated users can access the data and services they need to perform their jobs, and in the case of a compromise or insider threat, exposure is limited to just the SaaS services and data that user has access to.

Secure Web Gateway (SWG)

As not all user access is limited to corporate resources or SaaS platforms, protection also needs to extend to the rest of the Internet. A Secure Web Gateway (SWG) provides this service and behaves like a “traffic cop” for the World Wide Web. It is typically implemented as a standard web proxy and performs traffic inspection on both inbound and outbound web traffic.

Some notable services provided by SWG include:

  • URL filtering to control the nature of the content employees can access
  • Security inspection for malicious files/code or malware
  • Information Protection services to ensure sensitive data isn’t exfiltrated

As with the other services, SWG implements Zero Trust Architecture by not allowing access to the web until the user has been authenticated. The user’s access is then limited based on their profile; by allowing access only to sanctioned sites, the opportunity to exfiltrate data is reduced.

Firewall as a Service (FWaaS)

Firewall as a Service (FWaaS) extends enterprise firewall protections to the end user. Virtual firewalls are implemented as a cloud service, are centrally managed, sit between the user and the Internet for all non-web traffic, and typically all share a common ruleset. This ensures all users have a consistent set of next-gen firewall protections for both inbound and outbound traffic.

While there is some overlap with SWG, the usual services offered by FWaaS are:

  • URL Filtering
  • Intrusion Detection/Prevention
  • Advanced Threat Prevention
  • Sandboxing
  • DNS Security

Advanced security services such as those listed above ensure that end users receive the same protection no matter where they are or what they are accessing. By providing both inbound and outbound protection, they greatly reduce the likelihood of a successful compromise compared with the protections normally offered by an end user’s home router.

In the next installment, we will discuss the advantages of adopting SSE, its alignment with compliance requirements, and how it can contribute to a safer and more secure enterprise environment.

***

This blog was written by Brett Wyer, Michael Morrison, and Jamie Zolan