The security needs of modern businesses have evolved significantly in recent years. While digital transformation and cloud migration have helped improve productivity, flexibility, and mobility, they have also seen more and more data moving off premises and far beyond the reach of traditional security tools. In order to address this, businesses need to adopt a new mentality towards security, leveraging relevant controls designed for specific needs that will keep data safe wherever it goes. This article discusses the growing importance of cloud-first security solutions that are designed to provide consistent, comprehensive protections for any interaction in any use case in our cloud-first world.
A modern approach to cloud security is needed
The proliferation of cloud computing, mobile devices, and remote working is rapidly rendering legacy on-premises security solutions like firewalls obsolete. Today, effective security measures must be delivered for and from the cloud, securing any interaction and addressing any use case. The need to simultaneously secure access to cloud services, block cyber threats like malware, prevent data leakage, enable secure remote work, and comply with regulatory frameworks is enough to give any security team a major headache.
How can vendors and end users ensure cloud security?
Fortunately, there are highly effective cloud security platforms now available that integrate complementary technologies in order to defend data wherever it goes — any app, device, web destination, on-premises resource, or infrastructure. These are known as secure access service edge (SASE) platforms, and three of the main technologies that they unify are those of cloud access security brokers (CASBs), on-device secure web gateways (SWGs), and zero trust network access (ZTNA).
1. Multi-mode cloud access security brokers
Businesses typically use multiple public cloud applications every day, including Office 365, G Suite, Salesforce, and Box. While these application providers are responsible for securing their underlying infrastructure, the applications themselves are freely accessible to any user, on any device, from anywhere in the world. As such, it is the customers themselves who must ensure the security of any data that is stored and accessed within the apps.
CASBs provide robust, real-time controls for how and when users can access applications, and deliver visibility and control over data at rest and how it is shared. This is accomplished through what is known as a multi-mode CASB, which uses proxies for security at access and API integrations for security over data at rest. CASB technology allows SASE platforms to encrypt cloud data, prevent leakage through DLP capabilities like redact and quarantine, and defend against malware at upload, at download, and at rest in the cloud.
2. On-device secure web gateways
The web is simultaneously an indispensable asset and a breeding ground for threats. Every time they go online, users can easily wander into domains where they can be infected with malware, become victims of credential compromise, or leak sensitive data. Unfortunately, traditional security solutions like “VPNing into” the corporate firewall for traffic inspection can create an increasingly cumbersome bottleneck, particularly when there are large numbers of remote users involved. On-premises solutions require the use of appliances that are expensive to maintain and challenging to scale effectively. Likewise, backhauling traffic to a cloud proxy SWG introduces a latency-inducing network hop and invades user privacy because all user content is inspected at the proxy, including personal login credentials.
With an on-device SWG, all cloud traffic is decrypted and inspected locally (directly on users’ devices), and only security events are uploaded to the cloud. Not only does this enable the solution to preserve user privacy, but it also eliminates latency and delivers thorough web security. Threat URLs and unmanaged applications are blocked before they can be visited, and employee access to content is controlled by variables like category, destination trustworthiness, user group, device type, and location. On-device SWGs are core components of SASE offerings and boast a modern architecture that is perfect for growing, mobile, and remote workforces. Forgoing the use of hardware appliances and performing SWG functionality on devices themselves provides maximum scalability, uptime, and performance.
3. Zero trust network access
While the vast majority of businesses have migrated to the cloud and embraced SaaS apps to some extent, most continue to maintain some on-premises applications as well. These internal resources typically house organisations’ most sensitive information and require strict access control. Some firms enable remote access to these applications via traditional VPNs. However, once a user has entered a network via VPN, they gain full access to everything therein, violating the core principles of zero trust. Instead, a more secure approach would be to only give users access to specific applications as needed.
As the old adage goes, ‘trust must be earned.’ ZTNA takes the approach that no one is trusted by default as they access on-premises apps, meaning verification is required from everyone trying to gain access to sensitive resources. Leading SASE platforms provide agentless ZTNA for browser apps (a perfect fit for BYOD), as well as more standard agent-based ZTNA for securing thick client apps like SSH and remote desktops. Once users are authenticated via SSO and their traffic is being proxied, secure access to sensitive apps and files is enabled, and real-time protections like DLP and ATP are enforced. Users who are not authenticated or deemed trustworthy are simply denied access.
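The contrast between VPN access and per-application ZTNA decisions described above, sketched as an added illustration (not from the original article or any vendor's product). The app catalogue, group names and Request fields are hypothetical.

```python
from dataclasses import dataclass, replace

# Hypothetical catalogue: app -> (kind, groups granted access).
# "browser" apps can be proxied agentlessly; "thick" apps (SSH, remote
# desktop) require the agent on the device, as the text describes.
APPS = {
    "wiki":        ("browser", {"staff", "engineering"}),
    "payroll":     ("browser", {"finance"}),
    "ssh-build01": ("thick",   {"engineering"}),
    "rdp-finance": ("thick",   {"finance"}),
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    sso_authenticated: bool
    device_has_agent: bool  # False models an unmanaged BYOD device
    app: str = ""

def vpn_reachable(req):
    """Legacy model: once on the VPN, every internal app is reachable."""
    return set(APPS) if req.sso_authenticated else set()

def ztna_decide(req):
    """Return (allowed, reason). Default deny; each app is judged alone."""
    if not req.sso_authenticated:
        return False, "not authenticated via SSO"
    entry = APPS.get(req.app)
    if entry is None:
        return False, "unknown application"
    kind, allowed_groups = entry
    if not (req.groups & allowed_groups):
        return False, "no group grant for this application"
    if kind == "thick" and not req.device_has_agent:
        return False, "thick-client app requires the agent"
    mode = "agentless proxy" if kind == "browser" else "agent"
    return True, f"allowed via {mode}"

def ztna_reachable(req):
    """Apps this user and device would be granted, one decision per app."""
    return {a for a in APPS if ztna_decide(replace(req, app=a))[0]}

if __name__ == "__main__":
    byod = Request("dana", frozenset({"engineering"}), True, False)
    print("VPN :", sorted(vpn_reachable(byod)))
    print("ZTNA:", sorted(ztna_reachable(byod)))
```
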
Legacy network security solutions built around on-premises appliances simply cannot support the evolving demands of modern cloud-based business operations. Digital transformation of IT requires transforming security and adopting solutions designed for a variety of use cases in our cloud-first world. Fortunately, SASE platforms provide the needed, comprehensive data and threat protection capabilities that provide complete peace of mind wherever your data goes.