CyberCompare

Security in the cloud: Secure Access Service Edge (SASE) and Zero Trust Network Access (ZTNA) for manufacturing companies?

Is it all hype, or old wine in a new bottle?

Secure Access Service Edge (SASE) and Zero Trust Network Access (ZTNA) are relatively new developments on the cybersecurity market for facilitating secure work on cloud applications.

Both technological approaches have very strong market growth, which is, of course, also driven by pandemic-related work-from-home arrangements.

What exactly is behind these terms, and how are these technical approaches relevant for industrial companies?

Let’s take a short excursion into the network technology history books:

Most corporate networks for data communication are currently based on Multi Protocol Label Switching (MPLS), which was introduced some 20 years ago. The advantage of MPLS versus older technology (traditional topology; routing protocol; and Interior Gateway Protocol technology, such as Open Shortest Path First) was a higher transmission speed and usable capacity of the available routers. Instead of hopping from one router to the next (hop-by-hop), and having to make a new decision each time with regard to where to send the data next, a path is set at the beginning. This means that there are fewer routers required per user or application.

Software is eating the world

Around ten years ago, the first Software Defined Wide Area Networks (SD-WANs) were introduced. SD-WAN technology often has cost advantages over MPLS, especially for distributed applications, dynamic adaptation of network and data volume (e.g., the spontaneous setup of home workstations), and cloud usage. Why?

With MPLS, all connections are routed through a central data center (hub-and-spoke model). Here, the routers, switches, and connections have higher data volumes than if direct connections were possible. In addition, the feasible data volume is specified with the architecture. Either one builds in enough of a buffer for peak loads (and pays for what usually amounts to unused capacity), or one must live with the fact that the network’s performance suffers when data volume is higher.

With SD-WAN, among other things, prioritization of specific applications is possible via the network capacity available. This means there is no judder or interference in team or Zoom meetings if a colleague downloads a video.

Ultimately, with SD-WAN, fewer routers and less data volume are needed per user than with MPLS.

SD-WAN use is on the rise, and market estimates predict a quadrupling of implementations around the world, along with revenues of EUR 7 to 8 billion over the next 5 years.

In most SD-WANs, however, the routing algorithms are not optimized for data security. Therefore, at most companies, data traffic is routed through a centralized firewall. Logging into the corporate network when using the Internet (when working from home, for example) is usually possible only via a Virtual Private Network (VPN).

What is a VPN again? Ah, right, that was that thing on my work laptop.

With VPNs, our data traffic is encrypted and the VPN server appears as the source (rather than our own IP address). This means that our data traffic can no longer be readily read or hacked from the outside – not even by our Internet service provider. With VPN services, there are, of course, graduated levels of security (e.g., kill switches, multi-factor authentication, and cookie encryption). Practical implementation from a user perspective can also vary (client-to-server VPNs for many of us who dial in from a corporate computer; SSL VPNs primarily for BYOD devices; and, sometimes, site-to-site VPNs for connected sites of large organizations).

With a VPN, however, access to the corporate network is binary: it is either granted or denied. After a successful login to the network, users are typically no longer subject to more-sophisticated access restrictions. This then allows hackers to make so-called lateral movements. The VPN application itself does not check the status of the user's end device. If the user (or their computer or cell phone) has already been compromised, hackers can use this to gain access to what should be a secure corporate network.

With conventional SD-WAN, the network technology is therefore separate from security solutions.

And here it is: SASE

SASE platforms, on the other hand, connect network optimization and security functions from one source, and they do it all from the cloud.

SASE service providers offer SD-WANs as a service from the cloud, and they also allow integration of functionalities such as:

  • Secure cloud access for data and applications in the cloud
  • Secure web gateways for access to local data and applications (normally “virtual appliances,” too, and pure software)
  • Firewall as a service
  • Identity checks for users via multi-factor authentication (MFA)
  • Assignment of individual access rights for files and usage rights for programs to employees and other users (also context-dependent)

SASE platforms will also, in all likelihood, become a billion-dollar market for IT vendors in the near future.

Or at least that is what the “usual suspects” are hoping: Cisco, Juniper, Akamai, Check Point, Fortinet, Sophos, Zscaler (security as a service), Cloudflare, and Palo Alto. In parallel, there are also many small providers with (sometimes) very high-performance solutions, such as ColorTokens, CounterTack, Tempered, Zenlayer, and Censys, to name just a few.

An example overview of SASE products:

https://www.cisco.com/c/en/us/products/security/sase.html

https://www.juniper.net/us/en/products-services/what-is/sase/

https://www.cloudflare.com/de-de/teams/sase/

Finally, an increasing number of companies use cloud applications. Data volumes used are rising continuously, and ever more companies carry out online transactions with business partners.

SASE unifies the security architecture, enabling the number of security vendors used to be reduced. Changes in the network architecture should also be easier to carry out.

However, not all market observers are convinced that SASE platforms will prevail as a concept. This is perhaps grounded in self-interest. And, of course, no one has said that individual platforms can actually replace the multitude of specialized solutions that exist today.

Why do people still need Zero Trust Network Access (ZTNA)?

Alone, ZTNA is not a solution or a software package; rather, it exists to establish the concept of zero trust (no trust by default, mutual authentication, application-based access control) as a component of comprehensive SASE platforms.

In the future, SASE platforms with ZTNA should offer the following:

  • Increased security against attacks, since only access to a subset of the enterprise network is granted
  • Flexible data capacity based on actual need, and, with that, improved network performance
  • A reduced need for capital for on-premise structures and software licenses (linked to higher ongoing expenses)
  • Reduced maintenance and care expenses/effort
  • Efficient operation with greater specification automation
  • Secure single sign-on, even for BYOD devices (the device, patch status, and location can be checked prior to the allocation of user rights, and limits can be set)
  • Defense from data theft, cloud phishing, malware, ransomware, DDoS attacks, and other attacks
  • Limits on access to data via identity checks – independent of whether users are in the corporate network or outside the network – and, with that, improved protection against insider attacks
  • Review of data traffic (independent of protocols) in layer 7 (content inspection)
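
The difference between the all-or-nothing VPN login and the per-application check listed above (identity, device, patch status and location evaluated before rights are allocated), as an added example that is not part of the original article. The policy fields, application names, thresholds and the sample request are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_passed: bool
    device_managed: bool
    patch_age_days: int
    country: str
    app: str

# Hypothetical per-application policy, constructed for this example.
POLICY = {
    "mes-dashboard": {"groups": {"production"}, "managed_only": True,
                      "max_patch_age": 30, "countries": {"DE", "AT"}},
    "hr-portal": {"groups": {"hr"}, "managed_only": False,
                  "max_patch_age": 60, "countries": {"DE", "AT", "CH"}},
}

def vpn_reachable(req):
    """All-or-nothing model: a successful login exposes every application."""
    return set(POLICY) if req.mfa_passed else set()

def ztna_decide(req):
    """Default deny: every condition is evaluated for the one requested app."""
    rule = POLICY.get(req.app)
    if rule is None:
        return False, ["no policy for this application"]
    reasons = []
    if not req.mfa_passed:
        reasons.append("MFA not completed")
    if not req.groups & rule["groups"]:
        reasons.append("user not in an authorised group")
    if rule["managed_only"] and not req.device_managed:
        reasons.append("unmanaged device not allowed")
    if req.patch_age_days > rule["max_patch_age"]:
        reasons.append("patch status too old")
    if req.country not in rule["countries"]:
        reasons.append("location not allowed")
    return not reasons, reasons

def ztna_reachable(req):
    """Applications this user and device could open under the ZTNA policy."""
    return {app for app in POLICY if ztna_decide(replace(req, app=app))[0]}

# Constructed request: HR employee on a private (BYOD) phone, 45 days unpatched.
BYOD = Request("a.meier", frozenset({"hr"}), True, False, 45, "DE", "hr-portal")
```

With the same valid login, `vpn_reachable(BYOD)` returns both applications, while `ztna_reachable(BYOD)` returns only `hr-portal`; the returned reasons are what a help desk or SOC would log for a denied request.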

How relevant is that for companies with in-house logistics centers and plants?

What does this all mean for manufacturing companies with operational technology, industrial automation technology, and networked devices at customers (OT, IoT, and ICS)?

The following already applies today: When using a cloud connection, the possibility of (a) malicious code being introduced from the cloud and (b) data migrating to the cloud that should not be there should be taken into account. One recommended option is therefore that the local server for cloud communication be in a separate DMZ that is protected by firewalls. All traffic from the cloud should terminate on this server. In parallel, this server should be able to communicate (possibly via a VPN tunnel) only with selected production controllers (levels 0-2 in the Purdue model). The cloud DMZ should be created separately from the other DMZ (DMZ between the corporate network and the OT network, DMZ for remote attacks).
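
One way to audit observed or configured flows against the cloud DMZ rules described above, as an added example that is not part of the original article. The address plan, the cloud server address, the list of selected controllers and the sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan for illustration (assumption, not from the article).
ZONES = {
    "cloud_dmz": ipaddress.ip_network("10.50.0.0/28"),
    "other_dmz": ipaddress.ip_network("10.40.0.0/24"),
    "ot": ipaddress.ip_network("10.10.0.0/16"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
}
CLOUD_SERVER = ipaddress.ip_address("10.50.0.5")
SELECTED_CONTROLLERS = {ipaddress.ip_address(a) for a in ("10.10.1.10", "10.10.1.11")}

def zone_of(addr):
    """Map an address to a plant zone; anything outside the plan counts as cloud."""
    return next((name for name, net in ZONES.items() if addr in net), "cloud")

def check_flow(src, dst):
    """Return None if the flow fits the cloud DMZ rules, else the violated rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    zs, zd = zone_of(s), zone_of(d)
    if zs == zd:
        return None  # intra-zone traffic is out of scope for this check
    if "cloud" in (zs, zd):
        local = d if zs == "cloud" else s
        if local != CLOUD_SERVER:
            return "cloud traffic must terminate on the cloud DMZ server"
        return None
    if "cloud_dmz" in (zs, zd):
        peer = d if zs == "cloud_dmz" else s
        if peer not in SELECTED_CONTROLLERS:
            return "cloud DMZ may only reach selected production controllers"
    return None

def audit(flows):
    """Return (src, dst, reason) for every flow that breaks a rule."""
    return [(s, d, why) for s, d in flows if (why := check_flow(s, d))]

# Constructed sample flows (src, dst).
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.50.0.5"),     # cloud -> cloud DMZ server: allowed
    ("10.50.0.5", "10.10.1.10"),      # server -> selected controller: allowed
    ("10.10.3.44", "198.51.100.20"),  # OT device straight to the cloud
    ("10.50.0.5", "10.40.0.12"),      # cloud DMZ reaching another DMZ
    ("10.50.0.5", "10.10.7.1"),       # server -> controller not on the list
    ("10.20.5.5", "10.40.0.12"),      # unrelated to the cloud DMZ
]

if __name__ == "__main__":
    for s, d, why in audit(SAMPLE_FLOWS):
        print(f"{s} -> {d}: {why}")
```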

The trend in the OT and IoT environments is also increasingly to move toward the cloud. Thus, sooner or later, SASE platforms with ZTNA will also be widely used by OT and IoT device operators (probably even sooner in the case of networked devices and plants, where large amounts of data are typically collected and processed). Eventually, additional solutions such as data diodes will also see use.

As VPN implementation often comes with security loopholes (particularly in the OT environment), an increase in the security level is conceivable via SASE/ZTNA.

Challenges that remain in the industrial environment:

  • Real-time requirements
  • Limited options for patching
  • Non-secure protocols and devices at the field level (“insecure by design”), with no option for encryption or user authentication

Are OT and IoT security issues for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.