SASE, Zero Trust, and Microsoft Office 365 Security

Jeremy Wittkop, CTO

06.10.2020

Learn more about this topic in our on-demand webinar.

Microsoft and Data Protection: What’s the Story?


In 2014, Google launched a security framework called BeyondCorp, which introduced the concept of Zero Trust security. This approach is founded on the idea that trust should never be assumed for any reason and should be verified for every transaction, regardless of identity or location.

Most security leaders and practitioners agreed with Zero Trust in principle, but the concepts in BeyondCorp were very difficult to implement. In 2019, Gartner introduced the Secure Access Service Edge (SASE) framework. SASE defines a number of traditionally on-premises security and identity services that are moving to cloud-native architectures and converging into a suite of microservices. This consolidation is poised to redefine security architectures for the next 10 years, much like Next Generation Firewalls have defined security architectures for the past 10 years.

Many security companies are moving towards fulfilling the vision of SASE, but a select few have the necessary breadth of technologies to truly implement a SASE framework. Examples include Netskope, Forcepoint, Broadcom, Palo Alto Networks—and Microsoft.

Although Microsoft is not traditionally considered a security vendor, they have invested significantly in their security toolset over the past few years. Microsoft also has important elements of the SASE framework that few of the others possess, such as identity and access management controls.

InteliSecure believes that a SASE framework is the best way to protect data in the modern enterprise and achieve the objectives of Zero Trust. Our belief in the SASE framework is reflected in our strategic partnerships with technology vendors. Our partners are those that have significant capabilities to help organizations embrace the SASE vision.

In this blog, we will introduce our strategic partner, Microsoft, through the lens of Zero Trust Networking and SASE.

Zero Trust

The underlying concepts of Zero Trust are not new. Zero Trust is similar to the principle of Least Privilege and Need to Know, which are 30-year-old security concepts. In fact, before Zero Trust, no security practitioner would have openly accepted physical location as an official factor of authentication. However, many security programs relied on a “castle-and-moat” security strategy that granted a de facto level of trust to users inside a trusted zone. They put that zone inside a protected perimeter and organized their defenses and authentication mechanisms to ensure that only authorized users could access it.

For many years, systems and authentication methods have been built to reduce user friction, rather than limit privileges to only what users need and only when they need them. Virtual Private Networks (VPNs) are an example of that permissive approach. If I am a remote user, and I need to access an asset on the internal network, my authentication grants me access not just to that single asset, but to the entire network. That additional access doesn’t benefit me. But if an attacker gains that same access, he or she has significant freedom to cause major damage.

While allowing people more access than they need is easier for security teams, IT teams, and the users themselves, it is of no business value. And the practice introduces significant risk to the organization.

The result of the perimeter approach has been massive data breaches. Most of those breaches would not have been completely prevented with a Zero Trust architecture. But the damage would have been limited by upwards of 90% in most cases.

Technology providers like Microsoft are working to provide tools that limit over-permissive postures and enable the move toward Zero Trust. One example in the Microsoft ecosystem is just-in-time (JIT) privileges, which allow the organization to grant elevated permissions to users only when they need them—and for a limited time.

Traditional access models have never been secure, but they presented less risk when remote workers were a minority of the workforce. Today, a majority of workers are remote, and the urgency to move towards a Zero Trust model has increased dramatically.

It should be noted that the Zero Trust ideal is a journey, not a destination. There is a continuum: Zero Trust sits at one end, granting everyone in the organization administrator privileges sits at the other, and most organizations fall somewhere in between. It is not all or nothing.

Figure: Move from high risk to lower risk.

Organizations can move on the continuum to get closer to Zero Trust without implementing all its principles overnight. This is important to understand because moving toward Zero Trust reduces risk, but fully implementing it all at once is overwhelming and not something I would recommend.

Secure Access Service Edge (SASE)

An idea that’s central to the SASE concept is that many capabilities associated with on-premises data and network security will move to the cloud. There, they will be delivered as auto-scaling services in a cloud-native architecture. Like Zero Trust, this will not happen immediately, but organizations will slowly start migrating some of these services over time. (The COVID-19 pandemic has accelerated many organizations’ digital transformation initiatives, and by consequence, their SASE initiatives, but few organizations have fully implemented this vision.)

It is important to understand the relationship between SASE and Zero Trust because they are not the same thing. Essentially:

  • Zero Trust is an ideal that organizations should drive towards to secure data and systems.
  • SASE is a methodology to accomplish Zero Trust in a cloud-native architecture.

Dozens of technologies make up the overall SASE architecture, including some impactful examples:

  • Data Loss Prevention
  • Cloud Access Security Broker (CASB)
  • Firewalls
  • Secure Web Gateway
  • Remote Browser Isolation
  • Web Application Firewall
  • User and Entity Behavior Analytics (UEBA)
  • VPN/VPN Alternatives
  • Content Delivery Networks

As you might see, fully implementing the SASE vision requires the convergence of historically disparate disciplines across security and network teams. Currently, no single company can implement the entire SASE vision. However, leaders in the space are leveraging their expertise in different technology areas to support the vision.

For example, Broadcom is strong in DLP, CASB, and Secure Web Gateway but has not historically been a player in the firewall space. Forcepoint is strong in DLP, Gateways, UEBA, and Firewalls, but has little experience with WAF or remote browser isolation. Netskope is very strong in CASB, Secure Web Gateway, and Private Access, but has not been a player in Firewalls.

Even with the breadth of Microsoft’s portfolio, they also do not cover all areas of the SASE vision. In general, choosing a vendor with a significant breadth of offerings and then augmenting that vendor with best-of-breed technologies to fill gaps or strengthen weaknesses is an effective strategy.

Many organizations own licensing packages from Microsoft that will allow them to implement significant portions of the SASE vision. Once organizations deploy the data protection tools they have from Microsoft, they can conduct a gap analysis to determine which vendor or vendors they should use to complement Microsoft and complete the SASE vision.

Microsoft and SASE

The major portions of the SASE framework that Microsoft addresses well are:

  • Microsoft Cloud App Security (CAS)
  • Data Loss Prevention (DLP) for email
  • Elements of Data Classification and Encryption delivered through Azure Information Protection (AIP)

The Microsoft platform also provides additional significant capabilities that are necessary for SASE, including conditional access, just in time access, and identity management capabilities.

When organizations do a gap analysis of their security capabilities, they most often discover they lack coverage in the UEBA space, elements of DLP, CASB outside the Microsoft ecosystem, and Secure Web Gateway. For these reasons, Netskope or Forcepoint have often been natural complements to a Microsoft strategy. While there is some overlap in technologies, both companies have made significant investments in co-development with the Microsoft teams.

Limitations—and the move to solve them

Overall, Microsoft is well positioned to help organizations begin their SASE journey and can be a core vendor as the SASE space evolves. However, the Microsoft tools that comprise SASE capabilities do not natively integrate or share information inside organizations that do not leverage Microsoft Sentinel. If Microsoft Sentinel is deployed, the ability to correlate events between technologies and gain visibility throughout the environment exists. However, there are still significant gaps in workflow and policy creation capabilities.

InteliSecure has set out to augment the Microsoft SASE capabilities by creating Aperture, a purpose-built workflow and collaboration console (currently in beta) to enable the effective use of AIP, Office 365 DLP, and Microsoft CAS. Organizations who leverage Aperture can easily build data protection policies across their Microsoft technologies and collaborate across teams to review events, investigate incidents, and drive down data risk across their organization.

Learn more about Aperture

InteliSecure clients have let us know they want to make the most of the data protection tools they have in their Microsoft ecosystem. Our in-beta Aperture platform is designed to enable collaboration and workflow, backed by InteliSecure’s world-class data-focused Managed Data Protection Services. To learn more, view our on-demand webinar, hosted by Skyler Butler, Director of Product Management, and Jeremy Wittkop, InteliSecure’s Chief Technology Officer.