March 01, 2023
Assess and Optimize Cloud Security Tools as Part of Zero-Trust Initiatives
Organizations should evaluate current capabilities to identify gaps and reduce redundancies.
Many organizations are embarking on the journey toward zero trust, the principle that every user must be authenticated, authorized and continuously validated for security posture and configuration before being allowed to access data and applications. Establishing a zero-trust architecture is an iterative process, and the road to maturity can be lengthy. As organizations move in that direction, cloud security can be a critical area of focus.
For all the benefits that cloud computing delivers, it poses challenges from a security perspective. With applications no longer concentrated in the data center and instead spread across various as-a-service environments, many organizations lack adequate visibility and control over data and applications, a problem exacerbated by remote work. Dispersed data makes it difficult to achieve visibility and maintain control, and cloud environments have a high potential for misconfigurations that increase cybersecurity risk.
Advantages of Secure Access Service Edge
Secure access service edge (SASE), also called secure service edge (SSE), is a security approach that combines network and security functions. It can help organizations close security gaps with cloud-based SaaS applications and mobile workforce devices. SASE solutions typically incorporate a variety of cloud-based security tools and strategies, including zero trust, secure web gateways, firewall as a service and cloud access security brokers. By implementing these capabilities, SASE can provide better security than a traditional VPN.
Typically, a VPN determines access based on large-group policies — the opposite of the granular, contextual access control found in a modern zero-trust architecture. As a result, access defined by a VPN policy may be too broad. Furthermore, VPNs don’t integrate effectively with identity management tools and lifecycles. SASE-oriented solutions help to resolve these issues by eliminating legacy group policies in favor of application-level control on a user-by-user basis, based on Active Directory group and dynamic access governance policies.
Evaluate Cloud Security Tools for Current Needs and Challenges
Figuring out how to enable and optimize various cloud security capabilities under the SASE umbrella has become a priority for many organizations, regardless of whether they are deploying a zero-trust architecture. Over time, organizations have added tools to their existing platforms or obtained capabilities through acquisitions. This complexity — and, in some cases, redundancy — has been increased by the fact that platform solutions now offer multiple capabilities that in the past were provided by individual tools.
Accordingly, organizations need to determine how to optimize existing investments while identifying and addressing gaps. They are asking questions such as:
- Are we using each tool to its fullest capability?
- Where do overlaps exist, and are there opportunities to consolidate?
- How can we leverage existing investments to achieve business and IT objectives, such as pursuing a zero-trust architecture or improving cloud security?
- How can we integrate disparate tools into a cohesive, efficient ecosystem?
Answering these questions requires understanding what each solution can provide individually and, alternatively, what might be achieved from a holistic platform approach. For example, a company might use a next-generation secure web gateway and a cloud access security broker, both of which have data loss prevention capabilities. Determining which tool to rely on for DLP (or opting instead to use a holistic platform) can help the organization ensure a more effective posture.
Cloud security can sometimes seem as sprawling as the cloud itself, and it’s important to periodically reassess the solutions and strategies in place to ensure they are still aligned with IT and business objectives.
Story by John Candillo, a field CISO at CDW. He is an accomplished cybersecurity expert with more than 20 years in security. John specializes in providing executive guidance around risk, governance, compliance and IT security strategies. He has designed several processes and assessments to help organizations align security initiatives and quantify risk in a way that translates cybersecurity into the language of business. At the core of his thought leadership is a passion for helping protect the world from cyberthreats by enabling the private sector to build robust, business-aligned cybersecurity programs.