
HPE Aruba Networking Blogs

Five ways to improve compliance with IT security standards using unified SASE

Organizations have moved a large share of their workloads to the cloud. Users connect from anywhere and reach sensitive cloud-hosted data over networks the organization does not control. To address the threats that come with growing volumes of cloud data, data privacy obligations and remote access, organizations are adopting zero trust and SASE (Secure Access Service Edge) architectures. At the same time, regulators and industry bodies have established frameworks and standards such as GDPR, the NIST Cybersecurity Framework, SOX, PCI DSS and HIPAA to protect organizations, employees and consumers and to reduce cybersecurity risk.

In 2022 alone, 493.33 million ransomware attacks were detected worldwide[1], and around 30 percent of adults worldwide encountered phishing scams[2]. In the United States, 1,802 data compromises (breaches, leakage and exposure) were recorded that year, affecting over 422 million individuals[3].

These regulations and standards help organizations address a range of cybersecurity threats, including:

  • Malware and ransomware: Infections originate from malicious websites, email attachments, software downloads and other files.
  • Phishing and social engineering: Attackers trick users into revealing credentials or other sensitive information.
  • Insider threats: Malicious or negligent actions by employees and contractors, such as data theft or sabotage, are difficult for organizations to detect.
  • Data loss and data breaches: Data exfiltration is a significant concern, and many regulations require organizations to report breaches to authorities and affected individuals within a set time.
  • Third-party risk: Vendors and suppliers are a major source of exposure. Regulations require organizations to perform due diligence on them and to verify that they meet the required security standards.
  • IoT growth: The number of IoT devices has grown rapidly in recent years, enlarging the attack surface, often with devices that cannot run security agents or be patched.

SASE is a term coined by Gartner in 2019 for Secure Access Service Edge. It combines SD-WAN with SSE (Security Service Edge), the cloud-delivered set of security functions that includes ZTNA (Zero Trust Network Access), CASB (Cloud Access Security Broker) and SWG (Secure Web Gateway).

Here are five ways SASE and SD-WAN help improve compliance with regulations and standards:

1. Data protection

To comply with regulations such as GDPR or HIPAA, organizations must protect sensitive data wherever it is stored and processed. CASB and DLP (Data Loss Prevention) enforce that protection. CASB discovers and monitors cloud applications, identifies the users accessing them and enforces enterprise-wide security policies. DLP identifies and classifies sensitive data based on content (for example, patterns matching card numbers or patient identifiers) and context, and monitors how users handle it.

Together, CASB and DLP identify data at risk and block users from uploading or downloading sensitive data to cloud applications such as Dropbox, GitHub or Salesforce, whether intentionally or by mistake. CASB also reduces shadow IT by identifying unsanctioned SaaS applications and enforcing policies such as strong authentication and Single Sign-On (SSO).

SD-WAN encrypts traffic between sites, and ZTNA encrypts traffic between a user and an application, protecting data in transit as regulations and standards require.

Note that a CASB inspects data in transit by decrypting TLS, which requires installing the inspection CA certificate in the trust store of every managed device. The private key of that CA can sign a certificate for any site, so regulators may require additional controls over how it and other encryption keys are stored and managed, and applications that pin certificates will break under inspection and need explicit exemptions. The alternative, API-based CASB, reads data already stored in the cloud application through the provider's APIs, where it is available in clear, with no interception of user traffic.

2. Access Control

Many standards and regulations require that access to systems and data be limited on a need-to-know basis according to each person's role in the organization. A Zero Trust architecture is the approach most often used to meet that requirement.

ZTNA provides least-privilege access through fine-grained segmentation based on role and identity: each user reaches only the applications their role requires, and only authorized users reach sensitive data. This is an additional layer of security compared with a traditional VPN, which places the connected user on the network and exposes every resource that is not separately firewalled. Some ZTNA solutions also offer agentless, browser-based access, so third-party contractors, whose unmanaged devices are a frequent source of non-compliance, can be given access without installing an agent. The trade-off is that device posture cannot be verified without an agent, so agentless access should be limited to what the contractor's role needs.

In branch locations, a secure SD-WAN with next-generation firewall capabilities provides micro-segmentation to protect critical parts of the LAN and the WAN. Administrators create zones, assign applications to them and define security policies that control traffic between zones. A policy can block all traffic between two zones, allow sessions to be initiated in one direction only, or restrict interzone traffic to specific applications. The same mechanism secures IoT devices that cannot run security agents by keeping IoT traffic isolated from mission-critical applications.
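The three policy shapes above (block, one direction only, specific applications only) are easier to reason about when written down as a small evaluator. The following is an added example, not code from HPE Aruba Networking or from EdgeConnect: zone names, address prefixes, application labels and the sample flows are all constructed, and the session table that lets replies pass without a reverse rule is the usual stateful-firewall behaviour, assumed here rather than taken from the page.

```python
"""Zone-based segmentation policy evaluator.

Added example, not code from HPE Aruba Networking or any product. It models the
three interzone policy shapes described above (block everything, allow sessions
in one direction only, restrict to specific applications) on top of default-deny,
with a stateful session table so that replies to an allowed session pass without
needing a rule in the reverse direction. Zone names, prefixes, application labels
and flows are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed zone definitions: first matching prefix wins, anything else is "wan".
ZONES: Dict[str, List] = {
    "corp": [ip_network("10.10.0.0/16")],
    "iot": [ip_network("10.20.0.0/16")],
    "pci": [ip_network("10.30.0.0/24")],
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "wan"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    apps: Optional[FrozenSet[str]] = None  # None means any application


# Rules are allow-only and directional. There is no (wan -> iot) rule, so the WAN
# cannot initiate sessions toward IoT devices, and nothing at all is permitted
# between "iot" and "pci" or between "iot" and "corp".
POLICY: List[Rule] = [
    Rule("corp", "wan"),
    Rule("iot", "wan", frozenset({"mqtt-tls", "ntp"})),  # IoT may only phone home over these apps
    Rule("corp", "pci", frozenset({"https"})),           # corp reaches the PCI zone over HTTPS only
]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    app: str  # application as identified by the firewall (constructed label)


@dataclass(frozen=True)
class Decision:
    action: str  # "allow" or "deny"
    reason: str
    src_zone: str
    dst_zone: str


class ZoneFirewall:
    def __init__(self, policy: List[Rule] = POLICY) -> None:
        self.policy = policy
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def evaluate(self, f: Flow) -> Decision:
        s, d = zone_of(f.src), zone_of(f.dst)
        # Replies to a session that was already allowed pass regardless of direction.
        if (f.dst, f.dport, f.src, f.sport) in self.sessions:
            return Decision("allow", "established-session-reply", s, d)
        if s == d:
            self.sessions.add((f.src, f.sport, f.dst, f.dport))
            return Decision("allow", "intrazone", s, d)
        zone_pair_has_rule = False
        for r in self.policy:
            if r.src_zone == s and r.dst_zone == d:
                zone_pair_has_rule = True
                if r.apps is None or f.app in r.apps:
                    self.sessions.add((f.src, f.sport, f.dst, f.dport))
                    return Decision("allow", f"rule {s}->{d}", s, d)
        if zone_pair_has_rule:
            return Decision("deny", f"app {f.app} not permitted {s}->{d}", s, d)
        return Decision("deny", f"no rule {s}->{d} (default deny)", s, d)


if __name__ == "__main__":
    fw = ZoneFirewall()
    sample = [  # constructed flows, evaluated in order
        Flow("10.20.1.5", 40001, "203.0.113.10", 8883, "mqtt-tls"),  # IoT telemetry out: allow
        Flow("203.0.113.10", 8883, "10.20.1.5", 40001, "mqtt-tls"),  # reply to it: allow (session)
        Flow("203.0.113.99", 55555, "10.20.1.5", 22, "ssh"),         # WAN initiating to IoT: deny
        Flow("10.20.1.5", 40002, "10.10.4.7", 445, "smb"),           # IoT to corp: deny
        Flow("10.10.4.7", 50000, "10.30.0.20", 443, "https"),        # corp to PCI over HTTPS: allow
        Flow("10.10.4.7", 50001, "10.30.0.20", 3389, "rdp"),         # corp to PCI over RDP: deny
    ]
    for f in sample:
        dec = fw.evaluate(f)
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} {f.app:9} {dec.action:5} {dec.reason}")
```

The point to notice is the absence of rules: the WAN never reaches IoT because no rule says it may, and IoT never reaches the corporate or PCI zones for the same reason, so the evaluator has to be default-deny for a "one direction only" policy to mean anything. Every decision carries a reason string, which is what a SIEM later needs to tell a misconfigured host from a probing one.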

3. Threat Protection

Regulations and standards often require organizations to enforce internet usage policies to reduce their exposure to web-borne threats.

SWG sits between users and the internet and inspects web traffic in real time. It scans for malicious activity, including malware downloads and phishing pages, and blocks malicious content, protecting data and systems as regulatory mandates require. SWG also blocks access to categories of websites whose content would violate acceptable-use or compliance requirements. Because most web traffic is encrypted, SWG decrypts and inspects TLS traffic, giving organizations the visibility into encrypted sessions that regulators expect, subject to the same certificate and key-management considerations noted above for CASB.

Secure SD-WAN solutions also include intrusion detection and prevention (IDS/IPS) and DDoS protection to protect users in branch offices. These functions are configured centrally and applied per firewall zone, so granular policies follow the segmentation already in place.

4. Centralized policy management

With a cloud-hosted management plane, SASE and SD-WAN let network and security administrators define policies centrally and push them immediately to remote users and branch offices. This keeps security policy consistent across branches and remote users, and makes it easier to demonstrate compliance with regulations and standards.

Centralized policy management lets administrators verify that the policies actually in force match the ones they established. This is particularly useful for remote sites overseas, where enforcing compliance is harder and where different regulatory mandates may apply, such as GDPR in Europe and CCPA in California.

5. Visibility, reporting and auditing

SASE and SD-WAN provide detailed visibility into network activity and security incidents. They monitor the network continuously so that operators can take remediation actions in real time.

They capture events about traffic sessions together with the reason each event was generated (for example, which policy allowed or denied the session). These events can be forwarded to a SIEM to help identify and respond to security incidents. Through the SIEM integration, security teams get a consolidated view of threats and vulnerabilities: they can filter, sort and navigate the security event notifications generated across the whole network to pinpoint the events that require further investigation.
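What "pinpointing the events that require further investigation" looks like in practice is shown by the added example below. It is not code from HPE Aruba Networking and the event format is constructed for illustration: one JSON object per line with timestamp, action, reason, source, destination, port and application, not the export format of any real device. It reduces a batch of session events to the sources worth a ticket and renders events as CEF, a common syslog-based format that SIEMs ingest; the vendor and product names in the CEF header are placeholders.

```python
"""Triage of firewall session events before they reach the SIEM.

Added example, not code from HPE Aruba Networking or any product. The event
shape below (one JSON object per line with ts, action, reason, src, dst, dport,
app) is constructed for illustration and is not the export format of any real
device. It shows two things described above: reducing the event stream to what
an analyst should look at, and converting events to CEF for SIEM ingestion,
with the vendor/product header fields assumed.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample export, not a real capture. The last line is deliberately malformed.
SAMPLE_EVENTS = """\
{"ts":"2024-03-01T09:00:01Z","action":"deny","reason":"no rule iot->corp","src":"10.20.1.5","dst":"10.10.4.7","dport":445,"app":"smb"}
{"ts":"2024-03-01T09:00:02Z","action":"allow","reason":"rule iot->wan","src":"10.20.1.5","dst":"203.0.113.10","dport":8883,"app":"mqtt-tls"}
{"ts":"2024-03-01T09:00:03Z","action":"deny","reason":"no rule iot->corp","src":"10.20.1.5","dst":"10.10.4.7","dport":3389,"app":"rdp"}
{"ts":"2024-03-01T09:00:04Z","action":"deny","reason":"no rule iot->corp","src":"10.20.1.5","dst":"10.10.4.8","dport":22,"app":"ssh"}
{"ts":"2024-03-01T09:00:05Z","action":"deny","reason":"app rdp not permitted corp->pci","src":"10.10.4.7","dst":"10.30.0.20","dport":3389,"app":"rdp"}
{"ts":"2024-03-01T09:00:06Z","action":"allow","reason":"rule corp->pci","src":"10.10.4.7","dst":"10.30.0.20","dport":443,"app":"https"}
{"ts":"2024-03-01T09:00:07Z","action":"deny","reason":
"""


def parse_events(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole batch
    return events


def suspicious_sources(events: List[Dict], min_distinct_targets: int = 3) -> Dict[str, Dict]:
    """Sources whose denied sessions reached at least min_distinct_targets distinct dst:port pairs.

    One denied session is usually a misconfiguration; one host denied against many
    different targets looks like scanning or lateral movement and deserves a ticket.
    """
    targets = defaultdict(set)
    reasons = defaultdict(Counter)
    for e in events:
        if e.get("action") != "deny":
            continue
        targets[e["src"]].add((e["dst"], e["dport"]))
        reasons[e["src"]][e["reason"]] += 1
    return {
        src: {"distinct_targets": len(t), "reasons": dict(reasons[src])}
        for src, t in targets.items()
        if len(t) >= min_distinct_targets
    }


def _cef_header(value: str) -> str:
    # CEF header fields are pipe-delimited, so escape backslashes and pipes.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value) -> str:
    # CEF extension values are key=value pairs, so escape backslashes and equals signs.
    return str(value).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(e: Dict, vendor: str = "ExampleVendor", product: str = "ZoneFirewall") -> str:
    """Render one event as a CEF line. Vendor/product names are assumed placeholders."""
    severity = 5 if e["action"] == "deny" else 1
    header_fields = (vendor, product, "1.0", e["action"], f"Session {e['action']}", str(severity))
    header = "CEF:0|" + "|".join(_cef_header(v) for v in header_fields)
    ext_fields = (("rt", e["ts"]), ("src", e["src"]), ("dst", e["dst"]), ("dpt", e["dport"]),
                  ("act", e["action"]), ("app", e["app"]), ("reason", e["reason"]))
    extension = " ".join(f"{k}={_cef_ext(v)}" for k, v in ext_fields)
    return f"{header}|{extension}"


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print(f"parsed {len(events)} events")
    for src, info in suspicious_sources(events).items():
        print(f"investigate {src}: {info}")
    for e in events:
        print(to_cef(e))
```

On the constructed batch, only the IoT host that was denied against three different corporate targets is flagged; the single denied RDP attempt from the corporate host is left as policy noise. The threshold is a tuning knob, and in a real deployment it would be set from the observed baseline of denies per source rather than guessed.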

Beyond resolving security issues, the resulting audit logs and reports serve as evidence of compliance with regulations.

With digital transformation and a growing body of regulation, SD-WAN and SASE help IT leaders, risk managers and GRC (Governance, Risk and Compliance) teams accelerate compliance with regulations and standards such as HIPAA, PCI DSS, NIST or GDPR. These solutions encrypt data in transit, secure web access, prevent data loss and malware infections, apply least-privilege access to cloud-hosted resources, identify and monitor data flows in the cloud and block malicious content. In branch locations, a secure SD-WAN adds micro-segmentation so that mission-critical applications and IoT traffic stay isolated. It also improves the user experience and gives the flexibility to steer traffic directly to the cloud without backhauling it to a data center, and it reduces the hardware footprint in branch offices by integrating routing and firewall functions alongside SD-WAN.

[Figure: IT security frameworks. Accelerate compliance with IT security frameworks and standards with SASE and SD-WAN]

HPE Aruba Networking SSE is a cloud-native SSE platform designed to secure access to business applications and accelerate the transition to the modern workplace. It delivers authenticated user access to private applications at the network edge (ZTNA), a secure web gateway (SWG) that safeguards user access to the internet, and a cloud access security broker (CASB) that enforces policies protecting sensitive data. Tightly integrated with EdgeConnect SD-WAN, it lets organizations build a unified SASE architecture to meet the challenges of digital transformation and hybrid work, protect SaaS applications and accelerate regulatory compliance efforts.

HPE Aruba Networking products have earned various security certifications, including SOC 2 (Type 1 or Type 2), Common Criteria and FIPS 140-2. HPE Aruba Networking Central has also achieved FedRAMP Authorization and PCI DSS compliance. In addition, HPE Aruba Networking is committed to helping customers comply with GDPR: EdgeConnect SD-WAN has been verified against the TrustArc Privacy & Data Governance Framework for following and continually improving GDPR-compliant privacy practices. The solution has also earned ICSA Labs certification for secure SD-WAN.

To learn more, please visit our webpage on unified SASE.

Other resources:

Data Privacy web page

Regulatory compliance web page

ArubaOS 10 hardening guide

GDPR and CCPA Compliance: Ensuring Data Protection with SD-WAN and SASE

How the EdgeConnect SD-WAN Platform Supports PCI DSS Compliance

HIPAA Compliance: Delivering Privacy and Security for ePHI with a Business-driven SD-WAN

---------

[1] Statista, Annual number of ransomware attacks worldwide from 2017 to 2022.

[2] Statista, Phishing - Statistics & Facts.

[3] Statista, Annual number of data compromises and individuals impacted in the United States 2005-2022.