Designing a new modern network security model

Security models have always been useful to practitioners trying to understand the complex threats that target their assets. The zero-trust model promoted by Forrester, for example, has helped network designers cope with the continued reduction in emphasis on the perimeter as a protective control.

Similarly, the SASE (Secure Access Service Edge) model promoted by Gartner has prompted many companies to rethink their access use cases.

Our many decades of experience at AT&T suggest that three major types of network access require protection against cyber threats.

First, there are physical business locations, including head office and branch offices, which must include high-capacity, secure network connectivity. Our Multi-Protocol Label Switching (MPLS) solutions have served this market well for many years and continue to do so.

Second, there are end users who work from anywhere. They are usually served by some form of virtual private network (VPN) solution. Security approaches for remote access range from heavyweight client-server VPN deployments, using underlying protocols such as IPsec, to more lightweight browser-based solutions, using security protocols such as TLS. These approaches have helped users cope with work style transitions caused by the ongoing pandemic.

Finally, there are third parties who need access to their business customers. The need for business-to-business (B2B) security became evident many years ago with the outsourcing of business functions to remote support teams. Many B2B connections today combine VPNs with a wide range of older protections, including filtering source IP addresses to dedicated connections. Authentication is provided using an Identity and Access Management (IAM) tool.

Zero Trust and SASE are useful for protecting these three types of access. But they require considerable adjustments to meet the challenges of managing modern hybrid networks, legacy systems, mergers and acquisitions, and other unique scenarios. AT&T Cybersecurity provides SASE Managed Services and Zero Trust Consulting Services to help eliminate this complexity. But we are also looking to the future and developing something new.

The result is a new model that is essentially a secure access network edge. We describe it in the context of five architectural zones – illustrated in the diagram below.