Security models have always been helpful to practitioners trying to make sense of the complex threats that target their resources. The zero-trust model promoted by Forrester, for example, has helped network designers deal with the ongoing reduction in emphasis on the perimeter as a protection control.

Similarly, the secure access service edge (SASE) model promoted by Gartner has prompted many companies to rethink their access use-cases.

Our many decades of experience at AT&T suggest that three broad types of network access require protection from cyber threats.

First, there are physical business locations, including headquarters and branch offices, that must include secure, high-capacity network connectivity. Our multi-protocol label switching (MPLS) solutions have served this market well for many years and continue to do so.

Second, there are the end-users working from anywhere. They are typically served by some form of virtual private network (VPN) solution. Security approaches for remote access range from heavy client-server VPN deployments, using underlying protocols such as IPsec, to lighter solutions integrated into the browser, using security protocols such as TLS. These approaches helped users cope with work style transitions prompted by the ongoing pandemic.

Finally, there are the third parties who require access to their business customers. The need for business-to-business (B2B) security became evident many years ago with the outsourcing of corporate functions to remote support teams. Today, many B2B connections combine VPNs with a wide range of older protections, from IP source address filtering to dedicated connections. Authentication is provided using an identity and access management (IAM) tool.

Zero trust and SASE are useful for all three types of access. But they do require considerable adjustment to support the challenges of handling modern hybrid networks, legacy systems, mergers and acquisitions, and other unique one-off scenarios. AT&T Cybersecurity provides SASE managed services and zero trust consulting services to help remove this complexity. But we're also looking ahead and developing something new.

The result is a new model that is essentially a secure access network edge. We describe it in the context of five architectural zones, illustrated in the diagram below.

[Diagram: model-network-security.PNG]

The Customer Network zone includes the various use-cases listed above – namely, corporate offices, third-party suppliers, and end-users working from everywhere. We agree with the SASE model that access should be delivered using a smart edge, and our AT&T team has been innovating heavily in this area. This includes solutions that use virtualization and software-defined networking (SDN) to enhance the evolving edge.

The Access Network and AT&T Network zones are embedded into our service infrastructure. You can think of these components as being the means by which we extend our massive network from a common internal core to broad geographic coverage for our global customer base. This is true for both wireless communications using 4G and 5G technology and for our world-class fiber infrastructure serving broadband connectivity to customers.

The Edge Locations and Cloud Interconnect zones support the device-to-cloud needs of our customers. Increasingly, businesses are moving from traditional physical data centers to a cloud-based architecture, where applications and workloads are the primary tools used to accomplish the organizational mission. AT&T has been at the forefront of connecting users to the cloud since the invention of these capabilities.

My advice is that you start thinking about this new, evolving model as a mash-up of both zero trust and SASE, but in the context of practical network deployment and support. Experts in AT&T Labs and across our Chief Security Office are hard at work developing the model for both business and government. When supporting government, in particular, we've been able to draw on deep underlying capabilities developed to support that sector.

Watch this column in the coming months for more information on how you may be able to deploy these solutions in conjunction with your AT&T services. As always, we remain committed to the security and privacy of your infrastructure.