Our SASE Journey: Lookout Head of IT Talks Shop
Like other organizations that are adopting a permanent hybrid or remote-first work environment, Lookout is using our Secure Access Services Edge (SASE) platform to implement cybersecurity that is not tied to the physical office spaces where employees used to work.
SASE is a security framework defined by Gartner that has been adopted by many organizations to enable intelligent Zero-Trust access from anywhere without hindering productivity. The Lookout Security Platform delivers SASE technologies with integrated endpoint security, advanced data protection and user behavior analytics capabilities.
To give you insight into how Lookout implements our SASE platform and how you can get started, I sat down with our director of IT systems engineering, Joel Perkins. He heads our IT department and has over a decade of experience.
Steve Banda: Obviously, the IT space is always evolving alongside emerging technologies. What changed for your team during the COVID-19 pandemic? What are some of the new challenges IT departments around the world are now faced with?
Joel Perkins: Lookout, just like many other organizations, went remote during the pandemic. Employees are no longer working behind office firewalls. They’re working on laptops, tablets and smartphones from anywhere. This means, instead of securing nine office locations, I have over 600 locations in the form of homes or co-working spaces.
But even before the pandemic, corporate data was already leaving on-premises data centers as part of digital transformation initiatives. Increasingly organizations are moving operations to software-as-a-service (SaaS) applications like Google Drive and Salesforce, or Infrastructure as a Service (IaaS) such as AWS, Azure or Google Cloud Platform. As a result, a typical company might have hundreds of apps in different locations and configurations, which makes securing access and protecting data much more complex. The pandemic accelerated this transformation as well as the adoption of SASE.
Where does SASE come into play to address these new challenges?
I’ll speak about my SASE experience in terms of the Lookout solution, which is fairly unique in that it is integrated with endpoint security and has native advanced data protection like data loss prevention (DLP) and enterprise digital rights management (E-DRM), and user behavior analytics.
SASE gives my team insights in a single place. While we had a lot of the information already, it was spread across different apps. My team either had to manually retrieve the information or have it piped somewhere — both processes were labor intensive.
In addition to integrated insights, our platform provides my team with consistent granular controls across all SaaS and IaaS apps and data. With an integrated platform, it is easy to implement consistent security policies. In the past, this was not possible because of the multiple products used and human error could easily create inconsistencies. With insights and policies in one place, we can systematically take action.
Drawing from your experience onboarding SASE, what should other heads of IT expect?
Deploying SASE is a journey for any IT team. It’s not something that happens overnight. However, you can see quick results within 90 minutes of deploying the Lookout Security Platform. After implementing our Cloud Access Security Broker (CASB), we immediately gained insights into our Microsoft Office 365 and Slack apps.
We have already witnessed the huge advantage of an integrated SASE platform with the ability to enforce consistent security policies throughout the migration of a private app to the SaaS version. Security policies that have been defined for Zero Trust Network Access (ZTNA) to provide private connectivity to private apps, can be easily implemented with the CASB securing connectivity to the SaaS version.
“Journey” is a good way to put it. The SASE architectural model uses identity and context to deliver secure Zero-Trust access to apps and data by converging different network and security tools into a unified platform. What can customers do to get started?
There are multiple ways of getting started with SASE. One way is to start with cloud apps. With employees able to access these apps from anywhere, it means you have less visibility from traditional perimeter security controls.
To secure your SaaS apps with Lookout CASB, you can use the API mode, which an IT team can use to onboard an app within 15 minutes and get instant visibility. You also have the option to dive deeper and get much more powerful controls by doing more work and implementing inline reverse proxy. There are countless ways to leverage our solution.
For most organizations, however, the SASE journey will likely start with apps that are most important to them — whether they are SaaS or private apps. These are usually the big productivity platforms like Google Workspace and Microsoft Office 365, or apps with business critical or personally identifiable information such as customer relationship management tools like Salesforce, or HR solutions like Workday.
Once these apps are onboard, you will have immediate visibility into the data and activities associated with them. I would say this is the first step — before touching the controls we offer — is to assess what you have.
So once you get visibility into critical apps, then what?
Once your critical apps are set up and you’re getting visibility into the activities and data within them, you can then start implementing policies.
For example, by using some of the predefined data templates Lookout provides, like for personal health information (PHI), national ID, social insurance number (SSI) or credit card numbers, IT teams can quickly create and set up remediation actions or remove public sharing if those data types are detected.
The beauty of a single platform is that everything is in one place. I can build a single policy and apply it to multiple apps without needing to recreate it for each app. As I onboard a new SaaS app with CASB, or cloud-enable a private app with ZTNA, I can easily apply existing policies.
What does that SASE journey look like in the long term? How can organizations take advantage of something like the Lookout platform?
Over time, you would likely protect all of your apps with SASE and begin to implement dynamic and precise policy enforcement. And like I said earlier, with Lookout, you also get endpoint security and visibility natively. Our platform also provides really robust user behavior analytics and data protection capabilities.
Having all of these insights into endpoints, users, apps and data, you can start creating and fine tuning policies that enable employees to access what they need while still safeguarding highly sensitive data. You might start out writing policies that limit data access to only managed devices. But down the road, you could confidently implement a bring-your-own-device (BYOD) program where you have full control over the data accessed by personal devices.
Zero Trust has been the focus of most organizations to empower remote access without sacrificing security. But the issue is that most attempts at achieving Zero Trust are a patchwork of disparate products connected to virtual private networks (VPN), with binary access controls based on limited visibility. Not only is this on-off access a poor experience for end users, VPNs also give whoever is connected access to all the apps and data on the entire internal network. This means an attacker who compromises an account can easily move laterally.
The key to a modern Zero-Trust deployment is to align the fluctuating risk levels of your users and endpoints with the sensitivity level of the data they seek to access. With integrated insights within the Lookout platform, we enable organizations to make intelligent and granular access decisions that don't hinder productivity. We can restrict access to data, request step-up authentication or take specific action on the content itself, such as redacting keywords, adding watermarking and applying encryption.
For example, you may want to give unmanaged device access to certain sensitive data, but making it read only, preventing employees from downloading or sharing it. Whereas if the employee is using a corporate-issued device and is connecting from their usual location, they are given more freedom to access data and apps.
We probably only scratched the surface with this conversation. But I think you gave people a lot of things to think about. Thank you for taking the time to chat, Joel.
If you want to learn more about SASE and the Lookout platform, join our upcoming webinar on Dec. 14, 2021, we’ll be continuing this conversation with Joel Perkins.