Flexible, Edge-directed Meshes: Why SASE is the Future of CybersecurityDownload Case Study
The tectonic plates of network security are in motion.
A wrenching transference from on-premises to cloud-centric data security systems is gaining steam. Security teams are engaged in pushing cybersecurity out to the far edges of a highly interconnected, widely dispersed digital environment; and at the same time, they must find smarter ways to dramatically improve cyber hygiene.
The real trick chief information security officers (CISOs) face is that they must accomplish this without disrupting agility. Complexity is exploding and fear of falling behind is keeping the competitive heat on.
This is especially true as organizations accelerate cloud adoption and rely more than ever on a remote workforce and a globally-scattered supply chain. Consensus is rapidly gelling that simplification is the path to improved data visibility and threat awareness and, therefore, a more robust security posture.
In this heady environment, network security, which has hyper-focused on perimeter-based activities, must now somehow transform into something that mitigates cloud-based cyber exposures that are multiplying by the minute. Several developments are in play that should converge over the next couple of years to make this happen. Here’s my take on what’s happening — and what needs to transpire:
Dig a deep moat, erect a thick castle wall, place the crown jewels in a sturdy keep. Through the 2000s and 2010s, this was deemed an adequate approach to network security. Companies invested a king’s fortune, many times over, to build out on-premises security stacks.
Defense-in-depth became a mantra: antivirus suites got stacked onto firewalls, multi-factor authentication (MFA) got bolted onto virtual private networks (VPNs), and data loss prevention (DLP) got glommed onto email and web servers. These security tools tended to calcify into ‘silos,’ each becoming a realm onto itself.
This strategy remains a valid principle. But it’s in dire need of a reset. Software-defined everything has become a driving force where infrastructure as a service (IaaS) and SaaS rule the day. Today, processing power and data storage gets delivered virtually from Amazon Web Services (AWS), Microsoft Azure or Google Cloud, and communication and collaboration tools are supplied by dozens to hundreds of mobile and web apps.
In many ways, it’s easier than ever for malicious actors to get deep access, steal data, spread ransomware, disrupt infrastructure, and attain long-run unauthorized access. The CISOs who are destined to succeed in this environment must enable speedy, flexible innovation that ideally shrinks their organization’s attack surface.
The SASE value proposition
The technology and best practices are certainly readily available. This is my 18th year of reporting on privacy and cybersecurity and each year security vendors never fail to innovate. Recently, industry consensus has been gelling around new frameworks thoughtfully assembled to protect data in very granular layers.
This new approach is embodied by secure access services edge – SASE – a nascent network security framework that, in essence, takes the on-premises tools, policies and practices CISOs are familiar with and disperses them out to the extreme edges of where digital connections are getting made.
“The main value proposition for SASE is the concept where the security stack moves from the perimeter out to be delivered from an edge, something right before the cloud, right before you get to AWS,” says David Holmes, Forrester Research analyst for zero trust, security and risk.“That way you could protect the remote workers, you can see all of the network traffic and you can get all of the alerts in order to protect everything.”
First coined by research firm Gartner in late 2019, SASE has emerged as something of a go-to roadmap for security vendors. As networking tools and cloud software converge, SASE serves as a framework for protecting cyber assets while preserving agility — at scale. At this early stage, there are several strikingly different approaches for delivering SASE systems, depending on the expertise of the vendors making the SASE offering.
At the end of the day, SASE should give a CISO very direct control over sensitive data, wherever the data resides and whoever might be accessing it, at any given moment. The tricky requirement, of course, is that this granular level of data control must be achieved without disrupting an employee’s ability to work as flexibly as they wish.
This calls for a highly finessed, quite deep level control of sensitive data. The leading SASE offerings mix and match old and new security technologies to achieve this. This includes everything from next generation firewalls (NFGWs) and secure web gateways (SWGs) to zero-trust network access (ZTNA) tools and an array of software configuration management tools.
One way for CISOs to begin their SASE due diligence is to think of SASE as providing them with intricate control over data in these three buckets:
Controlling cloud and private app access
Let’s face it, IaaS and SaaS have won the day. Today, many business functions — from productivity, marketing to business operations, HR and payroll — are scattered among various services. As a result, security teams have lost control over basic account access, much less how users are handling data and the software configuration settings across these various services.
The Colonial Pipeline ransomware attack and the Solar Winds supply chain debacle should serve as indelible reminders of threats that aren’t going to go away anytime soon. Like most breaches, these headline grabbers pivoted on the manipulation of an authorized identity carrying privileged access rights.
This is why zero trust, the idea that you should never trust and always verify, is a core tenant of SASE, which includes cloud access security broker (CASB) and ZTNA. These technologies provide granular, dynamic access to SaaS apps as well as private apps running in private clouds or inside of data centers.
A comprehensive SASE would be able to granularly monitor both user and device behaviors and adjust access privileges based on risk-assessment policies. They dramatically reduce an intruder’s ability to move laterally, for instance, to find critical systems to encrypt as part of a ransomware play, which crippled Colonial Pipeline; or to manipulate a digital supply chain at a deep level, as happened to Solar Winds.
Securing web usage
There is plenty of noisy, clearly malicious traffic blended into the data packets continually crisscrossing the internet. However, there’s also a rising tide of legitimate traffic, even more so with elevated work-from-home traffic. Sifting the bad traffic from the good has never been easy; it’s now more problematic than ever.
SASE taps on legacy network security tools to deal with this. Traditionally, a SWG took the form of an appliance physically perched on a company’s network perimeter to monitor incoming browser traffic. This was done to protect users from malicious traffic and also to optimize web traffic.
It turns out that an SWG’s core functionality fits well as a first-level filter for web traffic arriving from connection points strewn across the cloud. SASE systems include advanced, cloud-delivered SWG filtering capabilities useful for detecting and blocking phishing websites that can deliver malware or steal credentials — while also implementing and enforcing acceptable use policies.
The inspection, as part of SASE, can also be used to review data leaving a company. Rather than simply looking at inbound malicious traffic, SWG can also be used to mitigate against data leakage or malicious data exfiltration.
Preventing data loss
At the end of the day, it’s all about protecting sensitive data. But with so much sensitive information swirling into ever expanding data lakes, it has really become about identifying and protecting the data that matters most.
SASE addresses this by adapting another legacy network security tool. As an appliance traditionally perched on a company’s network perimeter, DLP was a one trick-pony. Its sole function was to inspect data — and implement security policies — as the data passed into and out of the corporate perimeter.
Today, corporate data is dispersed far and wide, across countless SaaS apps. Advanced, cloud-delivered DLP, delivered as part of a SASE system, can be positioned to inspect data in support of ZTNA, CASB and SWG in a way that ensures only vetted users get granted strategically narrowed access privileges.
Great leap forward
Let’s face it, company networks have been turned inside out. Most users now function, much of the time, outside of the narrow IT perimeter that security teams got good at defending. In an intricately complex, highly dynamic IT environment, adding more security analysts (if you could find them) or purchasing yet another cloud-delivered security tool isn’t going to cut it.
SASE – and in particular the “security service edge,” or SSE, which is a component of SASE – could very well emerge as the linchpin that helps network security make a great leap forward. Over the past few months, SASE has been increasingly framed as having two distinct halves: one half referred to as WAN-edge, comprising the networking connectivity aspects, and the other being SSE, which concerns access control and security monitoring.
This parsing of SASE clears things up, quite a bit; it has helped competitive tech vendors sort out what they bring to the table, and this has led to a welcomed tempering of muddled messaging. In the end, it should lead to better integration of best-of-breed edge technologies.
Sooner than you might think, companies could commence the wholesale dismantling of their castle wall defenses — to be replaced by flexible, edge-directed security meshes. I’ll keep watch and keep reporting.