IT infrastructures are in the midst of dramatic changes, restructuring how applications and data are deployed and consumed. Organisations are beginning to realise that their physical network and security infrastructure must evolve to protect an increasingly perimeter-less environment. Cloud services, security and networking are converging, creating a new model where security and networking no longer comprise discrete applications and devices, but are delivered as software services alongside cloud-based applications.
Gartner has recently coined the term SASE (Secure Access Service Edge) to describe this emerging security and network framework. The analyst house points to seven areas in which security and network teams should review their architecture with a view to achieving the benefits of SASE. In this article, I walk through these areas of consideration, explain the benefits that can be gained from each, and help security and network teams evaluate their own progress towards SASE.
1) Shift operations from managing security boxes to delivering policy-based security services via a cloud-native, microservices-based environment.
An architecture that relies on traditional network and security appliances that are merely ported to the cloud as software is not SASE ready. This common approach does not scale, suffers from interoperability issues, is unable to deliver new features quickly and delivers security services with much higher latency than is acceptable.
A cloud-native architecture can deliver seamless security services that best match risk reduction requirements. It also future-proofs investments in an architecture that rapidly adapts to the changing enterprise network and security market, building new products natively and delivering security services without hindering business productivity or impacting the end-user experience.
2) Converge cloud and web security technologies to simplify configuration and operations, and to reduce cost.
SASE infrastructure helps organisations implement consistent security controls across SaaS, Web and IaaS services, minimising the available attack surface and protecting the most sensitive data. SASE-ready infrastructure delivers Secure Web Gateway (SWG) capabilities alongside other cloud-delivered network and security services such as Cloud Access Security Broker (CASB), Data Loss Prevention (DLP) and Advanced Threat Protection (ATP). This is necessary as enterprises move their applications to the cloud and can no longer rely on on-premises firewalls to protect their data (these appliances are blind to modern cloud traffic such as API calls and JSON payloads). Organisations require a deeper set of security controls to enable more granular visibility into activities performed across SaaS, Web and IaaS services, spanning both managed and unmanaged devices.
By unifying these capabilities within a single architecture, SASE enables organisations to identify and decode both web traffic and cloud-based applications, deriving detailed context such as personal and corporate instances of the same cloud app (e.g. Office 365, Gmail, Slack). Enterprises are able to obtain a big-picture view of the threat landscape, incorporating context obtained from the integrated security and network services within the SASE-ready platform. Netskope calls this consolidated cloud gateway the Next-Generation SWG (NG SWG) and it extends protection by identifying, managing and securing web traffic and cloud-based applications, detecting and mitigating cloud-based threats, and enforcing data loss protection capabilities—all with a unified policy enforcement engine.
3) Follow a data-centric model and implement context-aware controls to readily detect and prevent sensitive data movement.
SASE enables data protection as an integrated part of the cloud security framework. Modern cloud DLP solutions provide full visibility and, in the best cases, context awareness of data movement across clouds as well as mitigation of loss and exfiltration. In order to scale and optimise DLP, policies must be data-centric, applying to and following the data regardless of the endpoint or cloud service.
DLP policy management becomes simpler within a SASE framework, as the same policies can be applied across all cloud applications and websites, ensuring that one set of DLP policies is applied to data-at-rest and data-in-motion alike. A SASE-ready framework should effectively identify and classify data, providing a granular understanding in support of policies based on context such as user, device type, file type, data identifiers and more.
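To make points 2 and 3 concrete, here is an added Python sketch (not Netskope code) of a data-centric, context-aware DLP decision that tells a corporate instance of an app from a personal one by the login identity, and applies one policy to both an at-rest file and an in-motion upload. The corporate domain, the payment-card detector, the device attributes and the verdicts are all constructed assumptions for illustration.

```python
"""Added example: one DLP policy applied to data-at-rest and data-in-motion,
keyed on data identifiers plus context (app instance, device). All values,
names and rules below are constructed for illustration, not Netskope's."""
import re
from dataclasses import dataclass

CORPORATE_DOMAINS = {"corp.example"}            # assumed corporate tenant domain
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # candidate card numbers

def luhn_ok(digits: str) -> bool:
    """Luhn check so that random 16-digit strings are not flagged as PANs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(content: str) -> set:
    """Data identifiers found in content; 'PAN' only for Luhn-valid numbers."""
    labels = set()
    for m in CARD_RE.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PAN")
    return labels

def app_instance(account: str) -> str:
    """Corporate vs personal instance of the same app, derived from the identity."""
    domain = account.rsplit("@", 1)[-1].lower()
    return "corporate" if domain in CORPORATE_DOMAINS else "personal"

@dataclass
class Event:
    kind: str       # "at_rest" (file found in tenant) or "in_motion" (upload seen inline)
    app: str        # e.g. "Office 365", "Gmail", "Slack"
    account: str    # identity used to log in to the app instance
    device: str     # "managed" or "unmanaged"
    file_type: str
    content: str

def evaluate(ev: Event) -> str:
    """Same verdict logic regardless of ev.kind: the policy follows the data."""
    if not classify(ev.content):
        return "allow"                            # no sensitive identifiers found
    if app_instance(ev.account) == "personal":
        return "block"                            # sensitive data to a personal instance
    if ev.device == "unmanaged":
        return "block"                            # corporate instance, but unmanaged device
    return "allow_and_log"                        # corporate instance on a managed device
```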
4) Protect against cloud-enabled threats, and combine inspection capabilities for threat and data to make an efficient, single-pass inspection solution.
With the rapid rise in cloud-enabled threats such as phishing and drive-by attacks, legacy solutions offer limited visibility and pose a significant risk. What is needed is a cloud-native platform that scales to support both real-time (fast-scan) and deep (sandbox-based) threat protection across the cloud, to effectively expose and mitigate malware and other threats.
An ATP solution based on a SASE model can significantly help reduce complexity and cost for SecOps and Incident Response (IR) teams, while enhancing threat mitigation efficacy and scale.
A SASE-based ATP solution can help centralise all security events collected across managed and unmanaged clouds, providing a single, consolidated view into all activities. To be effective, this solution must collect rich metadata from web and cloud traffic for further analysis and investigation.
5) Evolve remote access strategies, adopting a zero-trust approach.
For remote access, security teams have traditionally relied on complex and expensive VPN appliance implementations that do not scale and incur growing maintenance costs while being cumbersome to manage. With the traditional “open” network access of VPNs, sensitive data can easily be exfiltrated, while compromised accounts or insiders can move laterally within a network. SecOps teams require a modern secure access solution that easily scales while allowing remote users secure access to select private applications in public clouds and data centres, regardless of location.
A SASE provider can deliver a cloud security solution that enables application-level access to private applications based on Zero Trust principles. This includes the authentication of users, and device posture checking and classification, before connecting users to select private apps.
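As an added illustration of the zero-trust access model in point 5 (not Netskope code), the Python below decides access per named private application only after the user is authenticated and the device posture is checked, and never grants network-level reach the way a VPN does. The posture tiers, group entitlements and application names are constructed assumptions.

```python
"""Added example: application-level access decision in the zero-trust style
described above. Policy table, posture rules and names are constructed."""
from dataclasses import dataclass

@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    os_patch_age_days: int
    edr_running: bool

@dataclass
class Request:
    user: str
    mfa_verified: bool   # result of the identity provider's authentication step
    groups: set
    device: Device
    app: str             # exactly one private application is requested

# Assumed per-app policy: entitled groups and minimum posture tier.
# An application that is not listed is simply not reachable.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "posture": "high"},
    "wiki":    {"groups": {"staff", "finance"}, "posture": "medium"},
}
TIER_RANK = {"low": 0, "medium": 1, "high": 2}

def posture_tier(d: Device) -> str:
    """Classify the device before it is allowed near any application."""
    if d.managed and d.disk_encrypted and d.edr_running and d.os_patch_age_days <= 30:
        return "high"
    if d.disk_encrypted and d.os_patch_age_days <= 90:
        return "medium"
    return "low"

def decide(req: Request) -> tuple:
    """Return (decision, reason); an 'allow' connects the user to req.app only."""
    if not req.mfa_verified:
        return ("deny", "user not authenticated")
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return ("deny", "unknown application")          # no implicit network access
    if not (req.groups & policy["groups"]):
        return ("deny", "user not entitled to this application")
    tier = posture_tier(req.device)
    if TIER_RANK[tier] < TIER_RANK[policy["posture"]]:
        return ("deny", f"device posture {tier} below required {policy['posture']}")
    return ("allow", f"connect {req.user} to {req.app} only")
```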
6) Use a robust, global edge network that is high-performance, high-capacity and capable of supporting ‘cloud heavy’ communications.
A vendor’s global network architecture determines how far customer data must travel to and from the closest Points of Presence (POPs) before it is processed, potentially increasing end-to-end latency. In the end, the underlying network infrastructure affects the scale and efficacy of security controls, and traditional networks are inadequate for a SASE model.
A SASE-ready provider will deploy their services through a global cloud edge network, delivering security services closest to the end-user, optimising routing and availability, while enabling security functions like DLP and ATP inline. This allows processing to be done quickly with minimal latency and interruption to the end-user. Vendors that backhaul customer traffic to centralised data centres break the SASE model and are unable to deliver all the required network and security services demanded by enterprises.
SASE also allows seamless integration of SD-WAN functionality into a cloud-based architecture, with SD-WAN built natively alongside the security services, which helps to scale performance and delivery for remote office users. SASE-ready architectures enable SD-WAN edge solutions to connect directly to the edge cloud network, avoiding the complexity of deploying physical SD-WAN hubs and reducing the cost and complexity of deploying multiple network and security appliances across the entire enterprise network. This access model can also help simplify the multiple overlays that drive up complexity for enterprise network management.
7) Integrate management and administration tools to reduce complexity and increase efficiencies.
Most large security companies provide a portfolio of hardware- and software-based security products that have been assembled through acquisitions. While some integration may exist, SecOps teams struggle with the increasingly complex design, configuration and management of their security infrastructure.
A SASE-ready solution should allow for fully unified management and administration. Beware of products that require separate configurations and dashboards as a way to connect multiple products into common workflows. Integration with third-party security tools is essential and a SASE-ready solution should offer REST APIs, plus threat intelligence sharing based on standards to extend its capabilities.
A SASE framework sees essential security services converge in a cloud-native model that makes use of global, high-capacity, low-latency edge networks for an optimised user experience. Organisations embracing SASE can expect a simplified environment based on the consolidation of multiple security technologies, as well as reduced costs and a much-improved experience for both end users and administrators. Crucially, adopting a SASE architecture leaves organisations much better protected against emerging threat factors, and better equipped to navigate data protection requirements.
Is your organisation’s network and security infrastructure SASE ready?
Neil Thacker, CISO EMEA and LATAM, Netskope