How to take SASE from a buzzword to a plan
Whether you are talking to your leadership or external auditors, it’s always best to be able to explain that your cybersecurity program is based on a framework utilizing industry best practices.
A recent framework by Gartner is one that I recommend having as part of your toolkit: Secure Access Service Edge (SASE), as outlined in their November 2019 “The Future of Network Security is in the Cloud” report.
The idea was to develop a single strategy that combined both perform (network architecture) and protect (security) functions under one cloud-based service provider platform.
I think this captured a trend that was prevalent across major enterprises – the move to vendor consolidation. In my experience working with peers of Fortune 500 enterprises, they can have over 100 security vendors, which creates a nightmare when attempting to manage and correlate them into a single risk profile.
The SASE framework is in line with vendor rationalization and the trend to reduce complexity, while also increasing visibility and ease of management. This is not a solution for your entire program, as it is currently designed to focus on protecting the company and employees.
Additionally, it is focused on the edge, so you would need platforms for areas like endpoint protection and network / incident response. The days of picking the best tool for each problem is ending and this trend of moving away from best athlete to best teammate reminds me of this quote by Michael Jordan, “Talent wins games, but teamwork and intelligence win championships.”
I also like the fact that SASE encompasses both perform and protect functions as I have scar tissue from when I had designed my security environment. I discovered some of the applications I needed to protect were moving to a cloud infrastructure. SASE ensures that both teams are talking to each other. This is key because if 2020 has taught us anything, it is that we need to be flexible and rapidly adapt to changing business models. That requires tightly integrated strategies.
While SASE outlines several tools that can be used to combine perform and protect functions on a single platform, it doesn’t have a single recommended solution. Instead, it talks about what could be used for different business models. It also highlights that no single vendor has all the tools you need. Finally, Gartner acknowledges that this will be a journey as many of the tools will already be part of your environment, so it will take time to migrate onto fewer platforms.
As we look at building a strategy, the first challenge is to define your “edge”. For some companies their edge is their data center. Still, for others it is their cloud infrastructure. Realistically, for most large enterprise environments, it will be hybrid and potentially multi-could.
For performance, the SASE report lists capabilities like SD-WAN and CDNs. When thinking about your SASE strategy you should think about where you have your interface with employees / users and where your security controls are integrated. As always, analyze both current and future state.
Let’s start by listing the different NaaS tools:
- Content Delivery Network (CDN)
- Software Defined – Wide Area Network (SD-WAN)
- Wide Area Network (WAN) Optimization
- Network as a Service
- Bandwidth Aggregators
- Networking Vendors
Depending on your end state goal, you will need to focus on different capabilities. If you are trying to move to a borderless architecture, you will focus on CDN. If you are looking to stay with branches and remote workers leveraging a main office, you will focus on SD-WAN. Software as a Service (SaaS) will most likely be part of either of these approaches.
Additionally, each of these will need to have their own evaluation criteria. For example, with CDN you would want to focus on factors like location/number of POPs and peering relationships, ability to scale, international presence, and capabilities based on your business needs like image management, caching at edge and route optimization/acceleration.
Next, let’s review the security tools mentioned throughout the report:
- Zero Trust Network Access (ZTNA)
- Cloud Access Security Broker (CASB)
- Secure Web Gateway (SWG)
- Web Application and API Protection as a Service (WAAPaaS)
- Domain Name System (DNS) security and protection
- Data Loss Prevention/Protection (DLP)
- Security Network Security
- Virtual Private Network (VPN)
- Firewall as a Service (FWaaS)
- Intrusion Prevention System (IPS)
- Software-Defined Perimeter (SDP)
- Remote Browser Isolation (RBI)
There are a lot of capabilities here and unlike the network section many large enterprise environments will need all of them. Many of these are combined today such as SWG that have DLP and sandboxing.
Like networking, you will need to have evaluation criteria for these, such as: do they have consolidated agents, do they integrate with your Security Information and Event Management (SIEM) and do they offer services like engineering support? Also don’t be limited by this list as countering threats like Magecart were not included in the report.
Now that you have some idea on what you will need, you will need to conduct an internal review to determine your current capabilities and gaps. This should include measuring the maturity of your tools and quantifying your technical debt (i.e., tools that have been customized and can’t be updated).
With both end state and current situation in mind, it’s time to map out a strategy. As we mentioned before, this will be a journey, so it will be a multi-phased project. On the security side, a generic prioritization would look like:
- Establish ZTNA (most companies will start with use cases like external partners, Mergers & Acquisitions or access to most sensitive information)
- CASB (this depends on how heavily dependent you are and how much critical data is on SaaS systems)
- SWG (we need to protect outbound traffic from employees going to phishing sites or malware command and control systems phoning home)
- DDoS and DNS protection (DDoS and Ransom/Extortion DoS threat actors are becoming more active)
- FWaaS and WAAPaaS (while this should top the list, most companies have something in place so they would transition as part of the normal contract life cycle)
Generally, you will find that many of the other capabilities listed are part of these controls
Each company will need to customize their strategy based on their risks and capabilities of their current security controls.
Here are some factors to consider including in your broader evaluation criteria. Do they support a multi-tenant model? Do they address compliance issues across all the geographic areas you operate in? What is the level of effort to both deploy and operate the platform? What services do they support? How likely are they to be around in 5 to 10 years? Do they have a history of delivering on their roadmaps?
As you build out your business case some of the benefits of combining both protection and performance in one vendor platform include:
- Reduction in complexity and costs though vendor consolidation
- Increasing situational awareness though a single threat portal
- Moving to latest generation of protections designed for your edge
- Simplifying vendor management, while improving compliance
- Preventing engineer bloat, while optimizing capabilities
- Reducing latency and improving user experience by executing at the edge
- Enable new digital business scenarios though greater flexibility and resiliency
There are some risks. The most common concern is “all my eggs in one basket”. This is what has driven us to environments that have so much complexity and cost that companies are reversing their approach. Another is around the amount of turmoil in the market with acquisitions and capabilities that are new to market. Finally, the issue of determining when it is the right time to move to a platform with nobody today offering all the capabilities needed. My only caution is beware of analysis paralysis.
In summary: SASE is a powerful tool that you should consider adding to your toolbox. It will provide you the framework to define your edge and integrate, perform and protect controls into one platform. We have looked at the journey and outlined some evaluation criteria. Finally, we looked at some of the benefits and risks for your business case.
I strongly believe that complexity is the enemy of security – this tool will help you eliminate it while improving user/employee experience.