Written by Daniel Blackwell, Product Manager – Network and Security at Pulsant, on using edge to transform networks.
The huge shift to remote working and the increased sophistication of SaaS applications used by employees on vastly extended networks present significant security challenges.
Supercharged by the pandemic, these major trends have left many businesses struggling to address the long-term security risks generated by such an expanded attack surface.
The problem is that thousands of employees are now working from uncontrolled environments, frequently using their own devices, and almost certainly relying on domestic networks. Personal devices and home broadband lack the same security protocols and controls that apply to corporate devices and networks, making them more vulnerable to cyber-attacks.
Internet access is often shared with other devices, while home networks either have weak passwords, or none at all, and are generally configured without encryption. All these vulnerabilities provide multiple angles of attack on a corporate network which are potentially easier to carry out than many other methods employed by criminals or activist hackers.
The picture for IT chiefs is further complicated by the use of multiple cloud vendors and the steadily growing adoption of hybrid infrastructures for sound business reasons. This further compounds the vulnerabilities of an expanded surface, with multiple ingress points to access distributed business information and systems, which all need to be controlled and monitored.
Removing the IT headache
For IT teams these developments are problematic. Applying security policies to each employee working remotely can be complex and costly. For example, applying the same policies and controls could require deploying a firewall at each employee’s home, which is expensive and generates huge management overheads. The alternative of providing each employee with a remote VPN connection back to a central office location goes against the flow of what businesses need today for increased agility and cost-effectiveness. As organisations increasingly move to decentralised services employing SaaS applications and public cloud, there is little sense in routing traffic back through an office location.
The role of SASE
Secure Access Service Edge (SASE) is increasingly emerging as a solution to most of these difficulties, enabling organisations to apply security policies to employees wherever they are working, using a centralised management policy. Adoption of SASE remains cautious, however, largely because there is no settled definition of what it is, nor has it been standardised, causing significant confusion about the benefits that it can bring.
Depending on who you want to believe, SASE comprises all or most of the following technologies: secure web gateways (SWGs); web-filtering; cloud access security brokers (CASBs); firewall-as-a-service (FWaaS) and Zero Trust Network Access (ZTNA). Many organisations will already have some of these applications in place but not in a unified, cloud-based solution that provides genuine control, visibility and management, removing the drudgery and cost of overseeing and administering them separately.
Gartner defines SASE as an extension of SD-WAN to include other network security controls and services that can be centrally managed through the same SD-WAN management plane. This covers the essential elements of network and application optimisation, access control and the vital requirement for the IT team to have full visibility. With these capabilities, troubleshooting becomes much quicker and more effective.
Unfortunately, many vendors have boarded the SASE bandwagon in what are often little more than rebranding exercises. They slap the SASE label on cloud-based security solutions that are not managed by a single dashboard and still involve multiple separate products. Others claim to provide SASE even without an SD-WAN offering, while yet more offer elements of SASE but not the full product range.
In the current market, there are very few vendors who provide SASE matching Gartner’s full definition. This does not mean, however, that SASE is something that organisations should disregard; instead it should be seen as more of a framework to build a solution that helps solve the security complexities introduced by modern working.
Zero trust and the edge
SASE is fundamentally about the application and the user. With SD-WAN, the primary purpose is to have control over the application and apply routing policies to ensure the right applications obtain the best possible path. This optimises performance for the end-user and enables organisations to upgrade or implement new applications efficiently and quickly.
True SASE means applying the same principles of efficiency and agility to security controls. The application and the user are still considered, but the focus is on ensuring that the right user has access to the right applications, and only those applications. This implementation of the zero-trust approach can even be broken down further to the right device, at the right time of day, from the right network, with access restricted to applications and web services based on the security posture of the user, device, and destination.
The physical location of the SASE ‘engine’ should also be considered. The term ‘cloud’ implies that something is located everywhere, whereas in the UK it typically means that it is hosted in one location. By having regional points-of-presence, the enforcement of security policies is distributed closer to each user wherever they are working.
Using this approach, organisations can stop employees from accessing known bad web services, regardless of location, removing the risk of downloading malicious files or applications. If malware does get through and a device is breached, access can be revoked, preventing attackers from gaining access to applications or services.
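The access decision described above (right user, right application, device, time of day, network and posture, with access revoked once a device is breached) can be sketched as a default-deny policy check. This is an added example, not code from the article or from any vendor's product; the policy table, user and device names, and attribute fields are all hypothetical.

```python
from dataclasses import dataclass, replace
from datetime import time

@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    managed: bool      # device is enrolled in corporate management
    posture_ok: bool   # device passed its posture check (patching, encryption)
    network: str       # "corporate", "home" or "public"
    at: time           # local time of the request
    app: str

# Constructed policy: each user is entitled only to the apps listed here.
POLICY = {
    "alice": {
        "crm": {"networks": {"corporate", "home"},
                "hours": (time(7), time(19)), "managed_only": False},
        "payroll": {"networks": {"corporate"},
                    "hours": (time(9), time(17)), "managed_only": True},
    },
}
REVOKED_DEVICES = set()

# Constructed sample request used as a baseline.
BASE = Request("alice", "laptop-1", True, True, "home", time(10, 0), "crm")

def revoke(device_id):
    """Cut off a device believed to be compromised, for every app at once."""
    REVOKED_DEVICES.add(device_id)

def decide(req):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    if req.device_id in REVOKED_DEVICES:
        return False, "device revoked"
    rule = POLICY.get(req.user, {}).get(req.app)
    if rule is None:
        return False, "no entitlement"
    if not req.posture_ok:
        return False, "posture check failed"
    if rule["managed_only"] and not req.managed:
        return False, "unmanaged device"
    if req.network not in rule["networks"]:
        return False, "network not permitted"
    start, end = rule["hours"]
    if not (start <= req.at <= end):
        return False, "outside permitted hours"
    return True, "allowed"
```

Because the revocation check comes first, a device flagged after a malware incident loses access to every application at its next request, regardless of the user's entitlements.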
Securing the edge
Genuine SASE forms a comprehensive package that combines a variety of solutions, and as organisations move towards distributed and decentralised applications, SASE and SD-WAN provide agile and flexible central controls.
These are vital attributes. Remote working policies are now permanent and widespread, and before too long, SASE and SD-WAN will enable IT and security teams alike to bring security protocols closer to users. The outcome will be a highly resilient network that optimises the edge, truly supports its users and protects them from emerging and increasingly sophisticated cyber threats, whether they are at home, on the road, in a branch office or headquarters.