Is Secure Access Service Edge (SASE) Part Of Your IT Roadmap?
In a few years to come (2 or max. 3), in my opinion both the roles of CIO and CISO will be redundant. The idea behind keeping these two roles separate was a maker/checker concept: one focuses on the technology whilst the other focuses on the security. These roles were created with the preconceived notion that a CIO would focus mainly on executing the technological design, and that is where a CISO comes into the picture to engage, review and ensure there are no security gaps prior to implementation.
‘Security’ is to be embedded by design at the inception. It is critical to move onward with a balanced approach at the very start. Today’s CIO cannot be efficient if they do not have (at least) a 50% focus on security. Their strategy, their approach, their conceptualizations, their blueprints, their vision – everything must have business, technology and security embedded by design. An ideal role for a digitally transforming organization may be something of a CTSO (Chief Technology & Security Officer). There are multiple benefits in this approach: one single ownership, a pyramid approach to the complete architecture from a technology and security standpoint, and efficiency.
This brings us to the core agenda of the article, which advocates the above approach. In simplest terms, SASE focuses on two aspects – networks and security – coupled together to make a highly efficient and secure architecture that serves the business.
For years, networks and security have been fighting like cats and dogs. To have a high-performing network, security may take a lower priority somewhere, since centralized routes add more latency; or vice versa. This model of network and security has been failing time and again; however, there has been no alternative that could solve for both simultaneously.
Secure Access Service Edge (SASE) is a disruptor of the legacy model. SASE not only enhances security but also improves network performance and enables the business to function more efficiently.
In the modern enterprise, users require immediate and uninterrupted access to data no matter where they are located or what OS they use. With the rapid increase in cloud adoption, the growth of the mobile workforce and the expansion of branch offices, it becomes much more difficult to secure access to applications. Therefore, routing all branch office and mobile user traffic through the corporate headquarters data center to provide encapsulated security no longer makes much sense.
For years there has been a situation where most of the traffic goes to the data center at headquarters, irrespective of whether it is to access on-premises applications or to access SaaS-based applications via the internet. This kind of route has primarily been there to ensure centralized network and web security. In the legacy architecture the majority of the applications were at the data center and the majority of the traffic went through it. MPLS and VPNs were used to get the traffic from different branches and other mobile locations to a central data center. In this model, most of the network traffic is internal.
Things have changed with cloud and digital adoption; the data location has changed and most of the applications are hosted in cloud environments. Organizations are completely mobile; collaboration, messaging, storage etc. are all decentralized over the cloud. The traffic flow has inverted: now only very little traffic is internal while internet traffic is the majority of the traffic flow. This completely changes the dynamics of how to set up the network and make it secure. MPLS and VPN setups are expensive, time consuming and comparatively bring forth a lot of security vulnerabilities. Most importantly, the majority of the traffic needs to go to the internet instead of to applications hosted in the DCs, and it makes better sense to route traffic directly to the internet securely, without reaching the data center for centralized secure access, which impacts both performance and security in many ways.
The number of users outside the office is increasing. Users are getting diverse – from home, office or mobile, and operating on different platforms or OSes like Android, iOS or Windows. The majority of business applications like M365, Okta SSO, Splunk, AWS, GCP, SharePoint and Salesforce are not found at a centralized location. The adoption of SaaS, PaaS and IaaS creates more reliance on the internet and demonstrates that network services are highly distributed. For high availability, confidentiality and integrity of the data it is important to derive a solution like SASE that sits between the distributed users and the distributed cloud services.
The modern approach is to explore DIA (direct internet access) and network decentralization, and to add security from multiple locations at the edge of the cloud. Performance-sensitive traffic goes direct, and network decentralization reduces the dependency on the central route: DIA from multiple locations to the cloud, with security at the edge of the cloud.
To summarize, SASE is needed to enable digital transformation, enable seamless cloud adoption, and provide a high-performance and secure architecture. SASE converges the network and security services into a single cloud-delivered platform. The SASE platform reduces complexity and improves performance by unifying the network, security and identity under a single umbrella.
SASE = Networking + Security + Identity
The core tenets of SASE are cloud-native security components – DNS security, SWG (Secure Web Gateway), Cloud Firewall and CASB (Cloud Access Security Broker) – coupled with technologies like SD-WAN and SDP (Software Defined Perimeter)/Zero Trust Architecture (ZTA) via DIA (direct internet access). An ideal SASE-based architecture is the convergence of network and security services including SWG, CASB, DNS protection, firewall as a service, SD-WAN and ZTA (ZTNA).
It’s important to also understand the Zero Trust concept. To do so, let’s first understand a non-Zero Trust architecture.
Let’s say a user is to access applications that are hosted in the on-premises data center. The user uses a VPN (virtual private network) and, with a level of security like 2FA (two-factor authentication) or MFA (multi-factor authentication, e.g. validation of device location, OS etc.), gains access via the VPN. Once the user is connected to the VPN network, the user has access to all the permitted environments (since they are already authenticated as a genuine entrant via the VPN). Let’s say the user can access AD/LDAP, SSH, secure and monitored HTTPS traffic etc.; however, it is very important to note that the user can use the SSH access to gain further access into the network, since the ‘trust’ is already authenticated. This means that once trust is inherited, it is assumed for the next access, since the request is already coming from a trusted source. To simplify further, airports illustrate the Zero Trust principle: although you enter the airport with a valid passport, there are security checks at each level that re-validate the passport. This is Zero Trust.
Now the same situation in the world of ZTA: there is a reverse proxy and an SSO gateway using the SAML protocol that talks to the reverse proxy. The user connects via the reverse proxy, which sends them to the SSO gateway; this SSO gateway authenticates the user and, based on the identity privileges, routes the user to gain access to the on-premises or cloud application. If it is in the cloud, after the gateway authentication the user is permitted to go to the cloud directly. The right access level can be designed at the edge of the cloud with policies. For the on-premises applications, proxy tunnels are created to the individual applications for access. The scenario of accessing other applications via SSH is controlled by policies, and therefore every step is authenticated with the Zero Trust method. No VPN access is required, and therefore, irrespective of whether the application resides on premises or in the cloud, the experience remains the same and indistinguishable to the user. None of the apps would accept connections that do not come via the proxy, and individual actions on applications can be configured.
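To make the contrast between the two paragraphs above concrete, here is a small added example (not code from the article or from any vendor it credits): a toy policy engine that evaluates the same access request under the legacy "trust once at the VPN door" model and under a Zero Trust per-request check at a reverse proxy. The users, devices, applications and entitlements are constructed for illustration; the proxy, SSO gateway and SAML exchange are reduced to a single `mfa_verified`/`via_proxy` flag per request.

```python
"""Toy access-policy engine contrasting implicit VPN trust with Zero Trust
per-request authorization. Added example; all data below is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    app: str            # constructed application name, e.g. "hr-portal"
    action: str         # constructed action, e.g. "https:read" or "ssh:login"
    device_managed: bool  # device posture as reported to the proxy
    mfa_verified: bool    # identity verified by the SSO gateway for this request
    via_proxy: bool       # request arrived through the ZTNA reverse proxy


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed identity directory: user -> allowed (app, action) pairs.
ENTITLEMENTS = {
    "alice": {("hr-portal", "https:read"), ("crm", "https:read")},
    "bob": {("crm", "https:read"), ("jump-host", "ssh:login")},
}


def legacy_vpn_decision(session_authenticated: bool, req: Request) -> Decision:
    """Legacy model from the article: after the VPN login the network is flat.
    Nothing re-checks identity, device or entitlement per application, so an
    authenticated session reaches SSH just as easily as the HR portal."""
    if not session_authenticated:
        return Decision(False, "no VPN session")
    return Decision(True, "inside VPN: inherited trust, no per-app check")


def zero_trust_decision(req: Request) -> Decision:
    """ZTA model from the article: every request is authenticated and
    authorized at the proxy against identity, device posture and app policy.
    Checks are ordered so the cheapest structural failure is reported first."""
    if not req.via_proxy:
        return Decision(False, "apps accept connections only via the proxy")
    if not req.mfa_verified:
        return Decision(False, "identity not verified for this request")
    if not req.device_managed:
        return Decision(False, "device posture check failed")
    if (req.app, req.action) not in ENTITLEMENTS.get(req.user, set()):
        return Decision(False, f"{req.user} not entitled to {req.action} on {req.app}")
    return Decision(True, "per-request policy satisfied")


def compare(req: Request, vpn_session: bool = True) -> dict:
    """Evaluate one request under both models and return the two outcomes."""
    return {
        "legacy": legacy_vpn_decision(vpn_session, req),
        "zero_trust": zero_trust_decision(req),
    }


if __name__ == "__main__":
    # Constructed scenarios: the same VPN-authenticated user, different targets.
    scenarios = [
        Request("alice", "hr-portal", "https:read", True, True, True),
        Request("alice", "jump-host", "ssh:login", True, True, True),   # lateral hop
        Request("bob", "jump-host", "ssh:login", True, True, True),
        Request("bob", "jump-host", "ssh:login", True, True, False),    # bypasses proxy
        Request("alice", "crm", "https:read", False, True, True),       # unmanaged device
    ]
    for req in scenarios:
        outcome = compare(req)
        print(f"{req.user:5} {req.action:10} {req.app:9} "
              f"legacy={outcome['legacy'].allowed!s:5} "
              f"zt={outcome['zero_trust'].allowed!s:5} ({outcome['zero_trust'].reason})")
```

The point the two functions make is the one the article makes in prose: `legacy_vpn_decision` never looks at `app`, `action` or device posture once the session exists, so the SSH hop is indistinguishable from a permitted HTTPS read, whereas `zero_trust_decision` refuses the hop for a user with no SSH entitlement, refuses any connection that did not arrive via the proxy, and refuses an unmanaged device even for an otherwise entitled user.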
SASE = Network as a Service (NaaS) + Network Security as a Service (NSaaS)
The components under Network as a Service include:
• Geo Restriction
• Path Selection
• Content Delivery Network (CDN)
• Traffic Shaping
• SaaS Acceleration
These components ensure users connect to the services faster and in a more reliable manner instead of depending upon a legacy VPN or the corporate network.
The components under Network Security as a Service, which provide security outside of the perimeter (the core technologies included within SASE being NG-SWG (web proxy), CASB and ZTNA), include:
• Data Leakage Prevention (DLP)
• WAA PaaS (Web Application Access, PaaS)
• Cloud Threat Protection
• FWaaS (Firewall as a Service)
• ZTNA (Zero Trust Network Access)
• DNS and WiFi Security
• UEBA (User & Entity Behavior Analytics)
• SWG (Secure Web Gateway)
• Cloud Application delivery
• Sensitive data discovery
• Network encryption/decryption
• Remote browser isolation
NaaS and NSaaS couple together to create SASE and give businesses a platform to efficiently move along their digital transformation journey and ease cloud and multi-cloud adoption, with security embedded by design.
A few benefits of SASE are:
• Reduction in complexity and costs
• Enable new digital business scenarios
• Improvement in performance and latency
• Ease of use, transparency for users
• Improved security
• Lower operational overhead
• Enablement of zero trust network access
• Increase in efficiency of network and security staff
• Centralized policy with local enforcement
The August 2020 release of Gartner’s Hype Cycle for Emerging Technologies finds SASE at the Peak of Inflated Expectations and predicts the plateau to be reached in a 5 to 10 year span.
Credits: Check Point, Cisco, Zscaler, Palo Alto, Gartner.