Although the past year has seen accelerated digital transformation, with whole industries navigating through the ongoing pandemic, there has also been a rise in cyber attacks on organisations, as threat actors aim to leverage the increased attack surface caused by remote working. To mitigate these rising risks, organisations have needed a barrierless security approach that goes beyond the traditional network perimeter. One emerging model that aims to meet this need, allowing for continued innovation, is Secure Access Service Edge, or SASE.
SASE was first coined as a term by Gartner back in 2019, and stands in contrast to the traditional architecture model, which places a data centre at the hub, surrounds it with corporate-controlled networks and secures it with a fixed perimeter. Data and users increasingly reside outside of that old perimeter, so the SASE approach inverts this model and places the user at the hub whilst taking a data-centric approach to architecting security.
“From my experience working as an information security professional for 20 years, dealing with both information security and network security has proven a major challenge. SASE ultimately aids the convergence of network and information security,” said Neil Thacker, chief information security officer EMEA at Netskope.
While cloud has raised expectations for business outcomes and agility, security has often remained appliance-based, and still occupies a spot in the increasingly redundant corporate data centre. This inevitably causes bottlenecks and delays. By being inherently cloud-native, SASE removes the need to hairpin traffic away from its logical path and allows for direct connectivity to cloud services.
Thacker explains: “Traditionally, installing new security controls has reduced performance and introduced bottlenecks, but SASE removes the barriers that many organisations have, and allows them to safely utilise the public internet whilst also applying security controls that cover a much broader range of web and cloud services.”
Real-world comparisons show that with the right vendor, a cloud-based SASE approach to security can actually improve cloud application performance times.
Thacker: “It seems counterintuitive that adding a security check can increase speeds and improve user experience, but that’s what happens. Because SASE providers like Netskope have built strong direct peering relationships with both Internet service providers and cloud service providers, organisations can leverage these peering relationships and fast track access to these services.”
So SASE has the potential to enhance both security protection and user experience, but early adopters say that the benefits don’t stop there. The model also reduces costs through appliance consolidation, which reduces the management, software updates and patching required across the infrastructure, and in turn increases efficiency.
Designing SASE
Digital transformation has become more vital than ever for companies to stay competitive in their respective markets. When it comes to designing SASE architecture to complement transformation strategies, there are four areas to consider:
- Networking transformation: Here, backhauling, hairpinning, and latency can be reduced to allow for direct-to-cloud access between users and applications. This eradicates the need for VPNs or multi-protocol label switching (MPLS), which lowers expenses, simplifies the environment and improves user experience.
- Application transformation: This sees apps migrate from the data centre to SaaS replacements, as well as new or redesigned custom apps that are rearchitected for the cloud, and the lift and shift of legacy apps to cloud-hosted virtual machines. Netskope Research Labs data has revealed the doubling of SaaS adoption from 2019 to 2020, but while accessibility increases, so do the risks brought by shadow IT.
- Security transformation: This reduces data centre, office, and branch office security appliances, moving to a cloud ‘secure access edge’. User traffic for web, managed SaaS, unmanaged SaaS (Shadow IT), public cloud services, and custom apps all need data and threat protection with granular policy controls by user and group, among other variables.
- Data transformation: Data is moved to apps and cloud services, whether as part of a specific initiative or as a by-product of user-driven cloud adoption, which can increase exposure via boundary crossings into personal instances of managed apps, unmanaged apps (Shadow IT), or social activity. Because this calls for more granular policy controls, risk-based, data-centric assessments are carried out; these often lead to urgent controls on unintentional data movement, as well as protection of data and IP from cloud- and web-enabled threats.
Next Generation Security
SASE is a new architectural approach which brings security design in line with digital transformation, but it also brings functional improvements, enhancing an organisation’s security posture. Any effort to secure cloud has to recognise the scale of Shadow IT, and cannot only operate within the easily addressed confines of approved corporate applications. Netskope’s data shows that the average organisation with between 500 and 2,000 employees uses 690 cloud apps – a number that grew by 20% in 2020 – and 97% of those applications are considered Shadow IT.
Thacker explains: “SASE aims to mitigate shadow IT by providing visibility. Security teams can track what services are being activated, by whom, and for what purpose. You can’t just unilaterally block all shadow IT usage, as this would lead to a monumental failure of the business. But you can implement specific cloud-agnostic controls for those apps, getting granular around specific data categories, using the full control set that SASE provides.”
Indeed, even when designing security for sanctioned applications, it is imperative to be able to discern between corporate and private instances of cloud applications – personal and corporate Google Drive, for instance, probably require very different policies. Because it is cloud-native, and built on APIs exchanging JSON, a good SASE platform is fully capable of identifying these nuances and applying instance-aware policies.
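To make the instance-aware, data-category controls described in the last two paragraphs concrete, here is an added example (not Netskope's code or any product's policy engine) of a simplified policy check. It assumes a hypothetical inline proxy has already resolved each request to an app name, extracted the account the user is signed into (the only reliable way to tell a personal Google Drive from the corporate one, since both sit on the same host), and attached a DLP category to the file involved; the tenant domains, category labels and events are all constructed for the example.

```python
"""Instance-aware cloud app policy check (hypothetical, simplified model).

The corporate and personal Google Drive share the same host, so a URL-based
rule cannot separate them. This example keys the decision on the account the
user is signed in with (assumed to have been extracted by an inline proxy)
and on a DLP category assigned to the data being moved.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    COACH = "coach"   # allow, but warn the user and record a justification


# Constructed sample configuration: identity domains that count as the
# organisation's managed (corporate) instance of each app.
CORPORATE_DOMAINS = {
    "Google Drive": {"example.com"},
    "Dropbox": {"example.com"},
}

# Data categories in increasing order of sensitivity, as a DLP engine might label them.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class CloudActivity:
    user: str            # corporate username from SSO
    app: str             # app resolved from the request, e.g. "Google Drive"
    account: str         # identity signed into the app: alice@example.com vs alice@gmail.com
    action: str          # "upload", "download" or "share_external"
    data_category: str   # DLP label on the file involved


def classify_instance(activity: CloudActivity, corporate_domains=CORPORATE_DOMAINS) -> str:
    """Return 'corporate' if the signed-in account belongs to a managed tenant, else 'personal'."""
    domain = activity.account.rsplit("@", 1)[-1].lower()
    return "corporate" if domain in corporate_domains.get(activity.app, set()) else "personal"


def evaluate(activity: CloudActivity, corporate_domains=CORPORATE_DOMAINS) -> Verdict:
    """Apply instance-aware, data-centric rules; the first matching rule wins."""
    if activity.data_category not in SENSITIVITY:
        raise ValueError(f"unknown data category: {activity.data_category}")
    instance = classify_instance(activity, corporate_domains)
    level = SENSITIVITY[activity.data_category]

    if instance == "personal" and activity.action == "upload":
        # Moving anything above 'public' into a personal instance is a boundary crossing:
        # block it; public data is let through with a coaching prompt so the pattern is visible.
        return Verdict.BLOCK if level >= SENSITIVITY["internal"] else Verdict.COACH
    if instance == "corporate" and activity.action == "share_external" \
            and level >= SENSITIVITY["confidential"]:
        return Verdict.BLOCK
    return Verdict.ALLOW


def audit_record(activity: CloudActivity) -> dict:
    """Structured log entry giving the visibility the article describes: who, which app,
    which instance, what action, and the outcome."""
    return {
        "user": activity.user,
        "app": activity.app,
        "instance": classify_instance(activity),
        "action": activity.action,
        "data_category": activity.data_category,
        "verdict": evaluate(activity).value,
    }


if __name__ == "__main__":
    # Constructed sample events, not captured traffic.
    events = [
        CloudActivity("alice", "Google Drive", "alice@example.com", "upload", "confidential"),
        CloudActivity("alice", "Google Drive", "alice@gmail.com", "upload", "confidential"),
        CloudActivity("alice", "Google Drive", "alice@gmail.com", "upload", "public"),
        CloudActivity("bob", "Google Drive", "bob@example.com", "share_external", "confidential"),
        CloudActivity("bob", "Dropbox", "bob@example.com", "download", "internal"),
    ]
    for event in events:
        print(audit_record(event))
```

The point of the design is that the same app, same user and same file produce different verdicts depending only on which instance the user is signed into; a control that keys on the destination host alone cannot express that, which is why the account identity and the DLP category have to reach the policy engine together.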