Last year, Gartner introduced the term Secure Access Service Edge, or SASE, in its technology hype cycle. Almost immediately, it grabbed enormous attention from vendors and enterprise consumers. Existing and new technology players began highlighting the benefits of SASE, marketing their offerings to attract customers. But what is SASE? Why should we care about it? Is it truly a game-changer? In my opinion, the concept is not entirely new; the branding and the timing of the terminology attracted a lot of attention. SASE provides networking and security as a cloud-based service, as opposed to discrete solutions, which are no longer relevant in today's environment, where application and data access is needed from everywhere and from any type of device. Before we delve into the world of SASE, let's examine the technologies organizations have used to connect and secure applications, and why they need to look at newer alternatives.
By Parthasarathi Chakraborty, Director–Infrastructure & Cloud Security Architecture, Bank of Montreal
Enterprise applications used to be hosted in corporate datacenters, within the perimeter of the organization. Users had to backhaul to the company network to access applications. The introduction of cloud-hosted applications, the increasing dependency on third-party SaaS, and workforce mobility have made traffic backhauling inconvenient and perimeter-centric security less effective. On top of that, the plethora of separate networking and security solutions made integration even more challenging, made security incident response more cumbersome, and lowered the return on technology investments. That is why organizations started looking for "integrated" solutions that bind networking with security services and present them in a single pane of glass for easier operations. Such solutions offer better context and data sharing between controls for improved efficiency, and greater portability of the solution suite to address the ever-changing form factor of user compute.
Gartner's SASE concept reflects the same idea in a cloud-based service offering. The future of networking and security will be an integrated "as a service" offering from the cloud that enables users to access data from anywhere, at any time, and on any type of device.
Major components of a good SASE security plane may include a proxy-based secure web gateway, URL filtering, SSL interception, data leakage protection, content isolation, advanced threat protection including dynamic detonation, firewall/IPS as a service, DDoS/WAF as a service, DNS security, CASB (cloud access security broker, for SaaS), and other security controls based on the zero trust security model. The network plane integrated with those security controls may include intelligent connectivity solutions such as SD-WAN (software-defined wide area networking), used to minimize connectivity cost and latency and to route traffic intelligently to applications hosted anywhere, whether in the cloud or in the corporate datacenter; VPN replacement with SDP (software-defined perimeter); content distribution services; WAN optimization; policy-based routing; and class-of-service and quality-of-service assurance from the cloud. There is no prescriptive list of networking or security controls within the SASE framework; the key is to have the integrated "as a service" offering. That is where industry vendors are stretching the term, by offering solutions in their own stronghold as SASE.
The challenges early adopters will face here will be no different from what they see in on-premises technologies. Distinct technology controls offered as a service, with minimal integration and context sharing between them, simply shift the problem from the datacenter to the cloud. The reason lies in the fact that there is no set definition of which controls need to be in the SASE space. Classic networking vendors are either building a few security features or acquiring security companies, without tight integration, to emerge as a "new" SASE player. The same holds true for traditional security players: they lack expertise in the networking space and then "partner" with network players to provide "on-paper integrated" SASE offerings.
Here is what an organization should consider while evaluating a SASE vendor.
- Integrated networking and security as a service
- Avoid a "stitching approach," meaning multiple vendor products offered "together" as partners, or acquired solutions with poor integration capabilities
- Look for solutions built from the ground up with offerings in both the networking and the security space
- Look for solutions with better data and context sharing for a complete end-to-end picture
- Prefer solutions written on cloud-native technology
- Hardware instances or virtualization are less preferable than container-based offerings leveraging microservices technology
- Identity-based security filtering based on the principles of zero trust networking
- Select products that allow granular policies based on the immutable identities of humans and machines
- Prefer solutions with open APIs for better integration with the rest of the control suite
- Built on next-generation technologies such as artificial intelligence and machine learning
To conclude, SASE is the direction organizations should look to embrace, without repeating the mistakes of the on-premises network: too many independent solutions at the cost of higher complexity and lower integration capability. Industry solutions offered in this space fall into three distinct categories: strong network-as-a-service from traditional networking vendors, strong security players providing security as a service, and CDN providers helping with content distribution from the cloud. Network vendors without a stronghold in security can either acquire a security solution or partner with other security vendors; the same is true for classic security vendors entering the SASE space. The net impact is a lack of context sharing, poor integration, and operational complexity that defeats the core goals of the SASE concept. We should prefer solutions with the most depth and the broadest breadth, covering the network and security areas well enough to provide one integrated "as a service" solution, written on cloud-native development platforms with open integration capabilities. The market is still full of niche network or security players. It would be prudent to take a cautious approach and wait until solutions are available with equally strong network and security offerings.
Everybody is selling the SASE concept in their offerings now, but to me it is exactly the on-premises problem moved to the cloud, except that a few vendors are bridging the gap with an integrated cloud-based networking and security offering.
The goal here is not to be prescriptive but to present the facts; the final decision stays with the individuals in charge of technology selection, based on organizational objectives and risk appetite.
About the Author
Parthasarathi Chakraborty is Director – Infrastructure & Cloud Security Architecture at the Bank of Montreal. Previously, he held executive leadership roles at Guardian Life, JP Morgan, Bank of America, and Merrill Lynch.
He is a member of the Forbes Technology Council, Rutgers University Cyber Security Advisory Board, and the New Jersey Institute of Technology CSLA Advisory.
He holds the CISSP, CCSP, CEH, and CHFA certifications, an MS in Information Security (WGU), and an MS in Technology Management (Columbia University).
Views expressed in this article are personal. CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.