Why Digital Transformation Is Incomplete Without SASE
Archie Jackson of Incedo Discusses the 'Disruptor of the Legacy Model'
Security needs to be embedded by design at the inception of a project. Today's CIO cannot be efficient without at least a 50% focus on security. Their strategy, approach, conceptualizations, blueprints and vision must all have business, technology and security embedded by design.
Secure Access Service Edge, or SASE, focuses on two aspects - networking and security - coupled together to make a highly efficient and secure architecture that serves the business.
In a high-performing network, security sometimes takes a lower priority because centralized routes add latency, or, vice versa, performance suffers when all traffic is forced through centralized security. This model of networking and security has been failing time and again, but there were no alternatives that could solve for both simultaneously.
SASE = Networking + Security + Identity
But now there's SASE, which is networking plus security plus identity. Because of that combination, a question may arise about who owns the implementation of a SASE project. Is it the CIO because it has networks and cloud, or the CISO because it has security and identity?
A chief technology and security officer, or CTSO, may be an ideal role for a digitally transforming organization. There are multiple benefits in this approach: It has a single owner, it's a pyramid approach for complete architecture from a technology and security standpoint, and it's efficient.
Why SASE Is Needed
SASE is a disruptor of the legacy model. It enhances security, improves network performance and makes the business function more efficiently.
We Have Cloud
Cloud and digital adoption have changed data location, and most applications are now hosted in a cloud environment. Organizations are completely mobile. Collaboration, messaging and storage are all decentralized over cloud.
We Have Internet Traffic
The traffic flow has inverted - now very little traffic is internal and the majority of the traffic flow is internet traffic. This completely changes the dynamics of how to set up the network and make it secure.
MPLS and VPN setups are expensive, time-consuming and comparatively introduce many security vulnerabilities. Most importantly, the majority of traffic now needs to reach the internet rather than applications hosted on the domain controllers, so it makes better sense to route traffic directly and securely to the internet without first backhauling it to the data center for centralized secure access - a detour that impacts both performance and security in many ways.
We Have Decentralization
The number of users outside the office is increasing. Users are working from home, the office or on mobile, operating on different platforms or OSes such as Android, iOS or Windows. The majority of business applications - such as M365, Okta SSO, Splunk, AWS, GCP, SharePoint and Salesforce - are not found at centralized locations. And the adoption of SaaS, PaaS and IaaS creates more reliance on the internet and shows that network services are highly distributed.
SASE at the Peak
For high availability, confidentiality and integrity of the data, it is important to derive a solution such as SASE that sits between the distributed users and distributed cloud services.
The modern approach is to explore direct internet access, or DIA, and network decentralization, adding security from multiple locations at the edge of the cloud. Performance-sensitive traffic goes direct, and network decentralization reduces dependence on the central route.
The August 2020 release of Gartner's Hype Cycle for emerging technologies places SASE at the Peak of Inflated Expectations and predicts that the plateau will be reached in five to 10 years.
The Benefits of SASE
SASE has the following benefits:
- Reduces complexity and costs;
- Enables new digital business scenarios;
- Improves performance and latency;
- Is easy to use and transparent for users;
- Improves security;
- Lowers operational overhead;
- Enables zero trust network access;
- Increases efficiency of network and security staff;
- Offers centralized policy with local enforcement.
By unifying networking, security and identity under a single umbrella, the SASE platform reduces complexity and improves the performance.
How SASE Works
The core components of SASE are cloud-native security components: DNS security, Secure Web Gateway or SWG, Cloud Firewall, and Cloud Access Security Broker or CASB. These are combined with technologies such as SD-WAN and software-defined perimeter, or SDP - also known as zero trust architecture, or ZTA - delivered via DIA.
An ideal SASE-based architecture is the convergence of network and security services, including SWG, CASB, DNS protection, firewall as a service, SD-WAN and ZTA or ZTNA.
In the world of ZTA, there is a reverse proxy and an SSO gateway that talks to the reverse proxy using the SAML protocol. The user connects via the reverse proxy, which sends the request to the SSO gateway; the gateway authenticates the user and, based on the identity's privileges, routes the user to the on-premises or cloud resource. For cloud, once the gateway has authenticated the user, the user is permitted to go to the cloud directly. The right access level can be designed at the edge of the cloud with policies.
For on-premises applications, proxy tunnels are created to the individual applications for access. Access to other applications via SSH is controlled by policies and is therefore authenticated with the zero trust method at each step.
No VPN access is required, so whether the application resides on-premises or in the cloud, the experience remains the same and is transparent to the user. None of the apps accept connections that do not arrive via the proxy, and individual actions against applications can be configured.
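To make the flow above concrete, here is a small Python model of such a zero trust gateway; it is an added illustration, not code from the article or from Incedo. The identities, applications, group names and the simplified "signed assertion" check are all constructed stand-ins for a real SAML exchange.

```python
"""Toy zero trust access gateway: proxy-only entry, SSO authentication,
identity-based policy, and routing to cloud (direct) or on-prem (tunnel).
All names and policies below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Identity:
    user: str
    groups: set

@dataclass
class App:
    name: str
    location: str   # "cloud" or "onprem"
    policy: dict    # group -> set of permitted actions (e.g. read, write, ssh)

def authenticate(assertion: dict) -> Optional[Identity]:
    """Stand-in for the SSO gateway validating a SAML assertion.
    'signed' is a constructed marker, not real signature verification."""
    if assertion.get("issuer") != "sso.example.test" or not assertion.get("signed"):
        return None
    return Identity(assertion["user"], set(assertion.get("groups", [])))

def authorize(identity: Identity, app: App, action: str) -> dict:
    """Centralized policy, enforced at the edge: returns a routing decision."""
    permitted = set()
    for group in identity.groups:
        permitted |= app.policy.get(group, set())
    if action not in permitted:
        return {"allow": False, "reason": "policy"}
    route = "direct-to-cloud" if app.location == "cloud" else "proxy-tunnel"
    return {"allow": True, "route": route, "action": action}

def handle_request(request: dict, apps: dict) -> dict:
    """Every request is re-authenticated and re-authorized; no ambient VPN trust."""
    if not request.get("via_proxy"):          # apps only accept proxied connections
        return {"allow": False, "reason": "not via proxy"}
    identity = authenticate(request.get("assertion", {}))
    if identity is None:
        return {"allow": False, "reason": "authentication"}
    app = apps.get(request.get("app"))
    if app is None:
        return {"allow": False, "reason": "unknown app"}
    return authorize(identity, app, request.get("action", ""))

# Constructed application inventory with per-group, per-action policy.
APPS = {
    "crm": App("crm", "cloud", {"sales": {"read", "write"}, "support": {"read"}}),
    "ledger": App("ledger", "onprem", {"finance": {"read", "write", "ssh"}}),
}
```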
SASE = Network as a Service + Network Security as a Service
NaaS and NSaaS combine to create SASE and provide a platform for a business to efficiently embark on its digital transformation journey and easily adopt cloud and multi-cloud with embedded security by design.
Network as a Service
The components of Network as a Service are:
- Quality of service;
- Path selection;
- Content Delivery Network or CDN;
- Traffic shaping;
- SaaS acceleration.
These components ensure users connect to the services faster and in a more reliable manner instead of depending on legacy VPN or corporate networks.
Network Security as a Service
The components of Network Security as a Service provide security outside of the perimeter. Technologies that are included within SASE are:
- Cloud access security broker or CASB;
- Data Loss Prevention or DLP;
- Web Application Access Platform as a Service or WAA PaaS;
- Cloud threat protection;
- Firewall as a Service or FWaaS;
- Zero Trust Network Access or ZTNA;
- DNS and Wi-Fi security;
- User and Entity Behavior Analytics or UEBA;
- Secure Web Gateway or SWG;
- Cloud application delivery;
- Sensitive data discovery;
- Network encryption/decryption;
- Remote browser isolation.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Archie Jackson is a technology and security professional with more than two decades of deep experience in technology and security architecture, design and orchestration. He is the senior director, head of IT and security at Incedo Inc. and has been ranked among the top 10 security professionals in India by CISO Platform. Jackson started an initiative to spread cybersecurity awareness across colleges and universities and has addressed more than 12,000 students in the past four years.