SASE: Five steps for a successful transition to modern-day security

A great many companies are waking up to the fact that traditional perimeter security controls are no longer a good fit for the modern way in which we work and conduct business. This realisation is in no small part due to the transitioning of many IT services over to the cloud. When data and applications have left the data centre and are instead provided from multi-cloud environments, with mobile employees working outside of the secured network, perimeter security becomes moot.

This, of course, is ever more prevalent now, as COVID-19 has moved a great many employees out of the office and necessitated them to work remotely. Whether the mass remote working we’re currently experiencing shifts business mindsets around remote workers after the current situation subsides is a big topic in and of itself. Yet, the current situation has hammered home one key fact: attempting to secure these modern working environments using traditional network security concepts both completely bypasses the needs of the user and the demands associated with their mobile working lifestyle.

To compound the issue, the risk landscape is changing, too: We are now seeing targeted attacks intended for specific users. If a targeted user is not working on the secure network and is using mobile devices to access data and applications in the cloud and network at the same time, companies will need new security concepts to protect themselves against third-party attacks and malware. As organisations are increasingly becoming dependent on cloud technology as a replacement for their own in-house networks – and are structuring their digital business models on this basis – their security concept must also adjust to this changing environment.

The Secure Access Service Edge (SASE) framework was developed by Gartner, based on the new demands of day-to-day business in the modern world. The framework – which will be boosted in the future by powerful always-on internet access – was constructed on the premise that, for maximum flexibility, cloud security should also come from the cloud. The idea behind the framework is that information traffic is secured throughout its journey from a user to an application, regardless of where the user is or where the application is hosted. This is a step away from the network-centred approach and towards a user-centred security concept. These kinds of models were designed to secure mobile users and data traffic in the cloud, and now are demonstrating their merit as companies embrace them to secure their largely remote working staff. This approach also removes the need to divert data traffic to a protected data centre via the MPLS network – which is an expensive, now unnecessary, route to take.

Gartner’s concept also factors in the ever-changing application landscape. As the various applications that an employee may need to access can all be hosted by different cloud providers, the associated infrastructure is becoming increasingly complex. Furthermore, users expect to be able to access the applications they need to do their jobs from any location and any device, without manual interaction or latency. With this in mind, Gartner has designed the Secure Service Access Edge framework to secure data throughout its journey from the user’s device to the destination – rather than just securing the destination.

Understanding SASE

Companies wishing to apply the SASE framework to their security solution must first overcome a number of interpretation hurdles to achieve a comprehensive and accurate understanding of the concept. It isn’t easy to define the term “edge”: In this concept, it does not refer to the boundaries of a physical network. Companies must move away from the notion that an “edge” refers to a single location. And the teams responsible for implementation must let go of the idea that their aim is to secure a network. In fact, the focus of the process is on choosing an approach that is available at any time and from any location. A true SASE model should be considered an all-encompassing, holistic service rather than a purely destination-based service. To put it in its most simple terms, the “edge” in this instance is more of a pass through; it sits between the user and the service which they’re connecting to. So the SASE framework covers all of the user’s communication between a point of origin and an end point; it does not get in the way of the user’s work, but enables them to securely access the applications and data they need. SASE cannot be compared to any other stand-alone service, because it is an entire framework comprised of different elements, including SD-WAN, a software-defined perimeter and IAM services.

In order to establish a SASE-based security system, companies must take these five steps into account:

  1. Know your user base
    At the first stage, companies must be able to identify their users. They must ask themselves “who needs access to which services? How can this user base be categorised by their required access rights so that we can establish different policies for different types of users?” It’s a good idea to implement SASE gradually, so that any company can select the sets of their business that they want to enable and applying and learning who should be using it through process not guesswork. An identity provider such as Azure AD, Okta or Ping is generally a helpful tool for creating the user base.
  • Have an idea of user destinations
Related:   Mozilla wants to show you where "Privacy is Not Included"

As well as knowing their users, companies should also give some thought to where their users want to go: What does the user need access to and where is the application hosted? This question becomes all the more important in the context of the multi-cloud infrastructures that are so prevalent today. It is no longer the case that all applications are hosted from a single data centre: They are also distributed across multiple cloud providers and both private and public environments. These two pieces of information – the user and the destination – form the starting point for a SASE-based solution.

  • Group service categories and understand their topology

Companies don’t just need to think about why a user is given access to a service, but also where this service is located and how the user can be routed to it most efficiently. As modern applications can be hosted on any cloud, companies need to maintain an overview of what belongs where in their multi-cloud environments. Cloud service providers will continue to diversify, with new niche providers joining in to compete with the major market players AWS, Azure and Google all the time. As companies want to avoid vendor lock-ins, they seek out the most appropriate cloud environment for each application, so it is essential to develop an architecture to understand where each application is located. Furthermore, it is important that companies consider how their applications can be grouped into service categories to facilitate rule and access controls.

  • Define the rules

To be completely frank, SASE can be complex but only if an organisation rushes through it. As users will be headed for a wide variety of destinations, companies must decide which access rules will apply in each scenario. It’s best practice to apply SASE rules first and foremost to what is already known, and observe over time where else these rules should be applied. It’s an iterative process.

Responsibility for creating these definitions lies with human resources and the specialist department, who can use the job description for the role of each new employee to define and determine the required access rights to the relevant applications. A SASE service includes shades of grey between black and white or, in other words, access or no access: It must be adaptive, so the company will need to define different rules for different sets of circumstances. A mobile user will work from different locations, so the service will need to switch between access, blocking or routing at different times.

To accommodate this feature, there must also be an access control instance at the point of origin and the destination to decide whether a connection should be established between the user and the application and, if so, how. In order to meet the user’s expectations for fast and seamless access, the system must connect the user to the application via the shortest possible route, without latency. This is where zero-trust network access solutions can be used to guide the user to the relevant application based on the applicable rules and context.

  • The optimum path to the application

The final step is to steer user traffic to the application via the shortest possible route. Here, companies must bear in mind that a static definition of the path from the user’s point of view may not be the most effective. Once again, the company must factor in the mobility of the modern employee, who must be dynamically routed to the required application from any location. Another criterion to consider here is bandwidth optimisation, so that priority is given to business-critical applications. This is where local internet breakouts with SD-WAN models and bandwidth management, as well as service quality monitoring, will come into play.

Conclusion

Once an organisation has worked through these five steps, it will be in an excellent position to select a single application or a group of users and to begin the implementation process from there. Ultimately, the goal of digital transformation should be to accelerate innovation rather than put the brakes on business processes. The SASE framework can help companies to construct a holistic IT infrastructure that takes all application, network and security-related requirements into account.

Vice President of Emerging Technologies at Zscaler

Nathan Howe has over 20 years of experience in IT security.
He brings his knowledge as an IT architect, pen tester and security consultant to companies to help them meet the challenges of digital change.
Since 2016 he is working for the cloud security specialist Zscaler.

Leave a Reply

Your email address will not be published. Required fields are marked *