By Daniel Blackwell, Product Manager – Network and Security at Pulsant
Highly effective SaaS applications have enabled massive growth in remote working, bringing businesses new agility and employment flexibility. But with large numbers of employees working remotely on extended networks, a significant set of security challenges has arisen.
Thousands of individuals are now working from uncontrolled environments, frequently using their own devices, and almost certainly relying on domestic networks, potentially exposing an extensive new set of vulnerabilities. Domestic broadband and personal devices lack the same security protocols and controls that protect corporate devices and networks, presenting a tempting door for cyber-criminals to unlock and push open.
Internet access is often shared with other devices, while home networks either have weak passwords, or none at all, and are generally configured without encryption. All these vulnerabilities provide multiple angles of attack on a corporate network which are potentially easier to carry out than many other methods employed by criminals or activist hackers.
The picture for IT chiefs is further complicated by the use of multiple cloud vendors and the steadily growing adoption of hybrid infrastructures for sound business reasons. These further compound the vulnerabilities of an expanded attack surface, with multiple ingress points to distributed business information and systems, all of which need to be controlled and monitored.
Removing the IT headache
For IT teams these developments are problematic. Applying security policies to each employee working remotely can be complex and costly. For example, applying the same policies and controls could require deploying a firewall at each employee’s home, which is expensive and generates huge management overheads. The alternative, providing each employee with a remote VPN connection back to a central office location, goes against the flow of what businesses need today for increased agility and cost-effectiveness. As organisations increasingly move to decentralised services employing SaaS applications and public cloud, there is little sense in routing traffic back through an office location.
The role of SASE
Secure Access Service Edge (SASE) is increasingly emerging as a solution to most of these difficulties, enabling organisations to apply security policies to employees wherever they are working, using a centralised management policy. Adoption of SASE remains cautious, however, largely because there is no settled definition of what it is, nor has it been standardised, causing significant confusion about the benefits that it can bring.
Depending on who you want to believe, SASE comprises all or most of the following technologies: secure web gateways (SWGs); web-filtering; cloud access security brokers (CASBs); firewall-as-a-service (FWaaS) and Zero Trust Network Access (ZTNA). Many organisations will already have some of these applications in place, just not in a unified, cloud-based solution that provides genuine control, visibility and management, removing the drudgery and cost of overseeing and administering them separately.
Gartner defines SASE as an extension of SD-WAN to include other network security controls and services that can be centrally managed through the same SD-WAN management plane. This covers the essential elements of network and application optimisation, access control and, the vital requirement for the IT team, full visibility. With these capabilities, troubleshooting becomes much quicker and more effective.
Unfortunately, many vendors have boarded the SASE bandwagon in what are often little more than rebranding exercises. They slap the SASE label on cloud-based security solutions that are not managed by a single dashboard and still involve multiple separate products. Others claim to provide SASE even without an SD-WAN offering, while yet more offer elements of SASE but not the full product range.
In the current market, there are very few vendors who provide SASE matching Gartner’s full definition. However, this does not mean that SASE is something that organisations should disregard; instead, it should be seen as more of a framework to build a solution that helps solve the security complexities introduced by modern working.
Zero trust and the edge
SASE is fundamentally about the application and the user. With SD-WAN, the primary purpose is to have control over the application and apply routing policies to ensure the right applications obtain the best possible path. This optimises performance for the end-user and enables organisations to upgrade or implement new applications efficiently and quickly.
True SASE means applying the same principles of efficiency and agility to security controls. The application and the user are still considered, but more specifically it is about ensuring the right user has access to the right applications, and only those applications. This implementation of the zero-trust approach can even be broken down further to the right device, at the right time of day, from the right network, with access restricted to applications and web services based on the security posture of the user, device and destination.
The physical location of the SASE ‘engine’ should also be considered. The term ‘cloud’ implies that something is located everywhere, whereas in the UK it typically means the service is hosted in one location. By having regional points of presence, the enforcement of security policies is distributed closer to each user wherever they are working.
Using this approach, organisations can stop employees from accessing known bad web services, regardless of location, removing the risk of downloading malicious files or applications. If malware does get through and a device is breached, access can be revoked, preventing attackers from gaining access to applications or services.
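The access decision described above, written as a default-deny check. This is an added example, not part of the original article or any vendor's product; the rule fields, group names, device IDs and addresses are hypothetical, and posture is reduced to a single device flag.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:               # hypothetical policy rule, one per (group, application)
    group: str
    app: str
    hours: tuple          # (start, end) permitted time-of-day window
    networks: tuple       # permitted source CIDRs
    managed_only: bool    # require a corporately managed device

@dataclass(frozen=True)
class Request:
    user: str
    group: str
    app: str
    device_id: str
    managed: bool
    posture_ok: bool      # device reported healthy (assumed posture signal)
    source_ip: str
    at: time

REVOKED_DEVICES = set()   # device IDs whose access was revoked after a breach

def decide(req, rules):
    """Return (allowed, reason). Default deny: every condition must pass."""
    if req.device_id in REVOKED_DEVICES:
        return False, "device revoked"
    if not req.posture_ok:
        return False, "device posture failed"
    for r in rules:
        if (r.group, r.app) != (req.group, req.app):
            continue      # rule is for another user group or application
        if r.managed_only and not req.managed:
            return False, "unmanaged device"
        if not (r.hours[0] <= req.at <= r.hours[1]):
            return False, "outside permitted hours"
        if not any(ip_address(req.source_ip) in ip_network(n) for n in r.networks):
            return False, "source network not permitted"
        return True, "allowed"
    return False, "no rule grants this application"

# Constructed sample policy and request (documentation addresses, not real users)
RULES = [Rule("finance", "ledger", (time(7), time(19)), ("203.0.113.0/24",), True)]
REQ = Request("alice", "finance", "ledger", "dev-01", True, True, "203.0.113.10", time(9, 30))
```

Adding a device ID to `REVOKED_DEVICES` makes every later request from that device fail, whichever rule would otherwise have allowed it.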
Securing the edge
SASE in its true form is a package that comprehensively combines many solutions. As organisations increasingly implement distributed and decentralised applications, SASE, in conjunction with SD-WAN, provides a high level of central control that is flexible and agile.
As organisations adjust to new ways of operating, such attributes become critical. Remote working policies are here to stay on a major scale. It will not be long before SASE and SD-WAN enable IT and security teams to bring security protocols closer to users. The result will be a very resilient network that optimises the edge and protects its users from evolving and increasingly complex cyber threats — whether they are toiling in a home office, on the road or at their company’s headquarters.