By Brijesh Miglani, Lead – Security Consultant, Forcepoint
Companies are moving more and more applications and data to the cloud. Some are opting to do this in order to get the benefits of the cloud, such as flexibility, scalability or location-independent access. Some are doing it because large software vendors are driving this trend and gradually discontinuing support for their on-premise solutions, often leaving companies with no choice but to use their cloud offerings. Others are doing it because they were left with no choice but to shift to remote working due to the COVID-19 pandemic. Whatever the reason, one thing is certain—the trend towards the cloud is now irreversible and will continue to grow in the future.
As a result, some companies’ traditional IT security architectures are becoming increasingly obsolete. They are still based on the assumption that applications and data live within the company, so they are designed only to protect the corporate network from external threats. This has caused a growing discrepancy between where the risk actually resides and where the security tools to counter it are located. The cybersecurity focus therefore needs to be readjusted so that the security framework is designed and planned around cloud adoption.
Secure Access Service Edge (SASE), a concept first formulated by Gartner, is fast emerging as the architecture of choice for meeting evolving networking and cybersecurity challenges in increasingly cloud-based environments. SASE brings the network and its security back to where applications and data really are: the cloud.
Advantages of using a SASE-based architecture
SASE architecture offers numerous advantages. SASE is geared towards platform-based solutions that unify web, network, and app security. A converged approach eliminates gaps and redundancies to stop attackers from breaking into your enterprise from the internet, web content, or cloud apps—consistently, no matter where your people work.
It provides support to the ever-growing number of users who access cloud applications from outside the corporate network such as employees working from home, those who are travelling or those working in branches without their own data centers. This entire workforce can be connected directly to the cloud via a SASE architecture. Data flow for cloud applications no longer needs to be redirected through a central data center. Thanks to SASE, companies can incorporate local internet connections and an SD-WAN approach into their network architecture, which means significant cost savings.
Adopting SASE principles offers a unique opportunity to simplify IT security again. In the past 20-25 years, companies have deployed a stack of security tools from many suppliers. For security administrators, this has meant multiple contracts, multiple update cycles and having to manage these tools through different management interfaces. In the future, when security tools can be used in a holistic and uniform way from a single source, and when SASE-supporting cloud solutions are integrated, IT security management will be much easier.
Why is SASE important for your organization
SASE architecture unites connectivity and security. It provides secure, encrypted connections from individual employees, first to the cloud platform itself and from there to the desired cloud applications or directly to the internet. This can be accomplished with client-to-site VPN, site-to-site VPN or Zero Trust Network Access (ZTNA) technologies. Organizations can also use SD-WAN technologies to ensure that the best connection path for the application is always selected when accessing cloud applications.
SASE architecture can deliver the modules that are centrally important to securing your organization, such as:
- A Secure Web Gateway (SWG) to protect users from internet threats, shadow IT access and apply safe browsing policies
- Firewall-as-a-Service (FWaaS) for continuous inspection of incoming and outgoing data traffic, including decryption of encrypted traffic for inspection
- Zero Trust Remote Browser Isolation (RBI), which protects users by rendering web sites in a secure, isolated environment
- A Cloud Access Security Broker (CASB) that monitors and records the communication between the user and the cloud application
- Advanced Malware Detection (AMD), which tests suspicious attachments in an isolated sandbox to detect malware
- Data Loss Prevention (DLP), which monitors and, if necessary, blocks data transactions to prevent unwanted data loss across the platform
- Technologies for establishing and protecting connections.
How to start your organization’s SASE journey
Every organization will approach SASE in its own way. You can begin your SASE roadmap by determining if securing network connectivity or protecting data is your greatest need. SASE can be applied to many issues; start with one issue and work your way up through the larger ones gradually. Identify the right people to involve. In most organizations, the key audiences for SASE can be broken into two camps: network security buyers and data security buyers.
Network security buyers are concerned with challenges like securely keeping remote workers productive and safely adding new branch offices to the network. Data security buyers are interested in goals like improving data loss prevention to protect against external attacks and internal threats that can lead to breaches, as well as complying with governmental regulations and industry standards.
When relying on a partner that offers solutions based on the SASE model, there are some aspects to consider. For example, although the vendor can offer all the architectural features, if there are integrations of multiple third-party products in the platform, different cloud services may have to be connected to each other. This may consequently cause latencies and added management complexities, as different administration interfaces may be used.
The same effect occurs when the partner is a cloud-only provider with no on-premise security solutions. Companies will continue to keep applications and data in their data centers for the next few years, which will need to be protected with on-premise security tools. Hybrid security architectures will therefore be necessary, at least for the transition period. If the chosen partner is able to offer both on-premise and cloud solutions, companies will have the ability to holistically control both worlds within a centralised management console.
Finally, anyone offering a SASE architecture should provide proven technology with a successful distribution track record, and the technology should be continually developed to ensure its quality. Platform security effectiveness also depends on each and every solution being highly effective and best of breed.
The future of business applications and data lies in the cloud, and the future of security therefore belongs to SASE architecture. Future SASE platforms will provide comprehensive connectivity and security technologies. The earlier companies begin to address this topic, the easier it will be for them to navigate their digital transformation journey.