Experts from FireMon and Zscaler discuss why you should consider SASE and what to know when you make the migration
The world has gone hybrid. Some assets are on-premises and some are in the cloud. And they all need management. That wasn’t an easy task even before COVID – and now that workforces are remote and workloads have exploded in volume, the challenge of providing secure access is only greater.
The common hub-and-spoke model of security can’t provide effective security in a dynamic hybrid environment. Secure Access Service Edge, or SASE (pronounced ‘sassy’), is a distributed model that answers the security challenges businesses face today. While SASE is still in the early stages of adoption, Gartner forecasts its market will reach almost $11 billion in the next four years.
SASE combines WAN and network security services such as CASB and Zero Trust into a single cloud-delivered service. Its capabilities are based on entity identity, real-time context, security and compliance policies, and continuous assessment of risk and trust during each session. Entities may be individuals, groups of people, devices, services, applications, IoT devices, or edge computing locations.
SASE reduces threats by letting the policy follow the user. “As workforces and workloads move from the branch office locations or homes or coffee shops, SASE makes the whole security stack available as an edge location – close to the user,” said Naresh Kumar, Director of Product Management at Zscaler. “And because you’re getting security close to the edge, the end user experience is not impacted. That’s a critical piece of SASE.”
Top 3 drivers for SASE adoption
“The biggest challenge we’ve seen from a security perspective is how to secure everyone during this sudden shift to work-from-anywhere,” said Kumar. “Branch offices, SaaS, remote workforces… security needs to be applied to all of them consistently.”
“The next is whether IT has enough resources outside the perimeter they were formerly owning and managing to get the desired level of protection. With the new phase of SaaS, there’s a need for additional context around managing company devices and personal devices, such as data privacy issues.”
The third challenge, said Kumar, is the most important — how to ensure corporate policies are normalized and the business has complete visibility across its hybrid environment. Tim Woods, Vice President of Technology Alliances at FireMon, added, “That’s not an easy task when you consider all the different areas that must be managed from a security perspective. But regardless of how we connect our people to the required resources, we still need to maintain a consistent policy visibility. It’s very important we have visibility and awareness of change across that hybrid model from top to bottom.”
How to address these challenges with SASE
“Centralize security controls across all entities”
Visibility is hindered by what Woods referred to as security/responsibility fragmentation. “When there’s a lack of centralized policy control — too many chefs in the kitchen, so to speak — you begin to see a negative impact on consistency, and inconsistency creates security gaps.”
“If you’re dealing with different security facts for your users sitting in branch offices or at headquarters versus your remote users using a VPN, you will never be able to achieve consistency,” said Kumar. “And consistency is a key tenet of SASE. It’s essential to performance and scale.”
Kumar said the number of security tools companies are currently using is part of the problem. “Right now, security and networking teams have to swivel between a lot of different screens to understand what’s happening. Every entity, like a branch office or a user, is handled in a different way.” But visibility can only be achieved when it’s handled in a centralized manner. That includes the ability to manage policies across a heterogeneous environment like a hybrid cloud.
“When I hear heterogeneity, I think complexity,” said Woods. “And this is where not only centralized visibility, but centralized quality control become paramount. It’s not just for our own people, it’s for any access we allow into our extended hybrid infrastructure.” Visibility and quality control must be applied to connections from partners, temporary contractors, subsidiaries, mergers and acquisitions, etc., just as they are applied to the business’s own connections. “We need to consider those remote connections and the potential risk they bring with them,” said Woods. Otherwise, the business is at the mercy of whatever security controls those connections’ third-party providers have chosen to stand up – or failed to stand up.
“All too often, we’ve seen breaches occur as the result of a bad actor gaining access to a third-party connection,” said Woods. “Bad actors are constantly seeking out that path of least resistance. And when they find it, they definitely will exploit it. So being able to wrap those third-party connections into your cloud security plan can ensure you have that equal footing — equal security controls — across all entities.”
“You’re only as good as your last change”
“I cannot tell you how many times I’ve heard from the customers that they don’t feel like they have a good perspective over the entirety of their real estate,” said Woods. “They don’t know where they’re secure and where their security gaps exist. They don’t know how many tools they have or how many platforms. They don’t know how to share information across platforms or enrich data to raise the total value of their combined security solutions.”
Businesses that lack these capabilities also lack the ability to scale, and certainly cannot scale on demand. Woods said, “The cloud landscape is like shifting sand. It changes very quickly. It’s a scary reality when you consider that the resources we place in the cloud could quickly become internet-facing through a simple misconfiguration. This really underscores the need for an agile security policy management model. I like to say that you’re only as good as your last change.”
Woods said that before a change is implemented, the business should already know the answers to these questions:
- Will this change break compliance?
- Will it introduce unacceptable risk?
- Will it expose the infrastructure to a known vulnerability that wasn’t previously exposed, such as one caused by a policy conflict?
- Does it provide overly-permissive access from a policy perspective?
- Does it break business continuity?
- Will it impact anything critical to business operations?
“Am I going to run around and troubleshoot to figure all that out,” asked Woods, “or can I be proactive and know enough in advance to say, ‘hey, we can’t allow this change because we’ve already assessed it and we know it will have a negative impact on our business continuity’?”
“Don’t bring old rules into new systems”
When discussing migration, Kumar said, “It’s not a good idea to bring the same policies from your appliances into the cloud. Then you’re just moving the problem from one place to another. Cloud migration is an opportunity to identify which rules are really securing your things. Because over time, rules pile up and sometimes those rules aren’t even hit anymore. They’re just out there, doing nothing but slowing down your performance and maybe even creating vulnerabilities.”
“Policy bloat is a real problem,” Woods said. “It’s all of the stuff that gets built up in the policies over time that doesn’t need to be there, whether it’s unused rules, redundant rules, shadowed rules, duplicate rules or technical mistakes, stagnant rules, rules that have just gone to sleep. And if you’re not vigilant in staying on top of them, bad things can happen — like inadvertent access. Trying to analyze policy behavior becomes a mess. So any time you want to migrate a policy, my recommendation is to always make sure you have a good, clean policy to start with. It needs to make sense for the environment you’re moving to.”
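The rule categories named above can be checked mechanically before a migration. The following is an added example, not code from FireMon, Zscaler or the original article: it assumes a simplified first-match rule model (source CIDR, destination CIDR, destination port range, action, hit count), working definitions of "duplicate", "redundant", "shadowed" and "unused" that are stated in its comments, and a constructed sample policy.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:              # hypothetical, simplified rule model
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR
    ports: range         # destination ports
    action: str          # "allow" or "deny"
    hits: int = 0        # hit counter over the review window

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.ports.start <= b.ports.start and b.ports.stop <= a.ports.stop)

def audit(policy):
    """Return (rule, finding, earlier_rule) tuples for a first-match policy.
    Working definitions (assumed for this example):
      duplicate - same match and action as an earlier rule
      redundant - fully covered by an earlier rule with the same action
      shadowed  - fully covered by an earlier rule with a different action,
                  so the intended allow/deny never takes effect
      unused    - not covered by anything, but zero hits in the window"""
    findings = []
    for i, rule in enumerate(policy):
        earlier = next((e for e in policy[:i] if covers(e, rule)), None)
        if earlier is None:
            if rule.hits == 0:
                findings.append((rule.name, "unused", None))
            continue
        same_match = (earlier.src, earlier.dst, earlier.ports) == \
                     (rule.src, rule.dst, rule.ports)
        if earlier.action != rule.action:
            kind = "shadowed"
        else:
            kind = "duplicate" if same_match else "redundant"
        findings.append((rule.name, kind, earlier.name))
    return findings

HTTPS, SSH, FTP = range(443, 444), range(22, 23), range(21, 22)
SAMPLE_POLICY = [  # constructed sample, documentation address ranges
    Rule("allow-web", "0.0.0.0/0", "10.1.0.0/16", HTTPS, "allow", 9000),
    Rule("allow-web-app1", "0.0.0.0/0", "10.1.5.0/24", HTTPS, "allow"),
    Rule("deny-partner-web", "203.0.113.0/24", "10.1.0.0/16", HTTPS, "deny"),
    Rule("allow-web-copy", "0.0.0.0/0", "10.1.0.0/16", HTTPS, "allow"),
    Rule("allow-legacy-ftp", "10.2.0.0/16", "10.1.9.0/24", FTP, "allow"),
    Rule("allow-ssh-admin", "10.3.0.0/24", "10.1.0.0/16", SSH, "allow", 120),
]
```

In the sample, `deny-partner-web` is the case that produces inadvertent access: the broader allow above it means the deny never fires, which a hit-count review alone would report only as an idle rule.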
SASE helps businesses “be faster than change”
The five factors that work against network security policy agility are:
- Lack of visibility/insight
- Lack of compatibility/integration
- Changes in the environment
- Inability to scale
- Expanding attack surface
SASE helps organizations break away from these restrictions by enabling consistent and proactive compliance combined with centralized and simplified visibility and policy management. Businesses can keep track of everything happening in the network. The result, said Woods, is “positive business outcomes that result from having a proactive posture and monitoring for changes. Businesses need to be ‘faster than change,’ meaning I want to be able to analyze change before it gets implemented. If you’re not evaluating changes, you’re going to be caught off-guard. Sooner or later, you’ll miss something critical. Anywhere we can reduce complexity, we’ll inherently bring about better security and compliance.”