SBN

RSAC insights: ‘SASE’ disrupts networking by meshing security, connectivity at the services edge

It’s accurate to say that security has been bolted onto modern business networks.

It also has become very clear that we won’t achieve the full potential of digital transformation without security somehow getting intricately woven into every layer of corporate IT systems.

We’re still a long way from achieving that, but a promising roadmap has emerged. It’s a new model for architecting enterprise IT systems, dubbed Secure Access Service Edge (SASE), a term coined by top security analysts at tech advisory firm Gartner.

I had the chance to visit with Kelly Ahuja, CEO of Versa Networks, a supplier of SASE systems. For a full drill down on our discussion on why SASE could be game changer, please give a listen to the accompanying podcast. Here are the key takeaways:

Connectivity vs. security

Corporate networks exist to connect users to applications. Traditionally this was done by setting up a datacenter at company headquarters, and having employees enter the building and access applications using company-managed equipment. Thus, local area networks, or LANs, were born.

Then along came wide area networks, or WANs, as a means to securely connect several LANs set up in geographically dispersed branch offices. Over time WANs proved to be expensive and inflexible, so they began to be replaced with software-defined wide area networks, or SD-WANs, which offered heightened data-transfer efficiencies.

However, the first-generation of SD-WAN solutions were notable for one key thing: they were solely focused on improving connectivity and did little to account for security. Early SD-WAN solutions “were built only to replace an MPLS-VPN with an Internet-based VPN,” Ahuja says.

Meanwhile, as networking connectivity evolved, the bolting-on of more and more layers of security progressed — on a completely separate path. The firewall emerged as the cornerstone around which companies were encouraged to pursue a so-called defense-in-depth strategy.

Intrusion detection, intrusion prevention  and sandboxing technologies got bolted onto the firewall. Anti-virus suites morphed into endpoint detection systems. Entire sub-categories of specialized tools came along to do things like identity and access and management (IAM,) vulnerability management, web browser security and application security.

“All of these tools became extremely necessary to ensure that you could authenticate the user before allowing them access to the right resources in the network,” Ahuja says. “But the security market has become so fragmented and most enterprises have been stitching together these tools on a piecemeal basis.”

Secure connections

There is an obvious problem in this divergence of connectivity and security: the network attack surface has been drastically expanded. It’s difficult to quantify how this translates into specific risks for any given organization. But from a macro view, hundreds of billions of dollars of economic activity is being siphoned off annually.

The Solarwinds hack and Microsoft Exchange breach, not to mention the latest rounds of massive thefts of personal data from Facebook and LinkedIn aptly demonstrate this. For smaller organizations, the continuing plague of ransomware attacks, and hacks like an intruder nearly succeeding in poisoning the water supply of a Tampa suburb are stark reminders.

A paradigm shift in fundamental network architecture is sorely needed. This is why in August of 2018 Gartner’s leading security analysts Neil MacDonald, Lawrence Orans and Joe Skorupa coined and defined the SASE model.

Ahuja

Here’s how Ahuja broke it down for me: “SASE is a framework that essentially says network and security functions need to work hand-in-hand or at least need to be built-in together . . . Fundamentally, SASE is designed to enable every user to make a secure and reliable connection to any application, anywhere.”

SASE fundamentals

Ahuja noted that SASE isn’t designed to supplant legacy defense-in-depth security systems. Firewalls, identity management and endpoint protection aren’t going anyway, he says, they’ll just be woven in, instead of bolted on. Gartner laid out these four SASE criteria. Any SASE solution must:

•Be identity-driven. Simply using an IP address no longer is enough to make a connection and initiate a data exchange. All identities, whether for a human or a machine, should take into account the level of access granted and the extent of activity allowed.

•Use cloud-native architecture:The idea here is to highlight elasticity, adaptability, self-healing and self-maintenance; in short any SASE system must, itself, be agile.

•Support all edges. This includes datacenters, branch offices, cloud resources and mobile devices. SD-WAN will continue to fit in here as a way to tie together branch offices, while other types of systems can support mobile and clientless browser access.

•Be globally distributed. Full networking and comprehensive security capabilities must be delivered seamlessly to all edges, everywhere.

Identity is vital

SASE, unsurprisingly, is a white hot topic at RSA Conference 2021. Gartner’s security analysts say that by 2023, 20 percent of enterprises will have adopted SASE capabilities, in parts or as a whole, up from less than 5 percent in 2019. And by 2024, at least 40 percent of enterprises will have explicit strategies to adopt SASE, Gartner predicts.

Those estimates may yet turn out to be conservative. Due to the global pandemic, more folks than ever are logging in from remote locations for work and school; and they’re leveraging more and different types of applications increasingly on their mobile devices. In short, network connectivity is getting dispersed far and wide, and workloads are bouncing from servers scattered far and wide through private, public, provider and hybrid clouds.

“This is happening now,” Ahuja observes. “There are more users logging in from different places, and not from work locations. That’s why user identity is so important. You need to know what device the users are using, where they’re logging-in from, and what operating system they’re using. And then you need to be able to ensure that the onboarding of that user into the corporate environment, as well as any accessing of applications, is driven by a policy framework that you can implement. That’s what SASE allows enterprises to do.”

While SASE is directed at large organizations, the problems it aims to solve apply to organizations of all sizes and in all sectors. The central challenge for all businesses is how to deliver digital services with agility, but also securely, as well. We can’t rely on bolt-on security for much longer. I’ll keep watch, and keep reporting

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/rsac-insights-sase-disrupts-networking-by-meshing-security-connectivity-at-the-services-edge/