One of the hottest topics at RSA Conference 2021 taking place virtually this week is the Secure Access Services Edge (SASE) security framework.
SASE (pronounced sassy) essentially is a roadmap for infusing privacy and security deeply into the software coding that gives life to our smartphones, IoT devices and cloud infrastructure, i.e. at the “services edge,” where all the action is taking place.
Coined by Gartner in late 2018, SASE is gaining momentum as a generational disruptive force. It calls for organizations to start proactively managing the myriad new attack vectors they’ve opened up in the pursuit of digital agility — by embracing a bold new IT architecture that extends network security far beyond the traditional perimeter
However, disruption doesn’t happen without displacement. And at this early stage, things are a bit chaotic. As established and newer cybersecurity vendors scramble to catch the SASE wave, marketing messages have sometimes been less than clear.
From the customer’s point of view, some early-adopter enterprises have experienced buyer’s remorse trying out SASE services that don’t really make the grade, says Mike Spanbauer, security evangelist at Juniper Networks, a Sunnyvale, Calif.-based supplier of networking technology.
“What we’ve heard from out in the marketplace is that a number of SASE solutions that supposedly could deliver everything as promised, were found to be lacking in many capacities,” Spanbauer says. “So now people are having to operationalize the pain and re-architect from scratch. It’s an ugly mess.”
I’ve a had a couple of deep conversations about this with Spanbauer. Juniper has just officially thrown its hat in the SASE ring with its recent roll out of a SASE-tuned portal service that can manage security policies across multiple systems. More SASE services are coming from Juniper. It was instructive to get Spanbauer’s take on how SASE is taking root and why Juniper is taking a measured approach to becoming a major SASE supplier. Here’s what I learned.
Twenty years ago, network connectivity was straightforward. Companies stood up datacenters to deliver apps from on-premises servers to employees using company-owned desktops and laptops. Security got bolted on by installing firewalls at web gateways.
Defense-in-depth meant adding on layers of intrusion detection and data loss prevention systems, while also keeping antivirus software updated and vulnerabilities patched. This bolt-on approach to security was deemed sufficient to protect an organization’s IT perimeter – the only edge that mattered at that time.
Fast forward to the present. Connectivity has become spectacularly complex. In support of digital transformation, company networks today must connect to endless permutations of users and apps, both on-premises and in the Internet cloud. Mission-critical edges exist everywhere.
Bolt-on security, meanwhile, has morphed into a glut of point solutions that mostly seem to put companies one step further behind as threat actors have a field day exploiting an ever-expanding attack surface.
The Colonial Pipeline hack, for instance, highlights the steadily escalating ransomware plague, and the SolarWinds hack points up how deep, multi-staged intrusions have begun to profoundly undermine the global supply chain. Clearly, bolt-on security just isn’t cutting it.
Thus, in August of 2018 Gartner’s leading security analysts Neil MacDonald, Lawrence Orans and Joe Skorupa laid out a new security framework that intertwines the main ways enterprises today make their network connections with a very robust, security-oriented approach to verifying and managing identities.
They coined Secure Access Services Edge and defined SASE as having four core capabilities. A SASE system, they said, must be identity-driven and take into account the level of access granted to all human and machine identities; it must use cloud-native architecture, i.e. it has to be as agile as everything else coming out of DevOps; it must support all edges, including datacenters, branch offices, cloud resources, mobile devices and IoT sensors; and, finally, it must be globally distributed, i.e. it has to be seamlessly accessible to all edges, everywhere.
Connectivity, security converged
A shorthand way of thinking about SASE is that it blends three things: leading-edge Software Defined Wide Area Network (SD-WAN) technologies, the connectivity part; Zero Trust Network Access (ZTNA) systems, the identity part; and legacy security solutions, the security part, i.e. any bolt-on legacy security system that it makes sense to weave-in and carry forward.
“SASE is networking and security converged in a distributed, cloud-delivered architecture,” Spanbauer told me. “It calls for combining many different networking and security services in a way that results in secure access, low-latency and threat protection that’s in step with the Zero Trust framework.”
That’s a mouthful and a tall order. But it makes good sense — and it has struck a chord. Here’s why: Today, it’s common for software to be developed in an open collaborative process, and for new apps to then get pulled down from a virtual server into a user’s smartphone, from where it subsequently gets tied into all manner of other apps, collaborative tools and the like.
In this dynamic, software-driven environment, the bolt-on approach to protecting company datacenters has become obsolete. The legacy approach might still work if back-hauling all network traffic to a corporate datacenter for monitoring and filtering could be done efficiently and cost effectively. But that is not the case.
SASE is a roadmap for radically transforming network security to empower companies to begin agilely protecting cloud-native applications and globally-dispersed end users far off-premises. Because it is so different from the status quo, it foreshadows the sunsetting of some legacy bolt-on security systems, while others will need to be drastically overhauled.
A few web gateway firewall providers jumped out of the gate in 2019 draping their legacy services in a SASE mantel. However, many of these initial attempts at bringing SASE offerings to market do not truly check all three boxes of connectivity, identity and security, Spanbauer says.
“They could account for security, just fine, but they lacked network access capabilities and they couldn’t really provide any user-performance assurances,” he says.
A better place
A full transition to a radically transformed security architecture is a tall order. But it’s something that seems inevitable to fit the times we’re in. At the moment, consensus appears to be gelling around SASE becoming that stake in the ground, much as Zero Trust principles, arose as the authentication framework that will carry us forward. It’s notable that Zero Trust now aligns perfectly with SASE.
We’re at a juncture where cybersecurity vendors are scrambling to give shape to SASE as the umbrella architecture for modern network security. This means enterprises have a lot of due diligence to carry out. Companies must cut through the marketing hype to figure out which legacy security systems to jettison, which ones to keep and what else they’ll need to onboard in order to redirect security to their services edge.
“This will be a lengthy endeavor for most organizations,” Spanbauer says. “They could lose visibility in certain areas and policy management; conflicts may arise from having multiple solutions in place. Worst of all, the security efficacy of the environment itself might decline if there are any hitches making the transition to SASE.”
For its part, Juniper committed more than a year ago to fully transition its cybersecurity services to a SASE model. With a hat now in the SASE ring, Juniper will be partnering with its customers at all stages as the SASE market continues to develop. “There’s more to come,” Spanbauer told me.
Juniper’s $400 million acquisition last October of 128 Technology, a Boston-based supplier of advanced SD-WAN services, is a part of pulling together this long-view strategy. And the company took its first formal step into becoming a SASE supplier earlier this month, with the roll out of its Security Director portal. This is a managed cloud service designed to help companies consolidate policy management consoles for all of their existing security systems, as an initial step toward pivoting fully to SASE.
Gaining clarity about all security policies requires pausing to take stock of all security systems, a good idea at the start of a major re-architecting project. It’s a way to avoid creating fresh vulnerabilities while shifting the focus of security to the services edge.
“Addressing policy upfront is crucial to ensuring consistency,” Spanbauer says. “Having consistent security policies, no matter where the traffic may traverse in and out of the network, ensures that security and network operations teams can protect the environment, while also providing the best possible user experience.”
Disruptive transitions often lead us to a better place. SASE could turn out to be one giant leap towards making our digital connections as private and secure as they needs to be. Let’s hope so. I’ll keep watch and keep reporting.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/my-take-how-sase-has-begun-disrupting-it-by-shifting-cybersecurity-to-the-services-edge/