When it Comes to SASE, Trust but Verify

The last 18 months raised important questions about what work looks like, where it happens and which applications count as truly “business-critical.” In some ways, though, the worldwide scramble to rethink enterprise IT was long overdue. The fact is, the access and security models most companies relied on have long been out of sync with the way businesses actually work. 

Fortunately, two recent innovations can help: Secure access service edge (SASE) and zero-trust (ZT). These technologies create a more flexible secure access framework that’s much better aligned to the needs of modern, distributed users and applications. At the same time, SASE and zero-trust bring fundamental changes to the network. If you don’t have a clear understanding of how those changes will impact your users and applications, you’re taking a big risk. The key to success is thoroughly, continually testing your implementation.

Why is SASE and zero-trust testing so important? And how can you make sure you’re doing it well?

Navigating a Changing Landscape

Modern IT is defined by a heavy reliance on cloud and software-as-a-service (SaaS), distributed users and resources and a constantly growing mix of endpoints. Yet, many access and security infrastructures are still designed as if most applications lived in a centralized data center and most of the people and devices using them operated from corporate offices behind the firewall. 

SASE solves this problem by distributing access and security to the cloud, closer to users and applications. As defined by Gartner, SASE combines zero-trust (where users and devices can’t access any resource unless explicitly authorized), SD-WAN and a menu of cloud-based security services. In this way, SASE and zero-trust solve some of the biggest problems modern businesses face: Securing distributed applications and workforces and ensuring a good application experience wherever people work. 

At least, that’s what’s supposed to happen. In practice, a lot can go wrong when implementing SASE and zero-trust. A poor design or misconfiguration can wreak havoc on the application experience. In a worst-case scenario, it could leave businesses vulnerable to new threats.

Guidelines for Effective Testing

It’s critical to test SASE and zero-trust implementations both before you deploy and on an ongoing basis—in depth and at scale. Here are four key guidelines to keep in mind:

  • Test for any and every deployment, and keep testing: Your SASE and zero-trust infrastructure should support the full diversity of distributed applications and users. Avoid the need for frantic fixes by proactively testing against every network and access scenario. Ideally, you’ll want flexible virtualized testing tools that can run in a variety of public, private and edge cloud environments, as well as on virtual machines (VMs), containers or bare metal. And treat this as an ongoing effort. It’s not enough to validate your design; you also need to continually verify that things are working as they should as the environment changes.
  • Test as close to real-life as possible: There’s no shortage of industry horror stories about solutions that looked great in a simulated environment but fell apart in the real world at scale. Your testing should put as much stress on your infrastructure and its associated policy engines as real-world traffic will. Evaluate every part of the environment (discrete applications, encrypted traffic flows) against the most challenging scenarios. At some point, you’ll almost certainly deal with impairments, system errors and latencies. Wouldn’t your developers prefer to know how the infrastructure will hold up ahead of time?
  • Simulate threats with stateful emulation: Your SASE and zero-trust infrastructure should also be put through its paces against realistic attack scenarios. Testing should throw the same advanced attack and evasion techniques at your environment as actual hackers would. If you’re using stateful emulation instead of basic packet replay, you’ll get the added benefit of seeing the impact of your defenses in real-time, against real attack vectors. This can provide incredibly important insight. For example, if a given countermeasure degrades the performance of a critical application to an unacceptable level, you can find alternate approaches ahead of time—instead of scrambling while you’re under attack. 
  • Choose testing that’s standardized and vendor-agnostic: It’s not that vendor-specific testing tools can never be useful, but how much peace of mind can you have that you’re getting the full picture? Make sure you’re working with providers that focus on testing to avoid the risk of hidden agendas. And look for partners that work closely with standards bodies to ensure their solutions conform to all relevant standards and specifications across the full network and communications landscape. 

SASE and zero-trust can deliver a long list of benefits to your developers, your users and your business. Done right, you gain a more nimble and adaptable access framework, simplified policy management, stronger security and consistent application performance. But you shouldn’t have to rely on trial and error to get there. Thorough, continuous testing and validation can be the greatest gift you offer to your users and developers—and to your own peace of mind. 

Dave Larson

Dave Larson is the CTO for Spirent Communications with responsibility for overall company technology vision and strategy. Dave leads the Spirent Advanced Technology team that incubates forward looking test, measurement and assurance solutions in the Cloud-Native realm for incorporation across all of Spirent’s product lines. Dave has more than 25 years’ experience across networking, network security and cloud architecture working in both emerging technology startups and large public enterprises.

Before joining Spirent, Dave was Vice President and General Manager for the Data Center Networking business and Chief Technologist for Networking, Security and Advanced Cloud Technology and Strategy at Hewlett Packard Enterprise.

Previously, Dave was COO/CTO for Corero Network Security, a developer of carrier-grade, terabit-class DDoS mitigation solutions. Prior to that, Dave was VP of Advanced Technology and CTO for HP Networking.

Additionally, Dave has held senior product and technical roles in a number of organizations, including 3Com Corporation, TippingPoint, Xedia (acquired by Lucent), Sandburst (acquired by Broadcom), and Tizor Systems (acquired by Netezza/IBM).

Dave has a Bachelor of Science degree in Physics from Gordon College in Wenham, MA.