What is SASE and is it worth it?
Secure Access Service Edge (S.A.S.E) is the convergence and integration of network connectivity and security functions. It is designed to secure work from anywhere, at any time, and to ensure that workers remain productive and optimized. SASE comprises four main areas: Wide Area Networking (WAN), Cloud Access Security Broker (CASB), Firewalls-as-a-Service (FWaaS), and Zero Trust Networking.
If you’re like me, you appreciate a good IT acronym. A good acronym can either look good on paper or sound good when you say it, but to be great you need both – and I think I have found one of my favorites. I present to you, SASE.
Aesthetically pleasing to the eyes, S.A.S.E even sounds cool. It’s pronounced “Sassy” and I want to explain how this I.T. methodology is helping CDI customers adopt Zero Trust security.
First, the traditional way of doing things…
In the past, organizations would consume their security through legacy hardware networks and an outdated security architecture mindset. You can probably see where I am going here, but that presents some traditional VPN challenges like:
- Network-based trust model – inefficient full vs. split tunnel security decisions
- Hard to scale!
- Being hardware reliant
- Tough to manage static configurations
The Benefits of SASE
The shift to work-from-home has changed the game. Today’s work environment has forever shifted to a cloud-based model, meaning employees have access to the digital assets and applications they need to do their jobs no matter where they are.
This means many organizations are embracing SASE, while overcoming some major cultural hurdles along the way. But fear not, these same companies are quickly realizing some major benefits to SASE adoption:
- Flexibility: Seamless cloud-based delivery of DNS security, threat prevention, data loss prevention and next-gen firewall features
- Cost Effective: A single integrated platform is less expensive than a patchwork solution through multiple vendors
- Zero Trust: Eliminates network-based trust models and replaces them with trust models built on identity, devices, and applications, regardless of network location
- Performance: Global access to cloud services that adjust to demand automatically
- Improved Security: A complete, integrated platform provides a more secure environment
Getting started with SASE
Even with the pandemic accelerating SASE adoption, transforming the legacy perimeter into cloud-based, converged capabilities doesn’t happen overnight. It requires work and planning. Most enterprises have already invested heavily in the hardware and software that underpin their existing data center–oriented model. Many businesses simply can’t afford to abandon those investments.
At CDI, we help our customers validate the transition to SASE through a series of workshops that make sense of the network and security markets, map out a tangible roadmap, and provide the first step on that journey.
Here is how we start:
Step 1: Define objectives and use cases
The first step in any SASE journey should be an assessment of your existing investments. Take an inventory of hardware and software to fully understand their refresh cycles. Then, develop a reasonable timeframe for phasing out on-premises perimeter and branch hardware. Enterprises must understand the parameters of their existing contracts, the time that remains on them, and how that maps to near-term capacity needs.
Also critical: Soliciting input from voices on both the operations and network sides of the organization. This is one of the many areas CDI can add value. Enterprise network and operations teams often operate separately. This could further complicate a move to a new converged architecture, albeit one that relies on many of the same tools already in use, like secure web gateways (SWG), cloud access security brokers (CASB), firewall as a service (FWaaS), data loss prevention (DLP), SD-WAN, and Zero Trust Network Access (ZTNA). Any migration plan should include bringing together members of both teams — if not physically, then virtually — to assess potential benefits, sticking points, and impacts.
Enterprises should also take inventory of their human capital.
People are key to any successful SASE strategy. Understanding the existing skill sets of employees, particularly those who deal with operational and security issues, will help organizations build on those strengths as well as identify and fill in any gaps.
Vendors should bear scrutiny, as well.
After years of building on a data center–oriented and perimeter-based model, most organizations now find themselves managing a “mishmash” of software tools and vendors. And only some of those organizations will be capable of making the shift to an anytime, anywhere approach on their own. A note here: it’s crucial to find a vendor (or vendors) with platforms that can integrate all elements critical to a successful SASE strategy, and that can securely scale up as business horizons shift and workforces expand.
In the rush to move to SASE, it may be tempting to plunge in headlong without much prep work. But simply taking the above-mentioned steps alone can pick up the pace for SASE adoption, cutting the time to implement by half.
Like any project migrating from on-premises to the cloud, simply taking a “lift-and-shift” approach — i.e. assuming that the functional requirements for yesterday are the same as for tomorrow — is flawed. Taking the time to do a much deeper assessment at the beginning will save a lot of time and pain down the road.
Step 2: Know your data and let insights drive you
In the enterprise, data makes the world go around. It’s the lifeblood of an organization, the currency of modern-day business.
You need to get a grip on your data.
This means understanding what the business has, where it’s located, and how it’s used. Easier said than done, I know. This has proven confounding to many organizations. Migrating to SASE offers the perfect opportunity to assess your data landscape from both operational and security standpoints.
Knowing what data your employees need in order to do their jobs, and how to protect that data, will go a long way in securing newly defined ways of working. From there, the enterprise can turn its attention to developing a set of policies, processes, and procedures to implement as it migrates to a SASE architecture. We want to improve the end user experience, not hinder it.
Step 3: Document your plan
Using the accelerated post-pandemic rate of adoption as a guide, we believe, like Gartner, that a migration plan should include the following milestones:
- Phase out hardware and software: Let’s be honest, much of what’s in use is no longer needed in a cloud-first strategy
- Consolidate and eliminate vendors: From a management standpoint, the guiding principle should be “the fewer, the better.” Many of the tools currently in use were made for a data center–oriented environment and won’t transition easily to the cloud. This is where companies can save real money. CDI can help quantify this.
- Eliminate legacy VPNs used at the network level for remote access: As enterprises found when the pandemic forced workers home, VPNs just didn’t cut it and actually became an operational and security liability
- Establish metrics for measuring migration success: The best-laid plans might not always yield the expected results. Metrics can serve as an early warning system that something is off and give the enterprise an opportunity to fine-tune its game plan.
- Ensure continuous authorization for access requests: Couple that effort with continuous monitoring, which can help security teams ferret out risky behaviors and head potential security problems off at the pass.
Step 4: Nail down security
Security, stuck firmly in a box at the edge of the data center, hasn’t caught up with the move to the cloud. Putting a SASE framework in place will bring security up to speed to adequately protect the modern business.
The CDI Security Solutions team focuses on these key security stages:
- Utilize Secure Web Gateways: As we’ve advocated previously, an enterprise should start with a SWG to provide security coverage no matter where a user is located
- Rework and revitalize a data loss prevention policy: Lay out where data can be stored, how it can be used, and who can access it
- Increase visibility into assets across the computing environment: Without clear visibility, security teams don’t know what to protect or where the real threats lie. This is especially true in multiple cloud environments that use both public and private cloud offerings.
- Add Cloud Access Security Brokers: The addition of CASB data authentication and encryption points helps protect applications on the cloud, establish control, and improve visibility
- Adopt a ZTNA mindset: Assume no one is trusted, and grant access to resources on a one-at-a-time determination
Wrapping up the SASE journey…
Here is the bad news: To be honest, none of these changes is an easy lift for companies to do on their own, and adopting the SASE architecture with the proper security controls in place will take time and resources.
Here is the good news: For skittish organizations or those with limited resources, even a partial implementation will still yield the many benefits of SASE and put companies in position to meet the requirements of modern-day business.
When on the road to SASE, don’t forget to put a premium on the user experience. That’s what the journey is all about. Protect productivity by giving employees, administrators, and others access to the applications and tools they need to do their jobs, no matter where they are and without the friction that security can often cause. That’s just good business.