A How To Guide To Secure Access Service Edge (SASE)


Security at the edge is vital because the growing number of endpoints, including IoT and IIoT, serve as additional attack vectors. As organizations continue to become more digital, they are adopting cloud-native Secure Access Service Edge (SASE) solutions, which combine software-defined wide area networking (SD-WAN) and network security technologies to ensure zero trust at the edge. Access to applications, resources, or data is granted, denied, or updated based on the identity of an individual or device and the context of use, as opposed to relying on a location such as a data center, a virtual machine, or an IP address.

In their 2019 report entitled "The Future of Network Security Is in the Cloud," Gartner analysts introduced the SASE concept and made the following prediction:

"The emergence of SASE will create a significant opportunity for security and risk professionals to securely enable the dynamic access requirements of digital transformation, providing secure access capabilities to a variety of distributed users, locations, and cloud-based services."

Prior to 2020, CISOs were actively expanding their scope of security mechanisms to secure the exploding universe of hardware, software, and data that pushed past the desktop, web, and mobile to the IoT and IIoT. When the COVID-19 pandemic hit, enterprises rushed to enable remote work for business continuity purposes. However, such emergency response initiatives opened the door to potential cybersecurity threats because there was not time to address security in a "business as usual" fashion.

While "Zoom bombing" garnered headlines, CISOs were concerned with many things including home Wi-Fi vulnerabilities, COVID-19 phishing scams, ransomware, the potential misuse of business laptops at employees' homes, and employees sharing home computers with other members of their families. While many organizations had some sort of work from home policy, they were not prepared to support a 100% remote white-collar workforce, essentially overnight.

2020's remote work scenario caused organizations to expedite their cloud plans and adopt more SaaS software to enable remote communication and collaboration with employees, partners, and customers. These unplanned circumstances underscored the need for zero trust mechanisms at the edge and comprehensive cloud-based security options to protect data, intellectual property, and other enterprise assets and resources.

This guide explains SASE in more detail, including a list of use cases, vendors, and questions CISOs and CSOs should ask.

Table of Contents

  • What Is SASE?

  • How Did the Pandemic Impact the Demand for SASE?

  • What Are the Benefits of SASE?

  • What Are SASE Use Cases?

  • Who Are the SASE Vendors?

  • What Questions Should I Ask SASE Vendors?

  • Conclusion

What Is SASE?

SASE is an emerging cloud-native cybersecurity category that Gartner defined in 2019. It combines software-defined wide area network (SD-WAN) and network security functionality so enterprises can manage security at the edge more effectively. In fact, Gartner predicts 40% of enterprises will have explicit strategies to adopt SASE by 2024, up from 1% in 2018. More recently, Gartner estimated that the SASE market would swell to $11 billion by 2024.

SASE solutions vary among vendors because they have different backgrounds (SD-WAN or network security). The way Gartner defined it in 2019, the core elements of SASE include cloud access security brokers (CASB), firewall as a service (FWaaS), intrusion prevention systems (IPS), secure web gateways (SWG), and zero trust network access (ZTNA). In 2020, Gartner also stated, "Other capabilities include sandboxing, web application and API protection (WAAP), remote browser isolation (RBI), recursive DNS, and even traditional VPN."

The combined capabilities provided by SASE simplify the otherwise complex architecture that would result from a collection of point solutions. The reduced complexity also lowers latency.

Because SASE is cloud-native, its capabilities are delivered as services. Gartner expects 20% of enterprises will rely on the same vendor for CASB, FWaaS, SWG and ZTNA by 2023, up from 5% in 2019.

Importantly, SASE enables zero trust enforcement at the edge, providing access based on the identity of the individual or the device as opposed to a data warehouse or a virtual machine. SASE's cloud-native architecture provides the dynamic access capabilities modern digital businesses require, including dynamic policy enforcement based on context.

Digital transformation is driving the need for SASE.

How Did the Pandemic Impact the Demand for SASE?

In 2019 and several years before, organizations were executing digital transformation strategies that involved plans and rollouts. Most of them were increasing public cloud investments and building their new applications as cloud-native apps, although their security budgets were distributed between existing on-premises infrastructure and cloud.


2020 disrupted individual organizations and entire supply chains around the world. IT's heroic efforts to enable remote work and digital alternatives succeeded. However, security teams had to respond to the trends with additional cloud-based security. Areas of focus have included managing identities in the cloud, controlling access and permissions to data and resources, and monitoring and managing cloud risks. In short, 2020 has necessitated greater investments in cloud security, faster than originally anticipated.

Enterprise networks had suddenly evolved, which made orchestrating secure network access more difficult. Instead of supporting n number of company offices, IT departments and security professionals found themselves faced with hundreds or thousands of employees working from home using various devices and connecting to different clouds. Because IT was forced to implement solutions in days, some security-related purchases were driven by urgency rather than a reasoned understanding of actual needs.

The two most important lessons of 2020 have been that organizations must be more agile and resilient than ever, which is reflected in terms such as "agile security" and "security resiliency." SASE is a means of achieving both.

Another 2020 trend was a renewed focus on business continuity. While business continuity planning is always necessary from a risk management perspective, most plans anticipated regional disasters such as a flood or a power outage, whereas the COVID-19 pandemic has been a global phenomenon impacting every industry for better or worse. From both business and IT perspectives, business continuity became synonymous with becoming more digital virtually overnight. SASE can support the digital aspects of a business more effectively than traditional, on-premises equipment because it is cloud based.

SASE also contributes to the ability to ensure business continuity by providing malware detection, intrusion prevention, and behavioral monitoring to reduce the possibility of business disruption by security incidents.

What Are the Benefits of SASE?

The main benefits of SASE are:

  • SASE can adapt as the business changes.
  • Higher performance/lower latency.
  • Massive scalability.
  • Comparative architectural simplicity. SASE is easier and cheaper to manage than a collection of point solutions.
  • Cloud-native design which is better suited to mobile, IoT, and remote work than on-premises equivalents.
  • Continuous monitoring of connections, user behavior, sessions, and data.
  • Dynamic policy enforcement.
  • SASE does not interfere with everyday user experiences.
  • Scalable provisioning/self-service.

SASE growth is being fueled by increasingly digital businesses that are moving more data, workloads, and applications to the cloud. As enterprises continue to consume more infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS), the need for SASE will continue to grow.

What Are SASE Use Cases?

  • Mobile professionals using hotel or coffee shop Wi-Fi still need access to corporate resources. SASE can provide access to applications and data while minimizing public Wi-Fi threats.
  • Remote work/work from home scenarios in which family members are sharing computers and other devices. SASE can help control access to applications and resources.
  • Office/workstation sharing changes the context of who is accessing which resources from where. SASE can adapt permissions based on context and monitor users' behavior.
  • Branch offices can take advantage of an enterprise resource versus using dedicated on-premises solutions. At the same time, they can benefit from local access speed.
  • Workgroups can be granted permission based on policies that can adapt as the workgroups change. For example, some employees are only temporarily assigned to teams.
  • IoT/IIoT/edge computing, like other organizational assets and resources, need to be secured. SASE provides a single software-defined means of securing the edge as well as cloud services and data centers.

Who Are the SASE Vendors?

SASE vendors are a mix of well-established SD-WAN and network security companies as well as newcomers determined to capitalize on the market opportunity. Following are some of the self-identified SASE vendors:

  • Akamai
  • Axis Security
  • CATO Networks
  • Cisco
  • ForcePoint
  • Fortinet
  • McAfee
  • Microsoft
  • Netskope
  • Palo Alto Networks
  • Proofpoint
  • Perimeter 81 (startup)
  • Symantec
  • Versa
  • VMware
  • Zscaler

SASE Barriers to Adoption

  • Vendors. Vendors want to sell products, so much so that marketing literature may simply put a new spin on old products. Given the newness of the SASE category, media hype may also set unrealistic expectations. In fact, in Gartner's Hype Cycle for Cloud Security 2020, SASE appears at the apex of "the peak of inflated expectations."

  • Existing tools. Enterprises tend to have a collection of tools from different vendors, not all of which may seem ripe for replacement.

  • Existing vendors. Businesses as well as IT and security leaders and teams tend to favor some vendors over others. However, not all vendors who could pursue SASE opportunities will do so in the same way or at the same speed. As always, "the best" vendors at any point in time may not always be the right vendors forever.

  • Traditional mindsets. The shift from on-premises data center-oriented security to cloud-native security is a very real trend. However, members of the team with traditional security mindsets may view SASE as a threat. Similarly, vendors with traditional product offerings will be motivated to sell against SASE because they too feel threatened by it.

  • Respective vendor strengths. As noted earlier, some SASE vendors are SD-WAN solution providers while others are network security companies. Their traditional core competencies may overshadow their capabilities in non-traditional areas.

  • Tactics versus strategy. Tools should fit into a company's cybersecurity strategy, not define it. Some vendors will likely be better fits than others.

  • Belief that "one size fits all." Different enterprises have different security fabrics comprised of different products from different vendors. Maturity levels also vary among organizations. Therefore, approaches to adopting SASE will depend on the customer's starting point and its goals. No one solution will be equally suited to every organization.

Smart Questions to Ask

SASE has been identified as a new category even though its elements have existed for many years. New product categories are subject to predictable patterns of marketing, adoption, market expansion, and market consolidation. Verify vendors' claims.

Some questions CISOs and CSOs may want to ask vendors and themselves include the following:

  • Does your SASE product integrate with my existing tools?
  • If you integrate with my existing tools, what kind(s) of information can they share?
  • Do you have any options that will help me optimize network performance? What are the SLAs and associated costs?
  • What's the best way to reduce risks and costs simultaneously over the short-term and the long-term? What are the tradeoffs?
  • Does your SASE offering have automated and/or autonomous capabilities? What are the limitations?
  • What has been your approach to SASE? What's on your roadmap for the next 12 – 24 months?
  • What will you do to help ensure our SASE implementation is successful?
  • Is the vendor's global footprint able to provide the kind of local performance the local offices require?
  • What holes do individual vendors have in their respective product offerings? How does that fit with what exists in the enterprise? What plans do vendors have to complete their offerings (e.g., acquire, build)?

Conclusion

Digital transformation created a market opportunity for SASE before the pandemic hit. In 2019 and the few years leading up to it, companies were executing multi-year digital transformation strategies to survive in an era of digital disruption.

Then the pandemic hit. Business continuity became synonymous with "digital," accelerating cloud plans including IaaS, PaaS, and SaaS adoption. As the nature of businesses changed, security leaders and teams found themselves facing a new set of challenges arising from a 100% remote white-collar workforce and new digital business initiatives designed to help their companies survive and thrive amid "the new normal" of a pandemic-stricken world.

As always, as IT infrastructures evolve, so must security practices. Over the next few years, many organizations will embrace SASE because it helps enable the security, agility, and resilience their companies require.