In our first insight of this series on Secure Access Service Edge, or SASE (pronounced “sassy”), we looked at the titanic shifts accelerating a move away from traditional data centers to the cloud, and the impact on network security. We also explored the promising marriage between SASE and SD-WAN. In Part 2 of the series, we go deeper, looking at the risk caused by an exploding number of endpoints and SASE’s approach to securing the network and mitigating risk.
Let’s begin by exploring Software as a Service (SaaS)—one of the primary drivers compelling enterprises and government agencies to move to the cloud environment. SaaS gives customers access to their enterprise applications over the Internet, rather than having the software be hosted at a data center and requiring physical installation across network devices. With SaaS, applications can be built, maintained, and updated automatically in the cloud.
A Growing “Attack Surface”In addition to SaaS, the issue of workforce mobility has complicated matters for network security and management. With sophisticated and targeted cyber-attacks, such as ransomware, each user endpoint, or device, constitutes a potential risk when it comes to security. Yet giving workers the flexibility to work remotely or from branch offices has essentially become a requirement. This has been clear during the health crisis when millions of employees have needed to find a way to work from home and access their networks.
Endpoint risk isn’t just limited by the number of users on the network. The Internet of Things (IoT) compounds the challenge further. IoT includes all the smart devices or machines on a network, like thermostats, heat pumps, refrigerators, flood sensors, security cameras, healthcare equipment, wearables, emergency monitoring, and management tools, and so much more.
Collectively, these users and endpoints comprise (and increase) the attack surface.
With the network attack surface so highly distributed, especially as it extends to multiple cloud service providers and locations not under enterprise control, it is a challenge for existing or legacy network protections to provide adequate security coverage.
That’s where SASE comes in. SASE protects against this explosion of network entry points, even when they are not controlled by the enterprise. SASE provides the security fabric that enables identity-based control and context, where the identity is associated to users or user groups. This allows for the granting of access to all employees or even access based on roles, or by the creation of sub-groups for specific teams or by management level.
This identity-based approach can also be set by type of device, including IoT and mobile devices. This includes being able to limit system access to only approved devices and setting roles for “non-human” users, for those networks involving machine-to-machine connectivity requiring little to no human input.
With SASE, all of these endpoints that interact with various network resources and SaaS applications, public and private cloud resources, data centers, and others (like vendor and partner resources) are authenticated and secured within the context of that particular access or communication request. Requests can also be set based on other parameters, such as enterprise policies for governance, geo location, and time of day.
The Zero Touch Model
SASE depends on a centralized security broker to provide the visibility, policy framework, management structures, and service level agreements necessary to effectively execute endpoint access, security, and control measures. This varies from the more typical approach in which any authenticated device “inside” the network is deemed to be a trusted device. Under this scenario, if a hacker attacks a server and hijacks a device on the network, the network is vulnerable from this insider attack.
SASE assumes that no request can be trusted automatically. In this way, SASE applies a “Zero Trust” model, verifying every access request before permission is granted, no matter where that request comes from. With SASE’s Zero Trust approach, the security fabric between users and resources tightens and reduces the attack surface. The result? Significantly decreased risk and heightened security across the entire enterprise network – regardless of how many endpoints or how distributed it may be.
In Part 3 of our series, we explore connectivity everywhere, for everyone and everything, and the role SASE and SD-WAN have in making that a reality. To learn more about SASE and SD-WAN, read Part 1 in our series.