What are the security considerations associated with SASE?

17th July 2020

In my first two blog posts, we defined Secure Access Service Edge (SASE) as the melding of both network and security into a means of the IT end-user seamlessly being protected no matter their location while being able to leverage circuits that do not need to be dedicated or private resulting in cost savings for the enterprise.

In this blog entry, we will look more at the security considerations as an organization looks to kick off their SASE journey.

Many of the conversations that we are having today concerning SASE are focused on the underlying hardware and software. Xalient’s view of SASE is not that it is a single technology partner solution, but best in class solutions that can be integrated via APIs to evolve with a focus on reduction in the target attack areas while allowing for secure public internet access.

Zero Trust Networking Access (ZTNA) – At the heart of the SASE model lies ZTNA.  ZTNA represents an evolution from a legacy VPN architecture where users, once authenticated, could traverse an enterprise’s network unchallenged once they had established a VPN tunnel. In more simplistic terms, if you were an employee then you were trusted, and outsiders were not trusted. As enterprise requirements changed to include developers, contractors, interns etc., this policy did not provide adequate controls to truly secure the organization and its intellectual property against insider threats.  Zero Trust effectively segments the users to trust absolutely nobody (employee or not) without proper access granted. 

Ideally, a ZTNA is made up of Identity Access (IAM or IdAM), Privileged Access Management (PAM) and Identity Governance.

ZTNA solutions can be used to easily onboard new employees/contractors and grant them access only to the applications they require to do their job.  As that same employee changes roles within the enterprise, ZTNA allows for an evolution of applications to do their new role without just layering in software licensing costs on top of what was initially provisioned for that employee when they joined the organization.  Finally, as that employee leaves the organization, it provides the enterprise with a means to eliminate their access. A great example of where ZTNA comes into play is with the Public Cloud providers. When the employee needs to spin up infrastructure on the Public Cloud, they are initially granted access via their domain to an AWS, GCP or Azure.  If the enterprise does not police their access after the employee leaves the organization then they can continue to spin up resources via their old domain credentials leaving the enterprise exposed from a security perspective but also on the hook for the costs of those resources. ZTNA gives the enterprise the controls to readily disable that access when the employee has left the organization.

Things to consider around ZTNA are, can the underlying vendor support both on-premise and cloud-based solutions?  How many API integrations exist today to make the application support and onboarding a check the box activity rather than a large development effort?

Next-Generation Firewalls (NGFWs) – One of SASE’s main premises is that the end-users should traverse the internet from the Edge to reach SaaS or cloud-based applications rather than that traffic being backhauled over a private/dedicated network to an enterprise datacenter. Applications like Microsoft 365, Salesforce etc. should allow the end-user to avoid the latency and cost of a backhauled, dedicated network by accessing the internet at the edge itself.  But how do you protect that end-user where historically there may not even be a firewall in place at the edge itself?  Many SD-WAN vendors have embedded that Next Generation FW into their physical/virtual appliances or a stateful firewall. For those vendors with a stateful firewall in place at the edge, it makes sense to steer that traffic to a cloud-based NGFW before reaching the internet.

Cloud Access Security Broker (CASB) – A CASB solution is either a premise-based or cloud-based security policy enforcement tool where network traffic is directed between a public cloud consumer and the Public Cloud service provider to layer in the enterprise security policies as the public cloud resources are accessed.  Effectively it allows an enterprise to enforce its security policies into any public cloud facing interactions to reduce its threat surface. The right CASB tools will also allow you to also inspect firewall proxy logs for further insight into the usage of cloud applications. CASB will allow an enterprise to enforce security, compliance and governance policies for cloud applications.

Secure Web Gateway (SWG) – A SWG protects an enterprise’s end users from web-based threats in addition to applying and enforcing enterprise acceptable use policies. Instead of the enterprise end-user directly accessing a website, traffic is diverted through an SWG to the desired website and performing URL inspection and filtering, malicious content inspection, web access controls and other security policies. SWGs allow an enterprise to block access to inappropriate websites, enforce security policies, and help protect data from unauthorized access.

As you can see, there are many things to be considered as you begin the network transformation journey from a Security perspective. Reducing the threat landscape is paramount for an enterprise to consider as Cloud First strategies continue to evolve. The good news is that there is a myriad of solutions today that greatly reduce the threat surface areas that can be used for both premise-based applications and Public Cloud applications.  A single vendor approach does not exist today but with the right partners and the pre-existing API integrations that exist today, you can greatly enhance your security posture, allow appropriate access to applications required for an employee to do their job, and to provide secure network access using the tools defined above. The right partner can help bring SASE-as-a-Service to life.

About Xalient

Xalient was ‘born in the cloud’ where rapid deployment and remote management of new software-defined networks, cloud-driven security, access and communication solutions are the norm. We’re independent of solution providers and carriers, so our clients have choice and we offer tailored, not standard solutions.