The Road to SASE: Know Your Gaps & Interdependencies

Over the last year-and-a-half, SASE has become a hot topic in security circles. Gartner predicts that by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020. 

Yet, the journey toward SASE adoption is a complex one. To help businesses better understand the importance of SASE in today’s cybersecurity landscape, as well as the gaps and interdependencies that may exist for their organization along the way, Tehama’s Jaymes Davis sat down with Evgeniy Kharam, Co-Founder and Host of the Security Architecture Blog and VP, Cybersecurity Solution Architecture at Herjavec Group.

Jaymes: Welcome, Evgeniy, we are delighted to be speaking with you today. Let’s begin by defining Secure Access Service Edge, or SASE, for our readers. In your view, what is SASE? 

Evgeniy: The best way to define SASE is the unification of network and security under one connected architecture. The SASE framework isn’t confined to a single vendor, instead it is comprised of many different vendors in this space offering SD-WAN, Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG) and Firewall-as-a-Service (FWaaS), and Cloud Access Service Broker (CASB) technologies. And within the SASE framework there are two buckets – the network, which is everything related to how the data and applications are transported to the organization, and security which protects how the infrastructure is being accessed by the data and applications.

Two years ago, prior to the pandemic, the idea of SASE was already in play but nobody was calling it a framework. We were looking at it more as “beyond perimeter” and some were calling it “cloud proxy.” It is now defined as a framework because there are multiple vendors contributing the solutions that comprise today’s SASE architecture. It is also important to note that established and emerging vendors are coming together to contribute solutions that now comprise the SASE framework, which means there is still a lot of opportunity for growth in this space for companies like Tehama and others who are designing offers to help accelerate the journey to SASE for their customers.

Jaymes: Let’s break it down. What are the components of SASE? Why is it important in today’s cybersecurity landscape?

Evgeniy: SASE, as defined by Gartner, is a “security framework prescribing the conversions of security and network connectivity technologies into a single cloud-delivered platform to enable secure and fast cloud transformation.” Forrester, in its definition of Zero Trust, says “a Zero Trust edge solution securely connects and transports traffic, using Zero Trust access principles, in and out of remote sites leveraging mostly cloud-based security and networking services.” This concept of bringing security and networking together transcends both ZTNA and SASE.

What we can all agree on is the idea that the technology solutions comprising the SASE framework will be delivered at scale, and with the majority of components residing in the cloud. In a way, the COVID-19 pandemic heightened the need for the SASE framework. The dramatic shift to work from home drove the need to ensure that work was being done in a manner that was secure, productive and collaborative. 

First of all, workers need to be able to securely connect to their offices, their cloud-based applications and the internet to do their jobs. On the other hand, companies also need to put enforceable policies in place to keep their workers from accessing non-work related applications and websites, and protect their businesses from bad actors peddling malware, ransomware, malicious files, etc.

SASE addresses both of these needs by centralizing the access and delivery of data and applications to the endpoint, regardless of whether it is located on-premises or in the cloud, thereby effectively securing the widening perimeter created by work-from-home and remote work. Ultimately, the organization gains control over who is accessing their data and applications, when and from where they are accessing these resources, and whether they are doing so in a secure manner that is in accordance with the policies they have in place. 

Jaymes: Implementing any new technology comes with its own unique set of challenges, and SASE is no different. What are some of the most common pitfalls for organizations embarking on a SASE journey. How can they avoid/overcome these mistakes?

Evgeniy: One of the common challenges for organizations embarking on their journey toward SASE is knowing where to start. A good place to begin is by looking at the needs and requirements of the organization. We saw this a few years ago in the migration from MPLS to SD-WAN. In that case, it was all about improving connectivity and reducing costs. 

The rapid migration to work-from-home at the start of the pandemic drove the need for businesses to adopt more secure remote connectivity solutions to protect their networks. Initially, many companies were using VPNs just to get their employees connected to organizational resources including data and applications. It quickly became clear, however, that more access controls were needed than could be provided by a traditional VPN. 

As a result, organizations began looking at ZTNA as a way to provide their end users with access only to the applications and data they needed to do their jobs. SWG and FWaaS solutions became important for organizations that didn’t have a clear understanding of which applications, both sanctioned and unsanctioned, were in use within their organization, and who should be getting access to those applications, this became a common pitfall on their journey toward SASE. 

I believe the main culprit in this case is “shadow IT” — something that organizations have been dealing with now for almost a decade, and which they must overcome on the road to SASE adoption. Once they can create a list of all of the applications in use, who is using them and why, access can be given only if and when it is needed through zero trust, user-based policies. 

Organizations also need to be able to create these policies and define access eligibility based on user identity, not location. Related to this is the need for an SWG/FWaaS solution for instances where end users are bringing their own devices, or BYOD. Any organization that says they don’t allow BYOD, probably doesn’t know the entire story. The fact is, end users will find a way to access corporate resources or login to applications and files while on vacation, visiting family members, etc. This is why user identity and policy-based access, created using a logical framework, is key to overcoming this challenge.

Jaymes: We know  that SASE can help organizations better protect their data, applications and IT infrastructure from cyber threats. What are some of the key steps an organization must take to determine their SASE “readiness”?

Evgeniy: There are a couple of things that organizations can do to ensure they are ready to start  on their SASE journey. The first one comes back to “shadow IT” and understanding how many cloud-based services and applications that are in play within the organization. Next, they need to understand how much access to the internet their end-users need to do their work.. There are very few companies today where workers do not have to use the internet to do their jobs, so cloud security remains important regardless of whether the end-user is working remotely or on-premises. As such, organizations should consider having SWG, FWaaS and/or or CASB solutions in place to support ZTNA, in both of these scenarios. 

Also, organizations should remember that SASE is not just a stick, it is an enabler of work-from-anywhere (WFx). Any organization that uses the internet can benefit from a SASE framework.To determine SASE “readiness” the organization should understand user identity and be able to create rules based on identity using, for example, single-sign-on, Active Directory (AD), multi-factor authentication (MFA) and other identity management solutions. They will also need to ensure that policies are created and that security controls are linked to those policies.

Jaymes: When it comes to SASE adoption, what are some of the biggest challenges (or common gaps) to achieving a successful outcome? 

Evgeniy: One of the biggest challenges is vendor selection, and some of the key considerations include the vendor’s ability to handle:

• Traffic routing optimization

• Exclusions

• Device posture/user identification

• User behavior/risk-based policy

• Policy creation (DLP, malware)

• Reporting

• Logging

It is important that the organization understand these areas when adopting a SASE framework, as the vendor may not always address them with their solution. 

For example, if the ZTNA provider is in the cloud and the SWG provider is in the cloud, it will take my traffic to the cloud, then it will go to the data center and then the internet. If the vendor is different for each of these technologies, it can create routing problems. There are a lot of reasons to have one vendor, or multiple vendors that work together as it becomes easier from a management and policy enforcement perspective.

Another example is reporting and logging. When you look at user behavior, knowing that a particular user will be going to the office, and connecting to the internet during certain times and from that one office location, as well as which device(s) they are using, i.e. company owned or BYOD, then the organization can track that behavior and conduct forensic auditing to flag a potential security risk, and in some cases even disable the account, should that user login to their device or the network from an unusual location or at an unusual time. The organization can also create policies that restrict the user to certain devices and work hours to ensure to minimize security risks.

Reporting and metrics are also key to justifying the investment in the technology supporting the SASE framework. A customer may wonder why they are spending so much money and how the solution is helping them secure their infrastructure. Reporting and logs can demonstrate the value of the solution and create the business case by showing instances where it protected the organization and also areas where it is saving time, money and resources.

Jaymes: Best practices can help organizations overcome the hurdles they face in adopting new technologies. What are your top three to five recommendations you have for organizations that want to facilitate a smoother SASE adoption?

Evgeniy: If the last 18 months have taught us anything, it is the need to constantly reassess and adapt. Many organizations will want to create a five-year plan for SASE, but that is not realistic given the way things continue to change. My first recommendation for any organization planning to adopt SASE is to create a plan that involves regular assessments and adjustments to ensure that the implementation is meeting the needs of the organization. They should always be looking at how they are managing data loss prevention (DLP) and application security within their organization, and be open to changing their approach as needs evolve. For example, today we may think SD-WAN is the best approach for office connectivity, but in a year, that may be totally different. This flexibility is incredibly important to achieving a successful SASE adoption.

Next, the organization should understand the end user and how they are using applications and data within their organization. With an increasing amount of information moving to the cloud, organizations need to understand how to classify that data within the SASE framework and cooperation is needed across departments within the organization to avoid failure.

Finally, organizations must also look at the solutions they currently have before moving to a SASE framework, to determine which solutions will be complementary to the vendors that they choose, and which solutions they will no longer need. In some cases, the organization may be working with vendors that are already part of the SASE framework and they can adopt those solutions to meet certain requirements within their organizations.

Jaymes: Thank you Evgeniy, we really appreciate all of your time today in sharing these important insights with our readers. I want to end by noting that Tehama’s enterprise-ready virtual desktops are designed to help organizations along their path to SASE as we have eight of the 13 of the trust principles built-in:

• ZTNA

• SD-WAN

• FWaaS

• Sensitive-Data and Malware Inspection

• Network Sandbox

• DNS Protection

• Support for Managed and Unmanaged Devices

• Network Obfuscation and Dispersion

Through the Tehama platform, organizations can also accelerate to the remaining five trust principles:

• CASB

• Line Rate Operations

• Remote Browser Isolation

• API-Based Access to SaaS for Data Leakage

• Web Application and API Protection

To learn more about how Tehama’s platform can accelerate your organization’s adoption of SASE, visit: https://tehama.io/solutions/sase/