The technology deployment revolution
SASE, or secure access service edge, located in the cloud, offers a holistic solution to provide a secure environment in an era of zero trust
Cybersecurity management at a distance was a headache even before the pandemic hit and remote working became the norm for many. That businesses had already moved enthusiastically towards cloud-based ways of working made old forms of network defence, the so-called castle-and-moat approach, less viable. A certain level of control had to be ceded.
Over the years, approaches such as CASB, or cloud access security brokers, firewall-as-a-service and identity and access management went some way towards assisting companies to build better defences. But without a joined-up, holistic deployment strategy, organisations still lacked the visibility necessary to manage security in the digital-first cloud world.
These technologies, and more, are now being bundled together under the umbrella of SASE, secure access service edge, pronounced “sassy”, with a service wrap that's easy to sell and pay for, says TechMarketView principal analyst Martin Courtney. Because the framework is cloud native, SASE-led programmes lend themselves well to zero-trust networks, which guarantee no single person is given inappropriate credentials by default.
The idea is to enable secure access on a case-by-case basis, giving users permissions they need to accomplish a specific task, rather than letting them into the entire network. SASE promises to bring reduced cost, less complexity and fewer integration challenges across an organisation, with better visibility.
While SASE isn't the only approach to zero trust, it can deliver a neatly packaged solution, says Courtney, one that delivers the tools needed to verify end-users and devices according to location, device, IP address and network.
Modern solution overcomes legacy
SASE is a modern solution to overcome legacy problems, adds Kevin Curran, professor of cybersecurity at Ulster University. Traditional security is no longer fit for purpose and zero-trust models are simply more relevant in the digital era, he says.
"SASE is a perfect fit to usher in zero trust," says Curran. "Organisations have been fire-fighting for some time, adding connections, systems and people to their networks to provide fast solutions for connectivity."
This led to an ever-increasing hotchpotch, with organisations struggling to provide a snapshot view of what's occurring at any time. "SASE, with its foundation in the cloud, offers a holistic solution to provide a secure environment for these difficult times," says Curran.
However, the extent to which SASE components are successfully combined into a single, manageable interface varies significantly, according to Courtney, as some suppliers are "shoehorning whatever product or solution they can into the mix".
As with most things, it's actually the ongoing integration into an organisation's practices that delivers the real value. Businesses should avoid viewing SASE as an off-the-shelf solution and instead align their operations to it continuously.
Risk assessment comes first
Every touchpoint needs to be mapped for a SASE strategy to be successful, adds Curran, and that means first conducting an in-depth risk assessment that examines all data storage access, employee authentication and the role third parties play within a network.
"SASE is not as simple as changing one email client for another," he says. "It should be introduced slowly in steps, entailing pilot projects and tweaks in a lab environment before deploying, and it is crucial to ensure SASE is seamless for employees."
Ensuring seamlessness is a cultural question as much as a technical one. Security leaders should begin by instituting strong organisation-wide governance processes, but concurrently combat initial misgivings from staff with user training. Motivations for such sweeping programmes should be clearly explained to all staff.
Perhaps most important is leadership buy-in. Luckily, there are clear lines of attack to communicate value. The benefits of zero trust are somewhat self-evident as a mitigation strategy, but security and network convergence is also strategically important. It enables firms to grow their networks more safely as their businesses grow.
With such buy-in, it should be emphasised that SASE is not a one-off, box-ticking exercise. IT and security leaders should instead view SASE as part of a journey, charting a path strategically in line with the wider business.