Organisations are investing heavily in broadening their network connectivity capabilities to ensure their data is accessible to the right people at the right times. For those pursuing a cloud-based, highly connected and agile business model, ensuring proper access to data and systems in this way is absolutely essential for organisational success. David Shephard from Bitglass Australia shares his views on Secure Access Service Edge (SASE), and what it means for the Australian security landscape.
Along with greater connectivity there comes a need for network and data security that delivers protection from the risks associated with increasingly complex infrastructures. Threats ranging from data leakage and misconfigurations to rogue employees can become parts of any complex cloud and network ecosystem when the proper protections are not put in place.
This is where the concept of Secure Access Service Edge (SASE) enters the conversation. The acronym SASE is being used to describe the consolidation of network and security tools into single solutions or platforms. This pairing ensures both effective and secure access to organisations’ IT resources.
However, this combination of security technologies (including CASB, SWG, ZTNA, DNS Protection, and FWaaS) with WAN technologies (like SD-WAN) is multifaceted and can become dizzying. A short description of each of these converging technologies follows.
CASB – A Cloud Access Security Broker (CASB) is a policy enforcement point that delivers data and threat protection in the cloud and on any device, anywhere. There are three requirements for a CASB vendor: visibility and clean-up after high-risk events; proactive security that prevents high-risk events from happening in the first place; and zero-day protection from known and unknown data leakage risks and malware threats.
Corresponding to these requirements there are three types of CASB.
First, there is the API-only CASB which delivers only reactive visibility. Such CASBs use API access to SaaS apps to remediate after data-leakage events.
Next, there is the multi-mode first-gen CASB that delivers both after-the-fact visibility and proactive security, but not zero-day protection. Such CASBs offer only signature-based protection for known malware and known data leakage paths on a fixed set of applications.
Finally, the multi-mode next-gen CASB delivers visibility, security and zero-day protection. Such CASBs dynamically adapt to deliver protection for known and unknown data leakage risks and malware threats on any app.
Secure Web Gateway (SWG) – SWGs deliver URL categorisation, reputation and threat protection. They enforce appropriate web usage while protecting users from threats such as phishing sites and malware. These technologies can also include intrusion prevention systems (IPS), intrusion detection systems (IDS), and firewall functionality.
Zero Trust Network Access (ZTNA) – ZTNA ensures secure access to enterprise applications that are hosted either in the public cloud or in on-premises networks. When remote employees need access to specific IT resources, they are often granted full access to everything on the network. Clearly, this violates the principle of zero trust and represents a data leakage threat. ZTNA instead provides access to specific applications via an access tunnel that does not require a VPN (virtual private network).
DNS Protection – These technologies check domain lookups against known risks and threats, such as known malware hosts. When a threat is found, the response can be to sink-hole the lookup so that the client never reaches the malicious host, preventing the malware infection.
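As an added illustration of the sink-holing behaviour described above (this is example code, not Bitglass's or any vendor's implementation), the small policy resolver below answers lookups of listed domains, and of their subdomains, with a sink-hole address and records each hit so the SOC can see which clients tried to reach a known-bad host. The blocklist, zone data and sink-hole address are constructed for the demo.

```python
"""Minimal DNS-protection policy resolver (added example, constructed data)."""
from dataclasses import dataclass, field

# Constructed placeholder from the documentation range; a real deployment
# points this at a host that logs and drops the connection.
SINKHOLE_IP = "192.0.2.1"

# Constructed sample data: a tiny "known malware host" list and a normal zone.
BLOCKLIST = {"malware-host.example", "bad-cdn.example"}
ZONE = {"intranet.example": "10.0.0.5", "www.example": "198.51.100.10"}


def _normalise(name: str) -> str:
    """Lower-case the query name and drop the trailing root dot."""
    return name.lower().rstrip(".")


@dataclass
class Resolver:
    blocklist: set = field(default_factory=lambda: set(BLOCKLIST))
    zone: dict = field(default_factory=lambda: dict(ZONE))
    events: list = field(default_factory=list)  # sink-hole hits for the SOC

    def is_blocked(self, name: str) -> bool:
        # Check the name itself and every parent domain, so that a subdomain
        # of a listed host (e.g. cdn.malware-host.example) is caught too.
        labels = _normalise(name).split(".")
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels)))

    def resolve(self, client: str, name: str) -> str:
        """Return the answer a client would receive for a single A lookup."""
        if self.is_blocked(name):
            # Answer with the sink-hole address and record the event: a client
            # repeatedly resolving listed domains is a strong infection signal.
            self.events.append({"client": client, "qname": _normalise(name), "action": "sinkhole"})
            return SINKHOLE_IP
        return self.zone.get(_normalise(name), "NXDOMAIN")

    def suspicious_clients(self) -> set:
        """Clients that hit the sink-hole at least once, for follow-up triage."""
        return {e["client"] for e in self.events}
```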
Firewall-as-a-Service (FWaaS) – FWaaS tools offer port, protocol and app-based policies for network access and segmentation. They can also provide modules for quality of service (QoS), IPS, IDS, and VPNs.
SD-WAN – This is widely used to provide the secure network access that many organisations require; it is an alternative to MPLS (multi-protocol label switching) for site-to-site connectivity. It can also provide WAN acceleration or optimisation between separate locations, such as offices and data centres.
In addition to the above, SASE is driven by increasingly heterogeneous device environments and the emphasis on ever-greater mobility.
People access corporate apps and data from corporate devices, but also take their personal laptops to coffee shops or airports and expect to work with the same apps and data. Some people working in the field may never go into the corporate environment. Regardless, there is now a huge range of different access points that are presenting challenges around how best to secure data in the cloud and on the network.
Emerging approaches to SASE
In terms of SASE implementation, we are seeing the development of two main approaches:
- Appliance and simple endpoint agents. This involves placing physical appliances in the data centre, at the customer's site or at the vendor's, to provide the security and control organisations seek. The challenges here are that appliances can be inelastic in handling bulk traffic. They are also expensive to manage and upgrade, and operate through a simplistic endpoint agent that forwards traffic to the appliance and introduces latency. This is particularly problematic for large organisations with thousands of users.
- Smart endpoint agents and cloud proxy technologies. This approach offers a way of controlling activity on each device by pushing network control and cloud security from the perimeter down to the endpoints themselves. Delivered via a cloud service, this approach is highly elastic and removes the reliance on physical appliances as well as the downsides of latency induced by backhauling traffic.
SASE is a trend that is already gaining significant traction. The expansion of network infrastructure is driving the need for more comprehensive solutions that meet the business, technology, and security needs of organisations around the world. As such, we will see the market develop rapidly in 2020 as the cloud continues its success story.