One trend taking the spotlight in the cybersecurity space is Secure Access Service Edge (SASE) and is a solution to the global security needs of the mobile workforce. Richard Walters, CTO, Censornet, discusses the importance of utilising SASE as the demand for simple and cost-effective solutions to help support a long-term remote workforce remain.
The cybersecurity industry is packed full of acronyms, all there to define various solutions and technologies on offer to take business security to the next level. Most organisations will be familiar with the well-established terms, such as Multi-Factor Authentication (MFA) and Security-as-a-Service (SaaS), however, new terms are emerging all the time and one in particular is now taking a lot of the spotlight.
Secure Access Service Edge (SASE) was coined by Gartner in 2019 and it describes a single, cloud-based solution for the global security needs of a mobile workforce. While this solution was introduced before the pandemic, the mass shift to remote working kickstarted SASE’s journey into the world of business. The acceleration was so impactful that Gartner predicts around 40% of businesses will have a plan to adopt SASE by 2024.
The main current hinderance to wider adoption of SASE is ongoing confusion among security professionals on the definition of the term. Given that it is a collection of services, not a brand-new technology, the definition is much looser and therefore harder to categorise. However, with the demand for simple and cost-effective solutions to help support a long-term remote workforce, it’s time for SASE to take a step forward.
Let’s explore the foundations of SASE.
Getting to grips with SASE
Put simply, SASE is the unification of Network-as-a-Service and Security-as-a-Service, combining both network and security coverage into one encompassing solution. Gartner encouraged security leaders to ‘position the adoption of SASE as a digital business enabler in the name of speed and agility’. While only in the early stages of development, demand for SASE will undoubtedly increase in the next five or 10 years, when businesses plan ahead of an ongoing remote workforce and a perimeter that is no longer confined to legacy data centres.
SASE provides a single point of control, from which each user has access to the same level of capabilities from any location, either at home or in the office. An important point to make here is that SASE is not a product, it is a concept. It isn’t a silver bullet where all security issues are solved indefinitely. It requires time, resources and business-wide understanding.
Main steps to implementation
SASE offers numerous benefits, especially in the age of remote working. But as it isn’t an off-the-shelf product that businesses can simply install right now, most organisations will be at the planning stages of their SASE journey.
The whole implementation process can be quite daunting for businesses, especially those still getting to grips with the concept. To start with, it’s worth spending some time monitoring and logging user activity to get a better understanding of from where and when employees are accessing data. This will also link well with reviewing all admin rights to ensure that privileged access is restricted to those that need it. Leaving open access to sensitive folders is making organisations vulnerable to exploitation, so it’s important to consider the state of company databases.
While VPNs have been of great value to businesses over the last few decades, their time in the light has passed. Limiting further investment into existing VPNs and slowly phasing them out is another big step in adopting SASE. Once these previous actions have been completed, businesses can go a step further and prepare to segment their network, installing last defence mechanisms which can limit the damage to one area should an attacker successfully breach the perimeter.
Above all else, however, there is one element that all companies should look to adopt to successfully implement SASE.
The importance of Zero Trust
Zero Trust and Zero Trust Network Access (ZTNA) live at the heart of SASE. The concept of ‘verify first, then trust’, is what Zero Trust is founded on. Once implemented, trust is never assumed and users must continue to verify their account each time they wish to access databases. With the security landscape constantly evolving, the best policy is to assume all users are suspicious until proven otherwise.
The importance of Zero Trust is now even more apparent when you consider the hundreds of locations employees are working from. Previous network security solutions relied on IP addresses to determine trust, but this was when access to the network was granted in more controlled conditions. Now, however, with IP addresses recognised as weak identifiers, these solutions are no longer viable. Organisations may be left vulnerable to account takeovers, which could put sensitive data files and wider systems at risk.
With ZTNA, authentication is granted by an intermediary layer that validates the user’s identity and the way in which they are attempting to access certain data files. Instead of having to authenticate once you’ve connected to the network, ZTNA ensures users are made to authenticate before they get anywhere near the network. Adopting these solutions contributes to the end of VPNs and kickstarts a business’ journey to successful SASE adoption.
The future of SASE
Last year, Gartner confirmed that recent months had exposed limitations in legacy technologies, and so it was time to look ahead to the latest developments. All organisations are at different points on their security journey, influenced by factors such as priorities and budget. Before teams can even begin to think about SASE adoption, the entire business must get on board. Even if all departments bar one successfully implements SASE, vulnerabilities could remain in that one section that have the potential to unravel the time and effort put in by everyone else.
There will always be more to do – SASE is not a one-step process. It’s just about recognising the journey, taking it one change at a time and keeping eyes on the long-term benefits the company is working to achieve.