SASE is one of the hottest buzzwords in IT and security in 2021, but reaching it can feel like a long way off. Here are some tips for building your SASE strategy for secure access.
Secure Access Service Edge (SASE) is something that analysts, vendors and other experts will insist that you simply must do. What often seems to be missing, however, is exactly how to do that. Crucially, while it may be easy to talk about zero trust, the cloud and operating at the edge, the reality is quite different. Many IT professionals are still struggling to manage antiquated legacy systems and dealing with the consequences of decisions made a decade ago. For those reasons and more, a large number of those working in IT clench their teeth when thinking about SASE.
Put in the most basic of terms, SASE represents the new tools and processes an organization will need to secure workers in a world that is no longer centered on the perimeter. Employees operate from their homes, outside the office and on unmanaged networks. They also access resources spanning the public web, IaaS, SaaS and on-premise applications. SASE includes modern functionality to better reflect this new working environment, avoiding the cumbersome and complicated network gymnastics that legacy technologies demanded – firewalls, SWGs and hardware VPNs.
This all sounds great on paper, but the landscape of SASE technologies is vast, and it can be intimidating to even know where to begin.
The simplest place to begin may even be with something you’re already doing. CDNs or SD-WAN, for example, represent an attractive place to start. These offer enhanced connectivity and optimizations, albeit typically for branch-based workers rather than home-based ones. For that reason, many IT leaders are leveraging SD-WAN as an early cornerstone of their SASE strategies.
Ultimately, however, most SASE strategies will focus on the secure access part of that acronym. If not VPN and SWG, then what? More specifically, how can SASE solutions help keep employees and corporate assets protected in the new, distributed and cloud-heavy workplace? The following steps help IT and security leaders navigate at least one corner of their SASE roadmap – focusing on secure access and the path from legacy VPNs to modern zero-trust network access (ZTNA).
Step one: fragmented legacy access
If you’re not yet leveraging the cloud to manage secure access, then you’re not alone. Prior to the events of 2020, most businesses relied on a fragmented set of VPN tools to manage remote workers. Often, IT teams managed more than one remote access solution, using free products or those with a poor UX to ‘make do’ for the rare occasions that employees worked away from the office. In many instances a more robust, specialized product like NetMotion was used only with workers who could not afford to compromise on experience, such as field workers.
Managing multiple VPNs is a headache, though, and treating remote workers as a priority, rather than an afterthought, is the first step on the pathway to SASE. The simplest place to start with this mindset is consolidating and scaling your remote access solution to a dedicated product designed to support mass distributed working. A key step here is to standardize on software-based solutions, especially those that can provide optimizations and policy controls.
Recommendation: amalgamate and upgrade remote access solutions to a single, dedicated and software-based product for all workers
Step two: embracing zero trust
This step can happen before or after step three; it will depend entirely upon the culture and maturity of your organization. If you are already content with your delivery model for consuming secure access (whether that is an SDP, ZTNA or VPN), then you may start considering zero trust. An end-to-end zero trust policy for all use-cases, applications and personnel is unrealistic.
Instead, security professionals should select a limited group. This could be a single department or, more likely, a particular resource (or set of resources). From this starting point, start leveraging the policy engine of your secure access solution. Map out the risks associated with unwanted usage of that resource. Who can access it? Where should they be located? Which devices can they use? What time of day is access expected? On which networks, or types of networks, can it be reached?
Asking and answering these questions will build out a risk profile and set of desired conditional access rules that can be implemented via a ZTNA or SDP solution. Experimenting with the risk tolerance and combination of contextual policies will find the right security-experience balance, and by limiting it to a single application, the impact of such experimentation will be confined. This reduced-scope approach to zero trust is the best way to build familiarity without exposing the wider organization to major potential usability and experience concerns.
Recommendation: experiment with the zero trust capabilities of your secure access solution by selecting a very limited scenario and testing it
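The questions from step two, written as one conditional access rule for a single pilot resource. This is an added example, not taken from the original article or from any vendor's policy engine. The resource name, group, countries, hours and network types are constructed assumptions, and the report-only mode stands in for the experimentation phase described above.

```python
from dataclasses import dataclass, replace
from datetime import time

@dataclass(frozen=True)
class Policy:                      # one rule for one pilot resource
    resource: str
    groups: frozenset              # who can access it
    countries: frozenset           # where they should be located
    managed_device_required: bool  # which devices they can use
    hours: tuple                   # (start, end) when access is expected
    network_types: frozenset       # which types of network are acceptable
    enforce: bool = False          # False = report-only while tuning

@dataclass(frozen=True)
class Request:
    group: str
    resource: str
    country: str
    device_managed: bool
    at: time
    network_type: str

def failed_conditions(p, r):
    """Names of the contextual checks this request fails, in a fixed order."""
    checks = {
        "who": r.group in p.groups,
        "where": r.country in p.countries,
        "device": r.device_managed or not p.managed_device_required,
        "time": p.hours[0] <= r.at < p.hours[1],
        "network": r.network_type in p.network_types,
    }
    return [name for name, ok in checks.items() if not ok]

def decide(p, r):
    """Return (decision, failed checks) for one request against one policy."""
    if r.resource != p.resource:
        return "out_of_scope", []   # the pilot leaves other resources untouched
    failed = failed_conditions(p, r)
    if not failed:
        return "allow", failed
    # Report-only lets the request through but records what would have blocked it.
    return ("deny" if p.enforce else "report_only"), failed

# Constructed sample values (assumptions, not from the article).
PILOT = Policy("finance-app", frozenset({"finance"}), frozenset({"US", "GB"}),
               True, (time(7, 0), time(19, 0)), frozenset({"corporate", "home"}))
ENFORCED = replace(PILOT, enforce=True)
OFFICE_HOURS = Request("finance", "finance-app", "US", True, time(9, 30), "home")
LATE_NIGHT = Request("finance", "finance-app", "US", False, time(23, 0), "public_wifi")
OTHER_APP = replace(OFFICE_HOURS, resource="wiki")
print(decide(PILOT, LATE_NIGHT))
```

Running the rule in report-only mode first shows which conditions would block legitimate users before enforcement is switched on.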
Step three: zero trust and the cloud
This might happen in tandem with your early experimentation with zero trust: the timing will fluctuate with your own priorities. Once you’ve selected a secure access solution that can deliver the functionality required for a SASE environment, the next step is to manage a migration plan for where it is hosted. The unique nature of your organization will hugely influence this plan. Some companies, industries and geographies will maintain long-term requirements for on-premise options – at least for subsets of workers or apps. Most, however, will be looking to migrate a majority to the cloud.
Whether that is managing secure access in their own IaaS (Azure, AWS, Google Cloud) environment or consuming the solution entirely via SaaS, many IT departments are seeking a cloud-first strategy for network security. Ensure you select a vendor that is flexible to the needs of all three (SaaS, IaaS and on-prem) to gradually chart the journey to SASE without compromising on certain use-cases, which are rarely homogeneous.
Recommendation: ensure your delivery method for consuming your secure access solution is scalable, streamlined and future-proof, without compromising the requirements of today
Step four: expanding zero trust
By this stage, you will be several years into your journey to SASE, perhaps also implementing solutions from other areas of the framework such as CASB or FWaaS. Having developed a deeper intimacy with zero trust (as outlined in step two), by now you should be prepared to start scaling zero trust policies across your organization. More departments, a wider scope of devices, a greater range of applications and a never-ending list of use-cases should be the objective. The principles of zero trust demonstrably reduce the attack surface, and so expanding their implementation across the enterprise is essential to staying both secure and agile.
Recommendation: continue to roll out new zero trust policies to individuals, teams, applications, geographies and use-cases across the enterprise
Step five: integrated SASE
Alongside this simple maturity model, you will have almost certainly adopted other technologies. For secure access specifically, the most important will have been a Cloud Access Security Broker (CASB) and a cloud Secure Web Gateway (SWG). These help the enterprise secure SaaS applications and the broader public web respectively. Several years into your SASE journey, the sophistication of your approach to SASE technologies will be reaching its zenith – you’re almost at the Gartner-grade panacea of modern secure access.
The final stage is about ensuring each of your solutions is well integrated, or at least inter-operable, with the others. Some vendors will promise any and every solution from a single source, suggesting this is possible from the start. The reality, however, seldom matches the marketing. Only in very rare instances can a single vendor truly deliver a full suite of products to an industry-leading standard, and so the more likely outcome is that businesses are managing several solutions from several vendors (just as they were for traditional network security stacks). Taking advantage of integrations between ZTNA, CASB, cloud SWG, cloud VPN, FWaaS, SD-WAN and other disparate technologies will be crucial in realizing the full benefits of a SASE strategy.