Companies are increasingly willing to admit that traditional security practices no longer fit the way we work. This does not mean that everything must be thrown away, of course. But CISOs and CIOs clearly see that moving many IT services to the cloud challenges paradigms we thought were firmly established, in particular the perimeter: once data and applications have left the data center and are delivered from multicloud environments to mobile employees, the firewall at the data center edge no longer sits on the path between the user and the application, and perimeter security loses its effectiveness.
And this situation now applies to everyone, because the COVID-19 pandemic has forced millions of employees to work remotely. It is impossible, of course, to say whether the massive use of telework in a crisis will change mentalities once the epidemic is over. The current situation has nonetheless highlighted one reality: trying to secure these modern working environments with traditional security concepts makes little sense. At best it fails to meet the needs of the user; at worst it opens gaps in the company's defenses.
To make matters worse, the risk landscape is also changing: we now see targeted attacks against specific users. When the victim does not work from the usual secured network but uses mobile (sometimes personal) devices to access data and applications, both private and professional, in the cloud and on the corporate network at the same time, the risk of compromise is greatly increased. This is where new security approaches are needed.
SASE to the rescue
The SASE (Secure Access Service Edge) model was defined by Gartner in response to new business requirements in an era marked by the (multi) cloud and mobile users. The model, which will matter even more as IPv6 becomes widespread and equipment is permanently connected to the Internet, rests on the premise that security must itself be delivered from the cloud in order to be available wherever the user is.
The golden rule of SASE is that traffic must be protected along its whole journey, from the user to the application, regardless of where the user is located or where the application is hosted. This is a real break with the traditional network-centric approach: security becomes user-centric.
This type of model was first designed to secure mobile users and cloud traffic. But it also proves its worth today when companies adopt it to secure the connections of all their employees. In this context, SASE removes the need to backhaul network traffic to a data center over an MPLS network before it reaches the Internet, an approach that is expensive and now unnecessary.
Gartner's concept also takes the constantly evolving application landscape into account. Because the various applications an employee needs may be hosted by different cloud providers, the associated infrastructure becomes increasingly complex to design and maintain. In addition, users expect to reach their applications from anywhere, on any device, and preferably without complicated setup. It is with this in mind that Gartner designed the SASE approach, which protects data throughout its journey from the user's device to the destination, rather than only securing the destination.
Understanding the SASE model
Implementing the SASE model will not happen overnight. Fully embracing end-to-end security without a fixed perimeter will require a genuine cultural shift. The objective of security teams will no longer be to secure a network: the network as they know it disappears, or more precisely, it is available everywhere, including from the public Internet. A true SASE model must therefore be considered as a global, holistic service. It secures the space between the user and the service they connect to. The SASE framework thus covers all of the user's communication between an origin point, whatever it is, and an end point, wherever it is; it does not get in the way of the user's work, but lets them securely reach the applications and data they need. SASE cannot be compared to any single existing service, since it is a complete framework made up of different elements, including SD-WAN, a software-defined perimeter (zero trust network access) and identity and access management services; Gartner's definition also lists cloud-delivered controls such as secure web gateway, cloud access security broker and firewall as a service.
Here are five key steps that will help implement a SASE-based security system:
1) Know your user base
First, companies must be able to identify their users. They should be able to answer questions such as "who needs access to which services?" and "how can this user base be classified by the access rights it needs, so that different policies can be set for different types of users?" An identity provider such as Azure AD, Okta or Ping is usually a useful tool for building the user base, since it already holds the groups and attributes the policies will key on.
2) Get an idea of user destinations
In addition to knowing their users, companies will also have to think about their "destinations": what should users have access to, and where are these applications hosted? The question matters all the more in multicloud infrastructures, which are now increasingly common. Applications are no longer all hosted in a single data center: they are distributed across several cloud providers and between private and public environments. These two pieces of information, the user and the destination, are the real starting point for a SASE-based solution.
3) Group the service categories and understand their topology
Businesses should not only think about why a user has access to a service, but also where that service is and how the user gets there. Since modern applications can be hosted on any cloud, keeping an overview is important (and complex). Cloud service providers will continue to diversify, and new niche providers will join them to compete with the main market players such as AWS, Azure and Google. Because companies want to avoid vendor lock-in, they often look for the most appropriate environment for each application. It is therefore essential to build an architecture that makes it possible to know precisely where each application is located. Companies should also think about how their applications can be grouped into service categories, so that access control rules are written once per category rather than once per application.
4) Define the rules
To be perfectly frank, SASE can be complex to implement, but only if an organization rushes in and tries to do everything at once. Good practice is to apply SASE rules to a known and controlled scope first, and to observe over time where the model can be extended (the deployment of new applications, the integration of a new SaaS tool, etc.). It is an iterative process and there is no real urgency.
Especially since a SASE service must be adaptive: the company will have to define different rules for different circumstances, raising the level of authentication required according to the risk presented by the user, the application and the way the connection is made (for example, requiring a second factor when a sensitive application is requested from an unmanaged device). To achieve this, access control must be enforced at both the origin and the destination to decide whether a connection between the user and the application should be established at all and, if so, how. This is where "Zero Trust" solutions come in, brokering the user to the relevant application according to the applicable rules and context.
5) The optimal path to the application
The last step is to route user traffic to the application over the shortest possible path. A static path definition is rarely the most effective here: it must account for the mobility of employees, who need to be routed dynamically to the required application from any location. One further criterion must be taken into account: bandwidth optimization, so that critical applications get priority. This is where local Internet breakouts come in, together with SD-WAN, bandwidth management and quality of service control.
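To make the five steps concrete, here is a toy access broker, written for this article and not taken from Gartner or from any SASE vendor. It models a user base exported from an identity provider (step 1), destinations with their hosting location (step 2), grouping into service categories with one rule per category (step 3), context-aware rules with step-up authentication (step 4) and dynamic choice of the provider point of presence that gives the shortest path, compared with a legacy backhaul through a central data center (step 5). All users, applications, groups, assurance levels and latency figures are constructed for illustration; the two-level assurance scale and the latency tables are assumptions, not anything the article or a real product defines.

```python
"""Toy SASE / Zero Trust access broker (added example, constructed data).

(1) users from an identity provider, (2) destinations and where they live,
(3) service categories, (4) context-aware rules with step-up authentication,
(5) shortest path through the provider's points of presence (PoPs).
"""
from dataclasses import dataclass

# (1) User base as it might be exported from an IdP such as Azure AD or Okta (constructed).
USERS = {
    "alice": {"groups": {"employees", "finance"}},
    "bob":   {"groups": {"employees", "engineering"}},
    "carol": {"groups": {"contractors"}},
}

# (2)+(3) Destinations, hosting location and service category (constructed).
APPS = {
    "payroll": {"category": "finance-restricted", "hosted": "private-dc", "region": "eu-west"},
    "git":     {"category": "engineering",        "hosted": "aws",        "region": "eu-central"},
    "wiki":    {"category": "general",            "hosted": "saas",       "region": "us-east"},
}

# (4) One rule per service category, not per application.
# Assumed assurance scale: 1 = password only, 2 = password + MFA.
POLICIES = {
    "finance-restricted": {"groups": {"finance"},                  "min_assurance": 2, "managed_only": True},
    "engineering":        {"groups": {"engineering"},              "min_assurance": 1, "managed_only": False},
    "general":            {"groups": {"employees", "contractors"}, "min_assurance": 1, "managed_only": False},
}

# (5) Provider PoPs and constructed round-trip times in ms. The public Internet
# carries client -> PoP; the provider backbone carries PoP -> application.
POPS = ["eu-west", "eu-central", "us-east"]
INTERNET_MS = {("eu-central", "eu-west"): 15, ("eu-central", "us-east"): 95, ("eu-west", "us-east"): 80}
BACKBONE_MS = {("eu-central", "eu-west"): 10, ("eu-central", "us-east"): 60, ("eu-west", "us-east"): 55}
LEGACY_HUB = "eu-west"  # data center all traffic used to be backhauled through (assumption)


def rtt(table, a, b, same_region):
    """Symmetric lookup; same_region is the assumed intra-region cost."""
    return same_region if a == b else table[tuple(sorted((a, b)))]


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    managed_device: bool
    mfa_done: bool
    client_region: str


def required_assurance(policy, req):
    """Baseline comes from the service category; an unmanaged device raises it one level."""
    level = policy["min_assurance"] + (0 if req.managed_device else 1)
    return min(level, 2)


def decide(req):
    """Return (verdict, reason) with verdict in {"deny", "step_up", "allow"}."""
    user, app = USERS.get(req.user), APPS.get(req.app)
    if user is None or app is None:
        return "deny", "unknown user or application"
    policy = POLICIES[app["category"]]
    if not (user["groups"] & policy["groups"]):
        return "deny", f"{req.user} holds no group entitled to {app['category']}"
    if policy["managed_only"] and not req.managed_device:
        return "deny", "managed device required"
    have = 2 if req.mfa_done else 1
    need = required_assurance(policy, req)
    if have < need:
        return "step_up", f"assurance {have} below required {need}"
    return "allow", "policy satisfied"


def path_cost(client_region, pop, app_region):
    return rtt(INTERNET_MS, client_region, pop, 5) + rtt(BACKBONE_MS, pop, app_region, 2)


def select_pop(client_region, app_region):
    """Pick the PoP minimising client->PoP (Internet) plus PoP->app (backbone) latency."""
    return min(POPS, key=lambda pop: path_cost(client_region, pop, app_region))


def backhaul_cost(client_region, app_region):
    """Cost of the legacy design: client -> central data center -> out to the app."""
    return rtt(INTERNET_MS, client_region, LEGACY_HUB, 5) + rtt(INTERNET_MS, LEGACY_HUB, app_region, 5)


def broker(req):
    """Steps 4 and 5 together: authorize first, then choose the path only for allowed flows."""
    verdict, reason = decide(req)
    result = {"verdict": verdict, "reason": reason, "path": None, "ms": None, "backhaul_ms": None}
    if verdict == "allow":
        app_region = APPS[req.app]["region"]
        pop = select_pop(req.client_region, app_region)
        result.update(path=[req.client_region, pop, APPS[req.app]["hosted"]],
                      ms=path_cost(req.client_region, pop, app_region),
                      backhaul_ms=backhaul_cost(req.client_region, app_region))
    return result


if __name__ == "__main__":
    for r in [Request("alice", "payroll", True, True, "eu-west"),
              Request("alice", "payroll", True, False, "eu-west"),
              Request("bob", "payroll", True, True, "eu-central"),
              Request("carol", "wiki", False, True, "eu-central")]:
        print(r.user, "->", r.app, broker(r))
```

Two design points are worth noting. Rules are keyed on the service category, so adding a fourth finance application means adding one line to APPS, not a new rule. And path selection runs only after the access decision: a denied or stepped-up request never learns where the application is hosted, which is the software-defined perimeter idea from the section above.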
Once an organization has worked through these five steps, it will be in a good position to pilot the SASE model: select a single application or a single group of users and start the implementation on that reduced scope.
Ultimately, the goal of digital transformation should be to accelerate innovation rather than slow business processes down. The SASE model can help companies build a global IT infrastructure that scales with demand and takes all application, network and security requirements into account.