Menlo Security: Navigating the SASE Maze
The shift to hybrid working and the adoption of cloud-based infrastructure has forced a new approach when it comes to security: introducing Secure Access Service Edge, also known as SASE. Coined by Gartner, the term simplifies security in today's disparate network perimeter. This article looks at SASE under a microscope, uncovering the unique opportunities, solutions, challenges, and complexities it creates for network leaders and users today.
Say Hello to SASE (pronounced ‘sassy')
Following the enterprise-wide cultural shift to placing the cloud, rather than the data centre, at the heart of network connectivity during the height of the cloud computing revolution, organisations needed a cloud-native approach to wide-area network (WAN) security and access management. In a nutshell, the security world needed a new security model and in 2019, their prayers were answered. Global business and IT analyst firm Gartner introduced the world to SASE in a research paper entitled The Future of Network Security is in the Cloud:
The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises.
These said WAN capabilities were to be delivered as-a-service and based upon the identity of the entity (i.e. associated with people, devices, applications, services, IoT systems or edge computing locations), real-time context, security/compliance policies, and continuous assessment of risk/trust.
What SASE Means for Network Leaders and Users: The Benefits and the Challenges
Bundling network and security functions into one cloud service are beneficial for network leaders, users, and businesses as a whole. For one, it's a way to implement all security functions and policies from web and email security to firewall and access control. This is down to the fact that SASE relies on a distributed group of cloud gateways called local points of presence, or POPs, which are equipped with internal and external threat protection. Such tight integration of networking and security enables network leaders and users to remain rest assured that company data and personal information is secure against attacks and data leaks.
Further advantages of deploying security in a SASE framework also include the chance to simplify and centralise the management of security tools, decrease the likelihood of end-users skirting security -- security operates in the cloud and behind the scenes, lower WAN costs, plus maintain full visibility regardless of location or device type.
SASE does not, however, come without its challenges, especially during the adoption stage. Ensuring that the cloud-native security architecture is smart and scalable enough to deliver secure access to resources, no matter where a user is located, requires a lot of work. Choosing the right SASE vendor is key to a smooth transition and management because although a one-stop cloud-based security shop is ideal, it risks being a single point of failure, potentially resulting in an entire system shutdown if technical issues arise.
Key Components of SASE
SASE is comprised of five components:
- SD-WAN - A software-defined approach to controlling network operations and managing the distribution of data over a wide network, SD-WAN is the foundation of SASE. The virtual WAN architecture decouples the networking hardware from its control mechanism, simplifying WAN management.
- CASB - Cloud access security brokers provide a centralised hub for policy and governance across multiple cloud services. The nifty tool sits between an organisation's on-premise infrastructure and a cloud provider's infrastructure, ensuring that traffic between the two sides comply with the security policies of the customer/company.
- SWG - This security solution is the first piece of the SASE adoption puzzle. Secure web gateways stop unauthorised traffic from infiltrating an organisation's internal network and protect users from web-based threats by blocking access to malicious content.
The Convergence of SWG and CASB
The unification of SWG and CASB within SASE is particularly powerful. Along with being the perfect central aggregation point through which all traffic flows, the two security tactics work together to remove security blind spots and deliver risk-free access to digital assets and applications.
- FWaaS - A synonym for cloud firewalls, firewall-as-a-service delivers advanced next-generation firewall security that goes beyond on-site network protection. Made to be a part of a company's cloud infrastructure, the service, similar to the standard firewall, monitors ingoing and outgoing traffic and enforces an organisation's security policies.
- ZTNA - Zero Trust network access is based on the Zero Trust model, which posits that no user, device, data, location, or network is trusted. The service authenticates users, granting access only to applications required for a particular user or occupation to do their job.
The Relationship between SASE and ZTNA
Although SASE and ZTNA are commonly pitted against each other, they are not separate entities or competing, nor conflicting, network security models. Rather, the SASE framework builds on the Zero Trust model, embedding it within its architecture to provide a fully integrated, robust secure edge connectivity framework.
SASE: Why Now?
Network security has greatly developed over the last decade, but nothing has disrupted, transformed, and accelerated it as much as the COVID-19 pandemic. Worldwide lockdowns and consequential remote working throughout 2020 resulted in a dramatic workplace transformation: workforces and their critical tools were forced to disperse from office buildings and migrate elsewhere. People, data, and applications were everywhere, so network security could no longer be confined to a single data centre. Turning to virtual private networks also wasn't feasible as they simply don't scale. The heavy adoption of SASE across the enterprise was, thus, a no-brainer as it underpins the ‘anytime anywhere' access model that companies had no choice but to embrace.
Fast forward to 2021, and despite talks of ‘post-pandemic', remote working is here to stay, with flexible, hybrid work becoming the ‘new normal' for organisations today. Hence, SASE couldn't have come at a better time and this is just the beginning. Gartner predicts that ‘by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at the end of 2018.' The more companies get on board with SASE, the more positioned and well-equipped they will be to secure and support the future of work.
Getting SASE Ready: The Menlo Way
The decision to take up SASE may come easy to business leaders, but the journey towards implementation and adoption requires much planning. According to the global trusted web security vendor Menlo Security, there are four critical steps businesses need to take to get SASE ready:
Step 1: Assess your stack
Assess your existing investments. Take an inventory of hardware and software to understand refresh cycles and develop a reasonable timeframe for phasing out on-premises perimeter and branch hardware.
Step 2: Know your data and let insights drive you
Getting a grip on what data the business has, where it's located. and how it's used is key. Migrating to SASE offers the perfect opportunity for the enterprise to assess its data landscape from both operational and security standpoints.
Step 3: Document your plan
In line with the post-pandemic accelerated rate of adoption, a migration plan should include the following milestones:
- Phase-out of hardware and software. Much of what's in use is no longer needed in a cloud-first strategy.
- Consolidate and eliminate vendors. Many of the tools currently in use were made for a data centre–oriented environment and won't transition easily to the cloud. This is where companies can save money.
- Eliminate legacy VPNs used at the network level for remote access.
- Establish metrics for measuring migration success. Metrics can serve as an early warning system that something is off and give the enterprise an opportunity to fine-tune its game plan.
- Ensure continuous authorization for access requests.
Step 4: Nail down security
Focus on these key security stages:
- As we've advocated previously, an enterprise should start with an SWG to provide security coverage no matter where a user is located.
- Rework and revitalize a data loss prevention policy. Layout where data can be stored, how it can be used, and who can access it.
- Increase visibility into assets across the computing environment. Without clear visibility, security teams don't know what to protect or where the real threats lie. This is especially true in multiple cloud environments that use both public and private cloud offerings.
- Add CASB data authentication and encryption points to protect applications on the cloud, establish control, and improve visibility.
- Adopt a ZTNA mindset that assumes no one is trusted and access to resources is given on a one-at-a-time determination.
Menlo Security's SASE Solution
"Users go anywhere, malware gets nowhere."
Menlo Security's cloud-based Isolation Platform scales to provide comprehensive protection across enterprises of any size, without requiring endpoint software or impacting the end-user experience. Leveraging the principles of Zero Trust, the platform provides a foundation for your journey to secure access service edge (SASE), replicating the content end-users are consuming and letting them access web apps, download documents, collaborate online, and open emails safely and securely.
Want to learn more about Menlo Security's approach to cloud-native network security? Interested in acquiring their SASE solution? Click here