By Gary Audin
Digital transformation can affect network security architectures that employ the enterprise data center for connectivity. Businesses have more users, devices, applications, services, and data located in cloud services outside the businesses
data center. This presents an opportunity for the MSP to fill the gap that some businesses encounter when securing digital
Complexity and latency application requirements require a change in the security architecture. There are many issues that lead to the adoption of security-as-a-service capabilities into a cloud-delivered secure access service edge (SASE).
Security access by identity
Endpoint identities (devices and people) need access to resources that are connected to the internet. The security decisions can be based on the identity of the device or person or both.
The endpoint identity is an important part that needs to be factored into the applied security policy. There are other identity sources that include identity location, time of day, the risk, and trust of the user’s device, and the application and data sensitivity being accessed which expands the ability to block intrusions while supporting verified and approved users.
User’s access and work with multiple applications and resources simultaneously. It is common for a user/endpoint to have more than one session operating at the same time. For example:
- The user may be working with one or more internal applications that need to be monitored.
- As part of the internal application use, the user is participating in a collaboration session with screen sharing that requires monitoring and low latency.
- A user may be working with Google docs that do not require low latency.
- A Facebook connection with chat sessions needs to be analyzed for sensitive data but where low latency is not required.
- When Salesforce is employed, the session must be monitored for malware and the use of sensitive data.
- The user may also be accessing their personal Internet based financial accounts which do not need inspection.
The answer SASE
Secure access service edge (SASE) delivers cloud based service using the identity of the user/endpoint identity. This provides a real-time solution, employing security/compliance policies and while also evaluating the risk/trust assessment during the sessions. The entities can be associated with internal and external people, groups of people like collaboration sessions, devices, applications, IoT systems or edge computing. SASE delivers the services and ensures policy enforcement. This enforcement is independent of the identity location requesting the service.
In the Gartner report “Hype Cycle for Cloud Security, 2019,” SASE was located on the far left of the Hype Cycle at the post-trigger 20% position. It is expected that it will take a few years before SASE becomes mainstream. The Gartner report also stated that comprehensive SASE offerings are emerging, with slow adoption rates at about 1% in the near future. SASE presents a real growth opportunity for the MSP.
SD-WAN vs. SASE
SD-WAN is offered as a network-as-a-service. SASE is offered as a network-security-as-a-service. They are complimentary, not competitors. SD-WAN and SASE together in a single market and a single provider allows the enterprise to continue the use of SD-WAN services while deploying SASE. This capability will improve sensitive data awareness, secure the data, and also provide threat detection. SD-WAN security control is data center focused. The cloud service is the security focus with SASE.
Benefits of SASE cover:
- Improved security supports content inspection looking for and locating sensitive data and malware.
- Operational overhead will be reduced because the SASE service will support new capabilities without requiring the enterprise to invest in new hardware and software. SASE will block new threats as they emerge without requiring new deployments and foster early adoption of new capabilities.
- Zero trust networking is based on the user, device, and the application identity which can simplify security policy management. SASE supports end-to-end session encryption with optional web application and API protection that can be extended to Wi-Fi networks.
- SASE will reduce the cost and complexity through a single service provider.
- Security service transparency will reduce the number of software agents required on a device to a single agent.
- SASE delivers centralized policy management with local enforcement employing distributed enforcement points.
The existing network and network security architectures were designed for the centralized data center and are limited. They do not serve the dynamic secure access requirements. Business digital transformation needs the deployment of SaaS, especially for real time applications, edge computing and IoT, and other cloud-based services. This has stimulated businesses to reverse their thinking by looking from the network edge rather than looking from the center out. SASE provides another opportunity for the MSP to expand its service offerings and revenue stream.