How do you know when your technology architecture is SASE ready?

Published: Friday, 02 September 2022 06:56

Many organizations are turning to secure access service edge (SASE) to help ensure cyber resilience while enabling safe remote working and effective digital transformation. Michael Wood provides some advice for organizations looking to start their SASE journey.

Over the last two years, organizations have been faced with some of the toughest IT and security challenges. Businesses are having to deal with the ever-growing cyber threat landscape, the era of remote working, and the process of digital transformation all at the same time.

As a result, many business leaders made the decision to adopt a secure access service edge (SASE) approach to their organization’s infrastructure. Integrating both networking performance and security performance into a single architecture, SASE’s framework brings together cloud native security technologies, such as zero trust, firewall as a service (FWaaS), secure web gateways (SWGs), with WAN technology to securely connect users, applications, and systems anywhere with no detrimental effect on usability, performance and connectivity for the business and end user.

There are many benefits to SASE, however, these can all be lost by not implementing it correctly. In order for their SASE journey to be as smooth as possible, organizations need to understand how prepared they are for the technology. Only by assessing their architecture can organizations fully reap the benefits of SASE and gain a return on their investment. So, how can organizations assess their SASE-preparedness?

Where's your starting point for SASE and what devices need to be secured?

There are several ways to approach SASE implementation, but it is crucial to know what you want to secure. Security teams must ask themselves, what are they actually securing? Is it laptops, computers, mobile devices, or all the above, for example?

Once this is understood, organizations can take two different approaches to implement SASE.

One of the approaches is to enable capabilities for employees when they’re not inside the office.

When users are on their mobile phones or laptops, ZTNA and secure web gateways are extremely important. This will ensure that SASE can provide high networking performance, maximum security, as well as complete visibility across all devices connected to the network.

Another method that an organization can take, is to enforce SD-WANs and security. Organizations can then enforce zero trust - the concept of eliminating explicit trust and ensuring users authenticate themselves to gain relevant access. SD-WAN is a well-defined approach that gives its users control and visibility of how systems are accessed. Between zero trust and SD-WAN, organizations have more visibility and control, which makes them better prepared for SASE.

These are the two common approaches that will lead to SASE implementation.

Another strategy is that companies decide to adopt both the models together simultaneously. Both these methods can bolster an organization’s security stance. However, firms need to measure what their security posture is before implementing this framework.

Measuring the organization’s security stance

It can be relatively easy to measure an organization’s security stance, by understanding your level of policies and protection.

When organizations know where to implement access control measures, the transition to SASE is much easier. Therefore, organizations must look at the list of applications that their employees use and identify who the provider of those apps is. They can then look at how many of those apps give their IT teams an opportunity to control access.

In order to find out this information, organizations can do an audit to see how many apps are off the network or off the grid. Applications that are off the grid are the apps that IT teams have no ability to provide any security to.

The second most important thing is assessing what applications employees are actually using. In other words, a business must ensure their employees are using the apps and documents that are approved by their IT teams, without compromising the privacy of their employees.

In most cases, an organization can look at 20 percent of their employees and see what they are accessing. It might happen that most employees have no visibility and hence an organization does not have an ability to protect them.

Once organizations have a full understanding of what devices and applications they need to secure, it is time to start looking at their hardware.

The importance of hardware neutrality - can SASE be deployed flexibly across different environments?

Businesses need to understand that hardware neutrality refers to looking at what hardware already exists inside the organization as an anchor point; and what kind of hardware this is, including mobile devices such as laptops and iPads. It is also important to understand what kind of multi cloud environments are being used.

Many organizations have not yet refreshed hardware inventories, which means they are still using outdated or more archaic hardware that can’t support a SASE implementation. If this is the case it is important to understand this early on in the process. Security teams don’t want to be going back to their executive board asking for more money because their technology is inflexible.

It is key to understand that when organizations do implement a refresh, they need to adapt a model or infrastructure that gives them full flexibility. Organizations want to be able to run the same SASE platform across the entire network, otherwise they don’t gain the full benefits of SASE.

Once organizations have sorted out their hardware, it is time to start looking at their security procedures.

Why implementing security procedures before delivering SASE is crucial

The SASE framework has its own security benefits but making sure that primary security procedures are in place is a must for implementation.

To protect transactions and the data, SASE requires encryption. Organizations must be able to not only inspect sessions but also terminate them where it is required, based on policy with a scalable framework.

SASE offerings need to be able to provide inline encrypted traffic inspection which is ideally delivered from the cloud without making use of any propriety hardware. In order to provide a high-quality user experience, SASE solutions must include line-rate encryption capabilities. If SASE is unable to deliver strong connectivity and high networking performance, then it’s a waste of money and no-one benefits.

What’s more, multitenant segmentation must also be implemented in order to achieve a successful SASE implementation. SASE works by isolating and segmenting the network traffic. It needs every user to have a separate profiles, privileges, policies, and configurations. By segmenting the network, it allows for SASE to be easily implemented, without losing visibility across the entire network.

By having the correct security procedures in place before implementing SASE, organizations can then implement an architecture which meets the demands required from a both a security point-of-view and a networking point-of-view.

When implementing SASE, organizations are looking for availability, scalability, cost savings, and flexibility; as well as security. SASE implementations can be hard work, however, by following the above steps, it doesn’t have to be such a difficult journey – and the rewards are more than worth it.

The author

Michael Wood, Chief Marketing Officer at Versa Networks.