Let us go back in time to 2019 – a time when we could actually attend IT events in a physical way.
There I am, on the top level of a stand, having a coffee and scanning the hall, seeing “me too” after “me too” vendor stands, all proclaiming to have the latest, greatest “must have” security product. I imagined myself in former shoes as an IT manager, coming to the show and having to make decisions, not simply about which of these 300+ vendor products were each best in category, but also what did I actually need or could do without and, if I needed something, was it to replace an element of my existing security rear-guard, or to augment what was already in place?
Either way, how would I integrate said new technology or technologies into my (almost certainly) overly complex existing security architecture, and in such a way that I didn’t accidentally create a gaping hole in my attack surface? After all, the easiest way to let a cyber attacker in, is to misconfigure a device, such as a firewall. And this stuff happens – daily. Prior to said event, I’d been hosting a security panel debate between multiple vendors and a couple of consultants; when I raised the question as to “what is actually needed in terms of number and type of devices in your contemporary security framework?”, unsurprisingly none of the vendor could provide an answer. What IS generally accepted is that only around 20% of investment in traditional security products is actually in use at any time. For a Yorkshireman, this is most definitely as much of a crime as a cyberattack!
Backtrack around four years to one of my (once) regular Netevents appearances, this time ON the panel, along with my old mad mate, Jan Guldentops, I suggested, why not have security as a service (what is now known as SECaaS, since SaaS was already taken), along with an essential addition – CSaaS, or Common Sense as a Service, as a means of dictating the security strategy – i.e., only concern yourself with what really matters. And now we really do have SECasS at large, not least as part of a SASE oriented approach to security, something I’ve touched upon previously in this ‘ere blog.
What is important to understand is that, even as analysts and vendors attempt to simplify the concept of security, actually putting it into practice is anything but. When Garnet introduced its’ market guide for ZTNA – Zero Trust Network Access – so many vendors jumped on the proverbial bandwagon: here it is, security defined and simplified. But ZTNA is firstly a buzzword – and a meaningful one – but alone it is not enough. This is explored in more detail in a blog I found on Cato Networks’ website: https://www.catonetworks.com/blog/advanced-network-security-technologies along with more detailing of the component elements of SECasS, so is well worth a read.
Going down the “as a service” route immediately reduces the complexity of the scenario I’ve previously painted, accepting that companies aren’t simply going to throw out millions of quid’s worth of investment in product overnight (and the SecOps guy with it). However, as a means of managing a gradual handover from OnPrem to OffPrem, it makes a huge amount of sense. Obviously, even as a service, that security solution is going to have component elements to it, so what would you expect to find, or deem essential to the cause? Well, obviously cyber-attacks in the first place, otherwise none of this would be necessary -) But that all comes FOC, albeit with a very serious potential cost attached… The aim is, naturally to inspect all traffic whether WAN or Internet, meaning that a layered approach from the service provider will be required, from firewall, to secure web gateway, URL filtering, IPS and the obvious anti-virus/malware protection, down to endpoint.
So, it’s not a trivial solution to create, just that – as a service – you’re not responsible for creating and managing it, the SECasS provider is. Which is nice. It means that, from a customer perspective, it’s then all about defining the right security policy which the provider is capable of implementing; you’ll find a lot of self-service elements here, just as would with – say – modern-day service management solutions. After all, each company (customer) is different in terms of absolute requirements; from a service provider perspective it’s about having all the required elements in place and a failsafe means of deploying that service. Having that provider handle the day-to-day management of your security strategy and solution is both a potentially massive saving in terms of manpower and, more importantly, should provide both consistency and a far easier roadpath/migration route, as required, in the future. No over-engineered security architectures; no wastage of 80% of the investment, no hidden costs along the way… Go on, you know it makes sense; Common Sense as a Service – there you go!