Security Think Tank: SASE – more than the sum of its parts?

SASE (secure access service edge) is delivered as a service based on the integration of five technologies: software-defined WAN (SD-WAN), secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA) and firewall as a service (FWaaS).

SASE is being pushed quite heavily at the moment by various suppliers, though in terms of maturity, it is just past the “Peak of inflated expectations” on the Gartner Hype Cycle. As for the component technologies, FWaaS is just at the peak of the curve, while the other four – CASB, SWG, SD-WAN and ZTNA – are climbing the “Slope of enlightenment”.

So what makes an integration of these component technologies more than the sum of its parts? What are the benefits and pitfalls? And what should we be asking the suppliers at the end of their pitch?

Most large enterprises typically operate a hybrid model, with some services and data in the cloud and others on-premise. These organisations will already be using a CASB to broker identity between different cloud services and the fixed environment – and most will have users either working from the office or remotely via a VPN connecting into a central site.

The traditional approach would be for remote workers to connect via a full-tunnel VPN, so that all traffic goes via the enterprise’s fixed infrastructure. With a small number of remote workers and most data and services on-premise, this works well. However, as a result of the pandemic and more services and data moving to the cloud, we have seen a dramatic increase in remote access, resulting in overload of VPNs as well as bottlenecks in centralised infrastructures as remote users access the cloud.

SASE aims to avoid this by allowing remote users to securely connect directly to cloud services and the enterprise infrastructure, as appropriate. This is achieved partly through using SD-WAN to dynamically change connectivity and CASB to broker the various services. Nevertheless, SASE also adds zero-trust through ZTNA, WSG and FWaaS to provide more fine-grain access to data and services and to improve overall security.

This is offered as a single service, which from a user’s point of view provides a direct secure connection to all services and data, without the bottleneck of the enterprise’s fixed infrastructure. From the enterprise’s point of view, it provides additional security and is provided as a service, reducing initial investment and maintenance overheads.

Given that SASE is an integration of existing technologies, why not look for best of breed of each technology and do the integration yourself? In theory, this could be possible, but in practice, SASE requires very tight integration between the different component technologies – particularly around identities. CASB, ZTNA, SWG, etc need to be configured to a greater or lesser extent with users’ access rights.

Taking different developers’ components and configuring access rights separately for each is impractical and may lead to errors, while trying to integrate them through APIs (application programming interfaces) and provide a single configuration interface would be challenging and could lead to errors that compromise security.

Moving to SASE does not solve all security problems, however. In moving away from the traditional VPN connecting to the enterprise and regional offices connecting to head office and then out to the internet, users will be connecting directly from wherever they are. Any enterprise fixed infrastructure will effectively be a set of services accessible through the cloud, with the enterprise still responsible for the security of that element. Also, end-users’ machines will still be the responsibility of the enterprise.

In the traditional model, a full-tunnel VPN would have been used for users and remote offices, ensuring no direct connection to the internet. With SASE, user PCs and remote offices will need to be configured to connect only to the cloud access point, or if a VPN is maintained also to the enterprise fixed infrastructure. Also, the adoption of SASE would mean that the approach to security monitoring and incident response would need to be reviewed and updated. 

If users are connecting via the cloud and predominantly using cloud services, then it will be necessary to rely on monitoring provided from the cloud. The fixed infrastructure services and data storage would still need to be monitored, but now with users coming in via the cloud. Also, if internet access is via the cloud service rather than via a VPN, or from within the enterprise, then there may be no view of attackers’ command and control channels or data being exfiltrated from a compromised end point. 

The SASE service provided will therefore need to be part of day-to-day security operations and an integral part of any incident response activity. 

SASE is also a relatively new service, with providers fighting for a foothold. Nonetheless, the key to SASE is tight integration between the technologies. You should therefore beware of systems created by acquisition of promising startups to gain access to the component technologies and loose integration of their technologies. This approach is unlikely to fulfil the promise of SASE.

Also, because of the need for tight integration of several different technologies, which will not all be best of breed and with the individual technologies developing quickly, the best now is not likely to be the best in a few years’ time. A cautious approach, with the ability to switch suppliers, or step back if things don’t work out, is advisable.

A SASE service effectively extends your security perimeter into the cloud and gives users direct access via that extended perimeter, or cloud edge. It also provides more controlled access to data and services, reducing both the configuration burden and maintenance costs at the same time. Nevertheless, this does put more responsibility for security into the hands of the service provider.

Therefore, for some enterprises, such as defence, critical infrastructure and finance, that traditionally keep all security in-house, this may be a step too far, at least for now. But for others that don’t have a large investment in fixed infrastructure and are looking to outsource, it could be an attractive option. The others will follow in good time.