Today’s columnist, Michael Covington of Wandera, says the days of constructing a moat around the data center with lots of security hardware are being replaced by the cloud-based security model that Gartner coined Secure Access Service Edge (SASE).

The borderless enterprise has arrived, and IT policy has shifted to accommodate more devices, more networks, and more applications in more places than ever before. A successful remote work strategy revolves around enablement. This means being more agile and flexible with the company’s security strategy to accommodate the varying needs of a dispersed workforce, and that requires a cloud-first model.

Secure Access Service Edge (SASE) has emerged as a new cloud-based network security model coined by Gartner. It combines the best of network and security solutions into an integrated technology stack. This approach lets organizations manage their security and connectivity in a more scalable and agile manner, and here are four reasons it’s so relevant today:

  • IT has become decentralized.

Despite a decades-long attempt to define corporate IT standards, the lack of standardization has become the standard. Workers based out of different locations are all using different devices to collaborate on the same applications. Contractors, partners and suppliers also need temporary access to shared business information. The disparity of devices used by these different groups introduces significant complexity.

The disparity of places data gets stored adds even more complexity. Cloud-based applications are easy and cost effective for businesses to deploy, manage, and maintain; both public and private cloud services have established acceptable track records, making them viable for businesses of all sizes. Similarly, SaaS solutions completely remove the development and maintenance burden from busy IT teams.

With users everywhere, and business applications everywhere, it no longer makes sense for IT to own a lot of infrastructure; instead, we see a trend towards leasing cloud infrastructure, which makes IT more agile: it reduces latency, improves performance, and lets IT provision and scale resources in a matter of minutes with seemingly limitless capacity.

Many organizations have adopted a decentralized, hybrid IT environment resulting in data that now resides across a diverse infrastructure. Some will maintain control of certain applications indefinitely, but cloud and SaaS solutions have enabled applications to sit outside the corporate perimeter, making access to them—and protection of them—a critical area of focus for security teams.

  • Networking and security have gone virtual.

Security appliances once made sense because organizations had a fixed number of network connections coming into the physical data center; for each network connection the business would add a security tool, such as a firewall or IPS, to protect data flowing in and out of the campus. Now data and users have left the perimeter, but security teams still need to protect and connect services to users. Many organizations are tackling this challenge by going virtual with their networking and security.

Virtual networks let service providers provision an optimized networking structure for the applications they host and alter that structure as needed through software, rather than requiring physical changes to hardware-based infrastructure. This network virtualization gave rise to the first cloud architectures.

Virtualized security solutions are software-based and designed to work within a dynamic IT environment. Virtualized security’s flexibility comes in handy when it comes to securing hybrid and multi-cloud environments, where data and workloads move between multiple vendor products. Bringing networking and security services together in the cloud creates SASE, a model that enables intelligent routing, application-optimized networking, and inherent security by eliminating the constraints of tools tied to physical spaces. It’s a new way of delivering network security.

  • Companies need to rethink what they protect; we can’t assume trust.

Enterprises used to have one set of crown jewels they were trying to protect (the data center), and they physically controlled that space. A castle-and-moat security model was the norm, where trust was inherent to those inside the network. Legacy VPN was built around the foundation of a corporate perimeter and worked adequately when applications were run from the data center and devices were fully managed by IT. But with VPNs, potential attackers can access entire network segments when connections are implicitly “trusted” and when robust methods for verifying user identity or checking device security posture are not provided.

Cloud-delivered network security is a fundamental shift from the traditional approach. No more boxes, appliances, physical devices. And crucially, cloud-delivered network security can scale. Without it, security teams simply can’t buy enough appliances to protect all this data moving out of the corporate perimeter and into the cloud, let alone provide mechanisms for legitimate users to securely access those applications no matter where they may work.

  • Efficiencies have been made in traffic inspection.

With the shift towards SASE, security services such as firewalls, cloud access security brokers (CASBs), and secure web gateways (SWGs) will still deliver value to IT. However, it no longer makes sense to have traffic inspection and monitoring self-contained within each virtualized security service. Security teams need to architect functionality in a way that lets analysis occur separately from traffic processing. There’s no need to have 10 different virtual appliances decrypting and encrypting traffic 10 times. Don’t force data through unnecessary hurdles, or the company’s users will have a poor experience with reduced performance, increased latency, and unnecessary bandwidth consumption.

With a SASE model, it’s possible to manage traffic flow more efficiently without relying on a centralized architecture. Not all applications require quality of service or security capabilities applied in the network. Companies need an agile network and should apply microservices to perform functions on the traffic on-demand, rather than all the time. Context-aware security has been written about in the literature for a long time, but we only now see rich amounts of context – on both users and endpoints – being incorporated into access policies.
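The contrast drawn above between a VPN that implicitly trusts anyone inside the network and an access policy built on user identity and device posture, as an added illustration that is not part of the column and not any vendor’s product: both rules are evaluated side by side on constructed requests. The app names, posture attributes and decision labels are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed sample policy data; not taken from any real deployment.
SENSITIVE_APPS = {"finance", "hr"}

@dataclass(frozen=True)
class Device:
    managed: bool            # enrolled in the company's device management
    os_patched: bool         # running a current OS build
    disk_encrypted: bool
    jailbroken: bool = False

@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    mfa_verified: bool
    on_corporate_network: bool   # e.g. connected through the legacy VPN
    device: Device

def legacy_vpn_decision(req: AccessRequest) -> str:
    """Castle-and-moat rule: being inside the network is the only trust signal."""
    return "allow" if req.on_corporate_network else "deny"

def posture_ok(d: Device) -> bool:
    """Full device posture required before sensitive data is exposed."""
    return d.managed and d.os_patched and d.disk_encrypted and not d.jailbroken

def sase_decision(req: AccessRequest) -> tuple[str, list[str]]:
    """Context-aware rule: network location is ignored; identity and posture decide.
    Returns the decision plus the reasons, so every verdict can be logged and audited."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("user identity not verified with MFA")
    if req.device.jailbroken:
        reasons.append("device is jailbroken")
    if reasons:
        return "deny", reasons
    if req.app in SENSITIVE_APPS:
        if posture_ok(req.device):
            return "allow", ["sensitive app, full device posture verified"]
        return "deny", ["sensitive app requires a managed, patched, encrypted device"]
    if req.device.managed:
        return "allow", ["managed device, non-sensitive app"]
    # Unmanaged contractor device: grant a reduced, read-only session instead of a flat deny.
    return "allow-limited", ["unmanaged device: browser-isolated, read-only session"]
```

The first case in the test is the scenario the column warns about: a connection that is inside the network but carries no verified identity or device state is allowed by the legacy rule and denied by the context-aware one.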

The old assumptions of good security practices are changing before our eyes to meet the new normal. SASE will enable a technology ecosystem designed to deliver an optimal application experience for users, as well as a more manageable approach to delivering security capabilities in the network as businesses move away from legacy technologies.

Michael Covington, vice president, product strategy, Wandera