Secure access in COVID times
Much has already been written about how COVID-19 lockdowns have changed the workplace location and in so doing, the IT dynamic. In hindsight, many commentators have admitted that worldwide lockdowns accelerated a trend that was already picking up steam – work from home, work from anywhere, as long as you work!
When we engage with our customers, this “trust-but-monitor” cultural mindset is clearly articulated in the feedback they offer. Chief Technology Officers (CTOs) are telling us that ‘we trust our employees to work from anywhere. As long as they are productive, we don’t care where they are’ and critically, that ‘we need to monitor our employees – for governance, compliance and productivity reasons of course’. And as the need for secure remote working has grown, they are telling us that “it’s IT’s job is to make business happen SECURELY. Just make it happen. And don’t get hacked”.
From my perspective, the essence of these insights from customers align with several of the buzzwords already top of mind for C suite executives (CISOs, CIOs and CTOs):
- Cloud Access Security Broker (CASB)
- Firewall as a Service (FWaaS)
- Secure Web Gateway (SWG)
- Zero Trust Network Access (ZTNA)
- Software defined WAN (SD-WAN)
These technologies/frameworks align perfectly with the introduction of SASE (Secure Access Services Edge) that was first used by Gartner in 2019. Pronounced sassy, this new category of technology solution is currently at the top of the 2020 Gartner hype cycle ‘peak of expectation’ for Cloud security, and is defined as all the above technologies, or at least, some sort of venn between them.
Wrapped up into a single pane of glass goodness, delivered as a service, seamless security for the user and the administrator, SASE will ensure perfect secrecy for all your employees – onsite and remote, technical or technophobe, malicious or technologically illiterate.
However, due to the vast expanse of SASE’s intended goals, there is no one-stop-shop.
You might buy a Cloud Access Security Broker (CASB) solution, with elements of SD-WAN, Secure Web Gateway (SWG) and Firewall-as-a-service (FWaaS) from a vendor that historically provided only one of the elements, and has built; acquired or integrated the other components.
Alternatively you may take a Zero Trust Network Access (ZTNA) approach to deploying SaaS applications, and a different approach for endpoint security.
One size does not fit all.
Selecting one of the aforementioned technologies as the centerpiece of a security strategy, would depend on a combination of technical goals, appetite for risk, level of maturity and importantly, budgetary constraints.
For example, if you’re buying an SWG you need to force people browsing through the nearest cloud based proxy. You will need an identity mechanism, and the tools to implement forward proxies and/or tunnels to get you there.
You then want to get as much out of your SWG spend, by turning up the security dials until the security/convenience trade-off tilts too far. And, then dial it back to a more usable level of security, while still implementing a level of Data Loss Prevention (DLP).
On the other hand, ZTNA presents more complicated architecture decisions, given that the goal is to provide direct access to IaaS, PaaS and SaaS apps, without a VPN perimeter. Identity (and two factor authentication [2FA]) comes to the fore when thinking about ZTNA, and you will rely heavily on the authentication tools provided by your SaaS vendors.
That said, ZTNA is one of the frameworks that places heavy emphasis on the end user experience, by ensuring that convenience is top-of-mind – a proven method to ensure that users don’t have to think of creative ways to bypass security controls.
CASB could be viewed as the middle ground. The vendor provides cloud on-ramps at multiple locations (POPs – points of presence) to ensure low latency access for ingress and egress traffic. Reverse proxying enters the arsenal of tools.
If you run a business on laptops and SaaS applications only, CASB has the potential to evolve into your SIEM (Security Information and Event Management). But what about your endpoints? You’re probably going to need an Endpoint Detection and Response (EDR) solution, , and the trusty old Firewall, perhaps with a “Next Generation” sticker.
SASE has nothing to do with endpoints, and is therefore not the complete solution.
It could therefore be thought of as a framework, composed of a bundle of services, which achieve a percentage of your security goals.
The winners and losers have yet to be determined, and indeed most of the large vendors are jostling for dominance, either through mergers and acquisitions or strategic partnerships. For example, VMWare has established partnerships with Menlo Security and ZScaler, while Cisco leverages its acquisition of Meraki, Viptella and Umbrella to piece together secure access to public and private Clouds.
The following peripheral services could also be components of a SASE solution:
- Remote Browser Isolation (RBI)
- Web API Protection as a Service (WAAPaaS)
- Identity Access Management (IAM) – delivered via an IDP
- Virtual Private Network (VPN)
- Data Loss Prevention (DLP)
- Advanced Threat Protection (ATP)
- Quality of Service (QoS)
This acronym soup reminds me of the UTM narrative security vendors pushed in the early to mid 2000’s. They combined WF, AV, AS and AC (Web Filter, Anti Virus, Anti-Spam and Application Control respectively) into a single box to rule them all, but were ultimately superseded by the Cloud. Of course these vendors are ideally positioned to pivot into SASE.
This series of blog posts will follow this exciting world of evolving security technologies. I’ll explore many of the above concepts in more detail in subsequent posts.
Stay tuned for the trough of disillusionment.