Conclusion: Identities are the new security perimeter, making the integration of network and security technologies essential for any organization.
At the recent RSA conference, the cybersecurity industry saw many next-generation smart and connected products hit the market, along with the services that support them. For these products and services to succeed, the organizations that build them must integrate network technology and security much more tightly. Employees, vendors, service teams and, most importantly, customers all need anytime, anywhere, real-time access to cloud applications, platforms, and services. Add to that exorbitant customer expectations for network speed and low latency, and enterprises are beginning to see the perfect conditions for forging a new approach to network technology and security.
Demystifying cybersecurity networks in 2020
Gartner, the world’s leading research and consulting firm, has observed a new trend: the convergence of network services and cybersecurity technologies. The trend has become so widespread that last year Gartner coined the name Secure Access Service Edge (SASE) to describe it. In its recent research report, The Future of Network Security Is In The Cloud (Gartner subscription required), by Neil MacDonald, Lawrence Orans, and Joe Skorupa, published on 30 August 2019, Gartner defines it as follows: “The Secure Access Service Edge is an emerging offering that combines full WAN capabilities with comprehensive network security features (such as SWG, CASB, FWaaS, and ZTNA) to meet the dynamic secure access needs of digital enterprises,” provided primarily as a cloud-based service. You can see a graph illustrating the convergence of these two services below:
Leaders identified the following factors that are accelerating the evaluation and adoption of SASE in enterprises today:
- The best digital business models adapt and respond in real time to customer requirements, without being bound to branch locations. SASE’s design responds to the rise of highly distributed enterprises and the pressure they place on on-premises systems. With SASE, a sales rep completing a transaction on their smartphone in a coffee shop gets the same application availability and security as a sales rep in the head office. SASE is designed to adapt and to treat each identity as a new security perimeter. I think that’s why Gartner included Zero Trust Network Access (ZTNA) in the framework. ZTNA protects the growing number of endpoints in a growing digital business.
- Devices, not data centers, must drive cybersecurity strategies today. An important driver of SASE’s development is the recognition that data centers no longer need to be the hub of enterprise networks; in fact, relying on data centers limits any organization’s ability to remain adaptable. Smarter networks use devices, identified by machine learning algorithms that analyze their usage patterns, as the building blocks of network security.
- Developing a business case for any new digital product or service requires the integration of IT, security, and real-time reporting. Considering how strongly customers expect current and next-generation products to be connected, contextually intelligent, and always on, integrating networks and security is an essential part of crafting a compelling business case. It has become table stakes for future new product development.
SASE Identity-Centric Architecture Definition
Given the business case for SASE and its foundational role for the next generation of connected smart products and contextually intelligent services, the components that make up the framework need to be explored. Since its introduction last year, dozens of vendors have claimed they are already fully SASE compliant, many without understanding the framework in depth. In my opinion, the key components of SASE identity-centric architecture include:
- Cloud-native microservices architecture capable of managing policy-based contexts for users, devices, and applications. A true SASE architecture will be able to scale and support identities and credentials, treating them as the new security perimeter of an organization. The architecture will also provide real-time risk and trust ratings, role definitions, location, time, and device profile data, analyzed in real time using learning algorithms to assess and quantify risk. Above all, the microservices architecture should be built so that API-based cloud-to-cloud integration is possible with minimal development effort. I think Infoblox, one of the leading network service providers, has led the way in this regard, having invested in the BloxOne cloud-native platform for containerized microservices over the past few years.
- Defining identities as security perimeters and keeping them in the context of resource requests, including real-time cloud application access. This is one of the true tests of any SASE compliance claim, as it requires real-time orchestration between networks and network security components. When a provider accomplishes this correctly, the network can give anyone, anywhere, the same access privileges, security, and access to applications and resources as a co-worker located in the head office.
- SD-WAN integration adaptive enough to enable ZTNA-based least-privilege access to remote sites while providing real-time system availability. An integral part of SASE’s identity-centric architecture, SD-WAN is essential for the framework to deliver the many benefits for which it was designed.
- Real-time network activity monitoring tied to role-level Zero Trust Network Access (ZTNA) entitlements. While Gartner lists ZTNA as one of many components of its Network Security as a Service, I believe it’s critical to treat identity as the new security perimeter. ZTNA lets every device, location, and session reach the application and network resources it is entitled to, and it makes a true zero-trust approach to granting least-privileged access work. Vendors who claim to have a true SASE architecture must include ZTNA for the whole strategy to work.
- The ability to combine data from all elements of the SASE architecture, identify sensitive data, and then scale ZTNA least-privilege access at the role level. Another good test of whether a vendor has a true SASE architecture is whether the data it generates can be used to fine-tune least-privilege access. This reflects how well data policies interpret and act on the quality of security data. Understanding sensitive data in applications, databases, and cloud-based platforms requires APIs that inspect the data and can classify and analyze it to continuously adjust the resilience of the architecture.
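The components above describe an identity-centric policy decision: the identity, its role-level entitlements, and the live context (device posture, location, time, session strength, risk rating) together decide whether a resource request is allowed, stepped up, or denied. The following is an added example, not code from the article or from any SASE vendor, of such a decision function with an audit record per decision; every role, resource, country list, threshold, and sample request in it is constructed for illustration.

```python
"""Context-aware, identity-centric access decisions (ZTNA-style policy engine).

Added example, not code from the article or any SASE vendor. It models the
components listed above: identity plus device, location, time and risk context
as the perimeter, explicit role-level least-privilege entitlements, step-up
authentication for elevated risk, and an audit record per decision. Every role,
resource, country list, threshold and request below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"  # grant only after stronger authentication
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    identity: str
    roles: frozenset
    device_managed: bool   # enrolled in device management
    device_patched: bool   # current OS / agent patch level
    country: str
    mfa_verified: bool     # MFA completed in this session
    when: datetime         # request time, timezone-aware


# Hypothetical role-level entitlements: role -> resource -> permitted actions.
# Anything not listed is denied (default deny).
ENTITLEMENTS = {
    "sales": {"crm": {"read", "write"}, "quotes": {"read"}},
    "finance": {"ledger": {"read", "write"}, "quotes": {"read", "write"}},
    "engineer": {"repo": {"read", "write"}},
}
SENSITIVE = {"ledger", "quotes"}          # resources classified as sensitive data
ALLOWED_COUNTRIES = {"US", "CA", "GB", "DE"}
STEP_UP_THRESHOLD, DENY_THRESHOLD = 25, 60


def risk_score(ctx: Context) -> int:
    """Additive risk rating from device posture, location, time and session state."""
    score = 0
    if not ctx.device_managed:
        score += 40
    if not ctx.device_patched:
        score += 20
    if ctx.country not in ALLOWED_COUNTRIES:
        score += 30
    hour = ctx.when.astimezone(timezone.utc).hour
    if hour < 6 or hour >= 22:                     # outside normal working hours
        score += 10
    if not ctx.mfa_verified:
        score += 15
    return score


def entitled(ctx: Context, resource: str, action: str) -> bool:
    """True if any of the identity's roles explicitly grants action on resource."""
    return any(action in ENTITLEMENTS.get(role, {}).get(resource, set())
               for role in ctx.roles)


def decide(ctx: Context, resource: str, action: str) -> tuple[Decision, str]:
    """Evaluate one access request; returns the decision and the reason for it."""
    if not entitled(ctx, resource, action):
        return Decision.DENY, "no role grants this action on this resource"
    if resource in SENSITIVE and not ctx.device_managed:
        return Decision.DENY, "sensitive resource requires a managed device"
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return Decision.DENY, f"risk score {score} exceeds deny threshold"
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP, f"risk score {score} requires step-up authentication"
    if resource in SENSITIVE and action == "write" and not ctx.mfa_verified:
        return Decision.STEP_UP, "writing sensitive data requires MFA in this session"
    return Decision.ALLOW, f"entitled, risk score {score}"


def audit_record(ctx: Context, resource: str, action: str) -> dict:
    """Structured event for the real-time monitoring pipeline (one per decision)."""
    decision, reason = decide(ctx, resource, action)
    record = asdict(ctx)
    record["when"] = ctx.when.isoformat()
    record["roles"] = sorted(ctx.roles)
    record.update(resource=resource, action=action, risk=risk_score(ctx),
                  decision=decision.value, reason=reason)
    return record


# Constructed sample requests (14:00 UTC is treated as business hours).
_NOON = datetime(2020, 3, 2, 14, 0, tzinfo=timezone.utc)
_NIGHT = datetime(2020, 3, 2, 23, 30, tzinfo=timezone.utc)
COFFEE_SHOP_REP = Context("rep@example.com", frozenset({"sales"}), True, True, "US", True, _NOON)
FINANCE_BYOD = Context("cfo@example.com", frozenset({"finance"}), False, True, "US", True, _NOON)
FINANCE_NO_MFA = Context("cfo@example.com", frozenset({"finance"}), True, True, "US", False, _NOON)
ENGINEER_RISKY = Context("dev@example.com", frozenset({"engineer"}), True, False, "XX", True, _NIGHT)

if __name__ == "__main__":
    for ctx, res, act in [(COFFEE_SHOP_REP, "crm", "read"), (COFFEE_SHOP_REP, "ledger", "read"),
                          (FINANCE_BYOD, "ledger", "read"), (FINANCE_NO_MFA, "quotes", "write"),
                          (ENGINEER_RISKY, "repo", "read")]:
        rec = audit_record(ctx, res, act)
        print(f"{rec['identity']:16} {res:7} {act:5} -> {rec['decision']:12} ({rec['reason']})")
```

The ordering of the checks is the point: entitlement is evaluated first so that a request with no role-level grant is denied regardless of how trustworthy the context looks, and the managed-device requirement for sensitive data is an absolute rule rather than a risk contribution. The sales rep in the coffee shop on a managed, patched, MFA-verified phone gets the same decision for CRM access as they would at the head office, because location only enters through the country check and the risk score, not through a network perimeter.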
With the majority of work now being done outside organizations, SASE Identity-Centric Architecture is timely in its design, especially in the areas of technology integration and network security. The future of digital business relies on connected, contextually intelligent, real-time products and services that enhance and add value to customer experiences. The disconnect between IT and security needs to be bridged so that existing and new digital business models can flourish and grow.