Bottom line: Identities are the new security perimeter, making the integration of network technologies and security essential for any organization.
At the recent RSA Conference, the cybersecurity industry showed many smart, connected, next-generation products coming to market, along with the services that support them. For those products and services to succeed, the organizations creating them need tighter integration between network technology and security. Employees, suppliers, service teams and, most importantly, customers all need anytime, anywhere, real-time access to cloud applications, platforms and services. Add sky-high customer expectations for network speed and low latency, and enterprises begin to see the perfect conditions for a new approach to network technology and security.
Demystifying cybersecurity networks in 2020
Gartner, the world’s leading research and advisory company, has observed a new trend of converging network services and cybersecurity technology. That trend has become so prevalent that in the last year Gartner coined the name Secure Access Service Edge (SASE) to describe it. According to Gartner, “the secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises,” delivered primarily as a cloud-based service. (Gartner, “The Future of Network Security Is in the Cloud,” by Neil MacDonald, Lawrence Orans, and Joe Skorupa, published Aug. 30, 2019.) The security functions named in that definition are the secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS) and zero trust network access (ZTNA).
Executives identified the following factors that are accelerating SASE evaluation and adoption across enterprises today:
- The best digital business models adapt and flex in real time to customer requirements, unrestrained by branch office locations. SASE’s design responds to the rise of highly distributed enterprises and the strain they place on on-premises systems. With SASE, a sales representative closing a deal from a smartphone in a coffee shop has the same application availability and security as one sitting in headquarters. SASE is designed to flex and treat every identity as a new security perimeter. This is why Gartner included Zero Trust Network Access (ZTNA) in the framework: ZTNA grants access per identity and per application rather than per network location, which is what protects the proliferating endpoints of a growing digital business.
- Devices, not data centers, need to drive cybersecurity strategies today. A large driver in the development of SASE is the recognition that data centers no longer need to be the hub of the network; in fact, relying on data centers constricts the ability of any organization to stay adaptable. Smarter networks use devices and their identities, with usage patterns analyzed by machine-learning algorithms, as the building blocks of network security.
- Building a business case for any new digital product or service requires IT, security and real-time reporting to be integrated. Considering how connected, contextually intelligent and always-on customers expect current and next-generation products to be, integrating networks and security is an essential part of building a compelling business case. It’s become table stakes for the future development of new products.
Defining the SASE Identity-Centric Architecture
Given the business case for SASE and its foundational role for the next generation of smart, connected products and contextually intelligent services, the components that compose the framework need to be explored. Since its introduction last year, dozens of vendors have claimed that they are already fully SASE-compliant, many without understanding the framework in depth. In my opinion, the key components of the SASE Identity-Centric Architecture are the following:
- Cloud-native microservices architecture capable of handling policy-based contexts for users, devices and applications. A true SASE architecture will be able to scale and support identities and credentials, treating them as the new security perimeter for an organization. It will also provide real-time risk and trust assessments, evaluating role, location, time and device profile data with machine-learning algorithms to quantify risk for each access request. Above all, the microservices architecture needs to be constructed so that API-based cloud-to-cloud integration is possible with minimal development effort. Infoblox, a leading network services provider, has led the way in this regard, having invested in the cloud-native BloxOne platform for containerized microservices over the past several years.
- Define identities as security perimeters and keep them in context relative to resource requests, including real-time cloud application access. This is one of the true tests of any claim of SASE compliance, as it requires real-time orchestration between network and network-security components. When a vendor can properly accomplish this, the network can give anyone, anywhere the same access privileges, security, application and resource access as a colleague located in an office at headquarters.
- SD-WAN integration that is adaptive enough to enable remote locations least-privilege access based on ZTNA while providing real-time system availability. Integral to the SASE Identity-Centric Architecture, SD-WAN is essential for the framework to deliver the many benefits it’s designed for.
- Real-time network activity monitoring combined with Zero Trust Network Access (ZTNA) access privilege rights down to the role level. While Gartner lists ZTNA as one of many components in its network security-as-a-service category, I believe it is essential to treating identity as the new security perimeter. ZTNA makes it possible to evaluate every device, location and session before granting access to specific application and network resources, so that a true zero-trust approach of granting least-privileged access can work; no device or session gets blanket access to everything simply because of where it connects from. Vendors claiming to have a true SASE architecture need this for the entire strategy to work.
- The ability to combine data from all elements in the SASE architecture, identify sensitive data, and then adapt ZTNA least-privilege access at the role level. Another excellent test of whether a vendor has a true SASE architecture is whether the data it generates can be used to fine-tune least-privilege access. This reflects how well the architecture’s data policies can interpret and act on the security data it collects. Understanding sensitive data in cloud-based applications, databases and platforms requires APIs that inspect data and can classify and analyze it to continually fine-tune the architecture’s resiliency.
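To make the identity-centric components above concrete, here is an added example (my own illustration, not Infoblox code or anything from the Gartner report) of a minimal ZTNA-style policy evaluator. It decides access per application from identity, role, device posture, MFA state and time of day, and deliberately never consults the source network, so the coffee-shop request and the headquarters request get the same answer. The applications, roles, risk weights and thresholds are hypothetical, and the requests at the bottom are constructed sample input.

```python
"""Minimal identity-centric access policy evaluator (constructed illustration).

Evaluates an access request against per-application policy using identity,
role, device posture and time as context, and returns a decision that does
not depend on whether the request originates inside the corporate network.
All names, applications, weights and thresholds below are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in MDM / presents a device certificate
    patched: bool         # OS and agent at a compliant patch level
    disk_encrypted: bool


@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    device: Device
    application: str
    source_network: str   # "hq", "branch", "internet"; informational only
    hour_utc: int         # 0-23


# Hypothetical per-application policy: roles allowed to use the app, the risk
# score above which a step-up (re-authentication) is demanded, and the score
# above which the request is refused outright.
APP_POLICY = {
    "crm":     {"roles": {"sales", "sales-manager"}, "step_up_above": 40, "deny_above": 70},
    "payroll": {"roles": {"finance"},                "step_up_above": 20, "deny_above": 50},
    "wiki":    {"roles": {"employee"},               "step_up_above": 60, "deny_above": 90},
}


def device_risk(d: Device) -> int:
    """Additive risk contribution from device posture (hypothetical weights)."""
    score = 0
    if not d.managed:
        score += 50
    if not d.patched:
        score += 20
    if not d.disk_encrypted:
        score += 15
    return score


def session_risk(req: AccessRequest) -> int:
    """Risk from identity and time-of-day context. source_network is
    deliberately not consulted: being on the HQ LAN earns no trust."""
    score = 0
    if not req.identity.mfa_verified:
        score += 30
    if req.hour_utc < 6 or req.hour_utc > 22:   # off-hours access
        score += 15
    return score


def evaluate(req: AccessRequest):
    """Return (decision, risk, reason); decision is 'allow', 'step-up' or 'deny'."""
    policy = APP_POLICY.get(req.application)
    if policy is None:
        return ("deny", 0, "unknown application")          # default deny
    # Least privilege: the role must be explicitly granted for this application.
    if not (req.identity.roles & policy["roles"]):
        return ("deny", 0, f"role not authorized for {req.application}")
    risk = device_risk(req.device) + session_risk(req)
    if risk > policy["deny_above"]:
        return ("deny", risk, "risk above deny threshold")
    if risk > policy["step_up_above"]:
        return ("step-up", risk, "risk above step-up threshold")
    return ("allow", risk, "policy satisfied")


if __name__ == "__main__":
    # Constructed sample requests: same user, different device, network, app.
    alice = Identity("alice", frozenset({"sales", "employee"}), mfa_verified=True)
    laptop = Device("lap-01", managed=True, patched=True, disk_encrypted=True)
    byod_phone = Device("ph-77", managed=False, patched=True, disk_encrypted=True)
    for req in (
        AccessRequest(alice, laptop, "crm", "hq", 10),
        AccessRequest(alice, laptop, "crm", "internet", 10),   # coffee shop
        AccessRequest(alice, byod_phone, "crm", "hq", 10),     # unmanaged, on HQ LAN
        AccessRequest(alice, laptop, "payroll", "hq", 10),     # no finance role
    ):
        print(req.application, req.source_network, evaluate(req))
```

The first two requests produce identical "allow" decisions even though one comes from the corporate LAN and the other from the open internet; the unmanaged phone is pushed to step-up authentication despite sitting on the HQ network; and the payroll request is refused because the role was never granted, regardless of how trustworthy the device is. A production ZTNA broker would replace the fixed weights with the real-time risk scoring the article describes, but the shape of the decision, identity and context in, per-application least-privilege out, is the same.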
With the majority of work now occurring outside the corporate network, the SASE Identity-Centric Architecture is timely in its design, specifically in the way it integrates network technology and security. The future of digital business is being built on the foundation of smart, connected, contextually intelligent products and real-time services that enhance and add value to customer experiences. The disconnect between IT and security needs to be fixed so that new digital business models can flourish and grow.