Today’s IT teams face a common challenge: how to securely enable the growing universe of roaming users, devices, and software-as-a-service (SaaS) apps without adding complexity or reducing end-user performance.
This month we are reposting an article from our technology partner, Cisco Umbrella.
It’s no secret – networking and security have left the building. Even before the major shift to remote working in the first half of 2020, workplaces had already made the transition to a decentralized network architecture, where computing resources are located outside the data center and most enterprise traffic is destined for public cloud services. There are more remote and roaming users than ever before, and as work moves outside the office, so does the need for secure access to enterprise applications and data. To be successful in the cloud era, IT teams need to identify a new approach to control and secure users, apps, devices, and data — anywhere and everywhere they go in the world, and no matter what apps they choose to use.
According to Enterprise Strategy Group research, 32 percent of organizations report that most of their apps are now software as a service (SaaS) based. That number is expected to increase to 60 percent within two years.1 In the past, most organizations would backhaul traffic through MPLS WAN links from remote offices back to the data center to apply security policies before sending the traffic to the public internet.
Today, that centralized approach has become impractical because of the high cost of backhauling traffic over MPLS and the resulting performance issues for both branch locations and roaming users. To overcome these cost and performance issues, some businesses are adopting a more decentralized approach to optimize performance for these users with direct internet access (DIA) paths. But this approach highlights a set of new security challenges.
Gaps in visibility and coverage
Centralized security policies can’t be effectively managed and enforced in a decentralized network. This is because most traffic from branch locations to the cloud and internet doesn’t cross a centralized policy enforcement point. This results in visibility and coverage gaps, which increase the risk of a successful breach or compliance violation.
Volume and complexity of security tools
Security teams already struggle to keep up with cybersecurity threats. Many of them have lots of point solutions that are difficult to integrate and manage. These point products generate thousands of alerts — making it very difficult, if not impossible, for analysts to keep up. As a result, many alerts go untouched.
Limited budgets and security resources
IT and security budgets are already constrained. Deploying multiple, costly point security solutions — such as firewalls, secure web gateways (SWGs), intrusion detection and prevention systems (IDS and IPS), and data loss prevention (DLP) — to multiple locations and remotely managing these solutions with limited security resources is both impractical and ineffective.
Introducing secure access service edge (SASE)
In its August 2019 report, The Future of Network Security Is in the Cloud, Gartner defined the secure access service edge (SASE) concept as “an emerging offering combining comprehensive [wide area network] capabilities with comprehensive network security functions (such as SWG, [cloud access security broker], [firewall as a service] and [zero trust network access]) to support the dynamic secure access needs of digital enterprises.”2
The SASE concept consolidates numerous networking and security capabilities and functions — traditionally delivered in multiple, siloed point solutions — in a single, fully-integrated cloud-native platform. This approach delivers some key benefits that are critical for organizations that need to address the modern networking and security challenges of an increasingly cloud-first, distributed, mobile, and global workforce.
Here are four key characteristics of digitally transformed organizations that are laying the groundwork for this new concept:
Identity-centric
Gartner suggests that “digital business transformation inverts network and security service design patterns, shifting the focal point to the identity of the user and/or device — not the data center.”3
Cloud-native
Gartner describes modern digital enterprises as having “[m]ore sensitive data located outside of the enterprise data center in cloud services than inside” and “[m]ore user traffic destined for public cloud services than to the enterprise data center.”4
Edge computing
To support the SASE concept, Gartner describes a “worldwide fabric/mesh of network and network security capabilities that can be applied when and where needed to connect entities to the networked capabilities they need access to.”5
Globally distributed
Gartner describes the need for an “intelligent switchboard” where “identities are connected to networked capabilities via the SASE vendor’s worldwide fabric of secure access capabilities.”6
Start your SASE journey
Remember: SASE isn’t a product, a company, or a solution. It’s a broad concept that invites you to think differently about how networking and security work together in the cloud era. Two major SASE concepts are consolidation and simplification, so it makes sense to chart a course that includes both networking and security elements from a single vendor.
1 Enterprise Strategy Group, The Rise of Direct Internet Access,2018
2 Gartner, The Future of Network Security is in the Cloud, 2019
3 Gartner, The Future of Network Security is in the Cloud, 2019
4 Gartner, The Future of Network Security is in the Cloud, 2019
5 Gartner, The Future of Network Security is in the Cloud, 2019
6 Gartner, The Future of Network Security is in the Cloud, 2019
This article How to address cybersecurity challenges in the cloud era with SASE was originally posted by Lorraine Bellon October 13, 2020 on the Cisco Umbrella blog page.
To find our more about Cisco Umbrella’s SASE and SWG solutions and to set up a free trial and get it deployed in under 30 minutes with a full management summary within 4 weeks, visit our DNS Security page.