FOUR PILLARS OF SASE
Understanding Secure Access Service Edge

JANUARY 2020
Prepared by: Michael Ferguson, Netskope


THE PROBLEMS EVOLVED

In 2018 Gartner coined the term “Secure Access Service Edge”, or simply SASE, pronounced Sassy, and it was spoken of as the new frontier in Cyber Security. Since then everyone has been working to understand what’s meant by SASE, what is required of a SASE, and where can I buy a SASE!? With any new Gartner acronym comes a wave of excitement, eye rolling, and confusion. Therefore, we need to help explain what changes have taken place in the way businesses operate today, so that we can understand what problem sets a Secure Access Service Edge is there to solve.

A NEW SECURITY METHODOLOGY

SASE at its core is simply a methodology for delivering your entire Network Security stack from outside the traditional perimeter. We need this new entity to deliver the “entire” Security Stack from outside a traditional perimeter, because for years that perimeter has been disintegrating. Year on year the number of users who decide to work from outside the office grows, whether at home, on the bus, or in the pub, and on an increasingly diverse array of technology types: MacBooks, Surface Pros, Chromebooks, iPhones, Android smartphones. It has become almost impossible to expect the traditional NGFWs or proxies to see this traffic, let alone understand the new traffic types if they do.


THE CENTER OF DISTRIBUTED CHAOS

See, our business services, applications and data are no longer found at a centralized location, i.e. inside our networks. Instead our networks have evolved into a segmented network of Private and Custom applications, SaaS, PaaS and IaaS. And there are literally 10s to 100s of thousands of Apps to choose from, which just makes the complexity seem bottomless!

However, whilst there are lots of options, the biggest players in SaaS and IaaS are all well known, and are accessible via a single well-known URL: drive.google.com, dropbox.com, aws.amazon.com. Every business in the world has to use the same URL to access its private instance of a large shared application. How can a traditional web proxy, built 20 years ago to look at HTTP traffic and GET requests, distinguish between each of those various instances?

So our users are highly distributed, our network of services is highly distributed across multiple geographical areas, and yet it’s still our role to maintain High Availability, Confidentiality, and Integrity of our data and business services. Therefore, the SASE Security Cloud has to sit in the middle of all this distribution and provide all our security controls, and these are the four pillars each SASE should provide.


The four pillars (figure): Next Gen Web Proxy; Cloud Access Security Broker; Zero Trust VPN; Network as a Service.


NEXT GEN WEB PROXY

In the last 5 years the internet has evolved dramatically; we no longer use our internet connections just to access websites and check the news. We use the internet to access and leverage our critical business services and data. Therefore, the mechanism at the center of this new SASE Security Cloud has to be the internet gateway, the Web Proxy, or SWG. It's the tool we tunnel all our internet traffic through, but this traffic has evolved into something more: it's the connection to our critical business services. This means that whilst the Web Proxy has to be the mechanism for controlling this traffic, the web proxy will need to evolve as well.

Cloud apps offer an array of services and activities that allow our businesses to be diverse and competitive in our own marketplaces, but they are not all built to the same standard. Therefore any Next Gen SWG must include a huge compliance library of Cloud Applications that provides a Cloud Confidence Index variable for easy understanding of the risk. Fortunately for us, these cloud applications are also built on a type of underlying code that can tell us the actual Instances of the application, and the Activities that users are doing inside them: API calls and JSON strings.


Figure: Top security concerns SOC teams are struggling with: 52% data privacy / confidentiality; 51% data loss / leakage.


Given less than 5% of apps are managed with IT administration rights, and a fraction of those are corporate instances, protecting the data flowing into unmanaged and non-corporate instances of apps becomes the elephant in the room for cloud SWG deployments. Being able to decode this API/JSON language is a critical capability of a Next Generation SWG solution, as we want to distinguish between corporate instances and all other instances of the same application. This drives the convergence of SWG, CASB, and DLP inline capabilities into a single Next Generation Web Proxy to deliver complete visibility and granular policy controls into thousands of apps.

As we can no longer rely on Group Policy and Active Directory to control the things we do inside our sophisticated critical business services, the Next Gen SWG part of your SASE Security Cloud needs to be able to deliver the same level of activity-based controls inside your Cloud Applications as granular policy controls. The shutdown activity on an EC2 server in the production instance of AWS may not make sense, but in the Development instance it might. The same can be said for who can Delete files out of your Corporate instance of OneDrive. Activity-level control is critically important, and your Next Gen SWG has to be the mechanism to deliver this.
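The instance-aware, activity-level policy described above, as an added illustration that is not Netskope's code and uses no vendor's schema: constructed events (hypothetical host, tenant and JSON body fields) are decoded into app, instance and activity, then first-match rules block uploads into personal instances, block EC2 shutdowns in the production account, and restrict OneDrive deletes in the corporate instance to one named user.

```python
import json

# Constructed sample events, shaped like what an instance-aware proxy might recover from a
# decoded cloud-app API call: host, tenant, JSON action body. Field names are hypothetical.
SAMPLE_EVENTS = [
    {"user": "alice@corp.example", "host": "drive.google.com", "tenant": "corp.example",
     "body": '{"action": "upload", "file": "q1-forecast.xlsx"}'},
    {"user": "alice@corp.example", "host": "drive.google.com", "tenant": "gmail.com",
     "body": '{"action": "upload", "file": "q1-forecast.xlsx"}'},
    {"user": "bob@corp.example", "host": "ec2.amazonaws.com", "tenant": "prod-acct",
     "body": '{"action": "StopInstances"}'},
    {"user": "bob@corp.example", "host": "ec2.amazonaws.com", "tenant": "dev-acct",
     "body": '{"action": "StopInstances"}'},
    {"user": "carol@corp.example", "host": "onedrive.live.com", "tenant": "corp.example",
     "body": '{"action": "delete", "file": "contract.pdf"}'},
    {"user": "dave@corp.example", "host": "onedrive.live.com", "tenant": "corp.example",
     "body": '{"action": "delete", "file": "contract.pdf"}'},
]
# Tenants the organisation owns; any other tenant is a personal / non-corporate instance.
CORPORATE_TENANTS = {"corp.example", "prod-acct", "dev-acct"}

# Rules are (host, instance, activity, user, verdict); "*" matches anything.
# First matching rule wins; traffic matching no rule is allowed.
RULES = [
    ("*", "personal", "upload", "*", "block"),                              # no uploads into personal instances
    ("ec2.amazonaws.com", "prod-acct", "stopinstances", "*", "block"),      # no shutdowns in production
    ("onedrive.live.com", "corp.example", "delete", "carol@corp.example", "allow"),
    ("onedrive.live.com", "corp.example", "delete", "*", "alert"),          # anyone else deleting: alert
]

def decode(event):
    """The proxy's API/JSON decoding step: (host, instance label, activity)."""
    action = json.loads(event["body"]).get("action", "unknown").lower()
    instance = event["tenant"] if event["tenant"] in CORPORATE_TENANTS else "personal"
    return event["host"], instance, action

def decide(event):
    """Return the verdict of the first rule matching the decoded event."""
    host, instance, activity = decode(event)
    fields = (host, instance, activity, event["user"])
    for *pattern, verdict in RULES:
        if all(p in ("*", f) for p, f in zip(pattern, fields)):
            return verdict
    return "allow"

def evaluate(events=SAMPLE_EVENTS):
    """Verdict for each event, in order."""
    return [decide(e) for e in events]
```

The same user, app and activity yield different verdicts purely on instance, which is the distinction a URL-only proxy cannot make.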



CLOUD ACCESS SECURITY BROKER

The SASE Cloud should provide an ongoing view of your cloud application usage by leveraging information provided by the NG-SWG along with standard compliance checks, like the Cloud Security Alliance’s Cloud Controls Matrix, to assess the enterprise readiness of cloud services. This serves as a guidepost to mitigate risk, influence usage and reduce costs for the cloud services in your organization. The SASE Security Cloud should also allow you to run ad hoc queries and dynamic reports in real time for custom reporting needs. UEBA capabilities should allow you to identify anomalous behaviour such as data exfiltration or compromised credentials.

Your SASE Security Cloud should also be able to utilize a key component of the CASB to scan the data at rest inside your Corporate Instances of your Sanctioned applications, to check for any misconfiguration issues or compliance violations. Leveraging the public APIs of critical Cloud Applications, your CASB can make a private connection to your specific instance and check whether data types important to your business or region in your SaaS apps have been shared with the wrong people, and whether or not your resources inside your private IaaS environment have been configured to the necessary compliance standards. Reporting and Auto-Remediation of your cloud apps and infrastructure by your CASB can ensure that your new Cloud Application Network is built and configured correctly.


ZERO TRUST VPN

As enterprises adopt a cloud-first or hybrid IT infrastructure, and deploy new workloads in the public cloud or move data center workloads to the public cloud, they need to adopt a modern remote access solution that provides easy and secure access to applications in multiple locations, while reducing the “appliance sprawl” of legacy point-to-point access solutions. Your SASE Security Cloud must include the ability to provide secure access to specific applications in AWS, Azure, and Google public clouds as well as on-premises data centers, and help enterprises comply with regulations such as HIPAA, PCI-DSS and GDPR. Unified SASE Desktop Clients that steer both VPN and Web Traffic to your SASE Cloud ensure reduced complexity and interoperability across all requirements.


YOUR ZERO-TRUST VPN SHOULD:

- Provide users with remote access to applications running in the public cloud and private data center environments
- Avoid the need for remote users to VPN through the corporate network to gain access to private applications
- Establish the identity of users, and confirm the security posture of devices, before allowing remote access
- Reduce the surface area for attack and decrease business risk by not exposing your private applications to the Internet


NETWORK AS A SERVICE

As enterprises embark on their digital transformation journey and adopt cloud and mobile, their security program needs to evolve to address the shortcomings that exist with legacy security tools. The security tools of yesterday force a trade-off between performance, security, and availability, limiting the scope of what security capabilities can be provided given the lack of an infrastructure that can deliver them reliably and at scale. Your SASE needs to be built on a hyper-scale network infrastructure that will power the security stack controls in the cloud, enabling the delivery of robust security services without forcing a trade-off between performance, security, and availability.

Whilst an increased number of data center locations in your SASE platform is important, it is also critical to address the performance and reliability of the connections to and from that security cloud. Businesses need a fast and reliable on-ramp to the SASE security cloud, and simply steering them over the public internet results in poor performance and unreliable connectivity. The challenge is that the internet is not optimized for performance and scale. Your SASE Security Cloud should address this by implementing the following:

- Interconnect with consumer and commercial last mile providers so that it can directly hand over your critical traffic to those services without relying on the public internet.
- Optimize routing to cloud providers so that wherever your users and executives are in the world, they can still connect effectively to any global service they choose.
- Performance and availability-aware routing so that latency is reduced whilst increasing availability.

All of this should provide your SASE Security Cloud with the performance budget to allow the other key pillars the ability to apply the security controls needed to protect your data inside your new network of Cloud Applications.


SUMMARY

SECURITY IN THE CLOUD WITHOUT A TRADE-OFF

The rapid adoption of cloud apps, services, and mobile devices has resulted in data going to places where traditional security technology is blind. Your SASE needs to take a data-centric approach to cloud security, following data everywhere it goes. From data created and exposed in the cloud to data going to unmanaged cloud apps and personal devices, a SASE protects data and users everywhere.

When it comes to security, performance and scale are often the biggest challenges. Reliance on the public Internet to deliver inline security causes performance challenges, and an appliance-based approach to deploying security does not scale. The SASE Security Cloud should deliver real-time, cloud-native security, without the traditional performance trade-off. As we continue to build one of the world’s largest and fastest security networks, you can be certain your security is always on, always present, and never a roadblock.
