Why SASE Framework is a menu, not a recipe

Who knew that we would miss eating out so much? After months of being forced to peer hopefully into our refrigerators or pick from increasingly uninspiring takeout options, at last we can sit down in a restaurant. Choice is back on the menu for many of us.

It turns out we like making our own choices, and that goes for our work environment as well. So when the next enterprising salesperson comes along and tells you that if you want to implement the secure access service edge (SASE) framework, their products are the only recipe for success, you can dismiss them with the same vigor you use to throw out that pile of takeout menus.

Because if there’s one thing we’ve observed from working with our enterprise customers, it’s that no one has a “secret sauce” recipe for SASE success. Every organization is different, with different priorities for protecting their employees, customers, data, devices, and applications. Businesses are at very different stages of security maturity, network sophistication, cloud adoption, and in-house capability to adopt what is, without doubt, a step change in architecture for unifying networking and security in the cloud.

Our advice is to forget the idea of finding a SASE secret sauce recipe and think of SASE as more of a themed menu of converged technologies, from which you get to choose the ones that will deliver maximum business impact.

Why it’s time to formulate your perfect SASE menu

The only type of normal business that organizations have seen over the past 18 months is the continued escalation in cyberattacks—with 86 percent of organizations experiencing a successful attack this year.^[1] Add this intense continuity risk to the pressures of supporting hybrid working, an exponential shift to the cloud, and accelerated digital transformation projects, and it’s easy to see that IT and security professionals have a lot on their plate. 

Why should there be an appetite for a strategic transformation program such as SASE? The reality is that network modernization and security are essential long-term business differentiators—organizations need a framework that protects productivity by shifting security closer to users, their data, and applications without unpalatable restrictions. And for hard-pressed IT and security professionals, SASE also promises converged, granular visibility and policy management regardless of location or device type. So perhaps it’s unsurprising that industry analyst Gartner predicts that by 2024, at least 40 percent of enterprises will have explicit strategies to adopt SASE, up from less than 1 percent at year-end 2018.

If that whets your appetite to get a seat at the SASE table, then it’s time to create your own deployment menu.

What’s on the SASE menu? A convergence of technology tastes and talents

When you start to scan the SASE menu, the individual items—secure web gateway (SWG), cloud access security broker (CASB), Zero Trust network access (ZTNA), cloud data loss prevention (DLP), Firewall-as-a-Service (FWaaS), and SD-WAN—will not be a surprise. What is new is planning how these core, consolidated services can be brought into balance with each other.

Some organizations may have started their architecture change with an investment in CASB because their organization relies heavily on SaaS platforms, but often the first pick on the menu is deploying a SWG that’s designed for the cloud and supports Software-as-a-Service (SaaS) applications by default. When you’re choosing the right SWG for your organization, it’s important to apply a SASE lens and choose a solution that converges all SWG capabilities into a single cloud-native platform—including CASB, DLP, RBI, proxy, FWaaS, and private access—and that provides extensible APIs and access to a single interface for policy management, reporting, and threat analytics.

The right SWG gives organizations a positive taste of SASE—providing protection from sophisticated web-based cyberthreats, enabling full visibility and control into web and cloud app usage to help prevent data leaks, and giving users unimpeded access to the web so they can do their jobs without having security bump up against them.

But SASE is much more than a technology refresh. To be successful, it requires network and security specialists to sit at the same table and share their talents, as well as focus on technology convergence. SASE creates a shared appetite for managing risk and empowering business. When  combined with the application of Zero Trust principles—applied wherever data is flowing, being used, or controlled—this new partnership between network and security specialists will drive availability and business resilience. Trust will be required, and ironically, Zero Trust is part of this redesign that’s required to meet the changing needs of every business.

Zero Trust and SASE: The perfect pairing

A SASE approach shifts security to the cloud—closer to apps, users, and data—but it will not fulfill its promise without a fundamental change to an organization’s detect-and-remediate controls. In order to outsmart threats and liberate users, cybersecurity teams are seeking to fundamentally change the way they protect the enterprise from malicious threats on the Internet.

Part of the SASE mantra is simplification, but this doesn’t mean making things easier for cyberattackers. Our reliance on the Internet can make it too easy for bad actors to customize phishing themes based on social engineering research, infect trustworthy sites through malvertising, or spin up fake login forms to maximize their chances of infection. And even if an attack is detected, one simple code change makes the attack virtually undetectable again. Cybersecurity teams are constantly playing catchup, patching holes in the network, and hoping that one of the cracks doesn’t result in a damaging breach.

Developing an effective Zero Trust mindset means that all content is regarded as suspect and subject to enterprise security controls. But to do this without offending another SASE rule—that of scalability—requires a central framework that provides complete visibility and control over web-based traffic, making it instantly available to any user in any location around the globe. To achieve this, organizations need web isolation. When deployed correctly, isolation is like salt in your meal—invisible but making all the difference. Isolation works behind the scenes to prevent online attacks from malware, phishing, and other attack vectors without impairing user productivity.

The value of SASE

Forward-looking organizations that want to take advantage of accelerated cloud adoption will be curating their own SASE menu of technology and process improvements to build smarter, more secure networks. Security and network teams will:

• Taste productivity gains. The SASE focus on technology convergence aims to simplify the management of security tools—delivering enhanced central visibility and control to reduce demands on security teams. For the business, consistent policy control across all devices from the edge to the cloud also offers limitless scalability and flexibility for employees to work how and where they need to.

• Invite more people to the table. As well as technology convergence, SASE requires greater collaboration. Not only between network and security specialists, but also with the right solution partners to create an architecture fit for future business. SASE puts security in the cloud, which enables better relationships between security teams and users who no longer have to experience any barriers—improving their experience and avoiding the need for those security workarounds.

• Create a mix of satisfying integrated controls. SASE offers new levels of networking and security integration, increasing the potential to prevent data loss, provide dynamic secure access, and protect against advanced threats across an organization’s systems. For example, by converging SWG and CASB, organizations can create a central aggregation point for all traffic flows. This is a satisfying place to establish deep visibility and policy into cloud apps in order to apply nuanced policies and granular policy controls that go beyond just allowing or blocking applications or traffic. And where there is potential risk—risk of data loss, risk of downloading malware, risk of oversharing—security teams can implement deeper controls around that cloud app usage from the SWG, since it provides visibility into all that traffic.

According to ESG, a logical starting point for the journey to SASE is to focus on eliminating attacks on users by targeting where they spend most of their working day—in a web browser. To learn more about taking a phased approach to implementing the SASE framework, download this ESG white paper.

[1] 2021 Cyberthreat Defense Report