Maksim Kabakou - Fotolia

Security Think Tank: What to find out before investing in SASE

Petra Wenham of the BCS shares her thoughts on what organisations need to consider as they investigate whether or not to invest in secure access service edge technology

SASE is the new acronym on the block, but what is it, and should companies investigate and/or invest in it? SASE stands for secure access service edge, which implies that access security is being provided at the edge of a service, rather than to an IT system or architecture as a whole. That is to say, the services and applications are in a distributed matrix or an internet-based, cloud-provisioned set of services or applications, rather than in a defined datacentre with traditional firewall and security appliances.

The term was coined by Gartner in 2019 and was described as an IT architecture that is cloud-based and where IT services and applications can be distributed across the internet, thus requiring those distributed services and applications to be individually securitised.

But from an enterprise viewpoint, all of those distributed services and applications must be consistently managed in compliance with an enterprise’s security policies and requirements, including regulatory requirements. That implies management from a single centralised location, which means centralised management but with distributed control. Which makes me think of my earlier wide area packet network days and Tymnet II technology.

In organisations that employ a “follow the sun” schedule for network and IT management, a SASE implementation must be able to fully support this type of operation, which might mean one site is established as a master site while others have reduced capabilities.     

So, should companies investigate this technology? Yes, I believe so, because as more “stuff” is being moved into managed internet services (OK, read cloud) and having to deal with more than one set of technologies to set up and manage security, is a move calculated to allow for mistakes that may go unnoticed until it is far too late. SASE is, or rather will become over time, a key element in what is being termed zero-trust, which means any access to any system, application or service must be authenticated, authorised and, preferably, encrypted. 

Investigations into SASE should, as a minimum, look at:

  • Which orchestration and security management technologies are supported by each SASE platform being investigated? Remember that security management should also include key management (public key infrastructures or PKI), as should information security event management (SIEM) or security orchestration and event management (SOAR) systems.
  • What products, systems, services, applications and end-point devices are supported by each SASE platform? Remember that end-point devices might be third-party systems (suppliers, distributors, etc) and/or staff devices that might not be company-supplied or maintained.
  • Are the connections between all systems, services, applications and endpoints encrypted? This is why key management systems are important.
  • Does the SASE platform address identity authentication, authorisation and access management controls?
  • Can identity authentication, authorisation and access management controls be applied consistently and uniformly across all systems, services, applications and endpoints? In some locations, such as a warehouse or a shared building, controlling ports on an Ethernet switch (turning on or off) can be viewed as an access control in some circumstances, as can MAC address locking.

This list is not exhaustive but should form a “starter for 10” for any SASE investigation.

So, what about investment in SASE – do you jump in now or wait until there is more maturity on the market? 

While many security companies are moving towards SASE, only a few have the tools to implement a comprehensive SASE architecture and, at the moment, Microsoft has an edge that few others do, in that it has mature identity authentication and authorisation controls.

Other players I think are worthy of a look include Palo Alto Networks and Broadcom, but there are more.

It’s a difficult call and will depend very much on your organisation’s risk acceptance profile, whether a pilot could be implemented and whether any specific SASE company has the availability of skilled staff to implement and support a full and comprehensive SASE architecture in your organisation.

Read more from the Security Think Tank

Read more on Network security management