November 18, 2021
Understand Your Existing Security Components When Adopting SASE
Implementing a SASE strategy requires knowledge of your current cybersecurity platform.
With cyberthreats continuously evolving, organizations are under increasing pressure to keep up, often requiring them to implement quick fixes to combat attacks. Secure access service edge architecture aims to enforce consistent security measures and stay ahead of shifting threats.
SASE combines several technologies — including Software as a Service (SaaS), cloud-based services, endpoint security and zero-trust network access — with WAN technology to help users securely connect to an organization’s network wherever they are. SASE removes the need for users to connect to the organization’s data center and instead delivers a secure network connection as a cloud-based service.
To implement SASE effectively, it’s crucial for an organization to proactively assess its current cybersecurity platform before implementing SASE architecture.
40%
The percentage of enterprises that will have concrete SASE plans by 2024
Source: AvidThink, “SASE-y WAN — A Kaleidoscopic View” (PDF), 2021
Security Components
Organizations adopting a SASE strategy should begin with an inventory of their existing cybersecurity controls. It is likely that they have already deployed many of the core technologies that make SASE possible and may use those components in their SASE programs with some reconfiguration or upgrades. While some organizations may need to acquire new solutions to fill the gaps in their current cybersecurity program, it’s likely they can begin with the technologies they have and then add on new capabilities as their SASE program evolves.
Secure web gateway (SWG; web proxy): Many modern threats gain their initial foothold on endpoints by deceiving end users into visiting malicious websites and downloading content that compromises the security of their systems. Secure web gateway technology seeks to mitigate these threats by inspecting end-user web activity and applying a consistent set of security policies to enforce safe browsing habits at the endpoint.
SWG solutions serve as web proxies, inserting themselves between end users and the web servers they wish to access. This intermediary approach allows the SWG to perform three core security tasks for all web requests from users: First, each request is subjected to URL filtering that confirms that the request is not for a web page known to host malicious content or other content that violates the organization’s filtering policies. Second, SWGs provide SSL/TLS inspection capabilities that allow them to peer inside otherwise encrypted content. Finally, these solutions provide malware detection with sandboxing capabilities that examine the actions and intent of executable software before it reaches end-user devices. SASE solutions build this SWG capability directly into the bundle of services provided to users, automating the deployment of SWG functionality.
Cloud-delivered outbound firewall: While SWGs play a crucial role in protecting users from malicious network traffic, it’s important to remember that not all network traffic uses the web. Cloud-delivered outbound firewalls provide a robust filtering service for other ports and protocols, protecting the organization with the ability to write context-specific rules for the types of network activity permitted from different endpoints. These rules may apply to the entire organization or may be dynamically modified based on contextual circumstances, such as a user’s role in the organization or the application being used.
Traditional firewalls focus on the legacy model of building walls around protected networks and controlling inbound traffic. Outbound firewalls are better suited to SASE deployments because they focus on protecting traffic from dispersed endpoints and filtering their outbound traffic to the internet.
Intrusion prevention systems: Intrusion prevention systems provide another layer of network security, analyzing traffic to and from endpoints for signs of malicious activity that might escape the notice of a firewall or SWG. IPS platforms combine signature detection techniques that look for known patterns of malicious activity with behavioral analysis technology that watches for activity deviating from normal baselines. Suspicious activity is automatically blocked before reaching endpoints. This approach stops distributed denial of service attacks, blocks command-and-control traffic associated with botnets and ransomware, and halts application attacks such as buffer overflows, SQL injection and cross-site scripting.
Domain Name System security and control: The DNS serves as a crucial backbone of the internet, allowing systems to determine the correct IP addresses associated with each domain name. SASE solutions incorporate DNS security tools that use this centralized lookup service as a policy enforcement point. SASE endpoints receive DNS service through a trusted, secure DNS server as part of their cloud-delivered bundle of network services. That DNS service, in turn, provides filtering capabilities by redirecting requests for known malicious sites, protecting against both user error and the automated activity of malware. This capability provides an added layer of protection against phishing attacks, botnets, ransomware and other malicious software.
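As an added illustration (not code from the article or from CDW), the following Python sketches the decision a filtering DNS service makes for each query: a name whose domain or parent domain is on a blocklist is answered with a sinkhole address instead of its real address, and the decision is written to an audit line. The blocklist, the upstream answers and the sinkhole address are constructed placeholders using documentation-range IPs.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed placeholder: sinkhole address in the TEST-NET-1 documentation range.
SINKHOLE_IP = "192.0.2.1"

# Constructed blocklist standing in for a threat-intelligence feed of malicious domains.
BLOCKLIST: Set[str] = {"bad-example.test", "phish-example.test"}

# Constructed answers standing in for a real upstream resolver (TEST-NET-1 addresses).
UPSTREAM: Dict[str, str] = {"www.example.com": "192.0.2.10"}


@dataclass
class Decision:
    qname: str
    action: str            # "allow" or "block"
    answer: Optional[str]  # address returned to the client, None for NXDOMAIN
    reason: str


def normalize(qname: str) -> str:
    """Lower-case the name and drop a trailing dot so lookups are canonical."""
    return qname.rstrip(".").lower()


def is_blocked(qname: str, blocklist: Set[str]) -> bool:
    """True if the name or any parent domain is listed, matching on label
    boundaries so that 'notbad-example.test' does not match 'bad-example.test'."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(qname: str, blocklist: Set[str] = BLOCKLIST,
            upstream: Dict[str, str] = UPSTREAM) -> Decision:
    """Apply the filtering policy before consulting the upstream resolver."""
    name = normalize(qname)
    if is_blocked(name, blocklist):
        # Redirect to the sinkhole rather than returning NXDOMAIN: the client
        # lands on a controlled host where the attempt can be logged and a
        # block page shown, whether a user or malware made the request.
        return Decision(name, "block", SINKHOLE_IP, "domain or parent domain on blocklist")
    answer = upstream.get(name)
    if answer is None:
        return Decision(name, "allow", None, "NXDOMAIN from upstream")
    return Decision(name, "allow", answer, "resolved by upstream")


def audit_line(d: Decision) -> str:
    """One log line per decision, suitable for forwarding to a SIEM."""
    return f'dns-filter qname={d.qname} action={d.action} answer={d.answer} reason="{d.reason}"'
```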
Cloud access security brokers: Organizations use dozens, if not hundreds, of cloud services to meet different business needs. Each of these cloud services offers customizable security configurations that allow administrators to restrict user activity. Unfortunately, the proliferation of cloud services makes it extremely difficult for cybersecurity teams to stay on top of the many consoles and tools used to manage those security configurations.
Cloud access security brokers provide a unified platform that allows administrators to centrally configure policies for cloud service use. One common CASB solution is the proxy-based (inline) approach, which monitors and controls traffic between an endpoint and a SaaS system by proxying the HTTP/HTTPS connection. As the CASB monitors the session, it can both log events based on the observed traffic and prevent unauthorized actions.
In another approach, the CASB solution reaches into each of the cloud services used by the organization via its application programming interface and configures the cloud service to enforce that policy.
Both approaches allow SASE administrators to enforce consistent security policies rapidly and effectively.
Data loss prevention: DLP platforms focus on protecting data (rather than systems) from compromise by monitoring outbound network traffic for potentially unauthorized exfiltration of sensitive information. They then step in and block transmissions that would violate security policies, preventing data from being irretrievably lost.
As with other cybersecurity technologies, network-based DLP solutions may be delivered as part of a bundle of cloud security services provided over an end user’s network connection. Traffic that successfully passes through firewalls, SWGs and IPSs may be stopped in its tracks if it contains sensitive information being transmitted nonsecurely or to an unapproved destination.
Remote browser isolation: Some organizations go even further in their SASE approaches and seek to separate users’ browsing activity from their hardware. Instead of launching browsers on local devices where they may be affected by malicious code, remote browser isolation technology provides web browsing to users as a service over the internet.
In an RBI deployment, users see a familiar web browsing interface and can navigate to any website that meets the organization’s security policy. However, the user’s computer doesn’t run the browser and never interacts directly with the remote website. Instead, the user controls a web browser installed on the RBI platform. This approach provides a degree of separation, isolating the endpoint from any ill effects of browsing the web.
Story by:
Robert Herriage, a solution architect team lead with the CDW enterprise networking group, focusing on SD-WAN and SASE. He has been in the IT industry for more than 20 years, having worked as an engineer for a large retail customer, as a consulting engineer and as a pre-sales architect. Robert is a Cisco Certified Internetworking Expert (CCIE) in Cisco routing and switching technologies.
Jack Wang, a principal solution architect for CDW’s secure access service edge (SASE) practice, focusing on solution design and developing strategic relationships with customers as he guides them in their decision-making. He is considered a trusted technology advisor to help grow business. Previously, Jack held positions in cybersecurity and network engineering in various industries. Throughout his career, he has attained CCIE and PCNSE certifications. Jack is also a published author on Cisco technology and a private pilot.
12%
The percentage of organizations that say they will embrace SASE entirely in 2021
Source: netmotionsoftware.com, “The journey to SASE,” Nov. 5, 2021
To learn more about how a cybersecurity assessment can help implement SASE architecture, read the white paper “How SASE Can Improve Security” from CDW.