Under the SASE Hood: Key Components to Delivering Frictionless, Cloud-Native Security
By Kaushik Narayan, CTO Cloud Business Unit, McAfee
While cloud services deliver on promised savings and convenience, they still remain a challenge to implement securely – as a recent study found that 76 percent of security professionals still find it difficult to maintain secure configurations in the cloud. How is it that something so beneficial can still present such a challenge for today’s leaders?
One reason is that the enterprise perimeter has not only expanded but also pushed the service edge to anywhere business takes you – or employees choose to go. Consequently, many organizations must up-level how they protect cloud-based applications and data. Gartner recommends a Continuous Adaptive Risk & Trust Assessment (CARTA) strategy implemented in a Secure Access Service Edge (SASE) framework to secure the use of cloud applications.
Gartner predicts that by 2024, at least 40 percent of enterprises will have explicit strategies to adopt SASE frameworks. The key business goal of SASE is to protect applications and data in the cloud by building a pervasive edge to safeguard against unwarranted or unapproved access. In turn, the business benefits of SASE are numerous. In addition to increased agility to meet new demands, a SASE solution can eliminate the need for organizations to scramble to implement new cloud services securely, potentially opening the business to threats. Organizations can instead apply consistent data protection and threat prevention policies across their entire spectrum of cloud services, along with the devices and physical sites that access them.
Building a seamless, integrated, and secure network
Organizations no longer have the liberty, time, or resources to research and ultimately implement disparate security tools and solutions for their network. As enterprise workforces continue to operate remotely across the globe, the dispersion of data is promised to increase even more. Maintaining control is of utmost importance as businesses struggle to meet revenue and keep operations moving forward – they may not have the time, funds, or resources to combat a threat or breach.
By combining the components of a Cloud Access Security Broker (CASB), next-gen Secure Web Gateway (SWG), and data loss protection (DLP) technologies, organizations can ensure coverage over distinct control points that deliver a pervasive edge.
- A CASB can provide direct visibility and control over cloud-native interactions that are impossible to broker via a network/man-in-the-middle approach. This not only includes real-time data and threat protection for assets in the cloud but also on-demand scanning to identify both sensitive data and malware. This can include files and messages in applications like Microsoft Teams and structured data objects in business applications like salesforce.com, ServiceNow, Workday, and more.
- A SWG establishes proxy-based visibility and control over web traffic, offering deep awareness of cloud activity and data interactions. This keeps users safe from accidental data loss or malware and delivers the most advanced threat protection against ransomware, polymorphic malware, and other advanced attacks. Because proxy-based SWGs terminate traffic for inspection before sending it to its final destination, they also make an ideal orchestration point for seamlessly layering in new sophisticated threat protection technologies like remote browser isolation.
- A common DLP engine provides device-to-cloud visibility and control over sensitive data on personal or managed devices as well as data residing in, transacted in, or transiting the cloud. Data classifications are set once and shared across all enforcement points for devices, networks, and the cloud.
Enhancing safeguards with SASE
While important, SASE protection needs to be extended beyond user-to-cloud security – otherwise known as “front door” controls. Data also needs to be protected, and threats blocked, across “side doors” in the cloud – namely interconnected cloud applications and services. Finally, protection needs to be extended to the control and management plane “back doors” within the cloud.
SASE provides yet another reassurance here, allowing for continuous and real-time evaluation of risks and data policies.
- Connected application control can enable your architecture to discover (and in turn authorize or deny) third-party marketplace applications or home-grown applications connected to each other via API. For instance, if a sales vice president were to connect and integrate Clari, a sales forecasting mobile application, to Salesforce.com and then pull the Salesforce.com data into Clari, a SASE architecture can discover all such app-to-app connections and apply granular policies around what scope of access should be allowed.
- SaaS Cloud Security Posture Management (CSPM) allows a SASE architecture to assess and manage the native security configuration of your SaaS provider to avoid mistakes or oversights in your deployment. Specifically, Microsoft Office 365 has more than 200 individual configuration settings that need to be evaluated for an appropriate enterprise security posture. For example, the default sharing permissions on SharePoint make shared links available to anyone in the world, and those links never expire.
- Sharing and collaboration control permits SASE to control the transaction flow of sensitive data being shared inappropriately between users within the organization or external collaborators when using popular collaboration platforms such as Microsoft OneDrive, Microsoft Teams, Slack, and more.
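As an added illustration of the SaaS CSPM idea above (this is example code written for this page, not McAfee's or Microsoft's), the block below evaluates a tenant's sharing configuration against a small set of posture rules and reports findings. The setting names (`default_link_type`, `anonymous_link_expiration_days`, and so on) are constructed for the example and are not the real Microsoft 365 or SharePoint setting names; the two sample tenants are likewise constructed, one left at the permissive defaults the text describes and one after hardening.

```python
"""Minimal SaaS posture check in the spirit of SaaS CSPM.

Rules are predicates over a sharing-configuration dictionary. The setting
names used here are assumptions made for this example, not real Microsoft
365 / SharePoint setting names.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    message: str


# A rule is (id, severity, predicate that is True when NON-compliant, message).
Rule = tuple[str, str, Callable[[dict], bool], str]


def _anonymous_default_link(cfg: dict) -> bool:
    # The default link handed to users grants access to anyone holding it.
    return cfg.get("default_link_type") == "anyone"


def _links_never_expire(cfg: dict) -> bool:
    # Only meaningful when anonymous links can be created at all.
    return (cfg.get("external_sharing") == "anyone"
            and cfg.get("anonymous_link_expiration_days") is None)


def _anonymous_links_allow_edit(cfg: dict) -> bool:
    return cfg.get("anyone_link_permission") == "edit"


RULES: list[Rule] = [
    ("SHR-001", "high", _anonymous_default_link,
     "Default sharing link grants access to anyone with the link"),
    ("SHR-002", "high", _links_never_expire,
     "Anonymous sharing links never expire"),
    ("SHR-003", "medium", _anonymous_links_allow_edit,
     "Anonymous sharing links allow edit rather than view-only"),
]


def evaluate(config: dict, rules: list[Rule] = RULES) -> list[Finding]:
    """Return one Finding per rule the tenant's sharing config violates."""
    sharing = config.get("sharing", {})
    return [Finding(rid, sev, msg) for rid, sev, pred, msg in rules if pred(sharing)]


# Constructed sample: tenant left at permissive defaults.
WEAK_TENANT = {"sharing": {
    "external_sharing": "anyone",
    "default_link_type": "anyone",
    "anonymous_link_expiration_days": None,
    "anyone_link_permission": "edit",
}}

# Constructed sample: the same tenant after hardening.
HARDENED_TENANT = {"sharing": {
    "external_sharing": "existing_guests",
    "default_link_type": "organization",
    "anonymous_link_expiration_days": 30,
    "anyone_link_permission": "view",
}}


if __name__ == "__main__":
    for name, tenant in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        findings = evaluate(tenant)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.rule_id}: {f.message}")
```

Each rule is a pure predicate over the configuration, so a real posture engine of this shape grows by appending rules rather than by editing the evaluator, and the same rule table can be run on a schedule to detect drift back toward the permissive defaults.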
The Future for SASE
Long promised, cloud transformation is catching on at a time when enterprises increasingly rely upon cloud services to support their expanding distributed workforce. As organizations continue to rely on cloud services to keep remote employees both connected and secure, leaders need a framework that can deliver on both fronts in the most frictionless and seamless way possible.
SASE delivers the framework needed to support remote workers, cloud adoption, and all the ways that risk is introduced in the modern, distributed network. Enterprises should look to the market for efficiency-driving consolidation in areas of synergy, such as data and threat prevention in a SASE framework, to secure their cloud transformation.
About the Author
Kaushik Narayan is responsible for McAfee Cloud BU’s technology vision and software architecture. Kaushik joined McAfee in January 2018 with the acquisition of Skyhigh Networks, the leading cloud access security broker (CASB) company, where he was co-founder and CTO. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class products.
Kaushik has been working in the network security and management space for sixteen years, a large part of that at Cisco Systems, where his last stint was as the Principal Engineer responsible for the Identity Services Engine product, which won the Cisco Pioneer Technology award. Kaushik helped drive key technology initiatives within Cisco in the areas of Policy Management, Cloud Centric Networking, and Network Automation. He has filed several patents and has also been an active member at the IETF, where he is responsible for multiple RFCs.
Kaushik holds a Bachelor of Science in Electrical Engineering from Pune University and an MS in Management Systems from BITS Pilani. Kaushik can be reached online on LinkedIn and at our company website, https://www.mcafee.com/blogs/author/kaushik-narayan/