As a former Gartner analyst and now a strategist at Akamai, I have had several conversations with CISOs across the world on the topic of "designing a future-ready security architecture."
The fact that so many CISOs are seeking a newer, and more effective, security model is a sign that the business context for most enterprises has changed. Data center and hardware appliance-centric security architectural models do not work in today's highly distributed work and business environment. The answer to these changed requirements is a security architectural model that integrates networking and security components and delivers these controls through an edge architecture.
Gartner proposed such an architecture in 2019, called secure access service edge (SASE, pronounced "sassy"). My colleague Lorenz Jakober wrote about Akamai's approach to SASE and edge security in a previous blog post.
The Gartner SASE architecture most effectively helps organizations adapt to change because it:
- addresses the "access pattern inversion" effectively -- i.e., the fact that users and apps are no longer within the confines of the corporate data center and network
- is broad enough to be applicable to a wide range of security use cases while being flexible enough to adapt to customers' unique environments
- rewards distributed and resilient architectural models for networking and security
A serious effort toward a SASE model sounds like a worthwhile investment of CISOs' time, but is this the correct time to embark upon an architecture refresh, given the economic uncertainty surrounding the COVID-19 situation? The answer is yes, because the Gartner SASE architecture directly addresses ongoing shifts in digital business requirements and technology consumption patterns.
Let's look at some key business benefits of using the Gartner SASE model as a guiding principle for security architecture design.
Adapt to Access Pattern Inversion
"Digital business and edge computing have inverted access requirements, with more users, devices, applications, services and data located outside of an enterprise than inside." -- Gartner, The Future of Network Security Is in the Cloud
This "access pattern inversion" applies both to employee-facing applications and to consumer-facing websites and mobile applications. The central idea is that application functionality and associated security controls should be delivered as close to the end user as possible. This ensures user experience and performance are not compromised in the quest for an improved security posture. Delivering security controls one internet hop away from attackers can really do wonders in reducing organizations' risk exposure. Making resources harder for attackers to discover (and therefore exploit) should be a central tenet of any adaptation of the SASE architecture.
Breadth of Security Use Cases Covered
Most of the current hype around SASE is intended to convince people that SASE is primarily about adopting specific security controls like Zero Trust Network Access (ZTNA) and cloud-based secure web gateway (SWG). These controls are an important starting point, but are the beginning of the journey -- not the end. A full SASE approach covers a range of access-related security use cases, as shown in the Gartner graphic below:
One of the security controls that is often overlooked is web application and API protection as a service (WAAPaaS). Quite a mouthful, this acronym refers to security controls like WAF, API security, bot management, and DDoS protection that protect web-facing applications. As important as it is to allow legitimate users to access resources, it is equally important to prevent malicious actors from getting in. This is where WAAPaaS comes in.
Further, while Gartner's initial recommendations on SASE seem focused on workforce or enterprise security, this model can easily be extended to apply to internet-facing websites as well. SASE can therefore be a game changer for many B2C businesses that are pivoting to a digital-first strategy in the current era of physical distancing.
Global Scale and Operational Resilience
"To provide low-latency access to users, devices and cloud services anywhere, enterprises need SASE offerings with a worldwide fabric of points of presence (POPs) and peering relationships." -- Gartner, The Future of Network Security Is in the Cloud
Gartner's SASE model places a lot of importance on delivering security controls one internet hop away from the user, and on the SASE platform being able to stay resilient against large-scale DDoS attacks. Gartner recognizes that vendor platforms may be using public cloud IaaS for some SASE components, but that only an edge architecture can effectively bring those controls closer to the end user. Security vendors' ability to continue investing in a worldwide SASE platform that can deliver low-latency services consistently is highly dependent on their financial stability. Therefore, it is imperative that CISOs examine the financial stability and business model of their potential SASE platform providers as part of the evaluation process.
The most important thing for CISOs to remember is that frameworks like Gartner's SASE are not meant to be prescriptive, or "complied with." They are a way to spark new ideas and thinking in the minds of senior technology leaders. My recommendation to CISOs would be to use SASE as a "first principle" and customize the approach to your respective companies' context. For any new security-related deployments (or even technology refreshes), the first question that needs to be answered is: Can we do this more efficiently using an edge architecture? This can open up so many possibilities for direct value-add to the business. Think about web content caching and performance, edge computing, customer identity and access management (CIAM), IoT use cases, and so much more that can be achieved by truly internalizing an edge architecture into technology and security architectural rollouts.
We like SASE so much that Patrick Sullivan (our global VP and CTO) and I decided to do a 30-minute webinar on the topic. In this "sassy" chat, we discuss practical recommendations for security leaders as they embark on their SASE journey.