When it comes to securing an organization, there are so many questions to answer. Where are the organization’s users predominantly located – onsite or remote? Are there any predicted shifts in these locations over the coming years? Is the organization running on-premises applications in the data center or primarily using cloud-based applications? How diverse are the applications and data types that users depend on for productivity?
No two organizations are set up the same. Some possess industry-specific custom applications, while others use common productivity apps for a simpler office environment. Combine these factors with distributed sites in multiple geographies – each with different service providers supporting the links, and each with disparate security controls that have their own management systems – and you get a sense of the number of variables that must be considered, if not addressed.
Once the organization has answered these questions, the complexity of securing its infrastructure becomes clearer. Securing this complex tangle of technology has been an operational balancing act for many security and infrastructure teams for more than 20 years.
IDS, IPS, firewalls, endpoint protection, Secure Web Gateway and many other individual technologies require specific expertise, coupled with applicable domain knowledge and some degree of operational investment, to initially deploy and then continually keep running smoothly. These are not “set and forget” technologies and must be adapted to changing situations, as adversaries rarely sit idle.
In the last few years, we’ve seen an increased interest in moving these technologies to cloud-hosted services, delivered as a package. Who better to tune these technologies than the vendors who develop, deploy and run them every day? This innovative concept has a few different labels around the industry, but the one resonating most is Gartner’s Secure Access Service Edge (or SASE).
Different Paths for Different Needs
Over the past decade, I’ve worked with many vendors in the security ecosystem and, therefore, can appreciate the appeal of SASE for organizations of all sizes. As a concept, SASE purports to deliver most of the critical capabilities that security architectures aspire to provide, including:
- Production-class uptime
- Frequent security efficacy tuning
- Deployment flexibility
- Operational ease of use
This concept works very well for new sites or wholesale cutovers to this service. However, nearly all organizations already have some degree of investment in technologies or processes, making a wholesale adoption difficult, if not impossible. As a result, adoption for most organizations will be a lengthy project, due to service and application dependencies, internal stakeholder buy-in and uptime mandates that don’t permit a single operational window in which to execute a cutover.
Remember that data center application question at the beginning of this blog? Customers who still have applications in their data center and also use SaaS and/or public cloud-hosted applications can complicate the operational benefits of SASE. When troubleshooting user experience or application issues, policy consistency is essential. Having multiple policy engines, whose configurations make conflicts difficult or impossible to resolve, creates a new operational challenge that “clouds” rather than clarifies visibility. If one of the tenets of this new service security vision is operational agility, a single policy engine should be the goal. Otherwise, the result is new maintenance and operations challenges for day-to-day activities, along with incident and investigation challenges that delay response or resolution for operations folks.
What about performance from or to the point of presence (POP) for the SASE service? What about aggregating multiple links, including point-to-point links between data centers as well as links from campus or home offices to the cloud? SD-WAN solves some of this; still, it can be challenging to ensure a high-quality user experience when security services are introduced that obscure the telemetry and details often relied on for service health.
“Choose Your Own Adventure”
Today, many offerings in the market have multiple policy configuration and deployment mechanisms for different locations in the network. With each instance having its own management UI, policy structure and event format, troubleshooting is nearly out of the question, much less having visibility into the behavior of any given service or application across the environment. Cloud-hosted security should make operational consumption simpler, not more complex.