Cybersecurity strategies for years have been grounded in protecting the perimeter of the corporate network. Yet, as nearly every organization learned during the COVID-19 crisis, that perimeter no longer exists. Nearly all new software functionality is now deployed as a service (SaaS) that people access from a multitude of locations and devices. No company has the luxury of containing the enterprise IT environment within its four walls anymore.
The pandemic also exposed the limitations of virtual private networks, which enable remote access to secure computing resources. A VPN lets employees “tunnel” in through the corporate firewall using an encrypted connection that rides on top of the public internet. But during massive lockdowns, VPNs at many companies were overwhelmed by surges in demand that slowed traffic to a crawl. Even more alarming was when frustrated users disconnected from the VPN entirely to log in to their SaaS applications, thus bypassing any of the security controls and increasing the overall threat surface.
The rise of the secure access edge
A perimeter-less environment demands a new approach to cybersecurity. “Just a few short years ago we would talk about remote access for short periods due to travel, and typically for a small proportion of the workforce,” said Anand Ramanathan, chief product officer, Skyhigh Security. “Today we are adapting to a vast, permanent work-from-anywhere cultural shift.”
Three years ago, Gartner coined the term Secure Access Service Edge (SASE) to describe an architecture that combines software-defined wide-area networks (SD-WANs) with a portfolio of cloud-based security tools —including secure web gateway (SWG) cloud access security brokers (CASB), and zero-trust network access (ZTNA).
The goal of SASE is to shift from traditional perimeter protections to identity-based controls that securely connect people with data and applications from any device and location, even when they aren’t on the VPN. Gartner predicts that more than 40% of enterprises will have SASE in place or progress by 2024, up from fewer than 1% at the end of 2018.
Introducing Security Service Edge
Transitioning to a full SASE environment is a long process for large enterprises. Recognizing that all-or-nothing approaches are impractical at a time of urgency, Gartner proposed splitting the security and SD-WAN components and unifying the former under the banner of Security Service Edge (SSE).
SSE brings together the elements needed to secure access to websites, cloud services, and internal applications in a way that yields immediate benefits in the form of reduced risk, cost and complexity while allowing organizations to fold in the SD-WAN components at their own pace.
This prudent approach has several benefits to customers. No single vendor can deliver the full functionality required of a complete SASE. Splitting SSE apart from SD-WAN enables network and security vendors can focus on their respective core competencies rather than trying to be all things to all people. The approach also speeds time-to-market, since vendors can deliver – and users can implement – individual components faster, and thereby realize more immediate results.
“A tightly integrated SSE solution can address the management challenges of setting up policies in multiple vendor management interfaces by deeply integrating security controls to reduce overhead, complexity, and cost, while increasing performance,” Ramanathan said.
Convergence of Security Solutions
A converged security approach to SSE is badly needed. By most accounts, the average enterprise uses between 50 and 100 different security products. The highly fragmented nature of the security industry means that few of those products talk to each other, so the task of integrating them has been mostly left up to the customer.
The key business goal of SSE is to protect applications and data by building a pervasive cloud edge that spans all manners of accessing these applications and data. An SSE solution delivers this pervasive edge and enables organizations to apply consistent data protection and threat prevention policies across their entire estate, including users, devices, locations and applications. Under the covers, SSE is the convergence of Cloud Access Security Broker (CASB), next-gen Secure Web Gateway (SWG), Zero Trust and DLP technologies delivered via a single global cloud fabric – with consistent policy and incident management. Each of the closely integrated components provide coverage over distinct controls points that seamlessly deliver the pervasive edge.
A unified SSE platform helps facilitate:
- Policy enforcement and incident management from a single pane of glass,
- Centralized visibility and control over data, apps, and users,
- The ability to apply security controls to data wherever it goes – such as websites, cloud services, unmanaged endpoints, and private applications – and
- Reduced operational complexity of managing multiple disparate solutions
SSE presents an opportunity for IT organizations to simplify their security fabric by replacing multiple, special-purpose hardware devices with comparable functionality delivered as cloud services. It simplifies a chaotic mix of point products and ensures security outcomes while making it simpler for business users to access the resources they need. It’s a cybersecurity reboot at just the time IT organizations need it most.
Click here to read more about how SSE can boost your cybersecurity strategy.