A Beginner's Guide to SASE
Author: Paul Graham
Release Date: 05/08/2021
So what is SASE?
The abbreviation stands for ‘Secure Access Service Edge’. It is a model for protecting a company that reflects how technology and working practices have changed since the early days of the Internet, rather than how they looked when most security architectures were first designed.
Think back to the old days of network security and the four walls mentality.
You had a network edge and it had to be protected. Trusted users, assets and applications would sit inside the overall perimeter. A variety of appliances and servers would reside in a plethora of sites such as head office, branch offices and data centres. Each of these locations would have their own four walls that had to be protected and a big bubble existed around all of them representing a larger set of four walls that had to be secured.
Employees would typically come into an office to work and log onto a desktop using an Active Directory username and password. The device was trusted on the network but the user’s activity was not, hence Anti-Virus agents, Secure Web Gateways, etc. were needed.
Some employees would work remotely, connecting to a VPN from a sanctioned device such as a company laptop. Once identified and authenticated they were allowed through to internal resources, in effect being placed back inside the four walls.
Then – Cloud came along and complicated things…
Note that when it comes to ‘Cloud adoption’, some still view the term as solely relating to moving physical assets from on-premises infrastructure to a Cloud Provider such as AWS, but the term really encompasses moving anything to, or adopting any, Cloud based technology within a business.
The term ‘aaS’ or ‘as a Service’ is at the core of SASE but it really is nothing new.
Do you remember Hotmail?
Hotmail was founded in 1996 which at the time of writing was 25 years ago and at its core was ‘Email as a Service’. You signed up for a free account, got an inbox, could send and receive emails and didn’t need to worry about infrastructure or support. You just logged in and used it.
However, over time the concept of ‘aaS’ has grown from a simple email tool such as Hotmail to a state where an entire business can be run without the owner ever having to build a server rack or ever touch a physical asset that is not their own laptop.
Have a look at the Wikipedia page for ‘as a Service’ and note just how many abbreviations exist for the various things that can be adopted ‘as a Service’.
Who knew that such a thing as ‘Farming as a Service’ existed?
So what does this have to do with SASE?
Well, in keeping with the four walls mentality, where does the Office 365 sign in page fit?
Office 365 is one of the most used ‘as a Service’ apps in the World, and is itself really a catch all for a number of apps that sit within it.
The O365 login page at https://login.microsoftonline.com/ can be accessed from anywhere in the World and from any device. Anyone can create an account for the app. A company can also have its users redirected from the shared login screen to its own tenant, based on the domain in the username they enter. Once logged in, the employee can likely access any hosted app inside of O365 such as Teams, SharePoint, Outlook, etc., and can likely do any activity they are allowed to do within these apps, such as upload any file they wish to OneDrive and share it with any user.
Note how often the word ‘any’ appears in the above paragraph, as it is this mindset that is at the basis of SASE. The four walls mentality for security is gone and the principle of ‘any’ has to be at the heart of all security considerations when Cloud services are adopted.
Taking the O365 login page as an example, here are some SASE based considerations when adopting it as a Service:
- The login page is public facing, how do we stop anyone from accessing it?
  - Integrate O365 (Azure AD) with Okta and configure conditional access criteria such as location, device state, etc.
  - Integrate O365 (Azure AD) with Okta and configure Multi Factor Authentication for users.
  - Integrate O365 with Netskope Next Gen Secure Web Gateway & Okta to enable Reverse Proxying so that granular controls are applied even when a user logs in from an unmanaged device.
- How do we stop users creating or logging into personal instances of the app to exfiltrate data from their devices?
  - Utilise Netskope Next Gen Secure Web Gateway to granularly control cloud app activities and distinguish the corporate instance from personal ones, preventing users from creating personal app accounts, logging into unsanctioned cloud apps, using company email addresses to sign up for unsanctioned apps, etc.
- How do we control what a user can do in the app?
  - Zero Trust is key to SASE: a user should only be able to access the resources & apps that they need to do their job, with granular permissions within those resources and apps applied via policies. Ideally, any elevated permissions should only be given when, and only for as long as, they are required, preferably via an approval workflow.
- How do we prevent the user uploading or downloading anything risky to/from the app or sharing with the wrong people?
  - Many cloud storage apps provide limited threat inspection of uploaded files and none apply your own data loss prevention policy, so a tool such as Netskope Next Gen Secure Web Gateway can inspect uploads and downloads inline to prevent exfiltration of data or malware proliferation at source. It can also inspect data at rest in key Cloud Apps via API integration and inspect sharing permissions on files to alert and/or automatically remediate potential risks.
- If a nefarious actor managed to phish credentials for a user and did log in, how would we know?
  - Using Netskope, the phishing itself can be mitigated by blocking users from entering company credentials into unsanctioned or unknown sites (the fake login page), so the credentials never reach the attacker.
  - Netskope can also alert on anomalous user behaviour, e.g. if a user logged in from London at 2pm and then from China at 2.15pm (impossible travel), it would call this out.
  - Netskope can be integrated with Splunk to pass such alerts to the correct teams to take immediate action.
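The impossible travel check in the last bullet is simple enough to show in code. The following is an added example written for this guide, not Netskope, Okta or Splunk code, and it assumes a constructed sign-in log in JSON-lines form with a user, a UTC timestamp and a geolocated city (field names `user`, `time`, `city`, `lat`, `lon` are assumptions). It sorts each user’s sign-ins, computes the great-circle distance between consecutive ones, and flags any pair that would require travelling faster than a plausible aircraft. The London-then-China case from the text is included alongside a legitimate London-to-Manchester commute that must not alert.

```python
"""Impossible-travel detection over sign-in events (added example, not vendor code)."""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Nothing commercial flies much faster than ~900 km/h; anything above this
# between two sign-ins means at least one of them was not the real user.
MAX_SPEED_KMH = 1000.0

# Constructed sample log (JSON lines). Field names are assumptions for this example.
SAMPLE_LOG = """
{"user":"alice@example.com","time":"2021-05-08T14:00:00Z","city":"London","lat":51.5074,"lon":-0.1278}
{"user":"alice@example.com","time":"2021-05-08T14:15:00Z","city":"Beijing","lat":39.9042,"lon":116.4074}
{"user":"bob@example.com","time":"2021-05-08T09:00:00Z","city":"London","lat":51.5074,"lon":-0.1278}
{"user":"bob@example.com","time":"2021-05-08T12:00:00Z","city":"Manchester","lat":53.4808,"lon":-2.2426}
"""


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    city: str
    lat: float
    lon: float


def parse_log(text: str) -> list:
    """Parse JSON-lines sign-in records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(rec["user"], ts, rec["city"], float(rec["lat"]), float(rec["lon"])))
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events: list, max_speed_kmh: float = MAX_SPEED_KMH) -> list:
    """Return one alert per consecutive sign-in pair that exceeds max_speed_kmh."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if hours > 0:
                required_kmh = km / hours
            else:
                # Same-second sign-ins from two different places: treat as infinite speed.
                required_kmh = float("inf") if km > 0 else 0.0
            if required_kmh > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": prev.city,
                    "to": cur.city,
                    "km": round(km, 1),
                    "minutes": round(hours * 60, 1),
                    "required_kmh": round(required_kmh, 1),
                })
    return alerts


def detect_from_log(text: str) -> list:
    """Convenience wrapper: parse the log text and run the detection."""
    return impossible_travel(parse_log(text))


if __name__ == "__main__":
    for alert in detect_from_log(SAMPLE_LOG):
        print(alert)
```

In a real deployment the geolocation would come from the identity provider or SWG event rather than the log line itself, and the speed threshold should be tuned so that VPN egress points and mobile carrier NAT ranges do not cause a flood of false positives; the logic, however, is exactly the one above.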
These are just a few examples of the SASE thought process and of some tools that can help in overcoming the risks of using an app like O365 that has a public facing login portal.
The above also relates to only a single Cloud App example, but SASE encompasses a variety of protection methodologies such as SD-WAN (Software-Defined Wide Area Network), Secure Web Gateway, CASB (Cloud Access Security Broker), FWaaS (Firewall as a Service) and ZTNA (Zero Trust Network Access).
So think of SASE as covering every single entry point into a company resource, with no more four walls: every possible intrusion method, be it on prem, a cloud based app, VPN, etc., and how to prevent that intrusion. Every exfiltration point for data, be it users or nefarious actors, and how to prevent such data leaking either accidentally or purposefully. Every entry point for malware, be it users downloading it accidentally, nefarious actors propagating it, etc. Every app speaking to another app, and every exchange of a key or secret that has the potential to be compromised. The list is not limited to these, but the emphasis should be on moving away from the four walls mentality and viewing the company as a whole when it comes to threats and how these may enter or exit the business, with the ‘any’ principle applied throughout.
There is also no single overall SASE solution out there (yet), hence integration of the right technologies is key. When reviewing technologies to overcome an individual risk item, or when refreshing legacy technologies to SASE focused ones, always include integration with the rest of your stack as an item of consideration in order to get the best out of what you are interested in.