For years, we have talked about our network and security edge expanding to the point where it disappears, but we thought we had time to plan it all out. In 2020 the edge nearly disappeared due to the demand of the remote workforce just to keep businesses running.
We, as IT professionals, pulled out all the stops and performed our wizardry to meet the needs of this rapidly changing world. As we know, magic comes at a cost, and the question is, “Have we taken on any additional risks during this aggressive transition?”
The Safety Blanket Gets Holes
Let’s first start by defining “the edge”. For years it’s been our safety blanket where all our traffic would flow through a secure ingress and egress point that we could heavily fortify and defend. As we started to see an increase in remote work, we simply tunneled that traffic back to headquarters and put it through that same point.
This worked for a while, but with the proliferation of cloud technologies and the XaaS (anything as a service) movement, it was no longer practical to tunnel everything back to a single point just to shoot it back out to the Internet. That’s when we started to see the adoption of split-tunneling, which allowed us to tunnel traffic to our datacenters while sending internet-accessible XaaS traffic directly over the internet, bypassing our secure edge.
The Edge Erodes
This was the first step to the downfall of our precious edge. If we are sourcing traffic from various points, how do we secure it? We started with robust endpoint clients to protect assets, but these got bulky and painful to manage. Then we started looking at localized proxies that would act as a regionalized edge or putting our favorite web proxy in a cloud environment and pointing our users at it to protect them while they were at home or on the road. These all worked, but the overhead of cost and management became a pain point. In addition, maintaining a consistent security posture with multiple technologies that mirrors our enterprise edge was almost impossible to attain.
SASE is Born
What was needed was a solution that delivers the same enterprise-grade security, with optimized paths for remote workers, using the same policies we have at our enterprise edge. This was the birthplace of SASE (Secure Access Service Edge) and the framework that defines our future “edge”.
As we see with all our technologies, the focus is on securing the individual (identity) more than an endpoint or device. The foundation of SASE is exactly that: identifying the individual and then applying policy based on their role within the organization, regardless of where they are. This gives us ultimate flexibility in policy control and eases management: as users bounce from device to device, the policy is maintained.
7 Essential Steps to Deploying SASE
So where do we flip the magic SASE switch and adopt this? Well, it’s not quite that simple. As with any technology like this, there are several steps to be taken before going headfirst into a SASE deployment. Below is a high-level approach we take at Core when looking into SASE for our clients:
- Evaluate the need (“Will SASE make sense for my organization?”)
  - This is a critical first step for any technology we look at with a client. Just because it’s a cool buzzword doesn’t mean it makes sense for everyone.
- Understand the architecture and what pieces are needed
  - SASE is not a single solution but a collection of complementary products. Determine if there are existing components of a SASE solution, if they can be leveraged, and what gaps are in the implementation. This will help paint the picture of the end state.
- What are the capabilities around Identity within your organization?
  - Since policies are focused on individuals, this requires a heavy reliance on an identity platform (typically Microsoft Entra ID). Before you can wrap policy around an identity, you must first answer many questions including “What state is this in?”, “Is it healthy?”, “Is it up to date?”, “Does it have proper groups?”, and more.
- Do we know who needs to talk to what?
  - This is probably the largest undertaking as we begin looking to secure the individual and give them access to their resources when they log in. Do you know what they need access to? Answering that question is usually assisted by some tools to gather data over time for analysis.
- Start the pilot
  - We always encourage pilots or phased rollouts for technologies that impact end users. Identify a group, push the necessary policies and controls, and test it out.
- Tweaking and clean up
  - Take the lessons learned from the pilot, modify the policies, clean up any “test” items still out there, and prepare the production rollout.
- Go live
  - Create the rest of the phases for general production, coordinate with end users (especially for training and adoption), and always have a rollback plan just in case.
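One way to work through the identity and “who needs to talk to what” steps above, shown as an added example that is not Core's tooling: join observed application access with directory group membership, turn the common patterns into candidate group-level allow rules, and surface one-off access and ungrouped users for review. The user names, groups, applications and the 50% threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: group membership as exported from an identity
# platform, and (user, application) pairs observed over a collection window.
GROUPS = {
    "alice": "finance", "bob": "finance", "carol": "finance",
    "dave": "engineering", "erin": "engineering",
}
OBSERVED = [
    ("alice", "erp"), ("bob", "erp"), ("carol", "erp"),
    ("alice", "payroll"), ("bob", "payroll"),
    ("carol", "git"),                      # one-off: finance user reaching git
    ("dave", "git"), ("erin", "git"), ("dave", "ci"), ("erin", "ci"),
    ("frank", "erp"),                      # user with no group in the directory
]

def build_matrix(observed, groups):
    """Return ({group: {app: set(users)}}, sorted list of ungrouped users)."""
    matrix = defaultdict(lambda: defaultdict(set))
    ungrouped = set()
    for user, app in observed:
        group = groups.get(user)
        if group is None:
            ungrouped.add(user)            # identity gap: fix before writing policy
            continue
        matrix[group][app].add(user)
    return matrix, sorted(ungrouped)

def propose_policy(observed, groups, min_share=0.5):
    """Split observed access into group-level allow rules and outliers to review."""
    matrix, ungrouped = build_matrix(observed, groups)
    size = defaultdict(int)
    for group in groups.values():
        size[group] += 1
    allow, review = {}, []
    for group, apps in matrix.items():
        # An app becomes a group rule only if enough of the group uses it.
        allow[group] = sorted(a for a, users in apps.items()
                              if len(users) / size[group] >= min_share)
        review += [(u, a) for a, users in apps.items()
                   if len(users) / size[group] < min_share for u in sorted(users)]
    return allow, sorted(review), ungrouped

if __name__ == "__main__":
    allow, review, ungrouped = propose_policy(OBSERVED, GROUPS)
    print("allow:", allow)
    print("review:", review)
    print("ungrouped:", ungrouped)
```

The review and ungrouped lists are the items to resolve before the pilot: each is either a legitimate exception that needs its own rule or a directory gap to fix first.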
Protect Your Remote Workforce
We know 2020 made us do a lot of “unnatural” things to keep businesses going, but we’ve also seen that this remote work era is here to stay. Therefore, it’s critical to look at architectures like SASE and ensure that the remote workforce is protected to the best of our ability.
We at Core are always here to assist with any of these steps including evaluation of products, assessment services, and security testing of the architecture once it’s up and running to ensure it is protected. Contact us to learn more about how we can help you protect your workforce.