Secure Access Service Edge (SASE) is a holistic approach to protecting data, intellectual property and networks both in the cloud and on-prem.
Federal agencies received new marching orders in May about how to manage and secure their data and networks. President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity even called out specific cyber strategies such as zero trust networking architecture and cloud-based software-as-a-service that agencies are mandated to implement under the EO.
If there’s one thing that President Biden’s EO makes clear, it’s that the status quo can’t remain.
“Incremental improvements will not give us the security we need,” the EO states. “Instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
The EO also makes clear that federal agencies can’t do this on their own and need industry to help.
“Protecting our nation from malicious cyber actors requires the federal government to partner with the private sector,” it states. “The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the federal government to foster a more secure cyberspace.”
One of the most important tools that the private sector has developed to address the cyber threats facing federal agencies is Secure Access Service Edge (SASE) architecture. Not a product in itself—you can’t buy a box of SASE—it is a collection of security and networking services that many organizations already have. These can be delivered via the cloud, and most importantly for federal agencies, can also be delivered as on-prem capabilities while the federal government adds cloud to existing infrastructure.
In a 2020 report, research and advisory company Gartner said that SASE is a game changer.
“Gartner expects SASE will provide agility to cope with rapidly changing network and security conditions. We predict that it will help manage complexity for network and security in a distributed solution,” the report said. “SASE orchestration provides the means to maintain a single security policy throughout a distributed environment for control, inspection and monitoring. SASE’s cloud-native design improves the ability to scale network traffic and security capabilities. Zero-trust network access is likely to be a major feature in a SASE deployment. Its use reduces your cloud’s attack footprint. We predict SASE will improve enterprise application availability.”
Due diligence for SASE implementation
Due diligence is required when implementing SASE architecture, just as it should be done for anything related to securing data, networks and intellectual property. Here are six suggestions for federal IT managers looking for a SASE solution to help them comply with Biden’s cybersecurity EO.
Security in the cloud is a shared model. AWS and Google, for example, make it very clear that they are responsible only for securing their own infrastructure. That means the federal organization is responsible for securing its own assets in the cloud. Security policy should not be based on traditional ports and protocols, but on user, device, group, application, time of day, context and content. Those are the essential constructs for zero trust networking (ZTN) architecture and identity-based authentication.
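The contrast between a port-and-protocol rule and a policy built on user, device, group, application, time of day, context and content is easiest to see in code. The following is an added example, not code from the article or from Versa Networks; the attribute names, the policy shape, the classification ranking and the sample requests are all constructed for illustration.

```python
"""Identity- and context-based access decisions versus a port/protocol rule.

Added example, not code from the article or from Versa Networks. The
attribute names, policy shape and sample requests are constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access attempt, described by the attributes a ZTN policy evaluates."""
    user: str
    groups: frozenset
    device_managed: bool
    device_compliant: bool
    app: str
    hour: int            # local hour of day, 0-23
    geo: str             # coarse location context, e.g. country code
    data_class: str      # classification of the content being requested
    dst_port: int        # the only thing a port-based rule ever looks at


@dataclass(frozen=True)
class Policy:
    """Per-application policy: who, from what device, when, where, and what content."""
    app: str
    allowed_groups: frozenset
    require_managed: bool = True
    require_compliant: bool = True
    hours: tuple = (0, 24)                 # allowed window [start, end), local time
    allowed_geo: frozenset = frozenset({"US"})
    max_data_class: int = 2                # highest classification rank permitted


# Constructed classification ranking; higher is more sensitive.
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def port_rule_decision(req: Request, open_ports=frozenset({443})) -> bool:
    """Traditional perimeter rule: anything headed to an open port gets through."""
    return req.dst_port in open_ports


def zero_trust_decision(req: Request, policy: Policy) -> tuple:
    """Evaluate every attribute; return (allowed, reason). The first failing check wins."""
    if req.app != policy.app:
        return False, "no policy for application"
    if not (req.groups & policy.allowed_groups):
        return False, "group not authorised for application"
    if policy.require_managed and not req.device_managed:
        return False, "unmanaged device"
    if policy.require_compliant and not req.device_compliant:
        return False, "device out of compliance"
    start, end = policy.hours
    if not start <= req.hour < end:
        return False, "outside allowed hours"
    if req.geo not in policy.allowed_geo:
        return False, "location not permitted"
    if CLASS_RANK[req.data_class] > policy.max_data_class:
        return False, "content classification exceeds policy"
    return True, "all attributes satisfied"


# Constructed sample policy: the finance group may use the ledger app 07:00-19:00
# from a managed, compliant device in the US, up to "confidential" content.
FINANCE = Policy(app="ledger", allowed_groups=frozenset({"finance"}), hours=(7, 19))

# Constructed requests. All of them target port 443, so the port rule passes every one.
REQ_OK = Request("alice", frozenset({"finance"}), True, True, "ledger", 10, "US", "confidential", 443)
REQ_OFF_HOURS = Request("alice", frozenset({"finance"}), True, True, "ledger", 23, "US", "confidential", 443)
REQ_UNMANAGED = Request("alice", frozenset({"finance"}), False, True, "ledger", 10, "US", "confidential", 443)
REQ_WRONG_GROUP = Request("bob", frozenset({"engineering"}), True, True, "ledger", 10, "US", "internal", 443)
REQ_RESTRICTED = Request("alice", frozenset({"finance"}), True, True, "ledger", 10, "US", "restricted", 443)

if __name__ == "__main__":
    samples = [("ok", REQ_OK), ("off-hours", REQ_OFF_HOURS), ("unmanaged", REQ_UNMANAGED),
               ("wrong-group", REQ_WRONG_GROUP), ("restricted", REQ_RESTRICTED)]
    for name, req in samples:
        print(f"{name:12} port-rule={port_rule_decision(req)!s:5} "
              f"zero-trust={zero_trust_decision(req, FINANCE)}")
```

Every sample request is bound for port 443, so the port-based rule admits all five; the attribute-based policy admits only the one that satisfies every construct, and it reports which attribute failed, which is the information an incident responder actually needs.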
Don’t get boxed in. Vendor lock-in is something you absolutely want to avoid. Make sure the platform delivering all these features is a true hybrid-cloud platform that can be deployed at the IoT or 5G edge, in an on-premises branch or data center, on commercial clouds, and on any gov cloud. It should use the same language of networking and security everywhere so that no stitching is required between deployments.
Network traffic should be agnostic to the backbone. To get intelligent hybrid-cloud connectivity among on-premises environments, commercial clouds and gov clouds, ensure that network traffic is agnostic to whatever backbone is employed: the Internet, MPLS, another private backbone or a commercial cloud backbone. That requires SD-WAN service-level agreements (SLAs) to monitor in near real time any service interruptions experienced across these different channels, and then reroute traffic around the non-SLA-compliant segments in seconds. That is very powerful.
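The reroute-in-seconds behaviour described above comes down to a small decision loop: measure each backbone every window, compare against the application's SLA, and move traffic only when the current path falls out of compliance. The block below is an added example, not code from the article or from Versa Networks; the SLA thresholds, the three path names and the probe telemetry are constructed, and the tie-breaking rules (stay put while compliant, else lowest latency, else least loss) are this example's own choices rather than any vendor's algorithm.

```python
"""SLA-driven path selection across backbones, in the style of an SD-WAN controller.

Added example, not code from the article or from Versa Networks. The SLA
thresholds, path names and probe telemetry below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sla:
    """Per-application service-level thresholds."""
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


@dataclass(frozen=True)
class Probe:
    """One monitoring window's measurement for a single backbone path."""
    path: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


def is_compliant(p: Probe, sla: Sla) -> bool:
    """A path is compliant only if every measured metric is within the SLA."""
    return (p.latency_ms <= sla.max_latency_ms
            and p.loss_pct <= sla.max_loss_pct
            and p.jitter_ms <= sla.max_jitter_ms)


def select_path(current: str, probes: list, sla: Sla) -> str:
    """Return the path to forward on for this window.

    Stay on the current path while it meets the SLA (avoids flapping);
    otherwise move to the compliant path with the lowest latency; if no
    path meets the SLA, fall back to the one losing the fewest packets.
    """
    by_path = {p.path: p for p in probes}
    cur = by_path.get(current)
    if cur is not None and is_compliant(cur, sla):
        return current
    compliant = [p for p in probes if is_compliant(p, sla)]
    if compliant:
        return min(compliant, key=lambda p: p.latency_ms).path
    return min(probes, key=lambda p: (p.loss_pct, p.latency_ms)).path


def simulate(windows: list, sla: Sla, start: str) -> list:
    """Run the selector over successive windows; return the path chosen in each."""
    path, history = start, []
    for probes in windows:
        path = select_path(path, probes, sla)
        history.append(path)
    return history


# Constructed thresholds for a latency-sensitive (voice-like) application.
VOICE_SLA = Sla(max_latency_ms=150, max_loss_pct=1.0, max_jitter_ms=30)

# Constructed telemetry: four monitoring windows over three backbones.
WINDOWS = [
    # 1: everything healthy, traffic stays on MPLS
    [Probe("mpls", 20, 0.0, 2), Probe("internet", 45, 0.2, 8), Probe("cloud", 35, 0.1, 5)],
    # 2: MPLS starts dropping 4% of packets -> move to the lowest-latency compliant path
    [Probe("mpls", 20, 4.0, 2), Probe("internet", 45, 0.2, 8), Probe("cloud", 35, 0.1, 5)],
    # 3: MPLS recovers, but the cloud backbone still meets the SLA, so no flap back
    [Probe("mpls", 20, 0.0, 2), Probe("internet", 45, 0.2, 8), Probe("cloud", 35, 0.1, 5)],
    # 4: every path is degraded -> the one with the least packet loss wins
    [Probe("mpls", 400, 3.0, 2), Probe("internet", 200, 2.0, 50), Probe("cloud", 300, 5.0, 5)],
]

if __name__ == "__main__":
    print(simulate(WINDOWS, VOICE_SLA, start="mpls"))  # ['mpls', 'cloud', 'cloud', 'internet']
```

The anti-flap rule in window 3 is deliberate: a controller that chases the single best metric every window will oscillate between backbones, and each oscillation is itself a service interruption for long-lived flows.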
Multi-tenancy is necessary for organizations with multiple departments. Think about any federal organization. Does it have just one department? No, it has many departments, such as finance, personnel and engineering. Such an organizational structure requires that traffic be isolated across all of these departments from a control-plane, data-plane and management-plane perspective. Organizations that lack a multi-tenancy capability would need, by definition, multiple instances in the cloud. With multi-tenancy, you need only one instance in the cloud, which ensures logical segregation across all these departments; that is very powerful for ensuring security while at the same time reducing costs. With multi-tenancy, security is not a cost inhibitor.
The SASE solution has to support template-driven workflows. From a configuration standpoint, it has to support orchestration and automation to a great degree, because the number-one cause of inadvertently opening a potential attack path is a misconfiguration made during a change maintenance window. This happens when somebody misconfigures something by hand, without intelligent, automated checks on top of their environment. So it is important to make sure that everything is managed by templates and a team configuration workflow.
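What "templates plus automated checks" looks like in practice is a renderer that fills in only the per-site parameters, and a lint pass that refuses the whole change if any rule carries a finding. The block below is an added example, not code from the article or from Versa Networks; the rule schema, the template, the finding codes, the list of management ports and the sample rules are constructed for illustration.

```python
"""Template-rendered firewall rules with automated pre-change checks.

Added example, not code from the article or from Versa Networks. The rule
schema, template, finding codes and sample changes are constructed.
"""
import ipaddress

ANY = "0.0.0.0/0"
MANAGEMENT_PORTS = {22, 3389}          # constructed: admin-plane ports that must never face "any"

# Constructed template: only the placeholders vary per branch; nothing else is hand-typed.
BRANCH_WEB_TEMPLATE = {
    "name": "{branch}-to-{app}-https",
    "action": "allow",
    "src": "{branch_cidr}",
    "dst": "{app_cidr}",
    "ports": [443],
    "log": True,
}


def render(template: dict, params: dict) -> dict:
    """Fill every string field of the template from params; other fields copy through."""
    return {k: (v.format(**params) if isinstance(v, str) else v) for k, v in template.items()}


def lint(rule: dict) -> list:
    """Return finding codes for one rule; an empty list means it passes every check."""
    findings = []
    for field in ("src", "dst"):
        try:
            ipaddress.ip_network(rule.get(field, ""), strict=False)
        except ValueError:
            findings.append(f"invalid-cidr:{field}")
    ports = rule.get("ports", [])
    any_port = ports == "any" or ports == []
    port_set = set() if any_port else set(ports)
    allow = rule.get("action") == "allow"
    if allow and rule.get("src") == ANY and rule.get("dst") == ANY:
        findings.append("any-to-any-allow")
    if allow and rule.get("src") == ANY and MANAGEMENT_PORTS & port_set:
        findings.append("management-port-exposed")
    if allow and any_port:
        findings.append("all-ports-allowed")
    if not rule.get("log", False):
        findings.append("logging-disabled")
    return findings


def apply_change(rules: list) -> list:
    """Gate a change window: reject the entire change if any rule has findings."""
    problems = {}
    for rule in rules:
        found = lint(rule)
        if found:
            problems[rule.get("name", "<unnamed>")] = found
    if problems:
        raise ValueError(f"change rejected: {problems}")
    return rules


# Constructed change: one templated rule and two hand-typed ones from a rushed window.
TEMPLATED = render(BRANCH_WEB_TEMPLATE, {"branch": "denver", "app": "ledger",
                                         "branch_cidr": "10.20.0.0/16", "app_cidr": "10.200.5.0/24"})
MANUAL_TYPO = {"name": "denver-temp", "action": "allow", "src": "10.20.0.0/16",
               "dst": "10.200.5.0/244", "ports": [443], "log": False}      # mistyped prefix, no logging
MANUAL_OPEN = {"name": "fix-later", "action": "allow", "src": ANY, "dst": ANY,
               "ports": "any", "log": True}                                # "just make it work"

if __name__ == "__main__":
    for rule in (TEMPLATED, MANUAL_TYPO, MANUAL_OPEN):
        print(rule["name"], lint(rule) or "clean")
    try:
        apply_change([TEMPLATED, MANUAL_TYPO, MANUAL_OPEN])
    except ValueError as err:
        print(err)
```

Rejecting the whole change rather than just the offending rule is the point of the gate: a partially applied change is exactly the inconsistent state that a maintenance window is supposed to avoid.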
Single-pass architecture is required for efficient networking and security. Single-pass architecture is the one architecture in which metadata can be processed more efficiently for inline encryption/decryption and inline services at hyper speed. This is very important. It is not only about bringing together all these features and functionalities, but about making sure they work across multiple clouds, which is where single-pass parallel processing comes into play.
It’s important to make sure that federal organizations wanting to make use of a particular SASE service, whether it’s networking or security, have the choice of deploying it on premises, at the edge, in the cloud, or in any blended combination. There are many environments where federal agencies, for one reason or another, cannot move all their data to the cloud. They have to keep some of it on-prem. SASE applications should be an enabler for that use case and function in all operational scenarios.
Apurva Mehta is founder and CTO of Versa Networks.