Secure access service edge (SASE) is one of the latest buzzwords to emerge as part of the move to zero trust.
Agencies are looking at how they can implement SASE as part of securing their networks and systems.
Gartner predicts that by 2025, at least 60 percent of enterprises will have “explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020.”
Wayne LeRiche, the federal civilian field chief technology officer and solutions architect for Palo Alto Networks Federal, said SASE sets a framework for agencies to more easily implement a zero trust architecture.
“One of the main things about SASE is it’s evolving. It started off as basically a virtual private network (VPN) replacement so you had private access or you had companies that were creating a secure internet gateway,” LeRiche said on the Innovation in Government show, sponsored by Carahsoft. “What SASE really does, though, is it brings in a bunch of different use cases under that umbrella. We’re looking at not only the users working from home, but also users working from a remote branch. We’re cascading in there other things like cost savings, moving away from expensive Multiprotocol Label Switching (MPLS)-based networks. And as applications move from the data center to the cloud, with software-as-a-service (SaaS), things like that, SASE can really help address those challenges.”
At the same time, LeRiche said SASE can help agencies meet the compliance goals detailed in recent OMB memos around things like security audit logging and sending data to the cloud aggregation warehouse that is run by the Cybersecurity and Infrastructure Security Agency.
Integration of SASE and SaaS
For many agencies, implementing SASE is a key piece to their zero trust strategy.
Gartner said it expects SASE to provide the necessary agility to deal with new and emerging cyber threats as well as help organizations maintain a standardized set of policies throughout their network environments.
“Zero-trust network access is likely to be a major feature in a SASE deployment. Its use reduces your cloud’s attack footprint. We predict SASE will improve enterprise application availability,” Gartner stated.
LeRiche said that by using a SASE framework, agencies can get the best of all security worlds.
“Doing things like device posture checking and stitching that user identity to that new session now that I’m not working from home or in the office, you still want to tie that user to that IP and that asset. That’s one thing that we can really do from a security perspective,” he said. “From a user experience perspective, SASE really brings that data plane and middle mile optimization, everything that we’ve done on the back end, and all the billions that have been spent on that cloud delivered architecture, it benefits the user. That’s really the most important thing, I think, when we talk to government customers. Security is important, but user experience is very important too. If it’s not beneficial to the user, they’re not going to use it and they’re going to find ways to get around it.”
Start small, iterate, expand
One of the big benefits of using the SASE framework, LeRiche said, is that it is tunable to meet users’ needs based on the use case.
He said SASE can help eliminate latency that can come with VPN or other split-tunneling architectures.
“In the sense, we can set it up to say, as soon as that device is booted up, the device is connected into the SASE service. Even before that user puts their common access card (CAC) or personal identification verification (PIV) card, and we can actually do some pre-logon work to make sure the device is up to snuff with its security posture with things like patches, maybe make sure the antivirus is turned on and up to date,” he said. “Once we do that, and the user pops in their CAC card, they get their two-factor authentication, and it doesn’t matter if they’re going to the cloud or going to a private app that is backhauled into the data center, or chatting with a colleague or connecting to the internet, they get that seamless user experience with that one device, one load and don’t have to click into different clients.”
LeRiche said clients usually start small with maybe 50 or 100 users, see how it works and then expand based on their experiences.
“The idea in the end is it’s just another consumption model for all the security pieces that we bring for zero trust,” he said. “Once we get past that initial stage, it’s very easy because it is all just software licenses now. You already have the infrastructure built, whether it was for 100 users, 500 or 5,000 users. Once we do that, then it’s just a matter of turning that dial up.”
Additionally, because SASE is software-based, LeRiche said, it helps future-proof network and technology infrastructure against future cyber threats or capabilities.
He said as artificial intelligence, machine learning and other security tools become available, agencies can more easily implement them through the software-defined network approach that SASE runs on.