Secure Access Service Edge (SASE) solutions close network cybersecurity gaps so enterprises can secure and simplify access to resources that users need at scale from any location. Closing the gaps between network infrastructures and supporting technologies helps streamline trusted real-time user authentication and access, which is essential for growing digital businesses.
Zero Trust Network Access (ZTNA) is core to the SASE framework because it is designed to define a flexible, personalized security perimeter for each individual. It is also needed to achieve real-time integration and more trusted, secure endpoints across an enterprise. Ninety-eight percent of chief information security officers (CISOs) see clear benefits in SASE and are committed to directing future spending towards it, according to Cisco Investments. In fact, 55% of CISOs interviewed by Cisco say they intend to prioritize 25% to 75% of their future IT security budget on SASE. Additionally, 42% of CISOs said that ZTNA is their top spending priority within SASE initiatives. The finding highlights how closing network infrastructure and cybersecurity gaps is essential for enabling digitally-driven revenue growth.
What is SASE?
Gartner defines SASE “as an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic, secure access needs of digital enterprises” that is delivered as a cloud-based service. Esmond Kane, CISO of Steward Health, says to “understand that – at its core – SASE is zero trust. We’re talking about things like identity, authentication, access control, and privilege. Start there and then build-out.”
Gartner’s clients want to define identities as the new security perimeter and need better integration between networks and cybersecurity to achieve that. The SASE framework was created based on the momentum Gartner is seeing in the growing number of client inquiries focused on adapting existing infrastructure to better support digitally-driven ventures. Since publishing the initial research, the percentage of end-user inquiries mentioning SASE grew from 3% to 15% when comparing the same period in 2019 to 2020.
Integrating Network-as-a-Service and Network Security-as-a-Service to create a unified SASE platform delivers real-time data and insights and defines every identity as a new security perimeter. In short, unifying networks and security strengthens a ZTNA approach that has the potential to scale across every customer, employee, supplier, and service touchpoint. The goal is to provide every user and location with secure, low latency access to the web, cloud, and premises-based resources comparable to the corporate headquarters’ experience.
What needs to be on CISO roadmaps in 2022
Enterprise networks and the identities that use them represent the greatest cybersecurity risk to any business. Sixty percent of CISOs believe their networks and the devices on them are the most difficult assets to manage and protect, according to Cisco Investments’ survey. In addition, many CISOs told Cisco that shadow IT isn’t going away, and apps, data, and endpoints are proliferating in response to greater reliance on digital business models.
CISOs are going to need the following on their roadmaps in 2022 to succeed at integrating network infrastructure and cybersecurity, securing every customer identity while enabling real-time integration:
- Implement ZTNA as a core part of the SASE roadmap to replace VPNs first. Starting with replacing VPNs creates scale to secure all users regardless of location. The Cisco Investments survey implies that selecting a vendor with an integrated ZTNA component within its SASE platform is critical to getting the most from a SASE initiative. ZTNA enables organizations to implement a least-privileged access approach that provides real-time security and visibility to every user-device-application interaction, making identity effectively the new perimeter. Ericom’s ZTEdge cloud is the only provider that has done this with a platform designed specifically for mid-tier organizations, replacing VPNs globally. What’s noteworthy about the ZTEdge platform is how it’s been engineered in a single unified cloud-first platform for mid-tier organizations, yet also provides microsegmentation, Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG) with remote browser isolation (RBI), Cloud Firewall, and ML-enabled identity and access management (IAM). Strengthening SASE platforms through acquisition is a dominant strategy industry leaders are pursuing to become competitive more quickly in enterprises. For example, Cisco acquiring Portshift, Palo Alto Networks acquiring CloudGenix, Fortinet acquiring OPAQ, Ivanti acquiring MobileIron and Pulse Secure, Check Point Software Technologies acquiring Odo Security, Zscaler acquiring Edgewise Networks, and Absolute Software acquiring NetMotion. “One of the key trends emerging from the pandemic has been the broad rethinking of how to provide network and security services to distributed workforces,” said Garrett Bekker, Senior Research Analyst, Security at 451 Research in his recent note, Another day, another SASE fueled deal as Absolute picks up NetMotion. Garrett continues, writing “this shift in thinking, in turn, has fueled interest in zero-trust network access (ZTNA) and secure access service edge.”
- Real-time network activity monitoring combined with ZTNA access privileges specified at the role level is essential for a SASE architecture to work. While Gartner lists ZTNA as one of many components in its Network Security-as-a-service, it is a key technology in delivering on the concept of treating every identity as the new security perimeter. ZTNA makes it possible for every device, location, and session to have full access to all application and network resources and for a true zero trust-based approach of granting least-privileged access to work. Vendors claiming to have a true SASE architecture need to have this for the entire strategy to scale. Leaders delivering a true SASE architecture today include Absolute Software, Check Point Software Technologies, Cisco, Ericom, Fortinet, Ivanti, Palo Alto Networks, Zscaler, and others. Ivanti Neurons for Secure Access’ approach is unique in how its cloud-based management technology is designed to provide enterprises with what they need to modernize VPN deployments and converge secure access for private and internet apps. What’s noteworthy about their innovations in cloud management technology is how Ivanti provides a cloud-based single view of all gateways, users, devices, and activities in real-time, helping to alleviate the risk of breaches from stolen identities and internal user actions. The following graphic illustrates the SASE Identity-Centric architecture as defined by Gartner:
- Real-time Asset Management spanning across all endpoints and datacenters. Discovering and identifying network equipment, endpoints, related assets, and associated contracts leads CISOs to rely more on IT asset management systems and platforms to know what’s on their network. Vendors combining bot-based asset discovery with AI and machine learning (ML) algorithms provide stepwise gains in IT asset management accuracy and monitoring. Ivanti’s Neurons for Discovery is an example of how bot-based asset discovery is combined with AI & ML to provide detailed, real-time service maps of network segments or an entire infrastructure. In addition, normalized hardware and software inventory data and software usage information are fed in real time into configuration management and asset management databases. Leaders in this area also include Absolute Software, Atlassian, BMC, Freshworks, ManageEngine, Micro Focus, ServiceNow, and others.
- APIs that enable legacy on-premise, cloud & web-based apps to integrate with SASE. Poorly designed APIs are becoming one of the leading causes of attacks and breaches today as cybercriminals become more sophisticated at identifying security gaps. APIs are the glue that keeps SASE frameworks scaling in many enterprises, however. Each new series of APIs implemented risks becoming a new threat vector for an enterprise. API threat protection technologies, in some cases, can scale across entire enterprises. However, adding API security to a roadmap isn’t enough. CISOs need to define API management and web application firewalls to secure APIs while protecting privileged access credentials and identity infrastructure data. CISOs also need to consider how their teams can identify the threats in hidden APIs and document API use levels and trends. Finally, there needs to be a strong focus on API security testing and a distributed enforcement model to protect APIs across the entire infrastructure.
SASE frameworks will bolster the future of enterprise security
ZTNA is core to the future of enterprise cybersecurity and, given that it needs to interact with other components of the SASE framework to deliver on its promise, it needs to ideally share the same code line across an entire SASE platform. Whether it’s Ericom’s ZTEdge platform designed to meet mid-tier organizations’ specific requirements, or the many mergers, acquisitions, and private equity investments into SASE players aimed at selling SASE into the enterprise, getting ZTNA right has to be the priority. For CISOs, the highest priority must be accelerating ZTNA adoption to reduce dependence on vulnerable VPNs that hackers are targeting. ZTNA immediately boosts protection by securing every identity and endpoint, treating them as a continuously changing security perimeter of any business. SASE is achieving the goal of closing the gaps between network-as-a-service and network security-as-a-service, improving network speed, security and scale. The bottom line is that getting SASE right significantly improves the chance that digital transformation strategies and initiatives will succeed, and getting SASE right starts with getting ZTNA right.