Chief Information Security Officers (CISOs) are being encouraged to build a Secure Access Service Edge (SASE) migration plan to create a robust Zero Trust architecture, while also consolidating the security vendor suite. Yet, while the concept of single vendor SASE solutions may appear to meet goals for rationalising security costs and complexity, it creates untenable risks for any organisation operating in a high assurance industry. Paul German, CEO, Certes Networks, explains why a best of breed SASE framework from a single Managed Service Provider is key to de-risking SASE for high assurance companies.
Trusted Framework
Secure Access Service Edge (SASE) is the future, according to market research analysts including Gartner, which predicts that by 2025 at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020. Encompassing multiple security capabilities into a single deliverable, SASE deployments include Software Defined Wide Area Network (SD–WAN) connectivity, Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Firewall-as-a-Service and Secure Web Gateway.
But while vendors are beginning to flood to the market with branded ‘SASE solutions’, there is a degree of confusion about SASE that is adding significant operational risk, especially to organisations in highly regulated industries, where data sensitivity combined with the threat landscape demands a far more robust approach.
One of the touted benefits of the SASE framework is the opportunity to address the challenges created by a patchwork of vendors and policies deployed incrementally, often over many years, in response to evolving security threats. The result has often led to complexity for both users and administrators, with different product lifecycles creating both confusion and potential weakness within the security posture. SASE is viewed as a pragmatic security model that provides an opportunity to rationalise and consolidate vendors to reduce complexity and potentially cut costs.
High Assurance Risk
For smaller organisations and those in un- or lightly regulated industries, single vendor SASE is a viable option. It provides a clear security framework and, with a single contract and single console, an organisation has a complete view of its security posture in one place, most likely for the very first time. For those organisations operating in regulated industries, including government, finance, critical national infrastructure and healthcare, however, single vendor SASE creates an unacceptable risk – and one that no CISO should countenance.
A key point is that no vendor can offer best of breed technology across the entire SASE solution, which means organisations will by default compromise the quality of technology in one or more areas. Far more concerning, though, is the risk created by the single source of all security components: one of the many benefits of SASE is its delivery as a cloud orchestrated service, but if there is any vulnerability within the single SASE product set, it will affect every part of the framework, every part of the infrastructure.
In contrast, a SASE framework built upon individual, best of breed suppliers for each part of the solution increases the end to end quality of the SASE deployment. Furthermore, the inevitable overlap between supplier solutions also further reduces risk by adding redundancy – if one firewall is compromised, for example, another part of the SASE solution will likely include functions that provide some degree of protection to safeguard the enterprise. Critically, by implementing a solution based on multiple vendors, an organisation avoids the risk associated with a single code, minimising the chance of a vulnerability affecting the entire security stack.
SASE without Compromise
SASE is becoming an increasingly important security model for businesses of all sizes, in all industries. But there never has been a security silver bullet. While a single vendor approach creates too much risk for high assurance businesses, the concept of SASE as a framework with all of the key components built in is absolutely the right approach. The goal is to find a solution that integrates best of breed security components from multiple vendors to de-risk the security posture, while also delivering the benefits of a single managed solution, including consolidated security dashboard, from one organisation.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.