By: Mike Spanbauer, Field CTO, Security at Juniper Networks
The future of network security has a new shiny architecture to meet organizational needs with Secure Access Service Edge (SASE). Still, most network administrators are either not ready or not able to decommission their existing on-premises security solutions. Organizations are much more likely to need to support hybrid environments that combine on-premises capabilities and service-based offerings for the foreseeable future.
First, SASE is not a product but an architecture. You cannot just buy one off the shelf and plug it in. The fact is that most network decision-makers need to determine how to best leverage SASE to support the business. It is critical to engage with the ops team, as they are the most crucial stakeholder in this process, to ensure the network experience continuity is preserved. After all, this team must deploy and maintain both existing and new technologies to deliver business continuity to users and customers alike.
The benefits of cloud-based security delivered as-a-service are particularly dramatic for the experience of ops teams. These include:
- Unbroken visibility: With SASE, ops teams must have complete visibility, policy configuration, administration, and collective threat intelligence all in one place. Managing security from multiple dashboards in order to get a comprehensive view of the network is now a thing of the past. They need to monitor data center and cloud deployments, correct misconfigurations that put the network at risk, detect and react to threats, and handle any other security-related tasks from one console.
- Policy control: Effectively managing network security demands the ability to both tune and control policies at every point of connection. This is equally true in the cloud-delivered security world, making it more critical than ever to ensure consistent security policies across architectures. While SASE solutions stop at the edge, business risk does not, and an inconsistent policy structure can result in potentially catastrophic outcomes.
- Leveraging existing investments: It’s a common perception that SASE means little, if any, of the existing infrastructure will be of use; that it will require a complete rip and replace of that infrastructure; and that the workflow and client onboarding will have to be reworked to deliver the new architecture. It doesn’t have to be that way. With the right solution, it is easy to leverage existing SD-WAN or security investments as you transition to a SASE architecture at a pace that is best for your business, with little or no disruption.
End-user experience
End users want invisible technology. Technology should never impact or inconvenience them. Security requirements and user experience have often been at odds, but that is starting to change. Why? In the past, all network traffic would be routed through specific inspection locations, and this was rarely the most efficient path. As the volume of web traffic and applications grew, it became a bigger and bigger bottleneck. If you worked remotely or were a road warrior, you might be familiar with this painful experience where the slow performance was unbearable. With SASE and Secure Service Edge (SSE), users can connect directly to a network security and control point (regional Point of Presence, or PoP) and eliminate the hairpins back through the data center (which were previously required just to continue to the web). The experience has improved for the entire remote workforce as a result.
This is one of the key benefits of a SASE architecture, as it brings the inspection control closer to the user without any loss of security control or efficacy.
Ensuring success on the SASE journey
As your organization looks at transitioning to a SASE architecture, here are a few considerations that will help map the journey, all while ensuring business continuity with existing controls and processes:
- Visibility and control: With a SASE architecture, it is essential to ensure that your ops team can see everything happening across your network. That requires unbroken visibility between existing controls and the SASE service-based capabilities, so that business and security operations continue without undue burden for the ops team. After all, you can’t protect what you can’t see. Visibility is critical for effective and accurate threat identification, and when you couple it with an intuitive mitigation approach, responding to threats becomes reasonably straightforward.
- Management, management, management: Too many solutions require human intervention or integrations between disparate systems. If you have a different policy structure and syntax for the service vs. the on-premises data center, that will cause issues. It is unwise to hope the analyst team can work at digital speeds and interpret where a threat has traversed two environments with different policy formats. After all, “hope is not a strategy.”
- Plan for tomorrow but remain pragmatic about adoption: It’s unlikely that most organizations will be able to commit all security controls to a cloud-delivered service. This means accommodations and approaches must address on-premises (and in-DC) apps, potential IoT security controls, and any other requirements without requiring ops team heroics to bring them together. Ensure that the policy control and management approach, the tools and visibility, and ultimately the complete environment are viewable and manageable from a single management UI. This journey will take years for most, but it’s well worth it.
SASE answers the question we’ve asked for decades: “How can we improve security overall without introducing more operational complexity?” However, for each organization, the approach will be unique, and the operations team will lead the expedition that helps the organization forge its own path.