The COVID pandemic has transformed every area of life, from how we interact with our friends and family, to where and when we work. While most of us are clamouring to get back to some semblance of normal, there are significant changes that will remain and which require businesses’ attention.
Although we’re unlikely to see the back of offices completely, remote working and a hybrid workplace are set to stay. According to research carried out by S&P Global in June 2020, 80% of companies surveyed had implemented or expanded universal work-from-home policies in response to the crisis, and 67% expect these to remain in place either for the long-term or permanently.
Getting equipment to workers and arranging subscriptions to cloud services like Zoom and Microsoft 365, as well as ensuring everyone could access the elements of the company network they needed, were immediate concerns as lockdowns were imposed across the UK. Now, though, thoughts are turning to how to manage this dispersed workforce long-term. In particular, how can organisations enable their employees to work remotely while ensuring security is applied.
Perimeter-less architecture
One answer to this is Secure Access Service Edge (SASE).
Coined by Gartner analysts Neil MacDonald and Joe Skorupa in the company’s 2019 Enterprise Networking Hype Cycle, and published July that year, SASE brings together network security functions, including secure web gateways, SD-WAN, anti-malware, DLP and VPN – and delivers it via the cloud ‘at the edge’.
The concept acknowledges that it is no longer practical to build a secure perimeter to serve as an enterprise security programme. Over this last year, the workforce was predominantly outside of that perimeter, but even before that happened there was a hazy border line. Strategic technology architecture decisions have weakened the idea of the perimeter as cloud services have moved data out of the secure enterprise-owned data centre, and business models – a growth of collaboration and shared IT repositories between organisations – have meant that defensive walls were often deliberately penetrated.
Neil Thacker, EMEA CISO at Netskope explains, “SASE focuses on inverting the traditional model. Instead of defending a perimeter with a data centre at its heart, the SASE model is focused on a dispersed, data-centric approach. The architecture, being microservices driven, requires the use of context awareness to navigate a complex landscape where the workforce uses hundreds, if not thousands, of cloud apps, with many individual apps breaking into many personal, corporate or third-party instances. SASE is, fundamentally, cloud native and context driven.”
Revolution, not evolution
Often, new advances in business technology are described as an evolution rather than a revolution. SASE is the opposite: It’s transformational at an architectural level and while its roots are in technologies such as cloud, it’s not just a continuation of the same technology.
To be truly successful, SASE needs to be built from the ground up, rather than trying to retrofit it to existing products to a new model. For example, an existing network security product will likely struggle with the core ‘identity-driven’ zero trust tenet that underpins SASE. Zero trust requires that every enterprise resource – be that a person, an application, a device or a service – is a variable component and that no access or allowances are granted unless specifically approved for the exact situation. For cloud services, these variable components need to be more granular than ‘Bob from accounts + Google Drive = yes’. Zero trust requires that the network security can identify Bob’s personal and corporate Drive instances as separate, and SASE also demands an understanding of whether the document Bob is trying to upload contains customer data, employee data or intellectual property and so on.
Netskope’s Thacker sees this as a core reason why there is no other effective way to secure data than within the cloud. “Enterprise data lives within the cloud,” he says. “It is stored, shared and used without ever being visible to legacy security controls. The idea that security would sit on an on-premises appliance and require traffic and data flow to be redirected... it’s completely illogical and causes friction.”
Once it is agreed that security needs to live in the cloud, it is also important to think about what kind of cloud is being used. “For most applications, latency matters,” said Gartner’s MacDonald in a Netskope video, “So, some of the emerging SASE vendors, they’re going to use public cloud infrastructure as a service, which is great for backbone capacity, but there’s latency to and from these public clouds. Now, in contrast, other SASE vendors are investing in worldwide points of presence and peering relationships.”
According to MacDonald, the reason for this is to bring the security functionality of SASE – secure web gateways, anti-malware, data loss prevention and so on – as close to the user as possible. This means there’s no degradation of experience caused by latency, resulting in a smoother and more transparent user experience.
Netskope is a SASE vendor that has done just this, building a highly connected network for cloud-native data security. Thacker explains what this means in practice: “Our NewEdge network was purpose built to ensure that organisations no longer have to make the traditional trade off between security and performance. Every data centre in our network has direct peering links to the cloud services customers use most (such as Microsoft 365, Google Workspace, Salesforce, Box and many others), and this has a dramatic impact on the performance of traffic. In fact, customers find that adding security – using the NewEdge network – improves user experience and performance times.”
A blueprint for the future
SASE was already causing a stir in 2019, but in many ways it’s even more vital now. Whereas in the past, organisations may have had a few people who worked remotely all the time or were often travelling, for many that’s been the reality of day-to-day operations for the past year and will continue to be for much of 2021. Even if organisations decide to return to being an office-based business once the pandemic is over, many workers will want flexibility to work remotely at least some of the time. More traditional forms of effective remote working – such as “road warrior” sales teams – will also make a comeback, and eventually even business travel will return.
“The pandemic has provided a catalyst for urgency, but even if the world’s workforce had not been forced to become remote workers in the last year, SASE would be making headway into organisations,” says Thacker. “The old model of security puts a ‘data centre’ at the hub of network architectures, and organises around the concept of a secure perimeter. But even before employees all moved outside of that perimeter, the applications that they were using had migrated into the cloud, and it’s simply nonsensical – not to mention costly – to hairpin these workflows into a largely redundant data centre just to perform security functions which we know to be too basic, non-contextual and lacking in the granularity required in a cloud environment.”
Whatever the exact nature of our future working models, remote working and the cloud will be fundamental to the way businesses are run – and our security systems need to reflect this. IT and Security teams should look for vendors that adhere to Gartner’s original definition of SASE to be certain the services and products they invest in are suitable for our changing future.
