Four Essential SASE Security Must-haves for CISOs

By Nirav Shah | April 23, 2021

As cybersecurity innovation has progressed, organizations have invested in multi-edge networking strategies to not only enable their work-from-home employees, but also support workers as they become increasingly dependent on cloud applications and environments to do their jobs. But as these networks expand, the attack surface also increases. Legacy security solutions are unable to keep pace with cloud-based networking innovations and struggle to protect the growing areas of the network dependent on this expanding cloud edge. This has resulted in a growing gap between network functionality and security coverage, exposing organizations to more points of compromise. 

What Is Secure Access Service Edge (SASE) Security?

Secure access service edge (SASE) security enables organizations to converge and scale their security and networking strategies, and securely deliver new network edges that will meet the demands of a distributed hybrid workforce. To succeed in today’s digital marketplace, supporting this new distributed and performance-heavy approach is fundamental to an organization’s strategy. Selecting the right SASE vendor to partner with can mean the difference between operational success and struggling to keep all of the essential elements working together.

In theory, all SASE solutions would provide secure access to the cloud for users anywhere. However, not all SASE solutions are equal in scalability, security, and orchestration—which translates to increased overhead in implemented technologies and the IT staff needed to establish an integrated system.

Top Four Security Requirements of a SASE Solution

To avoid these and similar challenges, organizations should insist on these four security requirements before adopting any SASE solution:

  • SASE security must function as part of an integrated security platform

SASE solutions are designed to deliver secure, cloud-based connectivity, but very few enterprise networks are cloud exclusive. While more than 93% of enterprises have a multi-cloud strategy, the vast majority also still have physical networks and are likely to keep them well into the future. Protection of the data center and other on-premises resources is needed, as are deployment policies and orchestration of a unified security strategy that uses the same security products and services applied elsewhere, including those that come with SASE. As a result, most SASE-only vendors have limited abilities when addressing security issues holistically, as they only solve for cloud access security. Organizations must prioritize SASE services that are integrated with, or can be deployed as a seamless extension of, the extended network, including wide-area network (WAN) security. The resulting unified security framework will lower total cost of ownership (TCO) and improve the net utility of SASE.

  • SASE security must feature enterprise-grade security

Effective functionality and performance of its security elements are a must when assessing any SASE service. The right SASE selection can provide the needed security at scale to meet your enterprise demand. Consider what the SASE solution can offer your enterprise: whether its Firewall-as-a-Service (FWaaS) solution can support both stateful and proxy protocols or SSL inspection at application speeds, and whether it provides a full suite of tested and validated solutions rather than forcing customers to settle for off-brand technologies. Considering these capabilities and offerings will help assure that your SASE selection is the right one.

A truly secure SASE solution should include the following stack of security capabilities and tools:

  • Firewall-as-a-Service (FWaaS). Any SASE solution should include a next-generation firewall (NGFW) that:
    • Delivers high-performance secure sockets layer (SSL) inspection and advanced threat detection techniques via the cloud
    • Establishes and maintains secure connections for distributed users
    • Analyzes inbound and outbound traffic without impact on user experience
  • Domain Name System (DNS). DNS identifies and isolates malicious domains to prevent malicious threats from entering the network.
  • Intrusion Prevention System (IPS). IPS should be used to actively monitor the network, looking for malicious activities attempting to exploit known vulnerabilities.
  • Data Loss Prevention (DLP). DLP functionality is needed to prevent end-users from moving key information outside the network to ensure that the network and data are both secure.
  • Secure Web Gateway (SWG). An SWG solution secures web access against both internal and external risks. It also needs to be able to automatically block threats, even those embedded in encrypted traffic—including TLS 1.3—with high-performance SSL inspection.
  • Zero-Trust Network Access (ZTNA) and Virtual Private Network (VPN). Enterprise-grade security should be added on top of VPN and extend ZTNA to remote users. This allows the SASE solution to inherently integrate with preexisting VPN solutions and extend zero-trust application access to remote off-network users.
  • Sandboxing. Whether sandboxing is executed in the cloud or on an appliance, it provides crucial protection, especially against previously unknown threats.
 
  • SASE security should leverage third-party validated research and services

In addition to a unified security framework, a SASE service needs to be fueled by the most current and advanced threat research. Any SASE vendor being considered should have a track record of advanced security research and innovation, not just networking experience. This helps ensure that not only is the security being deployed and consumed through their SASE solution world-class but that it is also being continuously updated to counter the latest threat techniques and technologies.

From threat intelligence to protection, SASE security vendors that offer Technology-as-a-Service (TaaS) naturally need to provide reliable solution maintenance and upgrades for their SASE services and capabilities. In addition, any serious TaaS offering also needs to include advanced threat detection against both known and zero-day threats. An organization embarking on its SASE journey should verify that potential vendors are invested in threat research and the continuous improvement of their SASE security offering.

  • SASE security should be a part of a holistic security strategy

Every SASE solution relies on security to be a foundational, fundamental function that incorporates elements that can operate as an enterprise-grade solution. Things like third-party testing and validation, and a history of delivering world-class security solutions, are ways to guarantee those results. Elements that can interoperate as part of a seamlessly integrated security strategy are essential, both as part of a unified SASE solution and as part of a single, holistic security fabric designed to span the entire distributed network.

Learn more about how SASE is the future of security and networking. With SD-WAN, ZTNA, CASB, and NGFW, the Fortinet platform provides complete readiness for embracing SASE.