
How to Navigate the Limitations of Secure Access Service Edge (SASE) and Secure Service Edge (SSE)

Image Credit: Gera8th/BigStockPhoto.com

Pandemic-induced hybrid workplaces have forced companies to accelerate the digital transformations they had planned. This “new normal” is challenging the status quo of rigid IT practices and the underlying infrastructure because these hybrid workforces are increasingly distributed across a mix of home, office and mobile locations. Concurrently, applications are shifting to the cloud, accessed by mobile phone and other connected devices. This is forcing enterprise companies to evaluate solutions that can accommodate cloud application performance, pervasive security, network connection and ease of use. But managing and deploying on this laundry list of needs becomes even more difficult when one acknowledges IT departments are under-staffed and under-skilled, using limited bandwidth just to “keep the lights on” versus fully enabling digital transformation.

Since enterprises can’t fully enable their digital transformation if they’re not secure, I will focus here on security. The hybrid workplace has rapidly changed the security landscape with the introduction of new attack surfaces. Users and applications are no longer within the confined perimeters of the office, company-issued devices or fixed locations, which causes myriad security problems with regard to access control, availability, compliance, authorization, fraud mitigation, and visibility/observability. And because applications are anywhere and users are anywhere, we need a paradigm shift in which security is everywhere and wherever it’s needed.

Secure service edge (SSE) insufficient for today’s hybrid workforce

The main problem with SSE is that it defeats the core premise of the integrated application-centric approach to serve applications anywhere to users anywhere. The cloud-based, work from anywhere model has raced past what was projected as the next big security need from even five years ago.

As it stands, SSE largely ignores or underestimates the complexity of aggregating and managing traffic from multiple sources such as branch offices and remote/mobile users: as traffic patterns change from users anywhere to applications anywhere, packet loss increasingly degrades the user experience of the most commonly used video and voice applications. Additionally, rapidly changing WAN/5G accessibility, which does not guarantee application (and network) performance and availability, remains unaddressed.

A holistic approach to security requires multiple security enforcement points between users and the application. SSE does not solve for the practical security service insertion decisions that a customer needs their network to be architected for. For example, an egress firewall handles user and application access control, while certain types of traffic, such as http/https, are then forwarded to secure web gateways, with another gateway for domain name system (DNS)/email and so on. Then comes content filtering for data loss prevention (DLP), which needs to be done for all traffic and not just specific protocols. This decision-making and network architecture, built from fragmented solutions and paired with a lack of skilled resources, puts a tremendous burden on IT that often leads to misconfiguration and exposures.

What’s more, SSE does not account for the unique application security needs of software-as-a-service (SaaS) vs. infrastructure-as-a-service (IaaS) or the public cloud. For example, when the traffic goes to SaaS applications, a cloud access security broker (CASB) is relevant, but when the user is accessing IaaS or a public cloud, the biggest challenge customers have is compliance and data protection. The million-dollar question is: how do you protect the workloads in a public cloud or IaaS if you don’t even know about their existence? Even if you know of their existence, how do you do traffic redirection via SSE and ensure acceptable performance and a good user experience? For instance, workloads in Amazon US-West will be very slow for users coming from EMEA or APAC unless you “replicate” the same workloads regionally inside each Amazon availability zone. This essentially doubles or triples the public cloud cost.

The reality is that SSE stretches the fixed-location-based, network-centric approach of point security solutions to now move the finite capabilities of their box into edge/cloud. It is not the modern application-first thinking today’s hybrid workforce needs, hence it’s really DOA.

SSE further fragments the accountability of ensuring security posture because any traffic that can directly go to the IaaS/public cloud OR on the intranet is a cesspool of attack traffic that does not even traverse the SSE. With these two attack surfaces wide open, what good is the security for a portion of traffic alone?

The fix

Enterprises in the past were conditioned to think in a very network-centric way that assumes a rigid and static, location-based approach with applications and workloads protected inside the confines of their own data center while users were typically in the offices. 

With applications anywhere and users anywhere, the constructs of network-centric thinking of perimeter security have become irrelevant. More and more customers are transitioning from, “How do I solve WAN connectivity?” to asking, “How do I deliver applications securely with best user experience?”

Integrated networking and security with end-to-end (user to application) visibility and control is what is needed.

As customers embark on this journey from being network-centric to application-centric, they need fast and agile network provisioning to meet the speed of business while ensuring security and compliance. Ultimately, what customers seek is end-to-end observability of the entire user experience accessing the business applications.

Following the customer journey of digital transformation absolutely requires integrated networking, security and observability.

SASE was a promise to fulfill that vision by integrating SD-WAN and security. However, it fell short due to the technology dependencies across the organization’s boundaries from practical implementation, and management to end-to-end operationalizing of workflows. For instance, when the connectivity is provisioned by the networking team, does the security team have all necessary controls and audits for compliance? Does the application owner have a sign off from the networking team to confirm the availability as well as the security team? These answers are impossible to get from fragmented technological approaches.

One way to practically solve for the technology fragmentation problem and operationalizing across different organizations is to:

  • Ensure security enforcement closest to the secured asset, aka the distributed data plane. In the case of user-generated traffic for outbound, this could be at the branch customer premise equipment (CPE) or as a client on the remote user laptop. For application inbound traffic, this would mean closer to the datacenter (DC) or x-cloud boundary.
  • Ensure consistent security policies across all the enforcement points, aka the unified control plane. This is particularly important when it involves handling encrypted traffic and sensitive data analysis within to avoid multiple hops and encrypt/decrypt.
  • Ensure role-based access controls and accountability, aka observability. Provide relevant data, alerts and access mechanisms for different teams in the organization to perform their roles for smooth operations and hand offs between the teams.  

When evaluating solutions for the best application performance and security through the lens of not only today’s hybrid workforce but tomorrow’s as well, think about the “life of a packet” all the way from the user to the application. Minimize handoffs across multiple vendor solutions, and reduce the misconfigurations those handoffs introduce from the last mile through the middle mile to the far mile. In the current state of technology, a tightly integrated dual-vendor SASE solution may be a better fit for many enterprises. Make sure the solution you’re evaluating stitches the data plane between networking and security controls, with security where needed. Make sure it supports fully automated onboarding of new sites, users and locations with preconfigured security. And finally, if evaluating a fully managed service, make sure that it supports visibility of ALL sites, CPEs and traffic patterns across all your networks.

Author

Renuka Nadkarni is Chief Product Officer at Aryaka. A security veteran with 20+ years' experience, she was previously CTO, Security at F5 where she drove F5’s foray into the security market. Renuka has a history for successfully building cutting-edge cloud and security products and launching new businesses for industry-leading brands.
