Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/31/2021
10:00 AM
Jay Barbour
Jay Barbour
Commentary
50%
50%

3 SASE Misconceptions to Consider

SASE is all the rage, promising things IT leaders have long dreamed about, but a purist approach may create consequences.

Secure Access Service Edge (SASE) has been a hot topic since Gartner defined it as a new category of offerings combining wireless area network (WAN) capabilities with network security functions. Everyone agrees SASE makes sense conceptually, but when it comes to turning idealistic frameworks into realistic IT approaches, misconceptions abound. Here's where SASE principles can be taken too far and where IT buyers may get a bit too starry-eyed. 

Related Content:

SASE 101: Why All the Buzz?

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How to Get Employees to Care About Security

Misconception #1: SASE Mandates Zero Daisy Chains
Gartner's 2019 Hype Cycle for Enterprise Networking included this warning statement about virtual machine service chains (also known as daisy chains) that can sometimes lead people astray:

"Software architecture and implementation matters. Be wary of vendors that propose to deliver services by linking a large number of features via [virtual machine] service chaining, especially when the products come from a number of acquisitions or partnerships. This approach may speed time to market but will result in inconsistent services, poor manageability, and high latency."

Solution architecture is important, and yes, you want to minimize the number of daisy chains to reduce complexity. However, it doesn't mean you cannot have any daisy chains in your solution. In fact, dictating zero daisy chains can have consequences — not for performance, but for security. 

SASE consolidates a wide array of security technologies into one service, yet each of those technologies is a standalone segment today — with its own industry leaders and laggards. Any buyer who dictates "no daisy chains" is trusting that one single SASE provider can (all by itself) build the best technologies across a constellation of capabilities that is only growing larger. Being beholden to one company is not pragmatic given that the occasional daisy chain greatly increases the ability to unite best-of-breed technologies under one service provider's umbrella. Here are a few more reasons why daisy chains are needed: 

  • No single vendor, particularly a startup, can effectively deliver on all areas of SASE security with a level of product maturity, mastery, and best practices that businesses need and expect in today's landscape of relentless attackers. SASE capabilities should be proven on the harsh cyber battlefield, and most startups don't survive.

  • Any incremental complexity stemming from a strategically placed daisy chain or two should be managed by the provider and should not impact the customer. If a SASE platform performs above expectations, then why should the number of daisy chains matter?

  • "No daisy chains" implies technology acquisitions and large market consolidation, meaning a small number of very large SASE providers may have too much market power, stifling innovation and raising prices. That's not always good for IT buyers.

Misconception #2: You Must Take an All-Cloud Approach With SASE
SASE revolves around the cloud and is undoubtedly about speed and agility achieved through cloud-deployed security. But SASE doesn't mean the cloud is the only way to go and you should ignore everything else. Instead, IT leaders must take a more practical position, using the best technology given the situation and problem. For example, on-premises next-gen firewall appliances are usually still the best option for large offices where performance and total cost of ownership are the key goals. If your SASE approach is cloud-first but not cloud-only, make sure your solution follows suit. 

Credit: momius via Adobe Stock
Credit: momius via Adobe Stock

Misconception #3: SASE Will Solve All Your Security Problems
Don't assume SASE is a total solution. SASE covers a lot of ground, but it does not cover all the technologies a company needs to secure a remote-work and multicloud environment. For example, cloud workload protection (CWP) and endpoint detection and response (EDR) are critical in securing user and cloud computing environments but are not part of the SASE framework. Although EDR is a primary technology for addressing ransomware, a skyrocketing threat vector, it is excluded from SASE because it does not require network traffic inspection to function. Rather, it's an agent-based solution that monitors operating system activity and integrity.

Moreover, SASE addresses only the technology components of an effective security program, leaving out the experts required for 24/7 security monitoring and mature incident response. Without a dedicated team of security analysts, security technologies are ineffective — whether they are included in SASE or not. Professional skills are necessary to investigate threats and stop them before major damage is done.

Purity vs. Pragmatism
SASE is all the rage, promising the ideologies that IT leaders have dreamed about for years, but taking a purist approach may have consequences. Hardline expectations around daisy chains and the cloud should be softened in favor of maximizing security excellence and business outcomes. Likewise, SASE solutions need to be compared against the broader security and network strategy, seeing where it adds value and where it may still fall short. By taking a pragmatic approach, companies can make ideologies tangible, achieving agility and productivity with ready-made security.

Jay brings more than 20 years of security experience to Masergy as Director of Security Product Management. He is responsible for the product vision of Masergy's managed security services and leads the product team on execution. Previously, Jay was Director of Security ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
Edge-DRsplash-10-edge-articles
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23394
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
CVE-2021-34682
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
CVE-2021-31811
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31812
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-32552
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.