5/31/2021
10:00 AM
Jay Barbour
Commentary

3 SASE Misconceptions to Consider

SASE is all the rage, promising things IT leaders have long dreamed about, but a purist approach may create consequences.

Secure Access Service Edge (SASE) has been a hot topic since Gartner defined it as a new category of offerings combining wide area network (WAN) capabilities with network security functions. Everyone agrees SASE makes sense conceptually, but when it comes to turning idealistic frameworks into realistic IT approaches, misconceptions abound. Here's where SASE principles can be taken too far and where IT buyers may get a bit too starry-eyed.

Misconception #1: SASE Mandates Zero Daisy Chains
Gartner's 2019 Hype Cycle for Enterprise Networking included this warning statement about virtual machine service chains (also known as daisy chains) that can sometimes lead people astray:

"Software architecture and implementation matters. Be wary of vendors that propose to deliver services by linking a large number of features via [virtual machine] service chaining, especially when the products come from a number of acquisitions or partnerships. This approach may speed time to market but will result in inconsistent services, poor manageability, and high latency."

Solution architecture is important, and yes, you want to minimize the number of daisy chains to reduce complexity. However, it doesn't mean you cannot have any daisy chains in your solution. In fact, dictating zero daisy chains can have consequences — not for performance, but for security. 

SASE consolidates a wide array of security technologies into one service, yet each of those technologies is a standalone segment today — with its own industry leaders and laggards. Any buyer who dictates "no daisy chains" is trusting that one single SASE provider can (all by itself) build the best technologies across a constellation of capabilities that is only growing larger. Being beholden to one company is not pragmatic given that the occasional daisy chain greatly increases the ability to unite best-of-breed technologies under one service provider's umbrella. Here are a few more reasons why daisy chains are needed: 

  • No single vendor, particularly a startup, can effectively deliver on all areas of SASE security with a level of product maturity, mastery, and best practices that businesses need and expect in today's landscape of relentless attackers. SASE capabilities should be proven on the harsh cyber battlefield, and most startups don't survive.

  • Any incremental complexity stemming from a strategically placed daisy chain or two should be managed by the provider and should not impact the customer. If a SASE platform performs above expectations, then why should the number of daisy chains matter?

  • "No daisy chains" implies technology acquisitions and large market consolidation, meaning a small number of very large SASE providers may have too much market power, stifling innovation and raising prices. That's not always good for IT buyers.

Misconception #2: You Must Take an All-Cloud Approach With SASE
SASE revolves around the cloud and is undoubtedly about speed and agility achieved through cloud-deployed security. But SASE doesn't mean the cloud is the only way to go and you should ignore everything else. Instead, IT leaders must take a more practical position, using the best technology given the situation and problem. For example, on-premises next-gen firewall appliances are usually still the best option for large offices where performance and total cost of ownership are the key goals. If your SASE approach is cloud-first but not cloud-only, make sure your solution follows suit. 

Credit: momius via Adobe Stock

Misconception #3: SASE Will Solve All Your Security Problems
Don't assume SASE is a total solution. SASE covers a lot of ground, but it does not cover all the technologies a company needs to secure a remote-work and multicloud environment. For example, cloud workload protection (CWP) and endpoint detection and response (EDR) are critical in securing user and cloud computing environments but are not part of the SASE framework. Although EDR is a primary technology for addressing ransomware, a skyrocketing threat vector, it is excluded from SASE because it does not require network traffic inspection to function. Rather, it's an agent-based solution that monitors operating system activity and integrity.

Moreover, SASE addresses only the technology components of an effective security program, leaving out the experts required for 24/7 security monitoring and mature incident response. Without a dedicated team of security analysts, security technologies are ineffective — whether they are included in SASE or not. Professional skills are necessary to investigate threats and stop them before major damage is done.

Purity vs. Pragmatism
SASE is all the rage, promising the ideologies that IT leaders have dreamed about for years, but taking a purist approach may have consequences. Hardline expectations around daisy chains and the cloud should be softened in favor of maximizing security excellence and business outcomes. Likewise, SASE solutions need to be compared against the broader security and network strategy to see where they add value and where they may still fall short. By taking a pragmatic approach, companies can make ideologies tangible, achieving agility and productivity with ready-made security.

Jay brings more than 20 years of security experience to Masergy as Director of Security Product Management. He is responsible for the product vision of Masergy's managed security services and leads the product team on execution. Previously, Jay was Director of Security ...