Dark Reading is part of the Informa Tech Division of Informa PLC

Security's Inevitable Shift to the Edge

As the edge becomes the place for DDoS mitigation, Web app security, and other controls, SASE is the management platform to handle them all.

In 2019, Gartner released a paper defining the Secure Access Service Edge (SASE) as the framework that most enterprises will implement. SASE offers an elegant solution to many challenges faced by CISOs today, including maintaining security posture during rapid digital transformations, adapting to shifts in the locations of workers, migrating toward a zero-trust architecture, and protecting the business while more processes shift into DevSecOps.

Long before the term SASE was coined, security controls began to shift to perform inspection closer to end users. More than a decade ago, we witnessed the migration of security for customer-facing apps out of the enterprise data center to the edge to move security inspection closer to users, rather than forcing traffic to travel to the fixed location where security appliances were deployed. Today the edge is the predominant location for distributed denial-of-service (DDoS) mitigation, Web application security, and related controls for public-facing applications. This migration offers lessons as organizations now shift workforce security to the edge.

SASE architecture and the shifts it forecasts make perfect sense as we now see similar trends, such as the migration of applications away from the corporate data center and the migration of users away from the corporate office, taking place in workforce application consumption patterns. These forces mirror those that moved Web-focused security inspection away from hardware appliances or bolt-ons to load balancers in the corporate data center, and they are driving a transition to the same point in modern security architecture: the edge.

Migration of Applications
Many security architects are initially attracted to the SASE model as it helps them apply security controls at the optimal location in their rapidly changing architecture. That optimal location is the edge of the Internet, which will be close to any infrastructure-as-a-service (IaaS) or co-location facility that the business uses today or in the future. The edge deployment model provides agility for hybrid multicloud organizations and is well suited to changes to IaaS vendor or new locations from mergers and acquisitions.

The flexibility of deploying security inspection at the edge means that, regardless of shifts in the location of compute, security inspection can be performed at a local edge node. This provides for optimized routing of traffic and avoids what Gartner describes as the unnecessary "tromboning of traffic to inspection engines entombed in enterprise data centers." Furthermore, since multicloud is the predominant architecture, deploying security at a homogeneous edge makes more sense than trying to engineer consistent controls using heterogeneous capabilities available at various cloud security providers (CSPs).

Another driver for SASE is the migration of users outside of the traditional corporate offices. There has been a slow trend over recent years to enable remote workers, road warriors, and remote contractors. 2020 saw that slow trend move into hyperdrive with near-total abandonment of corporate offices by employees mandated to work at home. This moved employees far from security appliances deployed in the corporate office or enterprise data center; however, regardless of where employees are located, the nearest edge point-of-presence (POP) is never far away. By migrating to the edge, security controls can be efficiently deployed very close to the end user.

What Is the Edge?
With SASE, Gartner introduced the ideal point in an architecture to deploy security inspection via an integrated set of tools. The edge is architected much differently from the cloud, as most CSPs have only a couple of dozen POPs. To lock in the maximum performance, agility, and scalability gains, an edge platform should have hundreds or even thousands of POPs deployed across many geographies and inside many Internet service providers.  

Furthermore, the edge platform should achieve high levels of uptime. The edge represents the exposed attack surface for DDoS; the NIST Zero Trust Architecture guide encourages organizations to evaluate resilience to DDoS as part of their design.  This provides an opportunity to shift to a proactive, robust posture in the face of DDoS, where attacks are not only mitigated but the platform learns from each attack and is better prepared for the next.

An edge platform really should be built with an open architecture permitting configs and dashboards via a portal. Edge platforms should also support DevSecOps workflows by extending bidirectional APIs between the SASE platform and other DevSecOps tools to drive config changes and communicate interesting events to a SIEM or ChatOps tool.

This edge migration has not only provided security benefits but also addressed the network transformations described in SASE. An edge deployment eliminates the traditional tradeoff between security and performance by improving the performance of the application at the same time attacks are repelled. This topology presents the rare scenario in security where you can have your cake and eat it too. Excellent application performance is critical to driving productive use of corporate applications; corporate users not only compare the user experience of enterprise apps to other enterprise apps, but they compare corporate apps to the user experience of browsing a social networking site, a search engine, or a lightning-fast commerce application.

Edge architectures have traditionally been built using proxy-based approaches. This makes them well suited for many of the use cases called out in SASE. Zero-trust network access is often the first workforce component to be addressed on the journey to a SASE architecture. An edge-based, identity-aware proxy is a very efficient way to transition to a zero-trust approach for accessing corporate applications. Additionally, functions like edge-based secure Web gateways benefit from the proxy-based approach seen in edge deployments. Since SASE moves much of the inspection up to the application layer, decryption of TLS will be required. Fortunately, existing edge architectures have a robust key management infrastructure (KMI) that allows for safe decryption and re-encryption of traffic once it has been inspected.

The security industry continues to shift toward edge models, and Gartner's forecasts for SASE adoption will only accelerate this trend. 2020 has presented a number of challenges for IT and security teams, but the technology decisions made by many organizations during these difficult times have resulted in solid progress toward adoption of a SASE model. Those investments will pay dividends for years to come. 

In his 15 years at Akamai, Patrick Sullivan has held a number of leadership positions including leading the Enterprise Security Architect team. Sullivan and his team work with customers when they come under attack and design security architectures to protect them from ...
