Dark Reading is part of the Informa Tech Division of Informa PLC


1/27/2021
10:00 AM

Security's Inevitable Shift to the Edge

As the edge becomes the place for DDoS mitigation, Web app security, and other controls, SASE is the management platform to handle them all.

In 2019, Gartner released a paper defining the Secure Access Service Edge as the framework that most enterprises will implement. SASE offers an elegant solution to many challenges faced by CISOs today, including maintaining security posture during rapid digital transformations, shifts in locations of workers, migrating toward a zero-trust architecture, and protecting the business while more processes shift into DevSecOps.

Long before the term SASE was coined, security controls began to shift to perform inspection closer to end users. More than a decade ago, we witnessed the migration of security for customer-facing apps out of the enterprise data center to the edge to move security inspection closer to users, rather than forcing traffic to travel to the fixed location where security appliances were deployed. Today the edge is the predominant location for distributed denial-of-service (DDoS) mitigation, Web application security, and related controls for public-facing applications. This migration offers lessons as organizations now shift workforce security to the edge.


SASE architecture and the shifts it forecasts make perfect sense, as we now see similar trends taking place in workforce application consumption patterns: the migration of applications away from the corporate data center and the migration of users away from the corporate office. These forces mirror those that moved Web-focused security inspection away from hardware appliances or load-balancer bolt-ons in the corporate data center, and they lead to the same point in modern security architecture: the edge.

Migration of Applications
Many security architects are initially attracted to the SASE model as it helps them apply security controls at the optimal location in their rapidly changing architecture. That optimal location is the edge of the Internet, which will be close to any infrastructure-as-a-service (IaaS) or co-location facility that the business uses today or in the future. The edge deployment model provides agility for hybrid multicloud organizations and is well suited to changes to IaaS vendor or new locations from mergers and acquisitions.

The flexibility of deploying security inspection at the edge means that, regardless of shifts in the location of compute, security inspection can be performed at a local edge node. This provides for optimized routing of traffic and avoids what Gartner describes as the unnecessary "tromboning of traffic to inspection engines entombed in enterprise data centers." Furthermore, since multicloud is the predominant architecture, deploying security at a homogeneous edge makes more sense than trying to engineer consistent controls using heterogeneous capabilities available at various cloud security providers (CSPs).

Another driver for SASE is the migration of users outside of the traditional corporate offices. There has been a slow trend over recent years to enable remote workers, road warriors, as well as remote contractors. 2020 saw that slow trend move into hyperdrive with near total abandonment of corporate offices by employees mandated to work at home. This moved employees far from security appliances deployed in the corporate office or enterprise data center; however, regardless of where employees are located, the nearest edge point-of-presence (POP) is never far away. By migrating to the edge, security controls can be efficiently deployed very close to the end user.

What Is the Edge?
With SASE, Gartner introduced the ideal point in an architecture to deploy security inspection via an integrated set of tools. The edge is architected much differently from the cloud, as most CSPs have only a couple of dozen POPs. To lock in the maximum performance, agility, and scalability gains, an edge platform should have hundreds or even thousands of POPs deployed across many geographies and inside many Internet service providers.  

Furthermore, the edge platform should achieve high levels of uptime. The edge represents the exposed attack surface for DDoS; the NIST Zero Trust Architecture guide encourages organizations to evaluate resilience to DDoS as part of their design.  This provides an opportunity to shift to a proactive, robust posture in the face of DDoS, where attacks are not only mitigated but the platform learns from each attack and is better prepared for the next.

An edge platform really should be built with an open architecture permitting configs and dashboards via a portal. Edge platforms should also support DevSecOps workflows by extending bidirectional APIs between the SASE platform and other DevSecOps tools to drive config changes and communicate interesting events to a SIEM or ChatOps tool.

This edge migration has not only provided security benefits but also addressed the network transformations described in SASE. An edge deployment eliminates the traditional tradeoff between security and performance by improving the performance of the application at the same time attacks are repelled. This topology presents the rare scenario in security where you can have your cake and eat it too. Excellent application performance is critical to driving productive use of corporate applications; corporate users not only compare the user experience of enterprise apps to other enterprise apps, but they compare corporate apps to the user experience of browsing a social networking site, a search engine, or a lightning-fast commerce application.

Edge architectures have traditionally been built using proxy-based approaches. This makes them well suited for many of the use cases called out in SASE. Zero-trust network access is often the first workforce component to be addressed on the journey to a SASE architecture. An edge-based, identity-aware proxy is a very efficient way to transition to a zero-trust approach for accessing corporate applications. Additionally, functions like edge-based secure Web gateways benefit from the proxy-based approach seen in edge deployments. Since SASE moves much of the inspection up to the application layer, decryption of TLS will be required. Fortunately, existing edge architectures have a robust key management infrastructure (KMI) that allows for safe decryption and re-encryption of traffic once it has been inspected.

The security industry continues to shift toward edge models, and Gartner's forecasts for SASE adoption will only accelerate this trend. 2020 has presented a number of challenges for IT and security teams, but the technology decisions made by many organizations during these difficult times have resulted in solid progress toward adoption of a SASE model. Those investments will pay dividends for years to come. 

In his 15 years at Akamai, Patrick Sullivan has held a number of leadership positions including leading the Enterprise Security Architect team. Sullivan and his team work with customers when they come under attack and design security architectures to protect them from ...
 
