The Security Service Edge Journey

I cannot remember a time when IT evolved faster than it has over the last few years. There’s no better example than the rapid transformation that’s occurred over the course of the COVID-19 pandemic. Users, devices and data are everywhere, and “work from home” is the new norm. This ubiquity has tremendous benefits to employees and businesses, but it also resurfaced some questions about application security; more specifically, how we can ensure secure apps while leveraging traditional networks that are prone to break, are insecure and expensive to operate and maintain.

The startup world was the first to answer the call with a new model that simplified the delivery of modern applications. Dubbed SD-WAN, it became the hottest infrastructure product on the planet, but it did not address the issue of security. Teams were left with many questions: How do I insert your security stack into SD-WAN? Do I backhaul everything? Do I send traffic back to the data center, leverage a costly on-premises firewall, send it to a regional security stack or use a new technology called firewall-as-a-service?

These unanswered questions led us to secure access service edge (SASE) and the concept of distributing your network and security technology in localized POPs close to the branch or campus sites. Security and network would be cloud-delivered. SASE delivery covered SD-WAN, WAN optimization, QoS and more. At the same time, security included a grab bag of technologies, from zero-trust network access (ZTNA) and cloud access security broker (CASB) to secure web gateway (SWG) and more.  At the time, the concept sounded like it definitively answered the question of how to merge security and networking—until March 2020.

That’s when the pandemic sparked a once-in-a-lifetime workforce evolution. Employees left their desks and moved offices to their bedrooms, kitchen tables and garages. In a matter of days, technology was forced to pivot again as we entered a world of distributed applications and now a distributed workforce. Once again came the pivotal question, how do we deliver applications securely?

With users and applications now being distributed, a new model is required that focuses on the needs of this new distributed workforce, or what we call the hybrid workforce. While most businesses have dispersed workforces, they still struggle to reduce complexity and increase simplicity.

It’s a process that begins with four steps.

First: Embrace the reality that old legacy hardware-based solutions are a dead end. The approach may have worked when your workers were in the office with an on-premise data center. But we now live in a time of distributed applications and workforces where you need to move your networking and security to the cloud, and the services offered need to be delivered like a SaaS service.

Second: We need to simplify the network and focus on ease of access and speed to the internet. One hundred percent of home users’ traffic is destined for the internet. The numbers are similar at the branch or campus location. Don’t install complex solutions that have limited value. Focus on speed and ease of access.

Third: Leverage policy to program the network according to the needs of the business. The industry has spent far too long aligning networking and security with what is required for a business to succeed. It’s time to shift and think about your employees, who focus on getting the job done. They want their applications delivered with minimum hassle. Moving to a policy-based model will result in networking and security delivering a business outcome rather than a business blocker.

Fourth: Here, we address the elephant in the room—zero-trust networking. Based on all the high-profile cyberattacks in the news, you’d think we would be further along in implementing these approaches to security. The problem is, until recently, doing so was difficult. Consider the number of available methods. We have device trust-based ZTNA, sessions-based ZTNA and microsegmentation-based ZTNA, just to name a few. Next is the confusing marketing surrounding ZTNA. Nearly every security vendor is pitching their product as some sort of derivative of ZTNA. All that said, the zero-trust approach is the right choice. Now, businesses should look for solutions that connect users to the application. This is a 1:1 relationship. It should not see the other devices on the network.

So, where does this leave us? The answer is secure service edge (SSE). SSE builds on the zero-trust philosophy of never trust, always verify by moving beyond the concept of branch and campus and addressing the requirements of the modern workforce and what the CIO cares about most—delivering an application to a user on a 1-to-1 basis.

But SSE goes beyond ZTNA by layering on services like CASB, SWG and digital experience. It secures the user, the application, and their internet access by providing telemetry to ensure that IT and security understand how the user and the application are performing. It’s about removing the complexity and applying a modern approach to networking and security.

Where to Start

I recommend starting with what not to do—don’t give contractors or third parties access to applications by putting them on the network. That is a bad idea. With a legacy VPN, they get an IP address and, from there, can go wherever they want, whenever they want. It’s time to replace your legacy enterprise VPN with secure access for third parties that deliver them to the applications, not the network. This significantly reduces your risk as well as the level of complexity.

Next, implement enterprise-wide zero-trust, where you treat all users as if they are in internet cafes and deliver them just applications. This will significantly reduce complexity, the number of hardware assets and your budget while also freeing up resources that can be used for higher-priority projects.

Keep in mind that this is a multi-phased journey that involves not only your technology but people, process and those technology silos we all deal with daily. Because of that, it is going to take time.

To help ensure success, create a tiger team where network, security, operations and end-user compute teams make up the core. I also recommend including application teams as needed. In my experience, you will find that technology is the easy part; people will be the area you need to focus on and, before you know it, the company can fully embrace the new and secure remote world.