Why Agencies Are Talking About Security at the Edge

Security needs to go where users, data and applications go.

That’s the simple premise behind a new security model called Secure Access Service Edge (SASE). SASE is gaining interest across government because it provides a way to improve both the performance and security of IT services as more and more users, data and applications reside outside the traditional network perimeter.

That shift, largely driven by the adoption of cloud- and mobile-based solutions, is expected to be accelerated by the large-scale move to remote work, in which nearly everyone has been working outside the perimeter.

In remote work, “users and data are not inside the castle anymore, so why is the focus on protecting the physical network?” said Jose Padin, Director of Sales Engineering, U.S. Public Sector, at Zscaler, a provider of cloud security.

Padin and John MacKinnon, Global Telecommunications Partner Development Manager, Worldwide Public Sector, at AWS, spoke at GovLoop’s recent Briefing Center on Transforming Government Security for a Cloud-Smart World.

Here are some takeaways from their conversation.

Why a New Model Is Needed

A traditional castle-and-moat model takes a hub-and-spokes approach to managing remote users and resources, in which the castle is the hub, and remote users and cloud-based data and applications are the spokes.

If a remote user needs to access cloud-based data, the network traffic from one spoke (the remote user) must go back to the hub (the data center), where the security controls reside, and out again to the other spoke (the cloud-based data), and vice versa. As the number of spokes increases, so does the volume of traffic, which translates into a network management headache for the data center and poor performance for end-users.

With SASE, the security controls reside in the cloud in close proximity to the end-users, which means that network traffic can flow from one spoke to another without going back to the hub, cutting down on the volume of traffic and reducing network latency.

The hub-and-spoke approach made sense when users working at the edge had limited compute capacity, but that is no longer the case, said MacKinnon. “If I have greater capacity in my house, why do I have to go back to the data center?” he said.

The SASE-Zero Trust Connection

SASE reflects a larger trend toward focusing on security at the data and application levels. The traditional castle-and-moat model assumes that anyone within the castle is trustworthy and should have access to resources within the castle.

But that has proven to be a faulty assumption: Malicious actors have become proficient at stealing end-users’ network credentials, making it possible to get inside a perimeter and move from one system to another without being detected.

With SASE, no one is given blanket access to resources within the perimeter. If a malicious actor manages to steal someone’s credentials, “the only things that they are going to get access to are the one or two apps [the user has] access to, not the entire network,” MacKinnon said.

Zero trust architecture, which is another hot topic in government, takes a similar approach. To learn more about zero trust architecture, check out the first session of the Briefing Center.

The Future of SASE

At this point, many people in government are still on a learning curve with SASE. A poll taken during the session found that just 8% of respondents said they were “very familiar” with SASE. Another 32% had heard of it but were not super familiar, and 20% said they wanted to learn more. Forty percent said they had never heard of it.

But Padin expects SASE to continue to gain traction for the simple reason that it addresses a pressing need. “We want people to understand that SASE isn’t just a marketing term – it is more of a term to define what is already happening,” he said. “Secure access is happening at the edge, so we need services at the edge.”
