Network security shifted sharply the moment cloud services began to be widely accepted by organizations. Why this shift happened was understandable: company data was no longer ensconced behind the armored network perimeters.
Michael Ferguson, the Asia Pacific CTO at cloud security experts Netskope, equates the change with our own changing needs. “Historically, when we created computers, we needed to access our incoming applications and our data. And then we had more computers, and we ended up going ‘well, I need to store all that data somewhere.’ So, we created file servers and application servers, that all of those other computers could connect to, to process the data.”
Hence the modern business network was born, which needed its own protective architecture. “And that was great. That’s how businesses operate,” said Ferguson. “We in security went, ‘that’s really important, we need to protect the information, because it’s our data. It’s what makes us competitive against other companies and provides value to our customers.’ So, we provide the security controls, we create the network, we’ve created this armor around these computers.”
But that began to change as more and more devices began to connect to the network from beyond the perimeter, driven by mobile devices and an increasingly distributed workforce. And it really shifted into overdrive during the pandemic, when users were consistently working from remote locations, often with an unsecured personal device.
In a way, the explosion of cloud tools and the coining of Secure Access Service Edge (SASE) by Gartner in 2019 to define cloud-based security architecture, was prescient of the post-pandemic threat landscape that organizations face today. The network security perimeter as it used to be known is evaporating, and more applications and data are being stored or managed off-site, in third-party cloud providers.
“The problem was the things I needed, were now in someone else’s castle. And there were lots of castles,” explained Ferguson, indicating the variety of service providers that organizations now had to rely on to store and manage data and applications. “So what SASE is trying to deliver is the connective tissue between a distributed set of users in and out the network moving around, and that distributed set of applications that are all built differently and have different controls and services.”
SASE brings together networking and security under a cloud-delivered umbrella, protecting the entire ecosystem be it data, users or applications by taking the focus off the traditional network and providing more drilled-down security scrutiny between the endpoint and the app or service.
CTO Ferguson says that Netskope’s advanced SASE platform is a “convergence of the network” because it connects users with the applications and data. It also performs the crucial security role, ensuring that the right users have the right levels of access to the right types of data as and when that clearance is needed – no matter where that data (or users or applications, for that matter) resides.
And that’s not all Netskope’s platform does, from the IT team’s perspective: the advanced SASE will provide data protection, preventing malware threats from coming in. “I’m [also] going to look at behavioral analytics and see what weird things people are doing,” Ferguson added. “And then I’m also connecting my users to my private applications inside the network, when I’m out as well, so removing the need for VPN solutions too.”
The ‘Edge’ in SASE refers to the boundary of the cloud environment that the user is trying to access with proper authentication, regardless of physical location. “When [the user or the device] connects to the internet, it immediately connects to the SASE. And that’s the edge, it’s one access point and then it provides all the security controls and connects me to my applications, or wherever they might be. And those applications, as we say, might be sitting inside of my data center, still.”
Ferguson outlines how in the past, IT practitioners would have to go and purchase individual legacy solutions that would allow visibility and control of a particular type of traffic or session. Be it web proxies, VPN solutions, firewalls for port blocking, or email scanners, IT guys would have to procure it and spend money configuring it. “They would spend time doing policies and reporting on each one. And the problem is they don’t all have the same capabilities, especially when it comes to protecting my data. So, you’d be duplicating policies and still getting gaps because they weren’t all the same. And more importantly, perhaps, none of them were talking to each other.”
In an era where software and tools can come from a smorgasbord of different providers, interoperable visibility is a key tenet of the Netskope SASE architecture. “And that means sending all that traffic, all those different streams of communication – the web proxies, the cloud firewalls, remote browser, […] VPN stuff, proxies – to a single point, giving me centralized inspection and visibility on that traffic.”
Ferguson believes that visibility is the best starting point for an IT specialist to deliver a zero-trust policy framework, because it provides context. “That’s all zero trust is, in every session, every time I go to connect to an application and some data, I want to see whether the data is sensitive or not. I want to know if the user is a valid user. At that point of time, I want to see that the device is patched and up to date and secured with other points and components.”
Such flexibility and adaptability are so suitable not just for managing ever-evolving security concerns, but truly showcases how SASE is the security framework of the future. Its cloud-native architecture scales as per the needs of the users and devices in the organization.
“Whether it’s transportation, energy services, anything Internet of Things, we’re also going through the SASE at some point, so it’s all ever-changing,” Ferguson noted.
Ferguson emphasized how any pure cloud-based operation could benefit from SASE, along with organizations with one or two applications still sitting on the network. “That’s also very advantageous because they want simplification and consistent visibility. They don’t want a VPN solution that splits the traffic into the network, when what they want is to access that old payroll app. And then for the rest of it, it’s out in the cloud. They want simplification.”
Building a SASE security framework on top of legacy security also plays to its strengths, according to Ferguson, as the organization can continue to leverage existing investments but eventually, can start adding on different capabilities in the SASE platform.
“And the great thing with the Netskope tool is [it’s] primarily deployed via a single client that just sends traffic to the Netskope cloud. So, if you’re a customer and you go, ‘I just need to connect to my private applications for now.’ Okay, we’ll do private applications, not sending traffic to the Netskope cloud, and will connect you to your various networks to provide access to those specific applications.”
But as more complex needs arise, such as deploying a web proxy? “All you have to do is now click the button in the cloud, and it starts sending web traffic through to the Netskope cloud or CASB, you want to send code application traffic, just a click of the button to send that traffic through – the client is already installed.”
Ferguson says cloud environments are critical business services for housing data, and that as Netskope CTO he feels responsible if the data is misused or falls into the wrong hands. The business requirement must always come first – ahead of catchy, ever-changing terms like SASE. How would he sum it up? “Fast connectivity, secure connectivity, ubiquitously.”