Join Jason Pufahl, Steve Maresca, and Matt Fusaro on this episode of CyberSound, as they discuss what is SASE and if it’s important for all organizations to consider. Listen to get tips on how companies can ensure they have secure networks, regardless of the location of their staff.
Secure Access Service Edge
[00:00:01.210] – Speaker 1
This is CyberSound, your simplified and fundamentals-focused source for all things cyber security with your hosts Jason Pufahl and Steven Maresca.
[00:00:12.350] – Jason Pufahl
Welcome to CyberSound. I’m your host Jason Pufahl, joined by Steve Maresca and Matt Fusaro as always. Hey guys.
[00:00:19.490] – Matt Fusaro
How are you?
[00:00:20.130] – Steve Maresca
[00:00:20.850] – Jason Pufahl
So today we get to talk about the Secure Access Service Edge, which is pronounced maybe SASE, SASE, or S-A-S-E. I don’t know if we’re 100% sure what everybody’s referring to this as. But Matt, you’re the sassiest person here.
[00:00:40.080] – Matt Fusaro
Well, maybe on the podcast, but not in this company. That’s for sure.
[00:00:43.970] – Jason Pufahl
On the podcast, that’s fair though, I think. Give us a sense of what this is.
[00:00:48.500] – Matt Fusaro
Sure. So most people are calling it SASE at this point. Like Jason said, the acronym S-A-S-E, Secure Access Service Edge. What the heck does that mean? All right. So I’d say this is probably just yet another marketing effort to start vendor lock-in. What do you think, Steve?
[00:01:13.370] – Steve Maresca
I think it’s a usual Gartner and research org way of compartmentalizing the market into areas that make sense. That’s what this is ultimately. It’s, as you might expect from orgs like that, about technologies you probably already know, that you’ve heard in passing if not used; it’s not unfamiliar. We’re talking about stuff like Zero Trust, Cloud Access Security Brokers, CASBs, [crosstalk 00:01:39] things of that variety.
[00:01:43.020] – Jason Pufahl
My main question initially is, because I think people probably are somewhat familiar with Zero Trust, is it just another name for Zero Trust or is there a fundamental difference to it?
[00:01:51.700] – Matt Fusaro
So there’s some big differences to it. Like Steven alluded to, Gartner is the one that came up with SASE and the whole space, and they define what a SASE solution is. Isn’t that interesting? To be a SASE solution, you need to be totally cloud based. There might be some site presence of what you would typically consider a firewall, but in this case, it’s really just a box that links you up to a provider.
[00:02:21.410] – Matt Fusaro
The provider could be quite a few from different people. Your Palo Altos of the world, Fortinet, Cato is a huge one. Basically what they want to do is they want to take your traffic from your site, or from your home, and apply policy to it. That’s really the beginning and end of what that is if we want to push it down to a sense.
[00:02:46.670] – Jason Pufahl
To boil it down then, is it really this fundamental thing in technology to help protect a more remote workforce? Is that the intent here?
[00:02:55.130] – Steve Maresca
I think it’s an offshoot.
[00:02:57.460] – Jason Pufahl
[00:02:57.460] – Steve Maresca
But also not just remote workforce, infrastructure that’s distributed. It’s not necessarily on-premises, it’s SASE this, SASE that. Maybe some cloud providers mixed in. Federated identities across multiple different platforms and across network boundaries. That’s a really key component of all of this.
[00:03:18.730] – Matt Fusaro
The network boundaries are the real issue most of the time. Your firewall sits in one place; your applications, your people, they don’t anymore. The big challenge is we’ve got people all over the place, branch offices, we need to apply policy. We don’t want to do it 11 times.
[00:03:36.450] – Matt Fusaro
We want to do it once and be able to have it apply to whoever is using it, wherever they are. So we want to make those rules and apply them, and distribute it globally.
[00:03:50.270] – Matt Fusaro
One of the things that makes this really challenging is a lot of people are still in the managed Internet space. This would be something that you’d have to watch out for if you are going to go down this path. If you’re dealing with AT&T or something like that, and you’ve managed MPLS, or any type of router at your edge where you don’t manage it, it will be difficult for you to roll into something like this. But the whole goal here really is that single pane to manage policy.
[00:04:20.910] – Jason Pufahl
So maybe not perfect for the small business relying on a Comcast, or a Spectrum, or something like that.
[00:04:27.920] – Matt Fusaro
The small business, I think you’re still going to get approached for these things. They’re really trying to grab market share with this full suite of solutions here. They want to own your VPN, they want to own your user traffic wherever they are. It behooves them to go out to even small businesses and say, hey, you could send all your traffic to us and either we’ll fully manage it or you’ve got one place to manage all of it. It may not make sense though.
[00:04:53.530] – Steve Maresca
Examples of smaller businesses that might still play in this space are those with multiple offices, no real central headquarters per se, but broadly shared infrastructure. So you have a medical practice, you have 5-10 regional offices, and you tend to use the same applications, you use SD-WAN or something like that. Those are the related technologies that might be appropriate and facilitate the broader SASE sphere. It still hurts to say.
[00:05:19.790] – Jason Pufahl
Yeah, it’s a tough acronym, there’s no doubt. Zero Trust rolls off the tongue a little bit better.
[00:05:26.790] – Matt Fusaro
Zero Trust is built into the SASE. That’s a required component, if you ask Gartner: Zero Trust has to be built into the solution. And the other thing too is they want it to be part of a total package. That’s where I start to disagree with how this is really being sold to you in a marketing sense.
[00:05:47.870] – Jason Pufahl
You’re saying because of the vendor lock-in issue?
[00:05:50.120] – Matt Fusaro
They really do want you to have a complete vendor lock-in or they claim it’s not SASE. There’s a lot of challenges there because now you’re talking about full upgrades sometimes, you’re ripping stuff out that you’ve already put some type of capital expenditure into, such as firewalls, networking equipment.
[00:06:12.930] – Matt Fusaro
Types of firewalls that you put in the cloud, they want you to replace all that with vendor X, their stuff. You can absolutely accomplish all of these things in a roll-your-own type of solution. But again, it’s going to definitely depend on your team’s ability to do that.
[00:06:31.760] – Jason Pufahl
And more management, I’m sure.
[00:06:35.430] – Steve Maresca
Applications at the fringe that are business-critical but maybe older legacy, they fall out of the realm of SASE’s real goals, where they play well. Because maybe they don’t have really well-defined APIs. Maybe they don’t do well with web services.
[00:06:51.800] – Steve Maresca
If they’re like that, or if they require logging in with fat clients to some terminal services system, they’re out of this sphere. They can be made to work. It’s just the cost savings and complexity that are hypothetically being saved, end up being retained ultimately.
[00:07:12.730] – Matt Fusaro
That’s a good point. You’re always going to get sold that this is somehow going to save you money. Maybe; it’s going to depend on your complexity, how big you are, all that stuff. Why is it coming to light now? This type of model has been around for maybe a year and a half or so, the actual time it has been around. Vendors that got on top of it, like the Catos of the world, were pretty quick to put a whole solution together.
[00:07:40.960] – Matt Fusaro
But now we’re starting to see a lot of the firewall vendors come out with their own package to do this. They’re actually pushing people quite a bit into the cloud-managed firewall. So I think you’re going to start getting this pitched to you by either your MSP or when you go out to a vendor to get a firewall, they’re going to say, hey, we have this solution. Now go look at this shiny new thing. And that’s not to say that this model isn’t bad, this is new. I think this is a huge sales effort to put things together that you may have already been using or already exist, and just be aware.
[00:08:18.250] – Steve Maresca
Let’s say that an organization is ripe to move in this direction. There are some predecessor activities that are absolutely required in order to make good use of it. An excellent area of focus in my opinion is sound identity management, because in every aspect of the technologies involved under this umbrella, policies are shifting from network-defined to identity-defined, role-defined.
[00:08:44.060] – Steve Maresca
And if, as an organization, you have 1,000 users and everyone has access to everything, you’re not ready to move towards something of this nature. Maybe in components, but you won’t realize the policy management capabilities until you’ve made some degree of effort to constrain scope from role-based security.
[00:09:00.150] – Matt Fusaro
[00:09:02.360] – Jason Pufahl
What jumps out to me, and we talk about this all the time, which is making a fairly large security spend on maybe a technology that you’re not ready for. The more I listen, the more it occurs to me that maybe larger companies that already have a pretty well-defined security program, a lot of the technical controls in place, might be, would you say you’re right for this?
[00:09:27.970] – Jason Pufahl
But I feel like the majority of people that we speak with probably have other issues. Your identity statement is really what made me think of this. This place is where you’re spending time to improve: understanding what your user population is, how that population is managed, role-based access to certain data. Those are really relevant activities that probably are more important than trying to roll something like this out. But I’m interested in your thoughts if you think that’s a reasonable statement.
[00:09:52.670] – Matt Fusaro
I think it’s going to depend on, again I’m going to go back to complexity on this one. If you’re not a complex organization, you could actually find some benefit out of doing this. Simplifying that last piece of networking and security together, that’s attractive. But if you’ve got a lot of custom applications or you can’t really move between the cloud, or your users being out of your building isn’t feasible for what you do, if you’re manufacturing, maybe this doesn’t work for you.
[00:10:24.490] – Steve Maresca
I’d say that the other side of the coin would be areas where it does make sense. If an organization has a lot of cloud services, they have a significant investment in Azure or AWS or Google Cloud, or all three. Frankly, dipping into the pond with firewall as a service, with other technologies of that sort, they’re appropriate. Because you’re able to protect those resources in a dynamic way that may be in fact in concert with identities that are in Azure AD, for example.
[00:10:57.080] – Steve Maresca
It might mean that you still have a boatload of work on-prem, but you can make the beginnings of a migration and then, as technology permits, as your hardware-software cycles make it reasonable, then make some later shifts in a couple of years.
[00:11:14.720] – Matt Fusaro
That’s a good point too. The progression here doesn’t have to necessarily be all or nothing. They’re going to push you to do that because that’s the solution. A lot of these people that you talk to when you’re evaluating something like this, they’re told to push the solution. Remember that you can start to roll services into it. It doesn’t have to be an all-or-nothing thing.
[00:11:40.610] – Jason Pufahl
Simple enough. This is pretty atypical for us because it’s very technology-specific today. Anything that you haven’t covered that maybe you want to touch on here regarding this? Any vendors who really stand out in the space? You named I think three at least, Palo, Fortinet, Cato being ones that jumped out.
[00:12:03.420] – Matt Fusaro
Those are the ones I’m most familiar with at this point. I don’t personally have experience with either in this particular product space. We’ve used different things from each of them. This particular product, I haven’t.
[00:12:19.730] – Steve Maresca
I mean, I would say the main takeaway in my opinion is that, recognize that it’s out there. That it’s a technology suite or a vendor capability you should pay attention to, at least for planning new architectures, for making shifts. If you’re making contractions across offices, maybe that’s the thing that you might need at the moment to make better use of more limited resources.
[00:12:45.620] – Steve Maresca
Take a look at the Gartner Quadrant. They invented it, they’re worth following. They define vendors that have those capabilities. But everyone outside of that top right quadrant of their representation, maybe they’re still worth playing. You have investments in those other fringe vendors, they probably are trying to compete. Therefore, there are middle ground technologies that might make sense to deploy.
[00:13:12.180] – Jason Pufahl
Maybe my final question is, and you had alluded to this, Matt, a little bit, which is, often this is looked at as a wholesale replacement of a lot of your networking equipment. Is there interoperability between vendors, or do you really need to have a standardized product set from a specific vendor?
[00:13:31.050] – Matt Fusaro
Most of the time there isn’t much interoperability.
[00:13:35.450] – Jason Pufahl
So it’s not standards-based, necessarily?
[00:13:38.810] – Matt Fusaro
Yes and no. If you wanted to apply policy to everything, you’re going to have a really hard time, unless you build something custom on top of that. Or if you find another party that says, hey, we may not be classified as a SASE solution, but we can manage all these things and centralize your policy. I can’t think of one off the top of my head.
[00:14:02.770] – Matt Fusaro
The challenge you’re going to have is being able to pass those identities between a firewall, or a VPN connection, and an application. They all have to talk to each other. That’s what this solution promises, is that you can do all of that, apply the policy once. And then based on those policies, the user can move around wherever that gets applied. You’re not worried about where the links are anymore. The services being used, is it being used in this fashion by this user? Okay, it’s either allowed or not.
[00:14:35.500] – Jason Pufahl
Okay. The key takeaway here probably is though, the way we work is changing. Our applications are in different locations, our infrastructure is in a variety of locations, we need to figure out how to secure this. This is one alternative, one option right now that people have. It certainly sounds like you’re both recommending at least people familiarize themselves with this and understand what the capabilities are, make some decisions about whether it’s right for them and frankly, when it might be right for them.
[00:15:05.060] – Matt Fusaro
And make sure you’re walking into it with a good understanding of your own network. You’re going to have to understand your identity system and your applications in order to even consider something like this. So if you’re not even prepared to do that, then SASE is not for you. Not yet, at least. That’ll prioritize some things for you, yeah.
[00:15:21.200] – Jason Pufahl
Fair enough. Well, I appreciate you guys chatting about this. Candidly, I’ve learned something about it here which is great. As always, if anybody wants to continue the conversation, feel free to reach out to us @Vancord LinkedIn, VancordSecurity at Twitter. We’re happy to have a conversation. We’re happy to direct you to folks who are real experts in this space if you feel like that’s an appropriate direction for you. And as always, we hope you got some value out of this podcast, and thanks for listening.
[00:15:51.530] – Speaker 1
Stay vigilant. Stay resilient. This has been CyberSound.