Latest from Network Reliability/Testing & Assurance/Cybersecurity/Safety
The Emperor’s New Clothes
Uncovering SASE, SSE and NaaS Realities
The purpose of this article is to separate the marketing hype of recent network solutions from new approaches that empower enterprises rather than their suppliers.
Let’s begin by applauding Gartner’s attempt to “bang the heads of the network and security people together” in their SASE (Secure Access Service Edge) blog in 2019—curiously, since removed. By the following year it was diluted to SSE (Secure Service Edge) removing the SD-WAN element given supplier resistance. The ideas were summarized with words like “including” and “such as” for the components. Undaunted, the networking, Cloud, and security providers and following analysts fell and continue to fall in love with the opportunity for useful and profitable “complete solutions.” I counted more than 40 a year ago and the numbers, like the market predictions, continue to grow.
Given the momentum of analysts to define a measurable “solution,” it seems necessary to agree on what the terms actually mean. It’s tricky since each supplier defines them differently depending upon what they think is important, can deliver, or what customers request, etc. The challenge is to unscramble that which meets your organizational requirements and provides the best economic value. There's no intention to make any of the following investigation wrong or right.
SASE Consists of Network and Security Elements:
SD-WAN (Software Defined Wide Area Network): A network approach that provides application-layer connectivity “overlaying” transport of data, APIs, etc., to remote host systems (typically Cloud applications in containers).
Next-Gen Firewalls: Strangely named as “Next Gen,” these consist of firewall processes at enforcement points, as opposed to a box in a data center. With functions becoming blurred by web, and application software, firewalls may be relegated to the history books.
SSE Components Included in SASE:
CASB (Cloud Access Security Broker): Broker is an unusual networking term, but it is effectively a Policy Enforcement Point. Depending on function, CASB ensures that user’s identity is authenticated, that the policy for the user to take the requested action is permitted at that time and for it to be blocked and reported if and when it is out of policy. All good Zero Trust best practices.
SWG (Secure Web Gateway): More blurred functions but while firewalls have generally protected users from network layer attacks, SWGs defend user-generated web traffic. Web application firewalls that protect web-based applications are also in this mix.
ZTNA (Zero Trust Network Access): This last one is perhaps misnamed as it has come to mean trusted access to remote (Cloud-based) applications as a VPN replacement or enhancement which is typically device or network to remote network or system. ZTNA is a much stronger approach than a “Secure VPN” as even the Cybersecurity and Infrastructure Security Agency found out when theirs was compromised. With ZTNA, the user gains access only to the applications and data they are authorized to access. ZTAA might have been a better name. The National Institute of Standards and Technology’s attempt at defining ZTNA as “a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications” is an example of the difficulty of attempting a definition of terms that are without formal basis.
In summary, the many interpretations of SSE have become popular as a stepping-stone to a full secure network implementation. SASE is more popular with vendors who added security to their existing network functions.
It's necessary to agree on what the terms actually mean. It’s tricky since each supplier defines them depending upon what they think is important, can deliver, or what customers request.
Reality Check
As you wade through the acronym soup, it would be easy to think that you are looking at the “emperor’s new clothes” or an illusion that all SASE or SSE offerings are the same or contain the same elements with a wide variety of additions. They do not. However, all is not lost. The above was important groundwork for guidance on how to choose vendors, integrators, or managed service providers.
The Guidance
Don’t be persuaded that you need one market solution v. another. Instead, get past the product names to look at and pay for the networking, automation, and security functions you actually need and understand how they are implemented. Those network functions might include consolidated automation of event notification. Security functions might include secure DNS, remote browser interfaces, protection against APTs and lateral movement, and Cloud microsegmentation bundled in with the offering. Verifying the security of the software supplier’s products, services, and organization is critically important.
SASE Service
For service providers, it has become important to deliver the SASE networking and security functions as a cohesive service that can bring together the wide variety of implementations. This is an actual, formally defined service (MEF 117)1. Despite the lack of formal definition, work is also under way to certify SASE and SSE offerings.
Now let’s look at how a new iteration of Network as a Service (NaaS) might change this picture. It takes the enterprise’s perspective of the services they wish to receive to match their business requirements.
Network as a Service 2024: Key Differentiators
- A Cloud-enabled, model allowing use of network services without owning, building, or maintaining their own infrastructure.
- NaaS allows users high performance access to any application anywhere from any location.
- Its consumption-based billing via on-demand portals or APIs avoids lock-in.
- NaaS brings responsiveness to business dynamics, irrespective of the underlying technology.
- Further, it allows users to select from Platform or Infrastructure as a Service or Managed Services.
- Aligned with Zero Trust Principles, it enables proper verified delegation of all security functions reducing the cost and expertise needed by the enterprise.
The creation of the new NaaS concept is beginning to take shape, the above being the work of the ONUG.net NaaS Project. If it sounds like enterprise nirvana, it’s not without its advantages for suppliers, its dynamics, and challenges. For service providers it has the promise of a collaborative solution that adds value to Cloud providers. It draws on the pedigree of collaboration and advantages for multi-national enterprises that have created massive marketplaces in the past.
The Big Question
Will suppliers and service providers actually collaborate to provide the NaaS solution enterprises want or will they continue to focus on their proprietary solutions for SSE and NaaS?
Final Word
The recommended path is step-by-step SSE implementation and then migrate to NaaS solutions as they become available. More on all of this can be found on https://cybyr.com/networks.
REFERENCE
1. MEF 117, https://www.mef.net/wp-content/uploads/MEF-117.pdf
Mark Fishburn | Provider of Strategic Network, Cybersecurity and Marketing Services
Mark Fishburn | Provider of Strategic Network, Cybersecurity and Marketing Services.
Mark is CEO of cybyr.com and has five decades of experience in software, networking, and security. He is a member of ONUG, MEF and CSA network and security working Groups, CISA contributor and publisher of the Holistic Cybersecurity book: Hey Who Left The Back Door Open? For more information, or to give feedback, email [email protected] or follow him on LinkedIn.