Dark Reading is part of the Informa Tech Division of Informa PLC


5/31/2021
10:00 AM
Jay Barbour
Commentary

3 SASE Misconceptions to Consider

SASE is all the rage, promising things IT leaders have long dreamed about, but a purist approach may create consequences.

Secure Access Service Edge (SASE) has been a hot topic since Gartner defined it as a new category of offerings combining wide area network (WAN) capabilities with network security functions. Everyone agrees SASE makes sense conceptually, but when it comes to turning idealistic frameworks into realistic IT approaches, misconceptions abound. Here's where SASE principles can be taken too far and where IT buyers may get a bit too starry-eyed.

Misconception #1: SASE Mandates Zero Daisy Chains
Gartner's 2019 Hype Cycle for Enterprise Networking included this warning statement about virtual machine service chains (also known as daisy chains) that can sometimes lead people astray:

"Software architecture and implementation matters. Be wary of vendors that propose to deliver services by linking a large number of features via [virtual machine] service chaining, especially when the products come from a number of acquisitions or partnerships. This approach may speed time to market but will result in inconsistent services, poor manageability, and high latency."

Solution architecture is important, and yes, you want to minimize the number of daisy chains to reduce complexity. However, it doesn't mean you cannot have any daisy chains in your solution. In fact, dictating zero daisy chains can have consequences — not for performance, but for security. 

SASE consolidates a wide array of security technologies into one service, yet each of those technologies is a standalone segment today — with its own industry leaders and laggards. Any buyer who dictates "no daisy chains" is trusting that one single SASE provider can (all by itself) build the best technologies across a constellation of capabilities that is only growing larger. Being beholden to one company is not pragmatic given that the occasional daisy chain greatly increases the ability to unite best-of-breed technologies under one service provider's umbrella. Here are a few more reasons why daisy chains are needed: 

  • No single vendor, particularly a startup, can effectively deliver on all areas of SASE security with a level of product maturity, mastery, and best practices that businesses need and expect in today's landscape of relentless attackers. SASE capabilities should be proven on the harsh cyber battlefield, and most startups don't survive.

  • Any incremental complexity stemming from a strategically placed daisy chain or two should be managed by the provider and should not impact the customer. If a SASE platform performs above expectations, then why should the number of daisy chains matter?

  • "No daisy chains" implies technology acquisitions and large market consolidation, meaning a small number of very large SASE providers may have too much market power, stifling innovation and raising prices. That's not always good for IT buyers.

Misconception #2: You Must Take an All-Cloud Approach With SASE
SASE revolves around the cloud and is undoubtedly about speed and agility achieved through cloud-deployed security. But SASE doesn't mean that the cloud is the only way to go or that you should ignore everything else. Instead, IT leaders must take a more practical position, using the best technology given the situation and problem. For example, on-premises next-gen firewall appliances are usually still the best option for large offices where performance and total cost of ownership are the key goals. If your SASE approach is cloud-first but not cloud-only, make sure your solution follows suit.

Misconception #3: SASE Will Solve All Your Security Problems
Don't assume SASE is a total solution. SASE covers a lot of ground, but it does not cover all the technologies a company needs to secure a remote-work and multicloud environment. For example, cloud workload protection (CWP) and endpoint detection and response (EDR) are critical in securing user and cloud computing environments but are not part of the SASE framework. Although EDR is a primary technology for addressing ransomware, a skyrocketing threat vector, it is excluded from SASE because it does not require network traffic inspection to function. Rather, it's an agent-based solution that monitors operating system activity and integrity.

Moreover, SASE addresses only the technology components of an effective security program, leaving out the experts required for 24/7 security monitoring and mature incident response. Without a dedicated team of security analysts, security technologies are ineffective — whether they are included in SASE or not. Professional skills are necessary to investigate threats and stop them before major damage is done.

Purity vs. Pragmatism
SASE is all the rage, promising the ideals that IT leaders have dreamed about for years, but taking a purist approach may have consequences. Hardline expectations around daisy chains and the cloud should be softened in favor of maximizing security excellence and business outcomes. Likewise, SASE solutions need to be compared against the broader security and network strategy to see where they add value and where they may still fall short. By taking a pragmatic approach, companies can make ideologies tangible, achieving agility and productivity with ready-made security.

Jay brings more than 20 years of security experience to Masergy as Director of Security Product Management. He is responsible for the product vision of Masergy's managed security services and leads the product team on execution. Previously, Jay was Director of Security ...
 
