10

SASE Security

Security can be an elusive concept. To secure a product or service, every part of it must be secure: any gap left in your security will eventually be found and exploited, defeating the value that justified the purchase. An organization that gains a poor reputation for security suffers repercussions that are primarily financial but may extend to legal liability through follow-on effects. Effective security is its own reward, in that it preempts these consequences.

SASE provides the opportunity to integrate all security services into a cohesive, interoperating system that is based on a ZTF. In addition to security integration across multiple branded services, SASE is integrated into an organization’s entire application, service, and product catalog.

Each software product developer addresses security vertically, within the boundaries of its own product. In SASE sessions, these vertical solutions must integrate horizontally to form pervasive security, and only pervasive security lets a solution claim to be completely secure.

In this chapter, we will explain SASE security at a high level, look at the detailed security services in SASE, learn how an SASE session is secured, learn initial options for automating security in SASE, and summarize SASE security.

We will cover the following main topics in this chapter:

  • Secure Overview – explain SASE security at a high level
  • Secure Details – understand the detailed security services in SASE
  • Secure Session – learn how the SASE Session is secured
  • Secure Automation – learn initial options for automating security in SASE
  • Secure Summary – summarize SASE security

Secure Overview

SASE was coined in response to repeated attempts by large organizations to achieve effective security through diverse product portfolios. SASE is the intersection of secure SD-WAN, application security, cloud security, network security, remote access security, data security, and identity security. Secure Access Service Edge provides a framework approach to the many different security solutions on the market. Effective security starts with a layered approach, like a castle with its wall and moat. A ZTF allows a completely blocked resource to become available as each layer of security is unlocked by meeting that layer’s policy requirements for access.

For the DevOps team, SASE starts with a Cloud Access Security Broker (CASB), Web Application Firewall (WAF), or Secure Web Gateway (SWG). Often, the application development team acquires these solutions outside of the procurement process, as part of a cloud platform marketplace offering. The purchase is frequently tactical and may not fit the organization’s overall approach to security, but it allows a project to be completed on time.

For the network infrastructure team, SASE starts with SD-WAN as a replacement for routed solutions, which may rely on a combination of encapsulations that may or may not be secure. Often, the SD-WAN project is treated as a router replacement that adds little in the way of effective security or network performance. The SD-WAN products on the market often have the key functions needed to be an effective part of a secure communications strategy, but they bear little resemblance to the previous 30 years of networking solutions. SD-WAN is a key technology to include in a comprehensive SASE Service.

For the security team, SASE starts with next-generation firewall services, and the Intrusion Prevention System (IPS) is a key ingredient for both edge and perimeter security. Often, the SWG, CASB, and WAF are managed by DevOps and sit outside a typical security team’s operating model. Application-focused security products send logs inconsistently to the Security Information and Event Management (SIEM) system and the Security Operations Center (SOC) for analysis. Seldom are the many SASE Services functions branded, managed, or provided by the same organization. This inconsistency in the operating model prevents effective security.

For the systems team, SASE starts with IAM, which is seldom consistent across devices, applications, services, systems, physical access, and resources. Each organization needs a single source of truth for identity. Integration into legacy systems is challenging but not insurmountable. Once a single identity model is established, it should be treated as the universal verification of who or what a subject is, allowing security policy to operate within a ZTF.

SASE is the demarcation point where the differently skilled teams within an organization need to collapse into one DevSecOps team. This is a call to merge multiple vertical skills into a collective SASE team. For many years, C-level executives have tried to drive business value from their technology teams. Specialization within the technology teams has caused a division of responsibility, effectively working against ideas of ownership. In every organization, security is a required function for every employee to maintain the financial viability of the overall organization. Human safety is almost always considered paramount in the working environment; however, safety does not exist without security. For both the organization’s personnel and its financial well-being, effective security is a requirement that must be the responsibility of every employee, contractor, vendor, and partner. If security is everyone’s responsibility, then every IT resource has an elevated responsibility to act as part of the security team.

Effective DevSecOps requires effective training. Effective training is not simply a delegation to a third party online or a pre-recorded training. A third-party organization should be used to audit, validate, and certify that individuals and an organization are meeting stated requirements. The responsibility for effective training, however, cannot be delegated. The act of delegation disregards training as a priority and effectively devalues any investment in it.

Effective training requires all levels of an organization to actively participate in focused training that meets the needs of all learning styles. Organizational training must speak to learners who are visual, auditory, hands-on, or reading- and writing-based. Many IT personnel learn best through interactive lab exercises, while other parts of the organization may learn better through pictures, graphs, or charts. Formal academic programs often deliver lecture-based education, which works for some learners. Writing notes may increase the value of a lecture, producing greater retention. Both formal and informal education require significant reading. Each organization has a mixture of learners, and ensuring that all learning styles are addressed in each training session may cause some frustration while, at the same time, allowing each learner to harvest what they need from the session.

Effective leadership, through active and visible participation, demonstrates that the outcome of the training is valued. An organization tends to value what its leaders spend their focused time on. Dedicated time by a leader on security training actively reduces organizational liabilities. Leadership by example is one of the most cost-effective investments an organization can make. No amount of financial investment can offset the impact of an organization perceiving that its leaders have no time or consideration for security. Perception matters.

In summary, SASE exists for the purpose of secure communications. Today, the market consumes SASE based on role, which increases waste while reducing security. Effective security requires the integration of all security products or services an organization uses with a common IAM. Effective security requires ownership, which requires leadership by example through effective training and visible practices.

In the next section, we will understand the detailed security services in SASE.

Secure Details

Currently, the security functions that form part of an SASE Service may include any or all of the following; however, the list should never be considered exhaustive, as more functions will be developed with every product development cycle.

The MEF Forum’s SASE Services Definition (MEF W117) lists the following security functions, with definitions found in the draft standard:

  • Middle Box Function (MBF)
  • IP, Port, and Protocol Filtering (IPPF)
  • DNS Protocol Filtering (DPF)
  • Domain Name Filtering (DNF)
  • URL Filtering (URLF)
  • Malware Detection and Removal (MD+R)
  • Intrusion Prevention System (IPS)
  • Secure DNS Proxy (SDNSP)
  • IP Proxy (IP-P)
  • Data Leakage Prevention (DLP)
  • Browser Isolation (BI)

Each function participates in securing SASE Services as a modular component that policy can invoke for one or more benefits. The number-one priority in SASE is ensuring that a solution is secure. Security can be achieved differently by each manufacturer or developer. Each function can be stacked or omitted as needed to produce the desired outcome.

A middlebox is defined as any intermediary device performing functions other than the normal, standard functions of an IP router on the datagram path between a source host and destination host.

– B. Carpenter and S. Brim, RFC 3234, Middleboxes: Taxonomy and Issues

In summary, the way to achieve prescriptive, secure performance from secure communication solutions is to break services into small, discrete functions and then trigger each function by policy within an integrated solution.

In the next section, we will learn how an SASE session is secured.

Secure Session

SASE sessions are the core function of an SASE Service. A session is initiated when a user, device, service, or application tries to communicate with another user, device, service, or application. The initiator of the session is the subject of the session. The resource being accessed on the remote end is the target. The subject must meet all policy requirements of the ZTF before any communication is initiated. A session must be secure to be allowed by policy as an SASE session. Any session that violates the policy must be terminated immediately rather than waiting for a timeout period.

Each session has a definite starting point and ending point, managed by the SASE Service. Each session is subject to context: if the context changes, the session must be terminated. Each session is subject to quality requirements, where adverse quality conditions may be considered a potential active threat to security. Each session must be monitored for both security and performance. Each session is defined by a set of SASE specifications, elements that policy may consider and leverage. Each session must present stateful data to the monitoring system for consideration. Each session is unique and must be treated as such.

All sessions exist as allowed by policy, and if no policy for allowance exists, the session is never established.

The Application Flow Specification (AFS) was defined in MEF 70.1 to identify the fields and values used to classify traffic within a session so that policy can act on them. The state values within a session allow you to monitor for state changes that policy may use to affect an outcome. Session forwarding policies allow traffic to flow through routed or SD-WAN services.

In conclusion, unlike policy-based routing or stateful firewall policies, an SASE session operates on policy that is dynamic: it is driven by the input it receives from attributes, specifications, context, performance, and an ever-growing set of data, so that it can respond to unknown or unanticipated conditions.
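The session lifecycle described in this section, written out as a small policy engine. This is an added example, not code from the book or from MEF: the FlowSpec, Context and Policy fields, the quality thresholds, the single policy and the constructed sessions are assumptions chosen to illustrate the behaviour, not the MEF 70.1 AFS schema or any vendor's policy model. It shows default deny when no policy allows a session, immediate termination when a context change invalidates the policy that granted the session, and quality degradation treated as a policy violation rather than a performance footnote.

```python
from dataclasses import dataclass, field, replace
from typing import Callable, FrozenSet, List, Optional
# Field names, thresholds and the policy below are assumptions for illustration,
# not the MEF 70.1 Application Flow Specification schema or any vendor's policy model.

@dataclass(frozen=True)
class FlowSpec:
    """Stand-in for an Application Flow Specification: what is accessed, and how."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str      # "tcp" or "udp"
    application: str   # application classification, e.g. "saas-crm"

@dataclass(frozen=True)
class Context:         # subject posture plus session quality; any of it can change mid-session
    identity: str
    groups: FrozenSet[str]
    mfa_verified: bool
    device_compliant: bool
    latency_ms: int
    packet_loss_pct: float

@dataclass(frozen=True)
class Policy:
    name: str
    applies_to: Callable[[FlowSpec], bool]   # which flows this policy governs
    requires: Callable[[Context], bool]      # conditions the subject must keep meeting

@dataclass
class Session:
    subject: str
    flow: FlowSpec
    context: Context
    state: str = "pending"                   # pending -> established | terminated
    matched_policy: Optional[str] = None
    events: List[str] = field(default_factory=list)

MAX_LATENCY_MS, MAX_LOSS_PCT = 250, 2.0      # assumed quality thresholds
def quality_acceptable(ctx: Context) -> bool:
    # Adverse quality is treated as a potential active threat, not only a performance issue.
    return ctx.latency_ms <= MAX_LATENCY_MS and ctx.packet_loss_pct <= MAX_LOSS_PCT

def evaluate(session: Session, policies: List[Policy]) -> Optional[str]:
    """Name of the first policy that allows this session, or None (default deny)."""
    if not quality_acceptable(session.context):
        return None
    for p in policies:
        if p.applies_to(session.flow) and p.requires(session.context):
            return p.name
    return None

def establish(session: Session, policies: List[Policy]) -> Session:
    """A session exists only as allowed by policy; with no allowing policy it is never established."""
    name = evaluate(session, policies)
    if name is None:
        session.state = "terminated"
        session.events.append("denied: no allowing policy")
    else:
        session.state, session.matched_policy = "established", name
        session.events.append(f"established under {name}")
    return session

def update_context(session: Session, policies: List[Policy], **changes) -> Session:
    """Re-evaluate on every context change; terminate at once if the granting policy no longer holds."""
    if session.state != "established":
        return session
    session.context = replace(session.context, **changes)
    session.events.append(f"context changed: {sorted(changes)}")
    # A different policy matching afterwards is not enough: a new session must be started under it.
    if evaluate(session, policies) != session.matched_policy:
        session.state = "terminated"
        session.events.append(f"terminated: {session.matched_policy} no longer satisfied")
    return session

POLICIES = [
    Policy("crm-finance",
           applies_to=lambda f: f.application == "saas-crm" and f.protocol == "tcp" and f.dst_port == 443,
           requires=lambda c: "finance" in c.groups and c.mfa_verified and c.device_compliant),
]

def demo() -> dict:
    """Constructed sessions: allow, missing MFA, no matching policy, posture change, quality loss."""
    crm = FlowSpec("10.0.0.5", "203.0.113.10", 443, "tcp", "saas-crm")
    ssh = FlowSpec("10.0.0.5", "203.0.113.20", 22, "tcp", "ssh")
    good = Context("alice", frozenset({"finance"}), True, True, 40, 0.1)
    new = lambda flow, ctx: establish(Session("alice", flow, ctx), POLICIES)
    return {
        "allowed": new(crm, good),
        "no_mfa": new(crm, replace(good, mfa_verified=False)),
        "unmatched": new(ssh, good),
        "posture": update_context(new(crm, good), POLICIES, device_compliant=False),
        "degraded": update_context(new(crm, good), POLICIES, latency_ms=900),
    }

if __name__ == "__main__":
    for label, s in demo().items():
        print(f"{label:10s} {s.state:12s} {' | '.join(s.events)}")
```

Two design points carry the section's argument. First, `evaluate` never returns an allow by default: an SSH flow that no policy governs is denied for the same reason a finance user without MFA is denied. Second, `update_context` compares the re-evaluation result against the policy that originally granted the session, so a session is terminated as soon as its own grant no longer holds, even if some other policy would now permit a fresh one; the subject has to start again under that policy rather than carry an old session into a new context.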

In the next section, we will learn about the initial options for automating security in SASE.

Secure Automation

Initial automation of SASE Services can be thought of as AIOps, but the groundwork for that automation must be laid in the form of modular components that the AIOps solution can observe, trigger, operate, and act upon.

The design must be least prescriptive: policy is based on loose requirements expressed through small, simple policies. These small, simple policies start out parallel and can be organized hierarchically, from the greatest common denominator to the least common denominator. Each policy should be able to stand alone as a module for the AIOps solution to trigger as needed.

An Intrusion Detection System (IDS) detects security threats. An Intrusion Prevention System (IPS) triggers predetermined reactions to individual threats. AIOps operates on the same principle but cannot be effective with prescriptive reactions to threats. Instead of prescription, a library or catalog of small, singular actions must be created to give the AIOps system the ability to trigger an action as required, however small it is. The system must be allowed to compound singular actions into sets of serial or parallel actions. After the catalog is developed, the system must be tested so that it learns naturally, and any undesired effect should be erased and retrained.
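An added example (not from the book or from any vendor's product) of the catalog-of-actions approach described above: a few atomic response actions, a plan type that compounds them into serial or parallel sets, and a compose() step that builds the plan from the detection's attributes rather than from a fixed threat-to-action table. The action names, the State fields and the detection events are constructed for illustration; in a real deployment each action would call the SASE service's own API.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple, Union

# Action names, state fields and event fields are constructed for illustration; a real
# implementation would call the SASE service's own APIs inside each action.

@dataclass
class State:
    """Minimal enforcement state that the atomic actions act on."""
    blocked_ips: Set[str] = field(default_factory=set)
    revoked_sessions: Set[str] = field(default_factory=set)
    quarantined_devices: Set[str] = field(default_factory=set)
    notifications: List[str] = field(default_factory=list)

Action = Callable[[State, dict], str]   # one small, stand-alone step; returns what it did

def block_source_ip(state: State, ev: dict) -> str:
    state.blocked_ips.add(ev["src_ip"])
    return f"blocked {ev['src_ip']}"

def revoke_session(state: State, ev: dict) -> str:
    if "session_id" not in ev:                       # precondition not met: report, do nothing
        return "failed: revoke_session needs a session_id"
    state.revoked_sessions.add(ev["session_id"])
    return f"revoked {ev['session_id']}"

def quarantine_device(state: State, ev: dict) -> str:
    if "device_id" not in ev:
        return "failed: quarantine_device needs a device_id"
    state.quarantined_devices.add(ev["device_id"])
    return f"quarantined {ev['device_id']}"

def notify_soc(state: State, ev: dict) -> str:
    msg = f"{ev['signature']} from {ev['src_ip']} severity={ev['severity']}"
    state.notifications.append(msg)
    return f"notified SOC: {msg}"

CATALOG: Dict[str, Action] = {
    "block_source_ip": block_source_ip,
    "revoke_session": revoke_session,
    "quarantine_device": quarantine_device,
    "notify_soc": notify_soc,
}

# A plan is a catalog name, or ("serial", [plans]) / ("parallel", [plans]), nested as needed.
Plan = Union[str, Tuple[str, list]]

def run(plan: Plan, state: State, ev: dict) -> List[str]:
    """Execute a plan: serial groups stop at the first failure, parallel groups fan out."""
    if isinstance(plan, str):
        return [CATALOG[plan](state, ev)]
    mode, steps = plan
    results: List[str] = []
    if mode == "serial":
        for step in steps:
            out = run(step, state, ev)
            results.extend(out)
            if any(r.startswith("failed") for r in out):
                break
    elif mode == "parallel":
        with ThreadPoolExecutor(max_workers=max(1, len(steps))) as pool:
            for out in pool.map(lambda s: run(s, state, ev), steps):   # map keeps step order
                results.extend(out)
    else:
        raise ValueError(f"unknown plan mode {mode!r}")
    return results

def compose(ev: dict) -> Plan:
    """Build the plan from event attributes instead of a fixed threat-to-action table.
    Revoking the subject's session comes first; containment steps that depend only on the
    event itself run in parallel afterwards."""
    contain: list = ["notify_soc"]
    if ev["confidence"] >= 0.9:
        contain.append("block_source_ip")
    if ev["severity"] == "high" and "device_id" in ev:
        contain.append("quarantine_device")
    if "session_id" in ev:
        return ("serial", ["revoke_session", ("parallel", contain)])
    return ("parallel", contain)

def respond(ev: dict) -> Tuple[State, List[str]]:
    state = State()
    return state, run(compose(ev), state, ev)

if __name__ == "__main__":
    # Constructed detection events, shaped like what an IDS might hand to the automation layer.
    high = {"signature": "credential-stuffing", "src_ip": "198.51.100.7", "severity": "high",
            "confidence": 0.95, "session_id": "sess-42", "device_id": "dev-9"}
    low = {"signature": "port-scan", "src_ip": "198.51.100.8", "severity": "low", "confidence": 0.6}
    for ev in (high, low):
        print(ev["signature"], "->", respond(ev)[1])
```

Each action checks its own precondition and reports a failure instead of guessing, and a serial group stops at the first failure, so an action is never compounded on top of a step that did not happen. The same four catalog entries produce a four-step plan for a high-confidence credential-stuffing event and a single notification for a low-confidence scan, without either response being written down in advance as a fixed prescription.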

The tools of the trade to prepare for automation are orchestration, workflow management, monitoring, telemetry, policy, service management, permissions, testing, training, and an AIOps system.

To summarize, AIOps allows you to automate interaction with a working, secure communications solution to maintain security in real time. Effective automation follows a least-prescriptive design, because the prescriptive approach creates unintended consequences.

In the next section, we will explain SASE security.

Secure Summary

Included in SASE are many security products as well as SD-WAN, which forms the base for the edge extension of the cloud. Depending on the perspective of the team responsible for procuring, designing, implementing, and operating an SASE Service, the initial services may vary. For effective security, all services must be integrated to allow cross-service validation, maintaining a consistent approach to security and mitigating issues that would otherwise increase the threat level.

Key services in a SASE framework include SD-WAN, a firewall, CASB, a ZTF, and SWG. Additional services such as IAM with Multi-Factor Authentication (MFA) are added out of necessity and must be integrated for effective security. All SASE Services must be integrated to ensure minimum security levels are maintained. All SASE Services must be monitored for both performance and security. Monitoring and telemetry are key inputs for AIOps to interact as needed to ensure policy enforcement.

In conclusion, SASE is security; without SASE, either significant software development or manual configuration, validation, and intervention is required to ensure security.

Summary

The potential of the future requires diligence in the present to maintain the potential for that future. Without that diligence, the future remains in a state of decline that may disappear at some point. Any science-fiction writer portraying their vision of the future offers hope in the present to change the unintended future into something more intentional. The hope is that our efforts in the present can prevent a future that we do not want.

The viability of any organization in the future is directly connected to its diligence in the present. Security is a key contributor to future success or failure. Each organization must exercise diligence in the present to create the future that they desire. Effective security provides a basis on which to build that future.

In the next chapter, SASE Services, examples of many of the services available for SASE integration are discussed, with topics that include: Services Overview, Services Core, Services Options, Services Expanse, and Services Summary.
