The SASE Journey: A Head of IT Talks Shop

This blog was originally published by Lookout here.

Written by Steve Banda, Senior Manager, Security Solutions, Lookout.

Organizations that are adopting a permanent hybrid or remote-first work environment can use a Secure Access Services Edge (SASE) platform to implement cybersecurity that is not tied to the physical office spaces where employees used to work.

SASE is a security framework defined by Gartner that has been adopted by many organizations to enable intelligent Zero-Trust access from anywhere without hindering productivity.

To give you insight into how you can get started with SASE, I sat down with our director of IT systems engineering, Joel Perkins. He heads our IT department and has over a decade of experience.

Steve Banda: Obviously, the IT space is always evolving alongside emerging technologies. What changed for your team during the COVID-19 pandemic? What are some of the new challenges IT departments around the world are now faced with?

Joel Perkins: Lookout, just like many other organizations, went remote during the pandemic. Employees are no longer working behind office firewalls. They’re working on laptops, tablets and smartphones from anywhere. This means, instead of securing nine office locations, I have over 600 locations in the form of homes or co-working spaces.

But even before the pandemic, corporate data was already leaving on-premises data centers as part of digital transformation initiatives. Increasingly organizations are moving operations to software-as-a-service (SaaS) applications like Google Drive and Salesforce, or Infrastructure as a Service (IaaS) such as AWS, Azure or Google Cloud Platform. As a result, a typical company might have hundreds of apps in different locations and configurations, which makes securing access and protecting data much more complex. The pandemic accelerated this transformation as well as the adoption of SASE.

Where does SASE come into play to address these new challenges?

SASE gives my team insights in a single place. While we had a lot of the information already, it was spread across different apps. My team either had to manually retrieve the information or have it piped somewhere — both processes were labor intensive.

With an integrated platform, it is easy to implement consistent security policies. In the past, this was not possible because of the multiple products used and human error could easily create inconsistencies. With insights and policies in one place, we can systematically take action.

Drawing from your experience onboarding SASE, what should other heads of IT expect?

Deploying SASE is a journey for any IT team. It’s not something that happens overnight.

We have already witnessed the huge advantage of an integrated SASE platform with the ability to enforce consistent security policies throughout the migration of a private app to the SaaS version. Security policies that have been defined for Zero Trust Network Access (ZTNA) to provide private connectivity to private apps, can be easily implemented with the CASB securing connectivity to the SaaS version.

“Journey” is a good way to put it. The SASE architectural model uses identity and context to deliver secure Zero-Trust access to apps and data by converging different network and security tools into a unified platform. What can customers do to get started?

There are multiple ways of getting started with SASE. One way is to start with cloud apps. With employees able to access these apps from anywhere, it means you have less visibility from traditional perimeter security controls.

For most organizations, the SASE journey will likely start with apps that are most important to them — whether they are SaaS or private apps. These are usually the big productivity platforms like Google Workspace and Microsoft Office 365, or apps with business critical or personally identifiable information such as customer relationship management tools like Salesforce, or HR solutions like Workday.

Once these apps are onboard, you will have immediate visibility into the data and activities associated with them. I would say this is the first step — before touching the controls — is to assess what you have.

So once you get visibility into critical apps, then what?

Once your critical apps are set up and you’re getting visibility into the activities and data within them, you can then start implementing policies.

The beauty of a single platform is that everything is in one place. I can build a single policy and apply it to multiple apps without needing to recreate it for each app. As I onboard a new SaaS app with CASB, or cloud-enable a private app with ZTNA, I can easily apply existing policies.

What does that SASE journey look like in the long term? How can organizations take advantage of SASE?

Over time, you would likely protect all of your apps with SASE and begin to implement dynamic and precise policy enforcement.

Having all of these insights into endpoints, users, apps and data, you can start creating and fine tuning policies that enable employees to access what they need while still safeguarding highly sensitive data. You might start out writing policies that limit data access to only managed devices. But down the road, you could confidently implement a bring-your-own-device (BYOD) program where you have full control over the data accessed by personal devices.

Zero Trust has been the focus of most organizations to empower remote access without sacrificing security. But the issue is that most attempts at achieving Zero Trust are a patchwork of disparate products connected to virtual private networks (VPN), with binary access controls based on limited visibility. Not only is this on-off access a poor experience for end users, VPNs also give whoever is connected access to all the apps and data on the entire internal network. This means an attacker who compromises an account can easily move laterally.

The key to a modern Zero-Trust deployment is to align the fluctuating risk levels of your users and endpoints with the sensitivity level of the data they seek to access.

For example, you may want to give unmanaged device access to certain sensitive data, but making it read only, preventing employees from downloading or sharing it. Whereas if the employee is using a corporate-issued device and is connecting from their usual location, they are given more freedom to access data and apps.