Security Service Delivered From Cloud Edge

As cloud adoption grows and organizations prepare themselves for “back to office” operating models, security teams face a challenge to secure users, applications, and data everywhere. In 2021, we saw SASE as a trending topic with “secure remote workforce”, “data protection”, and “secure cloud apps” as the top 3 use cases. Most customers with on-prem/hardware web gateway solutions chose to migrate to a cloud-delivered SASE solution in 2021. In 2022, we expect the trend to continue, and focus will shift from traditional proxy solutions to a holistic, next-generation secure web gateway (SWG + CASB + DLP) thus, driving the idea of Security Service Edge.

Security Service Edge = SASE – Access (WAN Edge)

Gartner recently released its inaugural MQ around a new security trend called SSE — Security Service Edge. SSE unifies functionalities like Secure Web Gateway (SWG), Cloud Access Security Broker (CASB) – Inline and API, Zero Trust Network Access (ZTNA), Cloud Data leak prevention (DLP), Firewall as a Service, Cloud Security Posture Management (CSPM), and Remote Browse Isolation solution (RBI).

In addition to the above, SSE emphasizes on implementing Zero Trust architecture across the organization. Based on the Zero Trust principle of least-privileged access, it provides comprehensive security using context-based identity and policy enforcement.

Adopting SSE is not like adopting a point product, instead it’s more of a maturity journey. As all these services move to the cloud, it is important to define a maturity model and the steps of adoption. Let’s understand how an organization can take a structured approach to redefine its perimeter.

Maturity model to redefine your security perimeter

1. Move to Next Gen SWG – Proxy, CASB, FWaaS
   While starting the adoption, make sure that the SSE partner covers all the basic web security requirements. In addition, it is important to also ensure visibility and control in SaaS environments to secure against threats from shadow IT. A combination of SWG, CASB, and FWaaS can deliver these functionalities.
2. ‘Follow the data’ in real-time
   Data should be protected irrespective of its location. Thus, it’s important to control data usage either by official or personal devices, from data moving to cloud apps, as well as data moving between cloud apps (app to app). An integrated approach of Next-Gen SWG with data protection can ensure data compliance in real-time.
3. Manage security posture and data in the cloud – SaaS, IaaS, PaaS
   How can I ensure that my SaaS environments and public clouds are configured correctly, and data-at-rest has the same security controls as data-in-motion? The answer comes from technologies like SaaS security posture management and cloud security posture management. These technologies, when delivered with real-time controls, provide a powerful mechanism to have holistic visibility and control.
4. Implement Zero Trust when browsing the web or accessing private apps
   Rather than trusting security controls, it’s important to achieve a state of continuous adaptive trust where every session is inspected with contextual analysis and risk-based informed policy actions are implemented. It’s a gradual process, however, for a jump start, Zero Trust Network Access (ZTNA) Access (ZTNA) can replace VPNs to access private apps and Remote Browser Isolation (RBI) to access ‘uncategorized’ web traffic. Later, this should be clubbed with technologies like IdAM (Identity Access Management), EDR and Microsegmentation to create a holistic Zero Trust Architecture.
5. Implement dynamic decision making with risk-based policies
   Once SWG, CASB, FWaaS, DLP, CSPM, SSPM, ZTNA, and RBI are consolidated and unified, there is a wealth of user information that can be utilized to deliver advanced analytics and anomaly detection in real-time. Hence, the next step is to assess user and application risks based on UEBA (User and entity behavior analytics) and implement risk-based policies for dynamic decision making.
6. Integrate SSE with the wider ecosystem
   The ultimate idea is to break the silos. With SSE, all the above steps are delivered by a unified solution- one console and one agent, however, it is also important to integrate with the wider security ecosystem. So, make sure to integrate your email security, IdAM, EDR, SIEM, SD-WAN solutions with the SSE platform to ensure threat exchange and real-time response capabilities.
7. Choose the correct partner – global solution, regional compliance, local capabilities
   Users at the office, home, coffee shop, or wherever they are roaming across the globe should get the same security service and network performance. Thus, while adopting SSE it is important to choose a vendor with a globally distributed and high performance infrastructure. However, adopting SSE shouldn’t impact the network performance or result in non-compliance with local regulations. Thus, it is recommended to choose a partner that can deliver the following-

a. Minimal impact on performance – Easier said than done.A local SSE offering should set up its infrastructure with local ISPs by deploying local PoPs. A local PoP that is as close as possible to the customer, is the only way to reduce latency. Also, the SSE offering should locally peer with application providers for quick accessibility to applications. Both these pointers require local investments from the SSE vendor. Hence, select a vendor who chooses to invest in your region.

b. Ability to deliver SSE as a managed service – It’s SaaS but with **conditions.
Although SSE is delivered as a SaaS service, a lot of vendors put restrictions around visibility, professional services, support, etc. In such instances, a local managed service partner with SSE offerings helps in creating a true service proposition where infrastructure and operations are truly delivered as a managed service.

As a thought leader in cybersecurity, Help AG has already created first-ever locally hosted SSE service offering – Cyber Edge X. The service is powered by a multi-vendor ecosystem, designed to serve varied customer requirements. As it is hosted within in-country Etisalat Datacenters, it promises to deliver the fastest reachability to the SSE platforms with the best-in-class managed service options available.