Crawl, walk and run with SASE adoption
Article by Bitglass regional sales director for ANZ Wayne Neich.
Customers and prospects constantly ask questions about secure access service edge (SASE) and how such a platform can address their modern security use cases. In particular, organisations wish to know how they should go about deploying a complete SASE platform.
They would do well to research the technology and seek the most comprehensive solution, one with the functionality to secure interactions between any devices, apps, web destinations, on-premises resources, and infrastructure.
So for many organisations, the question is, “Where do we start and how do we move towards deploying the whole platform?”
For organisations that would prefer to pace themselves and take a slower, more systematic approach to SASE adoption, a strategy of ‘crawl, walk, run’ is recommended. Start by addressing simple use cases through table-stakes technologies that will deliver quick and easy wins. From there, move on to address increasingly complex use cases through more advanced technologies.
Organisations should begin with basic, out-of-band CASB protections for data at rest, since these are simpler to deploy because they are not inline or real-time. This is accomplished through API integrations with applications like Office 365, Box, G Suite, Salesforce, and others.
In this way, businesses can scan for sensitive data patterns already existing in their cloud resources, find out whether that data is shared publicly, and identify documents at rest that are infected with malware.
At the same time, they should consider implementing discovery functionality for identifying unmanaged applications in use, as well as cloud security posture management (CSPM) for locating and remediating misconfigurations in IaaS platforms.
The benefit of this approach is that it delivers visibility over sensitive data in the cloud as well as unknown SaaS application usage, helping to form a more robust cloud security program and helping to shape policy with executive management.
With the initial out-of-band protections in place, companies can begin to roll out more advanced inline technologies. Specifically, they can utilise a selected CASB with specialised proxy deployment modes.
By proxying traffic, an organisation can solve more complex (and arguably more important) use cases, for example scanning files at upload and download for real-time data and threat protection as users access cloud resources.
This can be accomplished agentlessly with the right technology — one that includes a reverse proxy. This is incredibly important for securing unmanaged devices (contractor endpoints, BYOD and more).
With both out-of-band and inline CASB functionality in place for securing data at access and at rest in the cloud, organisations can proceed to deploy the other components of a comprehensive SASE platform.
First, they should seek, implement and roll out an on-device smart edge secure web gateway (SWG), which can provide superior performance, scalability and security for the web and shadow IT.
Look for a device that comes complete with upload DLP controls for non-corporate SaaS applications. Then it will be possible to deploy zero trust network access (ZTNA), which includes real-time data and threat protection for true zero-trust security for on-premises resources.
By moving through such a process, organisations can deploy a fully-featured SASE platform and secure any interaction.