Server hallway in the blue sky-1

SASE Vendor Selection Criteria

IT and security professionals are challenged with the responsibility to ensure consistent cybersecurity on any interaction that may occur between various users, devices, applications, on-premises resources, the web, and IT infrastructure.

Fortunately, secure access service edge (SASE) offerings provide consistent, comprehensive cloud security for any interaction, delivering protections across a variety of interrelated use cases.
 
The below use cases outline how real-world organizations leverage SASE platforms to address their security needs, as well as the key considerations that should impact your selection criteria for SASE vendors.

Securing BYOD

Bring your own device (BYOD) is a system by which employees perform their work duties from personal endpoints. This requires thorough security, but traditional agent-based tools are poorly suited for the job. Security teams often find it difficult to have access to personal devices, and many don’t even have visibility into all of the personal endpoints that are being used for work purposes. Additionally, users are often concerned about agents on personal devices giving IT full visibility into their personal apps and data.

SASE platforms deliver BYOD security through multi-mode cloud access security brokers (CASBs) that provide agentless deployment options. As they forgo agents and leverage reverse proxies instead, these cloud-based rollouts monitor access to only managed IT resources like corporate SaaS and IaaS instances. This means that they give real-time visibility and control over enterprise data on personal devices without monitoring users’ personal information.

SASE platforms deliver data protection capabilities like data loss prevention (DLP) and cloud encryption, as well as threat protection against malware and malicious and careless insiders. They also provide visibility through comprehensive logging of all user, file, and app activity, and perform identity and access management functionality like single sign-on (SSO), multi-factor authentication (MFA), and contextual access control. 

Real-World Example
Travis, an HR contractor, has his managed laptop break one day while he is traveling. Unable to get an immediate replacement from IT, and needing access to Office 365 to perform his work duties, Travis begins to use his personal iPhone. Because the company he works for uses a SASE platform with agentless CASB functionality, he merely logs into Office 365 via SSO on his iPhone and is granted access. The CASB then agentlessly applies real-time policies to protect sensitive data; for example, by denying access to highly sensitive folders in OneDrive or by encrypting or watermarking downloaded files.
 
With an alternative tool like mobile device management (MDM), Travis’ IT department would have to access his device and install an agent before he could use it for work purposes (not to mention that privacy concerns would likely make Travis hesitant to allow this on his personal iPhone).

Securing the Web and Shadow IT

While the web is an indispensable asset for any organization, it can also disrupt a firm’s productivity, leak sensitive data, and enable malware infections. Secure web gateways (SWGs), a core component of SASE platforms, are designed to address these needs. SWGs can control access to websites and unmanaged applications by category (gambling, sports, streaming, pornography, malware, phishing, and countless others) and destination trustworthiness. Additionally, uploads of sensitive data to the web can be prevented by automated policies. In other words, these tools block threats, stop leakage, and enhance productivity.

Organizations must consider solutions’ architectures when evaluating the SWG components of SASE platforms. Hardware appliance SWGs are costly to buy and maintain, require VPN for off-premises access, and have fixed capacities that make scaling highly difficult. Cloud proxy SWGs don’t require appliances, but do require a latency-inducing network hop to the proxy. Additionally, as all traffic is decrypted and inspected at the proxy, including users’ personal traffic, user privacy is not respected. On-device SWGs that locally perform decryption and inspection are ideal. This approach circumvents the need for appliances, network hops, and VPNs. This ensures security, performance, and scalability. As only security events are logged and uploaded to the cloud, user privacy is respected, as well.

 

 

 

 

Real-World Example

Consider Jacob, a marketer who is prone to clicking links that he receives via email without any consideration for who the sender is. One day, he receives a message from a convincingly spoofed email account that appears to be a coworker; it contains a link to a spoofed website that is designed to steal his corporate credentials and infect him with malware.

Although Jacob does click the link, his employer has an on-device SWG in place that automatically prevents him from reaching his destination; the URL is identified as malicious and an appropriate policy (block) is triggered. Jacob’s employer previously used an appliance-based SWG, but found that its fixed capacity created scalability and performance issues that disrupted user productivity as the company grew. With an on-device SWG installed directly on Jacob’s endpoint, his employer was able to achieve web security while maintaining a streamlined user experience that didn’t impede his productivity or privacy.

 

 

 

Protecting Access to On-Premises Apps

On-premises applications house large amounts of organizations’ most sensitive data. Historically, access to these resources was controlled by requiring employees to use VPN (virtual private network) in order to establish secure tunnels to the network; however, this approach relies upon costly appliances, is not scalable, introduces latency into the user experience, and gives employees unfettered access to everything on the network, violating the core principles of zero trust security.

Zero trust network access (ZTNA) is another critical aspect of SASE. SASE platforms with ZTNA are designed to extend true, zero-trust secure access to specific on-premises resources (rather than open access to the entire network). Ideally, these solutions forgo the use of private data centers and hardware appliances, and are deployed in the public cloud for scalability and performance. Additionally, they should offer an agentless deployment option for browser apps (which is particularly helpful where personal device access challenges the use of endpoint installations), as well as an agent-based option for controlling thick client apps like SSH and remote desktops. Once a leading SASE platform is deployed, it can then enforce real-time data and threat protection policies in order to defend sensitive or regulated information, block uploads of malware, and extend contextual access to key apps, files, and folders.

 

 

 

 

Real-World Example

While working from home, Samantha, a product manager for a technology company, realizes that she needs access to her employer’s on-premises instance of Jira from her personal laptop. With agentless ZTNA in place, she authenticates via single sign-on and accesses the app. She is able to view most of the app’s contents, but a preset policy prevents her from seeing mission-critical information remotely on her personal device. Additionally, when she attempts to download highly sensitive files, she is only given read-only access in a browser window that requires additional authentication. This kind of granular data protection is not available with VPN. Additionally, as VPN appliances have fixed capacities and lack the infinite power of the cloud, they are incapable of scaling with organizations as they grow or as more users move off premises. This means that VPN customers have to reactively purchase and install better or additional appliances as they scale, creating an expensive bottleneck.

Defending Against Malware

Threats like malware are the scourge of the modern enterprise. In recent years, worldwide infestations of ransomware like WannaCry and Petya brought countless organizations to their knees. Security teams need advanced threat protection (ATP) solutions in place for every attack vector that could be targeted by malware. Given the realities of cloud, BYOD, and remote work, ATP is no longer just for the perimeter or the endpoint. As SASE platforms ensure consistent security for any interaction in the cloud, in the web, and in on- premises resources, they are the ideal tools for comprehensive ATP. They take a three-pronged approach to blocking malware with CASB, SWG, and ZTNA functionality, and typically leverage integrations with specialized AV providers like CrowdStrike, Bitdefender, and Cylance in order to identify zero-day threats.

SASE platforms prevent malware from spreading across organizations’ managed SaaS, IaaS, and on premises applications. They block threats in real time as they are uploaded to applications or downloaded to devices, and remediate threats already at rest by crawling apps’ contents. Some SASEs can do this agentlessly, meaning that they can defend against malware even on personal devices. In order to address another key link in the attack chain, SASE is also designed to block threats on the web. If users attempt to click on malicious URLs that would take them to websites designed to infect their devices with malware, then access to said websites will be blocked. Additionally, if a user attempts to download an infected file from an otherwise trustworthy website, then the file can be scanned in transit and the download can be blocked automatically. 

 

 

 

 

Real-World Example

Christina works in finance for a large pharmaceutical firm. Her organization uses a variety of cloud and web applications, spanning Office 365, Slack, and G Suite. One morning, she works from home on her personal laptop which, unbeknownst to her, is infected with malware. When she attempts to share an infected file with a coworker via Slack, her employer’s SASE platform agentlessly blocks the upload to the app and explains that the file contained malware. Later that day while working from her managed laptop, she receives a spoofed email from what appears to be IT, stating that her Office 365 credentials have expired. Without thinking, she clicks on the URL in the email to reset her password.

Fortunately, her employer’s fully featured SASE includes an on-device SWG that prevents her from accessing the malicious web destination which would have infected her with malware. In a world with personal devices, infinite threats, and dynamic remote workforces, organizations need agentless security for BYOD as well as on-device SWG functionality that forgoes the use of VPNs and appliances.

cloud solutions brief image

Bitglass SASE

Want to read about Bitglass' leading security solutions?

Click the button below to learn about the Bitglass SASE platform

Learn More