By Bahaa Hudairi, Regional Sales Director – META, Lookout
When we talk of the region’s security challenges, we often flag the cloud as the single greatest obstacle to a safe digital estate. Indeed, security vendors have been only too willing to roll out solutions to secure cloud services. But while we conference and opine on the mass cloud migration of the past two years, and its implications for CISOs and SOCs, we are overlooking many organizations that simply did not have the option to uproot their whole infrastructures and place them in a third-party data center.
Branch-oriented businesses such as banks and retailers often use software-defined wide area networks (SD-WANs) to centralize their network management and policy enforcement across locations. But if an organization’s security hub is on-premises at, say, HQ, then network traffic must be redirected for policies to be applied, leading to a degradation in performance for end users of cloud applications.
Security leaders need a solution that will cover legacy on-premises tools and cloud services, as a SD-WAN on its own isn’t enough. SD-WAN systems are essentially routing services, but as more data and applications move to the cloud, additional functions are required to keep traffic secure. Band-Aid solutions like firewalls still require routing traffic to a central policy-management location for examination, leading to poor latency for the users of applications, whether they be customers, employees, or business partners. The answer is to reject the add-ons approach and integrate SD-WAN with a security services edge (SSE) solution to create a true secure access service edge (SASE) ecosystem.
The path to integration
An SSE platform assimilates a range of cloud-native security tools (CASB, SWG, ZTNA) and can integrate with SD-WAN to provide security support to legacy structures. The capabilities that SSE brings to security teams range from native traffic sensitivity to features such as data loss prevention (DLP), user and entity behavior analytics (UEBA), and enterprise digital rights management (EDRM). All of these functions are of great use to an SD-WAN-connected branch office.
When SD-WAN and SSE get together, organizations have granular control over every aspect of their hybrid infrastructure, including cloud-native and on-premises apps, making it much easier to satisfy regulators and convince customers that their data is safe.
The ideal platform
So, what does the ideal SSE platform look like? First, let us establish what it is not. SSE is not a mere soup of technologies that can cut cost and complexity. It is a holistic, strategy-based ecosystem that can be designed to suit an organization’s unique needs, reduce risk and secure data. As per the zeitgeist, zero trust access is preferable, but to implement it requires the right visibility and controls that allow decisions to be made in real time, regardless of the locations of the endpoint, user, app, and data in question.
A converged SSE platform offers straightforward, unified policy enforcement. That means SSE technologies are integrated into a single solution that allows security teams to write policies just once and replicate their enforcement across the entire infrastructure, from the endpoints, private apps and email clients in branches and in employees’ homes, to the SaaS apps in any cloud the organization may be using.
SSE also goes further in data protection. The ideal platform will be capable of comprehensive data loss prevention (DLP) that is sensitive to the many types of data the organization stores. The platform will also be able to enforce policies wherever it is deployed. Such functions will include the automatic watermarking or redaction of sensitive data within documents. With SSE, data is also subject to encryption at the moment of download, through enterprise digital rights management (EDRM).
Armed for the hunt
An SSE platform also puts threat hunters back in control of their complex domains. Platforms are able to detect and respond to all the threats that keep CISOs awake at night, including ransomware. SSE setups are able to sniff out a threat residing on an endpoint or roaming the infrastructure through lateral movement. Armed with this visibility, security teams can take timely action to prevent incoming threats from doing harm to digital assets.
Some of the world’s most notorious cyber-incidents have started with an errant click. Users can often be the weakest link in the security chain. But errant clicks generally install malware and not all threats involve malware. Data leaks often occur when insiders either make errors or act nefariously. In addition, users’ entire identities can be compromised in phishing, spear-phishing and smishing attacks. An SSE platform with native user and entity behavior analytics (UEBA) can help enormously in sifting out missteps and misuse.
The visibility and control that SOCs gain through SSE and SD-WAN integration allows security policies to be enforced across all business units and sites controlled by the enterprise. The integrated suite can stand against unauthorized access by way of its cloud access security broker (CASB) capabilities, which join with UEBA and DLP policies to ensure only the right people get near sensitive data residing in the cloud.
Safe at last
An SSE-SD-WAN combo will allow security professionals to take control of every aspect of their cloud apps, covering data, usage, compliance, threat prevention, and access to sanctioned cloud apps and their shadow-IT counterparts.
These capabilities go beyond the security features of existing SD-WAN services and put security personnel back in control of what matters most. DLP, CASB, UEBA, and EDRM grant deep insight into users, their behaviors, and the applications and resources they access, allowing the protection of data without any dent to productivity. Apart, SSE and SD-WAN are powerful functions, but unite them and SOCs become masters of their hybrid ecosystems.
