Cloud Security, Network Security, Security Program Controls/Technologies

How to determine SASE needs specific to your IT environment

Share

You've decided to switch to secure access service edge, or SASE, and move on from the old perimeter-based networking and security model. But before you make the leap, you'll need to figure out a few things about your own organization so that your SASE implementation can realize its full potential.

Here are 10 things you need to do before you begin shopping around for SASE solutions.

1. Thoroughly assess your IT needs and existing capabilities.

This includes examining your daily network workloads and which apps and functions your staff and customers use the most. How many branch offices do you have? How many workers are entirely remote?

"Every organization has a unique user base, and these users and their needs will determine the required configuration for SASE," wrote Eyal Webber Zvik, vice president of product marketing at Cato Networks, in a 2021 blog post. "If you don't know how your IT environment is used on a daily basis, it is much harder to secure it."

2. Determine exactly what you want from your SASE deployment.

How different that would be from what you have right now? Draw up a list of goals you want to meet by implementing SASE.

"A useful exercise [is] to compare your current state to your desired future state," wrote Mike Robles, senior director of product management at Lumen Technologies, in a 2021 blog post. "By identifying the gaps in your current network and security environment, you can begin to gauge the relative maturity of your technology stack and define which resources should be prioritized ahead of a SASE implementation."

3. Figure out which of the five core SASE components you truly need.

For example, a fully remote workforce might not need an SD-WAN, in which case you could pivot to a security service edge (SSE) solution. How about a firewall as a service (FWaaS), a secure web gateway (SWG), a cloud access security broker (CASB) or zero-trust network access (ZTNA)? How could each benefit you? How many technology gaps need to be filled?

"Some companies don't need [full] SASE," said Boaz Avigad, senior director of product marketing at Perimeter 81. "If you are a cloud-borne company, you have no use for SD-WAN. It's for companies that have both branch offices and people working from home."

4. See if some existing tools or technologies could be integrated into a SASE framework.

Could you save money by repurposing them, or would a rip-and-replace be better in the long run? Check which SASE vendors have APIs that can work with your existing tools.

"Unless you're a young company or a startup, you're going to have various security tools in your environment and you're going to try to integrate them in a way that makes sense and has less overhead," said Frank Kim, CISO-in-residence at YL Ventures and a SANS Institute fellow. "You don't want to create more overhead and have to dedicate engineering resources to it."

5. Seek input from your security, networking and cloud teams.

Ask them what they would want from SASE — and how ready they are to work together closely to manage a SASE deployment.

"You need strong cooperation between the cloud team, the network team and the security team," said Doug Saylors, partner and co-lead of cybersecurity at ISG. "The integration manager needs to build a team drawing from all three of those teams."

6. Make sure you have the full C-suite backing and budget.

Making the transition to SASE may be expensive at first, although you should see substantial savings over the long term. You'll also likely be shifting some of the burden from capital expenditures to operating expenditures. This isn't a strictly technological issue, but you won't get far without executive support.

"We've helped a couple of organizations go through SASE deployments," said Saylors, "and the labor costs typically declined between 25 and 35 percent for hybrid deployments and 35 to 45 percent for greenfield deployments."

7. Check to see whether there are regulatory or compliance rules that would affect your SASE deployment.

PCI/DSS, HIPAA, GDPR, CCPA or data-residency rules may demand retention of legacy assets or keeping some data out of the cloud. You should also prepare to reformulate your company's security policies to fit a SASE implementation.

"The priorities for a healthcare organization with HIPAA compliance concerns will likely be very different than that of a manufacturing firm in terms of data privacy," wrote Robles.

8. Make a long-term assessment plan for your SASE deployment.

Your management will want to see proof of success, so build in measurable KPIs so that you can track your progress.

"There's typically a labor-cost bubble as you go through implementation," said Saylors. "But if you look at 3-4-year ROI, the bubble costs are quickly overcome by run-rate savings, and that starts to happen after about eight months."

9. Consider taking the slow approach.

You can build out your SASE implementation one core component at a time. There's little harm in dropping things in piece by piece.

"Zero Trust Network Access (ZTNA) is an obvious starting point," wrote Robles. "[It] represents a better approach for securing a distributed workforce and can have an immediate impact on reducing security risks and known vulnerabilities."

10. Determine how many SASE vendors you are willing to work with.

Very few vendors can provide all the core SASE components, so you might need to take on two or three. If your IT staff is small or is not ready to manage a multi-provider SASE solution, consider using a managed-services provider (MSP).

"[SASE] can be built together from separate solutions, but generally, you want a single vendor to provide as much as possible," said Avigad. "The decision to move to SSE/SASE is driven by a company's goal to purchase it from one or two vendors."

An In-Depth Guide to Cloud Security

Get essential knowledge and practical strategies to fortify your cloud security.
Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.