The role of SASE in securing the modern workforce [Q&A]
Digital transformation combined with a shift to more remote working has presented considerable challenges for enterprises when it comes to securing their systems.
One of the technologies increasingly used to enable remote access is Secure Access Service Edge (SASE). We spoke to Anurag Kahol, CTO and co-founder of cloud security company Bitglass, to find out more about SASE and how it can help businesses deliver their transformation projects.
BN: How have the security needs of modern organizations changed, especially with rapid shifts to remote work amid COVID-19?
AK: The security demands of organizations today are changing. While digital transformation and cloud adoption improve flexibility, productivity, and employee mobility, these benefits must be balanced with proper security controls. As data moves off-premises and beyond the reach of traditional tools like firewalls, enterprises must determine how to secure it. Unfortunately, solutions that require private data centers and on-premises appliances cannot support this evolving demand.
The proliferation of cloud computing, the use of mobile devices (personal and corporate), and the growth of remote work require a security platform delivered for and from the cloud. Such a platform must enable secure access to web and cloud services, block rampant threats like malware, prohibit data leakage, and enable adherence to compliance frameworks.
BN: What is SASE, and why is it important for securing today's modern workforce?
AK: Secure access service edge (SASE), pronounced 'sassy,' refers to a comprehensive cloud security platform that is designed to enable digital transformation. SASE integrates cloud access security broker (CASB), zero trust network access (ZTNA), and secure web gateway (SWG) technologies into a flexible platform designed to defend data wherever it goes.
While cloud, BYOD, and SASE were on the rise before COVID-19, the pandemic spurred organizations across the globe to quickly shift to remote work, creating a greater sense of urgency for security on any interaction, anywhere. SASE platforms allow enterprises to extend consistent security to all enterprise resources from a single control point. This enables the corporate security team to configure policies that secure Software-as-a-Service (SaaS) apps, control access to malicious web destinations, and prevent leakage in on-premises resources without the need for virtual private networks (VPNs). In other words, SASE replaces multiple disjointed point products, delivers significant cost savings, and provides the comprehensive security needed for a remote workforce in a cloud-first world.
BN: How exactly does SASE work?
AK: Bitglass' SASE is built on a unique architectural fabric with four layers:
1. Global Core Data Centers are located in regional hubs proximate to population centers worldwide. Each Global Core Data Center carries redundant load balancers, proxy dataplanes, configuration databases for policy enforcement, Elasticsearch indices for analytics, storage for log accumulation, databases for storing encrypted payload data for structured field encryption, etc.
Each regional hub is multi-homed across multiple data centers for redundancy. Configuration databases sync automatically across all Global Core Data Centers to ensure globally replicated policies. Global Core Data Centers are built on the Bitglass Polyscale Architecture so that each component clones itself when its load exceeds a preset threshold.
2. Local Edge Data Centers are located across metropolitan areas to reduce latency. As an example, in South America, Bitglass Local Edge Data Centers are currently located in Buenos Aires, Argentina; Bogota, Colombia; Santiago, Chile; and São Paulo, Brazil. Local Edge Data Centers use the Anycast routing protocol to ensure user traffic is routed to the nearest Local Edge Data Center at all times.
3. Content delivery network (CDN) caches store static assets close to the end user to improve performance. Assets are subject to automated version control hashing to ensure they are always up to date.
4. The Bitglass SmartEdge endpoint agent is a complete network proxy combining CASB and Secure Web Gateway functionality. The SmartEdge agent decrypts all network traffic and inspects it to enforce URL filtering, data loss prevention (DLP), and threat protection. The agent also accumulates full access logs and transmits them in compressed form to Global Core Data Centers for indexing in the Analytics engines. The SmartEdge endpoint agent uses its patent-pending Trapdoor Proxy to ensure that if the private key on a device is compromised, it cannot be used to spoof any other device in the same organization.
The SmartEdge agent can also profile the endpoint to check for security posture, including elements such as system version, software installations, registry entries, etc., to enforce Zero Trust access to managed applications. Since the SmartEdge agent is on the endpoint, there is no latency impact to the user experience. Furthermore, the user's privacy is preserved since secure sockets layer (SSL) inspection is performed locally on the endpoint rather than in the cloud.
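To make the enforcement flow described in this answer concrete, here is a small Python model of an on-device agent that gates managed-app access on device posture, filters destinations by category, runs a DLP check on decrypted request bodies, and ships its access log compressed. It is an added illustration written for this article, not Bitglass code or the SmartEdge agent: the posture baseline, the URL category table, the DLP rule and the sample requests are all constructed assumptions.

```python
"""
Illustrative on-device enforcement point (URL filtering, DLP, posture-gated
access, compressed access logs). Added example, not Bitglass code: the policy
layout, posture baseline, category table and sample requests are constructed.
"""
import gzip
import json
import re
from dataclasses import dataclass, asdict

# ---- Device posture: the local inputs a zero-trust decision is based on ----
@dataclass
class Posture:
    os_version: tuple      # e.g. (10, 0, 19044); compared lexicographically
    disk_encrypted: bool
    edr_running: bool

MIN_OS_VERSION = (10, 0, 19041)   # constructed baseline, not a vendor default

def posture_ok(p: Posture) -> bool:
    """Managed apps require a patched OS, disk encryption and a running EDR."""
    return p.os_version >= MIN_OS_VERSION and p.disk_encrypted and p.edr_running

# ---- URL filtering: a constructed category table standing in for a feed ----
URL_CATEGORY = {
    "payroll.example-corp.internal": "managed-app",
    "evil.example": "malware",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"malware", "phishing"}

# ---- DLP: 16-digit card numbers, optionally separated by spaces or dashes ----
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def contains_card_number(text: str) -> bool:
    """True if the text holds a Luhn-valid 16-digit sequence."""
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            return True
    return False

# ---- The enforcement decision, made after local decryption of the request ----
@dataclass
class Request:
    host: str
    body: str = ""

@dataclass
class Decision:
    action: str    # "allow" or "block"
    reason: str    # which control decided, recorded in the access log

def enforce(req: Request, posture: Posture) -> Decision:
    """Order matters: known-bad destinations first, then posture, then content."""
    category = URL_CATEGORY.get(req.host, "uncategorized")
    if category in BLOCKED_CATEGORIES:
        return Decision("block", f"url-filter:{category}")
    if category == "managed-app" and not posture_ok(posture):
        return Decision("block", "zero-trust:posture")
    if contains_card_number(req.body):
        return Decision("block", "dlp:card-number")
    return Decision("allow", f"url-filter:{category}")

# ---- Access logging: record every decision, ship the records compressed ----
def run_batch(requests, posture: Posture) -> list:
    """Evaluate requests and return one JSON-serialisable log record each."""
    return [{"host": r.host, **asdict(enforce(r, posture))} for r in requests]

def compress_logs(records: list) -> bytes:
    """JSON lines, gzip-compressed, as an agent would upload them."""
    lines = "\n".join(json.dumps(r, sort_keys=True) for r in records)
    return gzip.compress(lines.encode("utf-8"))

def decompress_logs(blob: bytes) -> list:
    """Inverse of compress_logs, as the indexing side would apply it."""
    text = gzip.decompress(blob).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line]

if __name__ == "__main__":
    healthy = Posture((10, 0, 19044), True, True)
    sample = [Request("evil.example"),                       # constructed
              Request("payroll.example-corp.internal"),
              Request("news.example", "support ref 4111 1111 1111 1111")]
    for rec in run_batch(sample, healthy):
        print(rec)
```

The ordering in enforce() is the point to notice: a destination on the block list is refused before any posture or content check runs, and a compliant device is still stopped from posting card data. Evaluating all of this locally is what lets the decrypted payload stay on the endpoint; only the decision records leave it.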
BN: How does the architecture of SmartEdge SWG differ from legacy SWG solutions?
AK: SWGs have been available for years from legacy network security vendors. These legacy solutions offer a combination of simple, traffic-forwarding endpoint agents and on-premises appliances to inspect traffic for users in the office or on the go. These solutions were originally designed primarily with on-premises environments in mind. However, the move to the public cloud and a significant uptick in remote work have rendered these solutions obsolete.
Bitglass' SmartEdge SWG is the world's first on-device option for web security. An advanced SmartEdge agent on the device performs the decryption and inspection locally, applying security policies that prevent leakage and halt malware in real time. This approach circumvents the need for VPNs, appliances, and latency-inducing network hops, ensuring better performance and scalability than competing legacy tools.
BN: How can SASE maximize performance and uptime for customers?
AK: From the beginning, Bitglass was designed as a cloud security platform that can adapt to any scenario and secure any interaction. We're fully committed to developing the world's most advanced security technology, and are convinced that performance and uptime are a critical component of that endeavor. Security that doesn't perform is of little value.
Our platform is deployed in the public cloud on a Polyscale Architecture. With this architecture, each component is stateless, multi-tenant and can handle any application. When the load rises in a component -- exceeding 50 percent over a five-minute interval, as an illustration -- the component clones itself. For example, when a large customer has an offsite, the remote data center grows toward the load profile of that customer automatically. As mentioned previously, our SASE fabric is designed to maximize performance anywhere in the world. Customers even report faster load times through our proxy than they do when connecting directly to applications like Office 365. Since 2014 we have maintained an uptime of 99.99 percent.
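The cloning rule quoted here (load above 50 percent, sustained over a five-minute interval) can be expressed as a sliding-window check. The following Python is an added example, not Bitglass code: the window and threshold are the article's figures, while the 30-second sampling interval, the simple average over samples, and resetting the measurement after a clone are constructed assumptions.

```python
"""
Sliding-window scaler modelling the rule "load above 50 percent over a
five-minute interval -> clone". Added example, not Bitglass code; sampling
interval and post-clone reset are constructed assumptions.
"""
from collections import deque

WINDOW_SECONDS = 300.0     # the five-minute interval from the article
CLONE_THRESHOLD = 0.50     # 50 percent load from the article

class Component:
    """One stateless component: keeps recent load samples, clones when hot."""

    def __init__(self):
        self.samples = deque()   # (timestamp_seconds, load_fraction), oldest first
        self.replicas = 1

    def observe(self, ts: float, load: float) -> bool:
        """Record a sample; return True when this sample triggered a clone."""
        self.samples.append((ts, load))
        # drop samples that have aged out of the window
        while self.samples[0][0] < ts - WINDOW_SECONDS:
            self.samples.popleft()
        # do not react until a full window of evidence exists, so a short
        # spike or a freshly started component cannot trigger cloning
        if ts - self.samples[0][0] < WINDOW_SECONDS:
            return False
        # samples are assumed evenly spaced, so a plain mean is the window load
        avg_load = sum(l for _, l in self.samples) / len(self.samples)
        if avg_load <= CLONE_THRESHOLD:
            return False
        self.replicas += 1
        self.samples.clear()   # assumption: measure afresh once load is shared
        return True

def simulate(loads, interval: float = 30.0):
    """Feed evenly spaced samples; return (final replica count, clone times)."""
    comp = Component()
    clone_times = []
    for i, load in enumerate(loads):
        ts = i * interval
        if comp.observe(ts, load):
            clone_times.append(ts)
    return comp.replicas, clone_times

if __name__ == "__main__":
    # constructed traces: steady 70 percent load vs one isolated spike to 100 percent
    print(simulate([0.7] * 22))
    print(simulate([0.3] * 10 + [1.0] + [0.3] * 5))
```

Requiring a full window before acting is what stops a single spike from spawning replicas, and resetting after a clone gives the new replica time to absorb load before the rule can fire again.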