Interview with Nathan Howe on SASE
Cybersecurity Magazine: Nathan, we want to talk about SASE, a new term that was coined by Gartner late 2019. As I understand it, it’s covering multiple other acronyms, such as CASB (cloud access security broker). What makes SASE different from, for example a CASB?
To be honest, cloud access security broker is part of the SASE discussion. SASE is not one piece of software, or one piece of hardware, it’s a way of working. It’s a convergence of multiple different technologies that are turned on at different times depending on the traffic that it’s passed through. In short, SASE is not something that is a destination, it’s not something that is a source, it’s actually the path between the user and the destination, it’s the pass through, if you want to use that terminology.
SASE is a combination of different security and network controls that we’ve had over the years, like SD-WAN to take just one example. SD-WAN will still play a part in SASE, because we still have to get traffic from the users, or locations, to the enforcement policies as they pass through. Now, SD-WAN could actually do the enforcement as part of the SASE, but it’s still part of the overall concept of SASE. It’s a route, it’s a network direction, but it’s also a policy control. The same goes for zero trust, which is not a one-off conversation, it actually is considered part of SASE.
So, those things play in convergence for SASE. It’s a big collection of all those controls and paths in one control framework.
It’s actually cool. First of all, however, I must say that I really don’t like the acronym. S-A-S-E is cool, but saying ‘sassy’, it’s an English thing, it’s like a 1920’s thing. It’s a word that hasn’t been used in a long time. The actual acronym makes a lot of sense, and I think it says it all on the last word; it’s the edge.
It’s a pass-through point. The edge is the point, it’s not the perimeter, it’s the edge, and it’s passing through from point A to point B, but it’s being applied on the path through from point A to point B.
The difference with SASE and the different controls – like network and security controls – is that rather than doing controls in a one-off way, what we’re seeing now is rather than pass everything through one central place, we’re saying if this identity of the user is trying to access this application, what controls do we want to apply. And we’re being selective about what we apply, rather than sending it through the entirety of the security chain.
Cybersecurity Magazine: In a SASE scenario, how would you handle unknown applications, for example, if I were to access my NAS (Network attached storage) server running at home?
Well, when accessing a NAS you know the access path, from source to destination. The question is then, what are the controls you want to apply to it? If somebody else tries to access your NAS do you want to allow them or not? And I think it’s not just the control based upon identities and username and password and whatever else, but perhaps you do want to maybe allow your friend to access your NAS, but you want to put perhaps data loss prevention in place, so he’s not stealing your files. These are the things you can be selective about with SASE.
Now, for apps that are unknown, we’ll never know what every app that has existed will be, we have no idea, it will always change. The way in which we at Zscaler see is best described with the 80/20 rule. You can put 80% of your effort in controlling those things, but then the last 20%, you may not know right away. But as your users start consuming those services you’ll be able to see that traffic flow and actually make decisions. If your friend tried to access the NAS it would block because he’s not allowed. But maybe we actually want to enable it and maybe we do it through a browser isolation, or we put it through CASB, or we do a zero trust. Depending on the risk model that each company has, we can apply different controls on the way through. At Zscaler we actually have a function which deals with unknown services, or unknown applications, and the company has the decision to perform different controls on the unknowns. They can block, they can alert, or we can isolate. These are all the different functions that can be applied as part of the SASE. But coming back up to a higher level, SASE is about understanding what controls you want to apply and when, depending on the identity of the user, and identity of the application.
Cybersecurity Magazine: Going back to the unknown, is there some sort of artificial intelligence which takes some decisions away from the user; suggesting or even applying certain policies directly?
In the generic SASE environment, there is a conversation about identifying these services, and I think that’s something that each individual company who applies SASE will do. Within Zscaler specifically, we do have a number of ways to identify unknown apps. First, our customers share information with us. The same way we share our security research with our customers, they share with us their security research. During those processes we actually identify new apps, new URLs. Also, we acquired a machine learning organisation to give us additional insight. Obviously there’s only certain things you can do as humans, you need to automate as much as possible. We leverage that visibility with really cool algorithms that our wonderful colleagues at the machine learning group have built to help us understand that and enrich that.
To give you an example: 10 years ago Microsoft Outlook ran on one machine with one IP address and had ports 25 and port 110 open for SMTP and POP. Today, Microsoft Outlook is 25 IP addresses on ten different devices with multiple SQL databases, web interfaces, and all these different things. Now, is Outlook all of those apps together as one, or do you divide it up individually?
What we are doing is to give you the ability to decide that’s one app, and you can decide to include them as one, or you can decide to handle them individually. As we move further and further into the technology age we don’t have the ability to be 100% sure anymore, because people build things with different pieces.
Taking Outlook as the example, you could even ensure some of the privacy concerns which are prevalent in the EU. In other words, you could define e-mail as one app defined in Outlook, and the calendar part that is shared across the whole organisation is another app, with different privacy concerns and hence with different controls.
That shows the value of SASE, that based upon who’s accessing what application, you apply different controls. Which is very much the overall framework of what we’ve been doing for a very long time. SASE just helps categorizing it really nicely, and helps create a very standardised way of communicating this to the outside world.