The Secure Marriage Of Two Acronyms – SASE and CASB

By Steve Broadhead, Broadband-Testing.

Regardless of the number of potential – and actual – influencers in the world of IT, in reality Gartner, especially in the world of cyber security, has more impact than any other party.

A classic example is with respect to SASE (Secure Access Service Edge) – pronounced “sassy” – which Gartner introduced in 2019 as a blueprint for an intensified, integrated secure network platform based around a cloud service delivery mechanism. It had traditional security solution providers scrabbling around to try and reshape their offerings to match Gartner’s definition, while other companies – notably Cato Networks who we are featuring here – effectively were SASE vendors from the ground up. As a result of world events since its introduction, the case for a SASE-style security infrastructure has only got stronger and stronger. Witness what is happening with the world right now and where and when government-led cyber crime might enter the building.

Throughout these years, another Gartner concept, CASB (Cloud Access Security Broker) has been popularised as a means of providing a solution for security solutions designed to address the challenges created by shifting workloads to the cloud. Some have seen this as a solution in its own right – but it is not. At best, CASB could be described as a subset of what true SASE provides. What it hinges upon is the new potential wave of threats that are created when adding cloud-based networking to the IT infrastructure. Traditional security solutions were designed for On-premise/private deployments. So, storing applications and data in the cloud provides, not just a new potential back door option for attackers, but a whole wall of sliding patio doors and French windows to unlock (assuming you remembered to lock them all in the first place). So, logically, if you move to a hybrid environment, CASB provides the bridge for companies to adapt to those potential new threats from the cloud, while also reducing the in-house workload and inherent complexity that such a model brings with it.

While – as ever – definitions vary from vendor to vendor, there are some fundamental elements to a CASB solution generally identified as: threat protection, data security, compliance and visibility. In each case, it is designed to deal with the cloud element of said security component; for example, compliance becomes a whole different ball game when cloudy data sovereignty is added into the equation. And how do you see what is going on in the cloud with tools that were designed specifically to manage OnPrem/private network traffic? Basic data access mechanisms change, the attack surface increases… the cloud brings a whole new weather front of security storm forecasts to the IT table. In other words, CASB has validity. However, it is only a part of the total network solution and overall strategy. Speaking with Cato Networks recently about its recent incorporation of CASB into its increasingly mature SASE platform, it really starts to make sense. Here’s the point: you have a security infrastructure that is based on a portfolio of products that you have spent a lot of money and time on integrating (with partial success usually the best effort scenario here). And, in terms of money spent, we are talking CapEx, OpEx, training, re-training (when staff leave), rejigging that portfolio when some products are “end of lifed” or simply fall short (or the vendor disappears or is acquired by an unwanted 3rd party…). And that’s just securing what is within your control/remit. Add in the cloud and that brings in all the potential problems described earlier. So, you add in a CASB solution to handle these new problem areas and that leads to the next problem to resolve, namely, how do you get that CASB solution talking to your partially successful existing security portfolio investment?

A quick demo with Cato’s current platform showed just how you go about managing that hybrid scenario – bring it all together under one system, one management console and view everything as one. Yes, you can see the source of the data and apps, including the cloud, and you don’t have to swap between systems and consoles, spend days and months ingesting separate data feeds from a gazillion different syslogs using yet more expensive 3rd party products, by which time the network has been hacked several times anyway…

At this point we need to bring in a fourth security acronym – that of ZTNA or Zero Trust Network Access. Over the past few years, no term has been more overused – or debated – within IT security than zero trust. In theory, at least, it is kind of all or nothing, like a fundamental firewall – i.e., allow all or deny all. In the real user world, obviously that is somewhat overly-restrictive – kind of like babysitting toddlers, who have the ultimate “deny all” mechanism in the form of the word: “shan’t”. As with SASE and CASB, some vendors appear to be making more sense of ZTNA than others, and aforementioned Cato Networks’ SASE solution has fallen on its secure sword in this instance too, in the form of what it defines as “device context”. This new addition to its SASE offering is straightforward and logical and a natural panacea to blind zero trust, in that it sees that every user is different and has a different associated risk profile. This, thereby allows SecOps to set policies that factor in a user's full context for data and application access (the zero-trust element) and additionally – and this is the clever bit – the actual capabilities within an application.

The first thing to point out here is that user devices are often seen as the easiest “back doors” to enter in a cyber-attack scenario. After all, why would a non-techy user even want to understand the mechanics of cyber security, let alone implement some kind of defence mechanism? Not only does it impact on their day-to-day workings but also on their lunch break, unless they use that time to read to – as yet - unpublished “Back Door Device Access For Dummies”? However, it is both the obvious point to secure from a ZTNA perspective and the point at which application access needs to be properly defined and controlled. Access based purely on user ID is a 90s concept – has no one heard of identity spoofing; or device spoofing? Or – and this is a classic – devices that are not configured to IT defined standards. Hello back door…

This refocusing on what is effectively risk-based application access control is a far more realistic approach to locking down network access. After all, if we don’t allow for flexibility within a modern IT infrastructure, in order to maximise the access and application opportunities that now exist, then we might as well simply revert to the old-school mainframe methodology. Secure? Yes. Limited? Very. Cato’s view is that defined policies will allow companies to embrace the full user context, so adding control not simply to application access, but what capabilities and features within those applications can further be accessed. This is where the vendor in question is clearly taking a forward step. In general, policy control in networking has been around – and largely ignored – for decades, but taking it to intra-application level makes a lot more sense than the basic allow-deny strategy. And, naturally, the concept extends to wherever those users wander – internal, Internet, cloud…

So, how does it work in practice? What Cato is doing is embedding continuous device context assessment throughout its software stack, meaning it will continuously assess the posture of a user’s device, including automatically taking remedial action if that device becomes non-compliant. As part of this overall assessment, the platform already analyses the fundamentals such as identity, the network, data and related activity, so it’s a broad and adaptable solution, not a stuck in time one-trick pony. It means that the user controls are not tied to a specific device; for example, when using their own device, they might have very different permissions than if they are using a company-provided endpoint device – think smart phones as an example. This adds extra flexibility to the work from office/anywhere and/or home scenario too, especially since it also covers geo-location. So, if the user is trying to access the network from an untrusted location, it can simply block access. From a productivity perspective, it means that the secure versus allowing the user to do their job conundrum is being addressed in two ways: from a ZTNA perspective it means a user can be restricted to specific, trusted resources. But, looking from a broader perspective, such as CASB, the ability to use device context at an application level, means that they can be working from anywhere, on any application located anywhere, and the controls still apply. And it’s totally scalable. Put simply, it’s a security solution for the modern world.

By Richard Melick, Director, Product Marketing for Endpoint Security at Zimperium.
By James Hunnybourne, Cloud Solutions Director, Ultima
By Chris Vaughan, Area VP and Technical Account Management, EMEA at Tanium
By Zachary Malone, Systems Engineering Manager at Palo Alto Networks.
By Dominic Trott, UK product manager, Orange Cyberdefense
By Tim Wallen, Regional Director UK&I at Logpoint
By John Smith, Founder, and CTO at LiveAction.
By Gal Singer, Security Researcher at Aqua Security