SD-WAN Archives | Axis Security
https://www.axissecurity.com/tag/sd-wan/

The Single Vendor SASE Unicorn Halloween Costume
https://www.axissecurity.com/the-single-vendor-sase-unicorn-halloween-costume/
Mon, 31 Oct 2022 13:00:00 +0000

The post The Single Vendor SASE Unicorn Halloween Costume appeared first on Axis Security.

Halloween is here! I usually keep my costume choices a secret until the last minute.  But this year, the choice is easy.  A single vendor SASE Unicorn. Yeah, the “muggles” won’t get it but hey, everyone loves to party with a colorful unicorn!!!
[Image: Single Vendor SASE Unicorn Costume]

If you are unfamiliar with single vendor SASE, here is what it is. Per Gartner, SASE is a converged network and security service which is delivered as a service. It “enables zero trust access based on the identity of the user, device or entity, combined with real-time context (such as device security posture) to enforce and govern security and compliance policies. Single-vendor SASE offerings should have a common management plane and data lake across all capabilities”. Whew. That is a lot. Let’s break that down a bit.  

[Image: SASE Detailed View]

The market is converging to address the “original sin” in networking. That’s a lack of security. We need to move beyond the firewall as the means of securing the data center, the branch, and the employee as new applications and employees exist in every nook and cranny of this planet.  Zero trust network solutions are the path forward. SASE creates a system of adaptive trust, embeds it within the network, the endpoint, and then manages it by policy via a common framework. Simplifying this further, it’s software-defined networking with security which now covers not just the network devices but the endpoints too. Leverage identity and device posture checks via northbound APIs and presto, SASE!

Now we’ve established the why and what, let’s get into what the landscape of solutions currently looks like. They come in two form factors: platform and portfolio. Platform first. A fundamental rule of SASE is this: don’t impact the user experience. By this, I am referring to the number of security treatments a packet or flow will encounter on its journey from the employee to the application and back. The more treatments, the more latency. The ultimate unicorn solution will be based on “single pass” scanning for security. Platform-based solutions with a unified network and security fabric will be able to provide this or get close to it. Unfortunately, these solutions don’t exist today. Rather, the solutions on the market today are based on portfolios. Either they started off as an SDWAN solution or as a point solution (CASB, private access, or similar). Then vendors either purchased components as part of an acquisition (most common) or combined products already in their portfolio and rebranded them to fill out their “unified SASE” portfolio. The result is a non-optimal architecture with tradeoffs, meaning the key rule of SASE, the user experience, is broken. Additionally, these solutions can be challenging to manage, as the administration UI feels like a federation of products.

If this is the case, will the unicorn ever appear? My bet is yes, and it will likely come in two formats. The first form of the unicorn will be based on an SDWAN-style solution. It will leverage hardware-based devices in the branch, campus …. and then wait for it… the data center. It will also incorporate the endpoint in the form of an agent for the remote worker. These points of presence will create a distributed fabric feeding back to a common management plane. Functions will be distributed but also resilient. Much like in SDWAN, if the distributed network and security fabric loses contact with the central management hub, the solution will continue to operate within a cached state. The solution will be fully L7-aware and feed back to identity as well as device-state repositories. The advantage is that the solution can be built into common network hardware like routers, switches, and even APs. The downside is complexity. This is a lot to manage, maintain, and keep synchronized.

The second SASE unicorn will be fully software-based. Rather than a distributed fabric leveraging hardware and software agents, this solution will be broker-based with a distributed number of points of presence (PoPs). The PoPs will reside either in the “Cloud” or take the form of a “private edge PoP” located in an enterprise data center or branch office. Resiliency is provided through multiple PoPs in multiple Clouds (AWS, Azure, and so on) as well as the private edge. The advantages are management simplification, scalability, and fast innovation, since this solution is delivered “as a service”. The downside is that you need to consider how to manage the underlay, meaning the base network that passes data back and forth.

Which unicorn will we see first? My bet is on the fully software-based solution. Hardware is hard. Software is much easier to build and innovate on. Recommendations? Right now, if someone says they have a “unified SASE solution”, take it with a grain of salt. It’s likely a horse with a horn glued on it. The best advice I can give you is this. What problem are you looking to solve? If it is reducing the cost of your WAN and optimizing access from the branch to SaaS solutions, start with SDWAN. If your issue is enabling the hybrid workforce, look into the Security Service Edge (SSE). For this, SDWAN is not the answer. All that said, for whatever problem is your priority, make sure to ask your vendors about integrations between SDWAN and SASE. Unified SASE is not here yet, but you can start to take some early steps on your journey to uncover the unicorn.


What to Consider Before Using VDIs for Secure Access
https://www.axissecurity.com/seeking-vdi-for-a-secure-remote-access-relationship-check-for-hidden-costs/
Fri, 18 Jun 2021 19:50:48 +0000

The post What to Consider Before Using VDIs for Secure Access appeared first on Axis Security.

A Virtual Desktop Infrastructure looks like a great match on paper. What’s not to like?

You know where it is on Friday night, with your apps and data on your servers, not cruising the internet or making out on someone’s BYOD. It seems safe since it forces web access through the ‘house’ security stack and requires an ID check at the front door. It can be made available exclusively to users on your network via VPN, SD-WAN, or local network connection.

A VDI is nice to the old folks – offering legacy app support for older operating systems that you keep getting told “can’t upgrade – it’s too expensive” (but you still have to secure them). VDI looks like a cheaper “per date” expense for those looking to spend less on laptops. VDI also looks like a convenient way to date partners and contractors with laptops you don’t manage. But in the big picture, the costs are not cheap.

Comparing VDIs with Zero Trust Network Access solutions

So let’s compare typical remote access scenarios (including VDI) with Zero Trust Network Access (such as with Axis Security), when you’re looking for a fulfilling secure access relationship that doesn’t empty your wallet.

  1. Using a VDI solution for remote application access can cost $1,200 per person per year. This cost varies depending on whether you use a VPN, whether you still need that WAN, or whether you offer web access with a gateway. And remember, if you use a portal to the web, you need your full perimeter security stack to protect your organization.
  2. Using company-owned laptops with agents, VPN, and a WAN for remote access can cost $1k per laptop. This option offers the least visibility and control, and it certainly isn’t zero trust.
  3. If you skip VDI and go for something like AWS AppStream to remotely access applications, you might spend $500 per user/year. This assumes AppStream even covers your use cases.
  4. Alternatively, Zero Trust Network Access (ZTNA) such as the Axis Security Application Access Cloud costs under $150/user/year. Plus you get better visibility, granular control, and end-to-end zero trust connectivity with security for your apps. That’s a much more affordable and secure long-term relationship.

VDI can be “high maintenance”, requiring a lot of setup and accessories when, in the end, all most IT architects want it for is secure access. Also, VDI doesn’t give you zero trust. There’s a lot more to a Zero Trust architecture model than what you get from standard VDI access, which covers no more than one use case of a good Secure Access Service Edge (SASE) solution.

The best secure access solution for remote access

Axis Security App Access Cloud is a comforting voice of reason all the time, providing continuous authorization and monitoring of any user accessing any app in any location. Beyond that initial knock on the door and the obligatory authentication before letting the kids out on their date, Axis Security monitors and governs the entire access session like a high-class chaperone. The App Access Cloud looks out for the youngsters by tracking activity and application behavior during each session to make sure that no one is behaving oddly or aggressively in a way that’s out of character. And if they do, it cuts them off.

And lest we drift into creepy Big Brother territory, that just means Axis monitors each user session in context based on adaptive policies which can change as the risk changes. This includes the ability to revoke or change access permissions if the session runs past the end of business hours. It also includes context-based limitations on copy and paste, print, or downloads based on attributes such as the user device (checking device security posture and hygiene) – that’s a touch of data loss/leak prevention.

VDI doesn’t walk you home: although it may integrate with your directory or IdP, there’s no end-to-end zero trust connectivity. VDIs rely on public internet-facing portals or VPNs for connectivity, with weak encryption and IP or DNS leaks. These have been specifically targeted over a year-plus of remote work. (Pondering the NordVPN hack, the Cisco VPN zero-day, Pulse Connect Secure, and all those RCE attacks on web-facing applications.)

And if things ever go really wrong, the Axis Security App Access Cloud is there for you when your security team needs a step-by-step log of activity for incident investigations – or hey, for future capacity planning in the event that the relationship brings more kids into the picture later on.

