Security’s Inevitable Shift to the Edge

0 Comments

As the edge becomes the place for DDoS mitigation, Web app security, and other controls, SASE is the management platform to handle them all.

In 2019, Gartner released a paper defining the Secure Access Service Edge as the framework that most enterprises will implement. SASE offers an elegant solution to many challenges faced by CISOs today, including maintaining security posture during rapid digital transformations, shifts in locations of workers, migrating toward a zero-trust architecture, and protecting the business while more processes shift into DevSecOps.

Long before the term SASE was coined, security controls began to shift to perform inspection closer to end users. More than a decade ago, we witnessed the migration of security for customer-facing apps out of the enterprise data center to the edge to move security inspection closer to users, rather than forcing traffic to travel to the fixed location where security appliances were deployed. Today the edge is the predominant location for distributed denial-of-service (DDoS) mitigation, Web application security, and related controls for public-facing applications. This migration offers lessons as organizations now shift workforce security to the edge.

SASE architecture and the shifts it forecasts make perfect sense as we now see similar trends, such as the migration of applications away from the corporate data center and the migration of users away from the corporate office, taking place in workforce application consumption patterns. These forces mirror those that moved Web-focused security inspection away from hardware appliances or bolt-ons to load balancers in the corporate data center transitioning to the same point in modern security architecture, the edge.

Migration of Applications
Many security architects are initially attracted to the SASE model as it helps them apply security controls at the optimal location in their rapidly changing architecture. That optimal location is the edge of the Internet, which will be close to any infrastructure-as-a-service (IaaS) or co-location facility that the business uses today or in the future. The edge deployment model provides agility for hybrid multicloud organizations and is well suited to changes to IaaS vendor or new locations from mergers and acquisitions.

The flexibility of deploying security inspection at the edge means that, regardless of shifts in the location of compute, security inspection can be performed at a local edge node. This provides for optimized routing of traffic and avoids what Gartner describes as the unnecessary “tromboning of traffic to inspection engines entombed in enterprise data centers.” Furthermore, since multi-cloud is the predominant architecture, deploying security at a homogenous edge makes more sense than trying to engineer consistent controls using heterogenous capabilities available at various cloud security providers (CSPs).

Another driver for SASE is the migration of users outside of the traditional corporate offices. There has been a slow trend over recent years to enable remote workers, road warriors, as well as remote contractors. 2020 saw that slow trend move into hyperdrive with near total abandonment of corporate offices by employees mandated to work at home. This moved employees far from security appliances deployed in the corporate office or enterprise data center; however, regardless of where employees are located, the nearest edge point-of-presence (POP) is never far away. By migrating to the edge, security controls can be efficiently deployed very close to the end user.

What is the Edge?
With SASE, Gartner introduced the ideal point in an architecture to deploy security inspection via an integrated set of tools. The edge is architected much differently from the cloud, as most CSPs have only a couple of dozen POPs. To lock in the maximum performance, agility, and scalability gains, an edge platform should have hundreds or even thousands of POPs deployed across many geographies and inside many Internet service providers.  

Furthermore, the edge platform should achieve high levels of uptime. The edge represents the exposed attack surface for DDoS; the NIST Zero Trust Architecture guide encourages organizations to evaluate resilience to DDoS as part of their design.  This provides an opportunity to shift to a proactive, robust posture in the face of DDoS, where attacks are not only mitigated but the platform learns from each attack and is better prepared for the next.

An edge platform really should be built with an open architecture permitting configs and dashboards via a portal. Edge platforms should also support DevSecOps workflows by extending bidirectional APIs between the SASE platform and other DevSecOps tools to drive config changes and communicate interesting events to a SIEM or ChatOps tool.

This edge migration has not only provided security benefits but also addressed the network transformations described in SASE. An edge deployment eliminates the traditional tradeoff between security and performance by improving the performance of the application at the same time attacks are repelled. This topology presents the rare scenario in security where you can have your cake and eat it too. Excellent application performance is critical to driving productive use of corporate applications; corporate users not only compare the user experience of enterprise apps to other enterprise apps, but they compare corporate apps to the user experience of browsing a social networking site, a search engine, or a lightning-fast commerce application.

Edge architectures have traditionally been built using proxy-based approaches. This makes them well suited for many of the use cases called out in SASE. Zero-trust network access is often the first workforce component to be addressed on the journey to a SASE architecture. An edge-based, identity-aware proxy is a very efficient way to transition to a zero-trust approach for accessing corporate applications. Additionally, functions like edge-based secure Web gateways benefit from the proxy-based approach seen in edge deployments. Since SASE moves much of the inspection up to the application layer, decryption of TLS will be required. Fortunately, existing edge architectures have a robust KMI infrastructure that allows for safe decryption and re-encryption of traffic once it has been inspected.  

The security industry continues to shift towards edge models, and Gartner’s forecasts for SASE adoption will only accelerate this trend. 2020 has presented a number of challenges for IT and security teams, but the technology decisions made by many organizations during these difficult times have resulted in solid progress towards adoption of a SASE model. Those investments will pay dividends for years to come. 

In his 15 years at Akamai, Patrick Sullivan has held a number of leadership positions including leading the Enterprise Security Architect team. Sullivan and his team work with customers when they come under attack and designs security architectures to protect them from … View Full Bio

Recommended Reading:

More Insights