Is SASE the Solution for Third-Party Risk?

In addition to zero trust, using appropriate tooling like SASE can help secure an organization’s IT infrastructure from threats posed by third-party access.

By Gilad David Maayan · Jun. 01, 22 · Analysis

What Is SASE?

Secure access service edge (SASE) is a network security architecture that helps securely connect systems, endpoints, and users to services and applications from any location worldwide. It is a service you can access from the cloud and manage centrally. 

SASE is a framework, not a specific technology. It works by combining several cloud-native security technologies, including: 

  • Secure web gateways (SWGs)
  • Cloud access security brokers (CASBs)
  • Zero trust network access (ZTNA)
  • Firewall as a service (FWaaS)
  • Wide area network (WAN) 

SASE is not to be confused with security service edge (SSE), a subset of SASE that focuses primarily on security services required in a SASE cloud platform.

What Problems Does SASE Address?

The global workforce is becoming increasingly remote. More and more companies are taking a hybrid approach, transitioning employees to full- or part-time remote work. The average enterprise today uses dozens, if not hundreds, of SaaS applications every day, and needs to grant remote access to administrative and operational resources such as file-sharing systems. 

The traditional approach to remote access used a virtual private network (VPN) to tunnel user connections through to a single location over an encrypted channel. This made it possible to centrally apply and enforce permissions and policies.

However, this approach creates network bottlenecks and hurts the user experience. The organization must invest in technology that can manage and inspect traffic, and even then, a VPN does not provide granular network access controls, so users get unfettered access to entire networks.

Part of the solution was the introduction of secure web gateway (SWG) and firewall as a service (FWaaS) providers. These cloud-based services deploy inspection engines at distributed points of presence (PoPs), and work with SaaS providers to secure their cloud environments using cloud access security brokers (CASBs). But this still doesn’t solve the problem of connecting to the corporate network. Organizations still have a local network, in addition to cloud-based resources, and this piece of the remote access puzzle was left unresolved.

SASE addresses this missing piece. It is designed with the end user in mind and adopts the zero trust approach. SASE lets users connect to any resource, whether in the cloud or on-premises. It first verifies their identity and checks that the user’s device has minimal security hygiene. Trusted users can connect only to the specific resource they want to access, and nothing else. This is usually achieved by zero trust network access technology (ZTNA), which relies on micro-segmentation. 

Unlike traditional VPN solutions that centralize security inspections, the SASE approach distributes these inspections across different regions to increase the efficiency of network resources. This helps reduce the complexity of managing these components as separate point solutions. SASE provides a centralized set of cloud-based tools that increase visibility and control. These tools can be fully orchestrated in the cloud, with policies instantly enforced at the edge of the network.

Minimizing Third-Party Risk With Zero Trust and SASE

Third-party risk management involves addressing security risks originating from a trusted source outside an organization. This definition is broad, but there are several notable sources of third-party risk:

  • Third-party applications — all organizations use applications developed by a third party. Organizations usually trust these applications because they come from a reputable developer or trusted software company. However, third-party software often contains vulnerabilities, and if the developer’s system is compromised, a trusted application can become an attack vector for malicious actors.
  • Trusted external users — many organizations allow external partners, vendors, or suppliers to access their protected systems and environments. However, a compromised third-party user account can serve as a launching pad for attacks, allowing malicious actors to gain authorized access to internal networks.
  • Open-source code — most organizations use applications that incorporate third-party software components and dependencies. Open-source libraries and code often contain backdoors allowing attackers to exploit the applications. If an organization lacks visibility into its open-source dependencies, unknown vulnerabilities could present an opportunity for attack.

In each of these cases, the organization implicitly trusts a third party to ensure security. If an attacker exploits this trust, it can undermine the organization’s security. An organization’s reliance on an outdated security strategy may result in many of the worst impacts of third-party risk. 

For example, many organizations use a legacy security perimeter model to defend their networks from the outside. This approach involves deploying security mechanisms on the network boundary to identify and block threats before they penetrate the protected network and systems.

The perimeter-based security model assumes that security threats come from outside the network—however, this is not always true. By focusing exclusively on external threats, organizations often overlook the threats that have already infiltrated their network. Third-party apps and users often present an additional security challenge and potential blind spots for security solutions that defend external access points.

Managing third-party risk requires an understanding that even a trusted system or entity can pose a risk to the organization. In short, organizations must not implicitly trust anyone or anything. This assumption forms the basis of zero trust, a security approach that minimizes a security incident’s likelihood and potential damage. 

It is relatively straightforward to adopt a zero trust security strategy, although enforcing it can sometimes be more challenging. Enforcing zero trust requires implementing consistent access controls throughout the organization’s entire infrastructure.

Organizations should enforce zero trust at the network level to secure east-west and north-south traffic. A secure access service edge (SASE) offers both capabilities:

  • East-west traffic flows — SASE establishes an enterprise WAN, integrating a complete security stack into every point of presence (PoP). It enables east-west traffic inspection by the SASE PoPs and applies access controls based on a zero trust model.
  • North-south traffic flows — SASE establishes a software-defined perimeter (SDP) or zero trust network access (ZTNA), enforcing zero trust-based access controls for all requests to an internal resource or application that originates from an external user. It restricts external access to corporate applications to prevent the exploitation of hidden vulnerabilities.
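The per-request decision described above (verify identity, check device hygiene, then allow only the named resource), set against VPN-style network access, is sketched below as an added example that is not part of the original article or any SASE product. The identities, application names, subnets and posture checks are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory of internal applications: name -> subnet it lives in.
APPS = {
    "billing-api": "10.0.1.0/24",
    "hr-portal": "10.0.1.0/24",
    "build-server": "10.0.2.0/24",
    "file-share": "10.0.2.0/24",
}

# Constructed grants: each identity maps to named applications, never to subnets.
GRANTS = {
    "vendor-acme@partner.example": {"billing-api"},
    "alice@corp.example": {"hr-portal", "file-share"},
}

# Hypothetical minimum device-hygiene checks; real products define their own.
REQUIRED_POSTURE = {"disk_encrypted", "os_patched", "edr_running"}


@dataclass(frozen=True)
class Request:
    identity: str
    mfa_passed: bool
    posture: frozenset
    app: str


def ztna_decide(req):
    """Return (allowed, reason). Default deny: each request must pass every check."""
    if req.identity not in GRANTS or not req.mfa_passed:
        return False, "identity not verified"
    missing = REQUIRED_POSTURE - req.posture
    if missing:
        return False, "device posture failed: " + ",".join(sorted(missing))
    if req.app not in GRANTS[req.identity]:
        return False, "no grant for " + req.app
    return True, "granted " + req.app


def reachable_via_vpn(subnets):
    """Network-level access: every application in a routed subnet is reachable."""
    return {name for name, net in APPS.items() if net in subnets}


def reachable_via_ztna(identity, posture):
    """Application-level access: only applications that pass ztna_decide."""
    return {app for app in APPS
            if ztna_decide(Request(identity, True, frozenset(posture), app))[0]}
```

Comparing `reachable_via_vpn` with `reachable_via_ztna` for the same third-party account shows how much of the network a compromised vendor credential exposes under each model.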

Conclusion

Third-party risk management is often a complex undertaking. Zero trust security implementation is a key aspect of minimizing third-party risk. In addition to zero trust, using appropriate tooling like SASE can help secure an organization’s IT infrastructure from threats posed by third-party access.
