
SASE: And Why Identity Controls are Key to a Secure Deployment

What is SASE?

Initially introduced by Gartner, SASE is a framework that combines software-defined wide area networking (SD-WAN) elements with various network security capabilities such as firewalls, secure web gateways (SWGs), cloud access security brokers (CASBs) and Zero Trust access controls — and delivers them as a managed cloud service.

One of the key capabilities offered with SASE is identity-driven access management, as opposed to traditional network-based controls and services.

Image #1: Identity is key to all of the security aspects to SASE.

As defined by Gartner, the SASE category consists of four main characteristics:

  • Identity-driven: User and resource identity, not simply an IP address.
  • Cloud-native architecture: The SASE architecture leverages key cloud capabilities, including elasticity, adaptability, self-healing, and self-maintenance.
  • Supports all edges: SASE creates one network for all company resources—data centers, branch offices, cloud resources, and mobile users.
  • Globally distributed: To ensure the full networking and security capabilities are available everywhere, the SASE cloud must be globally distributed.

SASE and Identity:

SASE expands the definition of identity.

SASE approaches access management differently than standard IAM solutions. It expands what constitutes an identity in the first place. It accepts traditional IAM principles such as users, groups and role assignments, but all edge locations, distributed WAN branches and network origins are also considered identities. In a cloud-focused enterprise, secure access decisions should be centered around the identity of the entity at the source of the connection.

How SASE's Expanded Identity Model Improves Security:

The SASE model looks to significantly improve upon the classic access strategies that focus only on network information. Traditional network controls focus on legacy device identification information such as IP and MAC addresses, which carry less weight in an environment made up mostly of SaaS applications. SASE focuses on identities (roles, permissions, etc.) and can include contextual information such as session origination (location, time, source) and other factors.

Once the entity is authenticated and authorized to access resources, a SASE service can then act as a VPN-like broker. The SASE model protects the entire entity session, regardless of where it connects to and originates from, providing true cloud-oriented security.

How Access Controls like YouAttest increase the SASE Security Posture

As stated, SASE aims to enforce policies based on identity. Borrowing from IAM best practices, identity should NEVER be individually enforced into apps and other resources. The standard best-practice method is to place identities in roles (usually represented as IDaaS groups).

Then these roles are granted access according to the groups they are assigned to.

This makes the access control (for apps, devices, SWGs, CASBs, ZTNW, etc) maintainable and scalable.

But here is where the friction comes in: IAM is dynamic. Users change, managers change, environments change. Is the information and grouping in the data stores the SASE wishes to utilize (AD, Azure AD, Okta, JumpCloud) accurate? Are the roles grouped according to up-to-date information?

Mostly not. In fact, Palo Alto Unit 42 says 99% of roles are overly permissive for cloud resources.

This is where enterprises need YouAttest.

What Does YouAttest Bring to a SASE Solution:

YouAttest allows an enterprise, from a single identity (or risk) manager, to conduct user access reviews. YouAttest is completely in line with the best practices spelled out in NIST SP 800-53 v5, PR.AC-1, which calls for the attestation of roles.

YouAttest's cloud-based offering auto-delegates out to the group managers so they can:

  • Certify
  • Revoke
  • Or re-delegate the certify/revoke process

Image #2: YouAttest group audits help attest to the rights and privileges of users in a SASE environment.

In a 100% GUI-driven process, group/role managers are sent messages (email or Slack) to simply manage/certify their role. The process has been shown to save 80-90% of the time associated with the review and increase accuracy by 60%.
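The delegated certify/revoke/re-delegate review described above, modelled as an added example (not YouAttest's code): each IDaaS group becomes one review task owned by its manager, only the current reviewer may decide, a re-delegation hands the whole task to someone else, and a group's membership is only enforced once every member has been attested. The group data, manager names and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample directory snapshot: group -> responsible manager + members,
# the shape an IDaaS (Okta, Azure AD, ...) export would give a SASE policy engine.
GROUPS = {
    "sase-admins": {"manager": "alice", "members": {"bob", "carol", "dave"}},
    "swg-bypass":  {"manager": "erin",  "members": {"frank", "carol"}},
}

@dataclass
class ReviewTask:
    group: str
    reviewer: str                       # current owner of the attestation task
    pending: set = field(default_factory=set)
    certified: set = field(default_factory=set)
    revoked: set = field(default_factory=set)

def open_campaign(groups):
    """Auto-delegate one review task per group to that group's manager."""
    return {g: ReviewTask(g, d["manager"], set(d["members"])) for g, d in groups.items()}

def decide(task, reviewer, action, member=None, delegate_to=None):
    """Apply a reviewer's decision: 'certify', 'revoke' or 'redelegate'."""
    if reviewer != task.reviewer:       # a stale or wrong manager cannot attest
        raise PermissionError(f"{reviewer} does not own the review for {task.group}")
    if action == "redelegate":
        if not delegate_to:
            raise ValueError("redelegate needs a new reviewer")
        task.reviewer = delegate_to     # the open task moves, pending items stay pending
        return
    if member not in task.pending:
        raise ValueError(f"{member} is not awaiting review in {task.group}")
    if action not in ("certify", "revoke"):
        raise ValueError(f"unknown action {action!r}")
    task.pending.discard(member)
    (task.certified if action == "certify" else task.revoked).add(member)

def close_campaign(tasks, groups):
    """Return the attested membership per group; refuse to close while anything is unreviewed."""
    attested = {}
    for g, t in tasks.items():
        if t.pending:
            raise RuntimeError(f"{g}: {sorted(t.pending)} still unattested")
        attested[g] = groups[g]["members"] - t.revoked
    return attested

if __name__ == "__main__":
    tasks = open_campaign(GROUPS)
    decide(tasks["sase-admins"], "alice", "certify", member="bob")
    decide(tasks["sase-admins"], "alice", "revoke", member="dave")
    decide(tasks["sase-admins"], "alice", "certify", member="carol")
    decide(tasks["swg-bypass"], "erin", "redelegate", delegate_to="grace")
    decide(tasks["swg-bypass"], "grace", "certify", member="frank")
    decide(tasks["swg-bypass"], "grace", "revoke", member="carol")
    print(close_campaign(tasks, GROUPS))
```

The attested output is what the SASE policy engine should consume in place of the raw directory snapshot, so a revoked assignment never reaches an enforcement point.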

Summary:

This kind of access review compliance is almost impossible to achieve with manual spreadsheets, which is why it’s also important that you automate this function. The goal is to achieve continuous identity awareness and control – only capable through an automated tool like YouAttest.

YouAttest becomes the key identity control for the SASE system ensuring identity integrity in the roles being enforced by the SASE systems.  

Contact us today to learn more about how YouAttest can help secure your identities and create a secure SASE deployment.
