CSO Perspectives (Pro) 3.6.23
Ep 101 | 3.6.23

SASE and SSE: This is the way, a Rick the Toolman episode.
Rick Howard: You're listening to the theme song to one of my favorite science fiction TV shows of late, "The Mandalorian," that currently runs on the Disney+ streaming service, because I'm going to talk to you about what I think is a radical and most promising security architecture in the near future. 


Emily Swallow: (As Armorer) This is the way. 

Unidentified Actors: (As characters) This is the way. 

Pedro Pascal: (As The Mandalorian) This is the way. 

Rick Howard: The very first podcast I did when I joined the CyberWire back in 2020 was on the subject of secure access service edge, or SASE. I was in love with the idea, and I still am. I fundamentally believe that some version of SASE, maybe its little sister called secure service edge, or SSE, will be the security architecture of choice by most security professionals within the next five years or so. In my fantasy world, I would love to see a managed SaaS-delivered security service that uses the SSE design combined with XDR technology, extended detection and response, API-driven, to deliver first-principle security services a la carte, like zero trust, intrusion kill chain prevention, resilience and risk forecasting. The service would be a la carte because not everybody needs to deploy all of the first-principle strategies, just the ones that will have the most impact in reducing the probability of material impact that they can afford. This is the way. 


Pedro Pascal: (As The Mandalorian) This is the way. 

Rick Howard: So strap in. This is going to be another Rick the Toolman episode. 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Md., in the good old U.S. of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. Perimeter defense was the first real security architecture that we all used back in the early 1990s. 

Steve Winterfeld: Rick, nobody cares about history. Just stop. 

Rick Howard: That was Steve Winterfeld, the Akamai Advisory CISO and the Al Borland to my Tim the Toolman. And yes, Steve, the only reason I do the history stuff anymore is to annoy you. And all I can say is, mission accomplished. 


Tim Allen: (As Tim Taylor) Oh, yeah. 

Rick Howard: As the internet was just getting started for the masses back in the 1990s, security professionals would build a giant electronic fence around their digital assets located in their office buildings and data centers. We would place a barrier between the internet and the interior with special purpose routers and, eventually, firewalls. If you were an employee, you worked on the inside of the firewall. We tried to keep the bad guys on the outside. The problem that immediately emerged was that, even back then, there were employees, contractors and partners that needed access to the interior from the outside. And, of course, our internal employees needed access to the internet. So we poked holes through the firewall to allow everybody access. And you can see where this is going. Those holes in the electronic fence were also potential avenues for bad guys to leverage. 


Tim Allen: (As Tim Taylor) Oh, no. 

Rick Howard: To watch those potential attack avenues then and maybe even block bad guys from using them, we needed more specialized tools. We for sure needed endpoint protection. Back then it was just called antivirus. But we also needed network protection like intrusion-detection systems. As the years went by, the number of tools we needed to watch those potential attack avenues started to grow. And by the early 2000s, perimeter defense had morphed into something we call defense in depth, coined in the 1990s by Fred Cohen. The security stack represented all the tools lined up behind the firewall. And the idea was that if the firewall didn't stop the bad guy, then the next tool in line in the security stack would. If that one didn't work, then the next one would. The number of tools you had in the security stack depended on how big your organization's security budget was. If you were an international organization deployed in multiple cities around the world, you built internal networks that didn't touch the internet. You leased high-speed and expensive T1 and T3 communications lines that connected everything inside the electronic fence. Instead of going straight to the internet from your building in Paris, you tromboned all that network traffic back to the closest security stack, let's say, New York City, and then it went to the internet. 

Rick Howard: Even when the cloud exploded after Amazon rolled out AWS in 2006 and other big cloud providers like Google and Microsoft matched the service with their own versions, security architects still clung to the defense-in-depth idea without ever considering or maybe noticing that with the advent of cloud-delivered services, the entire game had changed. The security stack became more abstract. It wasn't a single stack deployed back at headquarters anymore. It was now a collection of specialized security stacks deployed on all the data islands - you know, office buildings, data centers, laptops and mobile phones and cloud services. We thought managing all of this was hard back in the 1990s when we only had one security stack. But by the 2010s, complexity was king, and security professionals started to demand that their vendors give them the means to orchestrate everything in some automated manner. 

Rick Howard: But some savvy practitioners realized that the cloud-delivered service model wasn't just another required collection of technical debt and complexity that we all had to manage. Instead, if we approach this the right way, we could leverage it to reduce the complexity not just in the cloud but for every data island where we stored our workloads and data. And with a little forward thinking, we could automate most of the technical debt away. That's where SASE and SSE come in. 

Rick Howard: After the break, I'll talk about the current state of the SASE and SSE commercial offerings and why many security practitioners are confused about the significance of this new security architecture. Come right back. 

Rick Howard: While all of this complexity was emerging, one piece of good news that came out was the fact that connecting to the internet became cheap and reliable. For most cases, you didn't need expensive communications lines anymore. Broadband connections were probably good enough. The question became, how can we eliminate the expense of T1 and T3 lines by using cheap internet connections at local sites without having to trombone network traffic back to a centralized security stack? 

Rick Howard: SASE was the first model that emerged, and it has three parts. First, a SASE vendor deploys multiple security stacks around the world. For their customers wherever they are in the world, their first network hop from their computer is through the SASE vendor security stack. If Ken, sitting in a Los Angeles data center, needs to connect to ChatGPT, let's say, his bits and bytes travel encrypted from his laptop through the data center's router to the SASE vendor's security stack in California, where they are decrypted, inspected with whatever tools are in the stack and then forwarded on to the ChatGPT server. Barbie, sitting in her office in Paris, does the same thing, only she connects to the SASE vendor in France using her cheap broadband connection. 

Rick Howard: Second, to make the network routing decisions more efficient, the SASE vendor connects to the customer's SD-WAN infrastructure. SD-WAN is a networking meta layer that calculates the most efficient routes from the customer's networks. Finally, number three, to reduce network latency even further, every SASE point of presence, or PoP, around the world establishes a peering connection within their PoP to a global telecommunications provider like AT&T or Google. 

Rick Howard: Most large telecommunications hubs provide service and space to multiple customers. It's probable that a SASE vendor and an AT&T hub could occupy the same building. Instead of a SASE vendor building an internet backbone network that is in the same league with AT&T - an expensive adventure - they instead contract with AT&T to run a fiber line from their security stack down the hall in the same building to connect to the AT&T backbone. When that's done, the SASE vendor's network traffic now rides on the much faster AT&T network. 


Tim Allen: (As Tim Taylor) Oh, yeah. 

Rick Howard: Gartner coined the term SASE in 2019 and outlined the essential security tools required for a SASE security stack and also described the SD-WAN component and the peering requirement. The bargain between the SASE vendor and the customer is that the vendor manages the complexity. Their engineers keep the blinky lights working and turn the cranks to keep everything maintained, just like a standard cloud provider. The only thing that the customer has to manage is the policy that governs the tools. If Ken needs to move Barbie into another workgroup with different access permissions because she got promoted, he manages that zero-trust configuration change through the SASE vendor's service interface, but the vendor keeps all the systems running. 

Rick Howard: I fell in love with this architecture for two reasons. The first is that it completely flips the maintenance burden from the customer to the vendor. I don't have to manage all of that complexity within my perimeter anymore. And in the old days, like the 1990s through the 2000s, the IT and the InfoSec teams managed all of the internal network and security stack infrastructure. Think hardware deployed all over the place. In my last CSO job, we had internal IT people on a plane flying around the world on a constant loop, checking, maintaining and replacing hardware wherever we had our offices. What a headache. 

Steve Winterfeld: Well, Rick, you actually got that one right. 

Rick Howard: That's starting to age out in many places today. But most of us will still have a hardware management task in the near future. Second, this is the perfect solution for small- to medium-sized organizations. I call them SMOs. Historically, SMOs have not been able to afford the cost to purchase and to maintain anything close to a modern security stack. IT and InfoSec budgets barely cover keeping the lights on for these small organizations. The idea of firewalls, XDR solutions and identity and access management systems, just to name three, has always been out of reach. 

Rick Howard: If the SASE vendor can make the service cheap enough by offering some economies of scale, it might be possible to bring more organizations under a secure umbrella. And for what it's worth, for government networks - pick your own nationality - a subsidized, and I mean cheap or free here, nationally sponsored opt-in certified - like FedRAMP in the US - SASE service could bring many SMOs with few resources, like cities, counties, states and national government entities that routinely fail their security audits, under a similar security umbrella. It should be opt-in because we don't want to mandate security at a national level. That's too cumbersome. We want the local officials to have authority for the security of their organizations. But if a national government made the service so cheap that it was a no-brainer for local officials to adopt, then that's a win for both parties. SMOs get security, and they manage the policy with their own entity, and the national government gets visibility. I'm just saying. 

Rick Howard: It's been about three years since Gartner published the initial paper. And what we've come to realize is that between then and now, most of us don't have an SD-WAN infrastructure, especially if you're an SMO. We don't really need that part. If you have one, great. You should definitely use a SASE vendor. But the rest of us - we don't want to pay for it. In February of 2022, Gartner released another paper defining Security Service Edge, or SSE - essentially SASE without the SD-WAN. Unfortunately, just like any new and exciting idea, the SASE and SSE models have just started their journey on the Gartner hype cycle. Right now they both have crested the peak of inflated expectations and are now descending into the trough of disillusionment. 

Rick Howard: That's just the way of our industry. We all get excited about a new idea initially and then later get disillusioned with it when we realize how hard it is to deploy or that the available services don't quite meet expectations yet. It isn't until much later that the idea matures into something useful. Sometimes they don't. Sometimes new ideas never make it out of the marketing hype stage. And we never see a useful product. But with the SASE-SSE case, I want this to succeed for all the reasons I've already mentioned in this show. Out of all the new ideas that have popped up in this last decade, this one, to me, feels like it has legs. And I'm not alone either. Gartner predicts that the SASE-SSE marketplace will mature within five to 10 years. I think that it will happen a bit sooner than that because many of the well-established security vendors already have products on the market. But because the idea is so new, some security professionals are a bit confused about what it is or what significance it has. Some think that SASE and SSE are simply security orchestration solutions, which they are, of course. It's a different flavor from using one of the big firewall companies as an orchestration platform that offers many security services. All of those services come from one vendor. A SASE vendor is distinctive in that it can put whatever security tools it wants from multiple vendors in the security stack. And although that's interesting, it's not the most impactful feature. And some practitioners think that because some vendors deliver standalone security services through SaaS applications, that makes them a SASE or SSE service. I was talking to Dr. Rebecca Wynn about this. She is the global chief security strategist and CISO for the Click Solutions Group. And she hosts her own excellent podcast called the "Soulful CXO Podcast." Here's what she had to say. 

Rebecca Wynn: And so even though it can be interchangeable, it gets kind of confusing. So what I see is, like, we're using a mix. We use CrowdStrike on the endpoints. And we use a CASB - Netskope in our case. So that would be - you know, could be considered SSE. But since we use AWS, Google and Microsoft clouds and those architectures, VMs and security pools, it would be a SASE model. 

Rick Howard: I understand her confusion. But unless the security vendor is orchestrating all of the customer security tools and peering with one of the big internet backbone providers, it doesn't really fit the Gartner-defined architecture. Remember that SASE and SSE represent something completely different, a security architecture where it will be easy to swap in and swap out security services as requirements change. Today, you might subscribe to an identity service that supports your zero trust strategy. Tomorrow, you could easily add an information-sharing service that supports your intrusion kill chain strategy, all with the convenience of using your credit card and pushing a few software buttons. Back in the day, back in my day, adding that new capability might have taken months to years to plan and execute. 

Etay Maor: Hi. My name is Etay Maor. I'm the senior director of security strategy at Cato Networks. 

Rick Howard: Etay is a regular visitor here at the CyberWire Hash Table and one of the smartest security practitioners that I know. And by the way, he shares my enthusiasm for PC gaming, so he gets bonus points for that. He also works for a SASE vendor called Cato, so take what he says for what it's worth on this subject. But I totally agree with him here. 

Etay Maor: And that's something that a SASE solution offers, you know, the ability, the flexibility to allow you to say, oh, I have more users - no problem. Or I need more throughput - no problem. It's just a definition in the application rather than buying a box. Same thing goes for security features, right? Oh, I need DLP. No, you don't need to install a new box. You just tick, you know, the feature in the application and you have DLP. So I think the big interest in SASE and SSE is the fact that it's so flexible, that it is so easy to manage as opposed to trying to, you know, patch and manage and correlate multiple devices from multiple vendors in multiple locations. You have it all in one centralized location under, you know, one pane of glass, which is really easy to use. 

Rick Howard: My advice to all security professionals is to keep an eye on this SASE-SSE space. If you have the resources, consider using a SASE or SSE vendor to secure a small part of your network as a pilot. Start nudging SASE and SSE vendors to provide security first-principle tools for all the strategies that you're trying to implement. I'm doing that now with the N2K architecture. I'm seeking a SASE vendor that can offer a software-defined perimeter - or SDP - with identity and access management features, plus a basic XDR - extended detection and response service - that is cheap enough for a startup to afford. I haven't found it yet, but I'm hopeful. This is the way. 


Pedro Pascal: (As The Mandalorian) This is the way. 

Rick Howard: And that's a wrap. Next week, we'll be talking about the CIO-CISO relationship. And as you can imagine, practically all of our Hash Table experts have an opinion about that. So you don't want to miss that show. Before we go, I have a few reminders. I mentioned last week that we're publishing a book based on the "CSO Perspectives" podcast, all of the first principle shows from the past three years. It's called "Cybersecurity First Principles: A Reboot of Strategy and Tactics." And we're rolling it out in time for the big RSA Conference shindig in April of this year. You can pre-order your copy now at Amazon. The link is in the show notes. Or you can just go to the Amazon webpage and search for the title. You can't miss it. And if you're traveling to the great state of California for the conference this year, I'll be signing copies. I'm scheduled to be at the conference bookstore located in Moscone South at 3:30, Pacific Time, on Wednesday, 26 April. I would love to see you there. And I'm giving a presentation just before the book signing with my pal Todd Inskeep called "The Emperor Has No Clothes: The Current State of the CISO." So it's all Rick the Toolman all the time on Wednesday afternoon at the RSA Conference. I apologize in advance for that inconvenience. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I'm Rick Howard. Thanks for listening.