How to manage a dynamic perimeter that can change from day to day.
The definition of “normality” has been in a state of flux since the beginning of Covid-19. The global pandemic that began in 2020 was followed by lasting supply chain shortages and disruption, and then a major war abroad.
As a result, the modern workforce has expanded beyond the main office or the branch office virtually overnight. The concept of a security perimeter became almost unrecognizable in a short amount of time, making physical location irrelevant, and requiring an identity-based approach to secure increasingly fragmented corporate resources and personnel. A dynamic perimeter has emerged that can change from day to day and project to project. This hybrid work environment has added complexity to securing connectivity from the main office, remote locations, and roaming users to modern multi-cloud resources.
Complexity has increased risk, as traditional, on-premises security capabilities are inadequate for securing access for a highly distributed workforce. Relying on legacy technologies like VPNs has hit some very real limitations. Backhauling all traffic from remote offices and roaming users back to a centralized security stack (as VPNs did) has proven to be costly and prone to performance bottlenecks. To empower more flexible business operations, with users working virtually anywhere and accessing a diverse array of resources, organizations require a different approach to protecting against cyberthreats.
Traditional network security strategies, while proficient in identifying and blocking threats and controlling access to on-premises locations, are unable to scale effectively across these hybrid environments. This scenario has given rise to a service-based delivery model. Security Service Edge (SSE) is a cloud-delivered security approach designed to deliver a complete network security stack that is location agnostic and well suited to address the complexities of the increasingly fragmented network perimeter.
Additionally, SSE offers many integration synergies that allow for stronger security efficacy than a collection of best-of-breed/a-la-carte technologies which typically function independently or with fewer integrations between products. Secure Access Service Edge (SASE) further integrates SD-WAN capabilities into the SSE and consolidates new capabilities into an integrated network infrastructure and protection platform. This integration has the added benefit of providing complete visibility over network traffic to the security tools and enhancing their overall functionality.
However, not all SSE/SASE platforms are created equal; the range of integration and consolidation between them yields real functional differences. Levels of integration can typically be broken out into three categories:
- In-house bundling is often a middle road that consists of products and services which were either recent purchases or existing products which have varying levels of integration with the security platform. These may or may not utilize the same agent and interface and do generally benefit from sharing a single control plane to some extent.
- Partnerships with other security vendors’ products may have limited benefit because they rarely exhibit the level of integration that is present with in-house products that are designed to work together. Partnerships can be through an API or closer integration but rarely use the same agent or interface and may only share limited telemetry with the security platform.
- Fully integrated products are the gold standard for SASE/SSE and consist of products and services which have become features for the portfolio. These products may or may not exist as stand-alone and share a common code base, agent, and interface.
These concepts can blend and blur. End customers may have difficulty discerning what level of integration exists, and the value it delivers, from marketing materials, spec sheets, and lists of functionality checkboxes. Single-vendor SSE/SASE exists for this reason, ensuring that all functionality and features come from a single vendor, with the greatest degree of integration possible. All core aspects of an SSE/SASE security stack should be fully integrated, while an optional component — such as endpoint security or remote browser isolation (RBI) — can be bundled or can be a third-party integration point. A fully integrated SSE/SASE security stack benefits the end user in many ways, including:
- Maximizes shared features and telemetry that stand-alone products cannot provide
- Delivers greater security efficacy than partnered products and in-house bundling
- Simplifies deployment and management through the consolidation of agents and interfaces
- Achieves significant ROI improvements over multiple stand-alone products
Additionally, further consolidation of interfaces and management capabilities through integration with on-premises security and hardware enhances the single-vendor SSE/SASE story. While hybrid work has expanded the perimeter, main offices and datacenters will still require on-premises security capabilities for some use cases, and most businesses have significant investment in their on-premises security infrastructure.
The concept of single-vendor SSE/SASE is expanding to mirror the hybrid environments it was designed to secure. When fully integrated, on-premises security and SSE/SASE enable consistent security coverage throughout the entire enterprise ecosystem, while simplifying management for security personnel.
Click here to learn more about Cisco’s solutions.