The New Network Security Debate – Best of Breed, Portfolio, or Platform

Explore SASE strategies, understand the nuances, and make informed decisions.

February 16, 2024

John Spiegel, director of strategy at Axis Security, breaks down three strategies for securing the enterprise's distributed digital environment: distributed defense in depth, single-vendor portfolio, and single-vendor platform.

In 2024, a new debate is beginning to brew. It is about how to move forward to secure our digital future. In the past, the concept of defense in depth reigned. The strategy was to pick the top security and network tools, align them on the field, and attempt to interlock each with the rest of your tooling: firewall to IDS (Intrusion Detection System) to endpoint to OS (Operating System) firewall to AV (antivirus), to name a few. Then, feed the telemetry back to a SIEM (security information and event management) or XDR (extended detection and response) system to provide signal intelligence and wait to uncover the bad actor in your sector. This approach worked well when the business's crown jewels were in a private data center. The field of play was the home court, which had certain advantages: the attacker had to maneuver through a unique and frequently bespoke landscape. That world no longer exists. Applications and the workforce have moved outside the physical walls of the corporation. Instead of physical redoubts of business data, we live in a world of digital data islands in a massive, interconnected ocean. How do we defend something that can live everywhere?

The three strategies for securing the enterprise's distributed digital world are:

  1. Distributed Defense in Depth
  2. Single Vendor Portfolio
  3. Single Vendor Platform

Let’s break them down. 

Distributed Defense in Depth

The first, distributed defense in depth, is a play on the version used in the 2000 to 2015 timeframe. Traditional defense in depth relied heavily on the enterprise NGFW (Next-Generation Firewall); distributed defense in depth pivots to the endpoint as the central focus. As devices have become more distributed due to hybrid work and the rise of the contractor-based workforce, agents are now the growing center of gravity for security. While a valid response to the changes in IT, the challenge here is agent bloat. Each new solution to secure the growing volume of devices requires another agent. Every additional agent consumes more resources on the device, not to mention the overhead on the IT team of managing all these solutions and the cost of licensing them. Another concern is IoT devices, which cannot accept an agent at all. Per IoT Analytics, these grew 16% to 16.7B connected devices in 2023. How does this approach secure these increasingly vulnerable IT systems? Back to the firewall?

The next two are similar. The difference is in the path each takes to arrive at the destination.

Consolidation of network and security is driving a framework called Secure Access Service Edge (SASE). The concept is to bring together what were previously separate network and security point products, such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Software-Defined WAN (SD-WAN), and firewalling, under a single-vendor umbrella. There are two approaches to getting there.

Single Vendor Portfolio

The portfolio combines a set of separately designed products that the vendor integrates after the fact. Generally, traditional "big box" vendors adopt this approach in the marketplace. They start in one place, maybe firewalling or a web proxy, and then make a series of acquisitions of either startups or mature companies to fill out their SASE portfolio. The benefits of this approach for the customer are that the vendor is responsible for integrating the growing portfolio of technology stacks, there is a reduced vendor landscape to manage, and overall costs are lower due to economies of scale. The downside is that you accept the technical debt each acquired part has built up over time.

An example is when the vendor needs to add a new "technology," maybe digital experience monitoring, acquired from a startup. The result with the portfolio solution is that the customer must learn a new UI and wait until full integration takes place, maybe 12 months, to take full advantage of the solution. It is also possible the integration is poorly done because the vendor is looking to ship the product quickly to realize its return on investment.

Another impact of this approach is that it increases the complexity of rolling out new features. If your solution is an amalgamation of separate products, say a firewall plus a SWG plus a remote access solution, adding a new encryption method to meet the requirements of a post-quantum world can be a challenge, as the vendor may need to rework every product in the portfolio individually. Each product must be adjusted separately. The impact on the customer is a feature that is not delivered in a timely manner, and the vendor carries the complexity (technical debt) of making that feature generally available across all of them. Note that most solutions in the SASE space are portfolio-based when you look at the vendor landscape.

Single Vendor Platform

The platform is a new construct in this space, and for the most part, it comes out of the startup sector. The idea is not to repurpose past products but to re-imagine them. Start with a foundation, Zero Trust Network Access (ZTNA), and then build out the technology products like SWG or CASB as features on top of that base. With this approach, the problem statement, let's call it SASE, is defined up front and, as a result, can be built on a modern, cloud-native architecture: microservices rather than the inflexible monolithic solutions of the past. The result is much like the structure of a bridge; each feature interlocks with another to increase the overall resilience and capacity of the platform. The platform approach offers the same benefits as the portfolio, with fewer of its drawbacks.

Need to add a new feature, say post-quantum key exchange based on Kyber (NIST's ML-KEM)? The challenge is straightforward: build a new microservice and add it to the platform. Need to integrate an SD-WAN solution? Rather than extending virtualized instances of a separate product into your PoPs (points of presence), build it natively on the platform. The benefits of this approach include those of the portfolio but extend beyond them, and without the risk of technical debt accumulated via acquisitions. They include unified management, a single data lake, higher-fidelity visibility, and lower operating costs. Additionally, as the code base is shared across the platform, the time to market for new features and fixes is short.

Essential Questions for Security Vendor Selection

Alright, let's put this into action. Say you are in a highly regulated industry. You are beginning the journey to SASE and reviewing the various vendors in the space. What questions should you ask to conduct your due diligence?

  1. First, review the suite of products in the vendor's offering. Ask how tightly they are integrated. Ask if there is a single data lake and, for a regulated industry, where it is hosted. Ask about the administrative UI. Is it truly one UI, or several UIs wrapped together? Next, and critically, ask about the policy engine. Can you create security policies for crucial services such as ZTNA, CASB, and DLP (Data Loss Prevention) in one place, or do you need to set policies in several locations?
  2. Next, ask about release cycles. Are they frequent, or once or twice a year? Another critical question concerns how the vendor deploys its points of presence, or PoPs. Does every PoP include all services, or are PoPs dedicated to separate services (ZTNA vs. SWG)?
  3. The last item, critical to regulated industries, is to ask how the vendor provides reporting. Is it centralized? Does it come from one source?

When reviewing your security strategy for 2024, consider what type of solution you are looking to transition to: defense in depth, a portfolio, or an integrated, cloud-native platform. Do your due diligence on each vendor's offering. Ask the difficult questions above and dive in deep before purchasing. If a portfolio is your selection, understand the technical debt and limitations of the vendor's solution. If a platform, understand the solution's maturity and examine the roadmap in detail.

Best wishes on your journey! 

John Spiegel

Director of Strategy, Axis Security

John Spiegel has 25 years of experience running global networks and managing infrastructure. He is an industry pioneer in software-defined networking (SDN) and software-defined WANs (SD-WAN). John has spoken on the topic of network transformation at industry conferences such as Gartner, InterOp, VMWorld, and Palo Alto Networks Ignite, as well as in executive roundtable discussions. He has also been a customer advisor to companies like VMware, Palo Alto Networks, and Cisco Systems. Disruptive startups have also leveraged John's knowledge to bring products to market, resulting in successful exits. When not helping companies on their journey to modernize and secure their networks, John can be found cycling on the backroads of Oregon.