The increase in cloud and application adoption is driving changes in network topology that require state and local IT leaders to rethink their approach to security.
As government agencies shift to software- and infrastructure-as-a-service platforms, they are realizing they no longer have direct control of their applications, says Patrick Sullivan, CTO, security strategy for Akamai Technologies. That’s one reason why a security architecture known as secure access service edge (SASE) is gaining rapid adoption, according to Gartner, as a zero-trust solution at the application layer.
“In general, compute is moving away from solely being within a data center. It’s more of a hybrid- and multicloud norm. And at the same time, users are [coming from] much more diverse locations. Gone are the days where you could assume that all your corporate users are going to be within the four walls of an office building,” Sullivan explains.
CIOs and CISOs should be paying attention to SASE solutions that grant users access to applications — not the network — based on their identity, he says in a new podcast produced by StateScoop and underwritten by Akamai Technologies.
What do SASE solutions do?
SASE solutions perform security inspection at the application layer wherever a user or device on-ramps onto the internet, says Sullivan.
“The model calls for an inspection to take place at the service edge. And access is granted on an application-by-application basis, and that access is indirect,” Sullivan explains. “The model would be to understand the identity of the employee, the student or the contractor based on their identity. But at no point are they on the network, and you assign trust based on where they are in that network topology.”
What are the benefits of adopting SASE?
SASE offers a great deal of agility in terms of where an end user can log in, says Sullivan. Additionally, SASE solutions align with the recommendations developed by the National Institute of Standards and Technology for assigning trust to a user.
Another benefit of SASE solutions is their ability to decrypt traffic locally at the application layer to perform security inspections.
“So much of web traffic these days is encrypted over transport layer security (TLS). If you just have a network tap that doesn’t decrypt those sessions, you’re likely to miss payloads,” says Sullivan. “It’s critical both with egress traffic and with ingress traffic that the security solution is able to safely decrypt TLS and understand what is happening at the application layer, not just the network tier.”
What do agencies need to adopt SASE solutions?
Sullivan encourages leaders to think of SASE as a design philosophy that requires the organization to make incremental decisions.
One of the first things to look at is the protection of web applications — and secondly, the way organizations grant access to government applications.
SASE solutions grant access to applications, not networks, which limits lateral movement of a user. In this way, SASE solutions help organizations move closer to achieving zero-trust security.
“It’s traveling with an end-user and inspecting what type of requests they’re making and where the risk may be introduced along the way,” he says.
Patrick Sullivan has spent the past 14 years at Akamai, and another 10 years working in the communication sector, including four years at the Defense Information Systems Agency.
Listen to the podcast for the full conversation on SASE solutions. You can hear more coverage of “IT Security in Government” on our StateScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by StateScoop and underwritten by Akamai Technologies.