Security Governance: The Eleven Most Important Functions of the Security Council

Cyber security is often considered the responsibility of the IT department. Nothing could be further from the truth. Although the IT team has certain responsibilities in deploying and maintaining security systems, the ultimate responsibility for maintaining a strong security culture lies with Senior Management.

Senior Management must first take on the responsibility of Security Governance. This means managing security as a process, not unlike many other functions within the company. As such, the implementation and management of the process falls to others within the organization under the leadership of senior management.

In order to accomplish proper security governance, organizations should form a Security Council consisting of departmental leaders from all aspects of the organization and led by senior management.

The functions of the Security Council include:

  • Clearly identifying roles and responsibilities of council members

  • Implementing and promoting a culture of security awareness and vigilance

  • Adopting an appropriate security framework for the organization

  • Performing a thorough risk assessment for the organization

  • Determining a desired security "profile" for the organization

  • Generating a gap analysis between the desired profile and the current state

  • Developing and implementing a plan to address security gaps

  • Developing and approving policies and procedures defining proper security practices

  • Maintaining security through monthly meetings and regular audits

  • Identifying new threats and adapting processes to address them

  • Establishing a comprehensive Cyber Security Incident Response Policy

Each member of the council should have deep experience with the functions of their department and understand the sensitivity of the informational assets their department owns. For instance, the HR director should understand where employee records are stored and the ramifications if that information were subject to unauthorized access. The Finance director should understand the importance of the financial data they own and the impact of that data being compromised. The participation of department heads in the risk assessment process is crucial to the proper identification of information at risk.

Representatives of the IT department take feedback from the department heads and formulate plans to secure the data in accordance with the adopted security framework. The IT department typically identifies and implements the tools necessary to monitor and manage the security of the organization's assets.

However, it is not the role of IT to drive a culture of security awareness. That must come from the top. All employees must be made aware of the importance of security in the organization. This is accomplished through security awareness training and testing. It is not enough to simply educate users on the dangers of phishing or malware. They must be tested regularly to make sure their radar stays sharp. Senior management, along with the security council, must continuously audit the results of testing and take corrective action to deal with repeat offenders.

With senior leadership driving a strong security awareness culture, flanked by a strong security council, organizations can protect themselves to a great degree.

The SASE Architecture was Built for the Post COVID World

I've said it before only to be proven wrong…but I believe the end of the pandemic phase of COVID-19 is near. We seem to be entering the endemic phase where we learn to live with COVID-19 long term. The same is true for some of the changes that Covid has foisted upon us. Specifically, that of the hybrid remote worker. Gone are the days of the Monday through Friday office commute for many in the aftertimes. According to a recent Info-Tech Research poll, 79% of companies surveyed said they would maintain a mix of in-office and home office workers long term. For many employees this is a long-overdue and welcome shift.

However, organizations have been struggling to adapt their security systems to this new work model. The security footprint of the organization has grown exponentially to include the residences of many of their employees. The traditional method of granting access to the corporate network involved providing the employee a VPN connection. This provided the "tunnel" by which remote workers could access internal resources such as databases, file shares, and other applications. Security was provided at the edge of the corporate network. In recent years many organizations implemented a "Next Generation" Firewall at the corporate edge as well. The NG Firewall converged many technologies such as Web-filtering, anti-malware, Data Loss Prevention (DLP), and SD-WAN into a single device. As the gatekeeper before most internal resources and end users this was an appropriate approach.

However, with more and more internal resources moving to the cloud and the dramatic increase in remote work, enforcing security at the corporate edge begins to make less sense. Given that most traffic now travels directly to the cloud rather than via the corporate network, it would make more sense to implement security at the edge of the cloud instead.

Enter the Secure Access Service Edge (SASE - pronounced "sassy") architecture. SASE is a cloud service that combines several existing technologies to provide an integrated, highly comprehensive approach to both network architecture and security systems. In fact, SASE represents the convergence of several Network as a Service and Security as a Service technologies. In order for it to make sense to deploy SASE, an organization should have more than 50% of its resources based in the cloud.

It is important to understand that SASE is an architecture, not a single product or technology. SASE can include several networking technologies and many security technologies. For instance, SASE networking components can include SD-WAN, VPN, Bandwidth Aggregation, and various edge equipment. Security components commonly found in a SASE implementation include Cloud Access Security Brokers, Firewall as a Service (FWaaS), secure web gateways, Zero-Trust Networking, remote browser isolation, single sign-on, Data Loss Prevention, and DNS filtering.

A SASE solution can be purchased as an all-in-one service from a single vendor or it can be assembled with several best-of-breed components. The simplest approach would be to source the package through a single vendor. Many major networking and security companies now offer a SASE solution including Cisco, Fortinet, VMWare, Palo Alto, and more. 

In a SASE-based model, end users gain access to corporate resources by first connecting to a SASE cloud service via Points-of-Presence (POP) to authenticate and be given access to resources. The assignment and redirection of cloud resources is handled by a Cloud Access Security Broker (CASB) in connection with a Single Sign-On (SSO) service. The user authenticates to the CASB and is provided access to those cloud resources that are authorized to the user. For example, Office 365 and Salesforce, but not Quickbooks on-line. Once the connection is established, additional security measures can be enforced such as endpoint interrogation, web-filtering, DLP, remote browser isolation, etc. It is up to the organization to determine which services to enable. This is usually a balance of risk tolerance versus potential negative impact on the organization.

The technology can be deployed via an agent loaded on the endpoint or in an agentless manner. Most likely, larger organizations will choose a combination of the two as some use cases won't support the agent-based approach. The CASB can also be configured through APIs to broker access to services; however, this is an advanced approach and should only be done if a particular circumstance demands it.
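The two paragraphs above describe the broker's decision in words: the user authenticates via SSO, the CASB grants only the applications that user is entitled to, endpoint interrogation gates the more sensitive ones, and inline controls such as DLP or remote browser isolation are layered on top depending on whether the session is agent-based or agentless. The following is an added illustration of that decision logic, not code from the post or from any SASE vendor; the group names, application names, posture attributes and the rule that Salesforce and QuickBooks require a managed endpoint are all constructed for the example.

```python
"""Toy zero-trust access broker modelled on the SASE access flow.

Constructed illustration only: group-to-application entitlements, the
posture requirements and every user/device/app name are made up.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed entitlements (which applications each SSO group may reach).
# Anything not granted here is denied, so "quickbooks" is finance-only.
GROUP_APPS = {
    "all-staff": {"office365"},
    "sales": {"salesforce"},
    "finance": {"quickbooks"},
}

# Constructed posture policy: apps holding more sensitive data require a
# healthy, managed endpoint (the "endpoint interrogation" step).
APP_REQUIRES_MANAGED = {
    "office365": False,
    "salesforce": True,
    "quickbooks": True,
}


@dataclass
class DevicePosture:
    """Attributes the endpoint agent reports when it is present."""
    agent_installed: bool
    managed: bool
    disk_encrypted: bool

    def healthy(self) -> bool:
        return self.agent_installed and self.managed and self.disk_encrypted


@dataclass
class AccessRequest:
    user: str
    groups: List[str]            # groups asserted by the SSO provider
    app: str
    posture: Optional[DevicePosture] = None  # None = agentless session


@dataclass
class Decision:
    allowed: bool
    reason: str
    inline_controls: List[str] = field(default_factory=list)


def entitled_apps(groups: List[str]) -> set:
    """Union of the applications granted by every group the user is in."""
    apps = set()
    for group in groups:
        apps |= GROUP_APPS.get(group, set())
    return apps


def decide(req: AccessRequest) -> Decision:
    """Evaluate one access request the way the broker described above would."""
    if req.app not in APP_REQUIRES_MANAGED:
        return Decision(False, f"unknown application {req.app}")
    # Step 1: authorization. Unknown groups grant nothing; deny by default.
    if req.app not in entitled_apps(req.groups):
        return Decision(False, f"{req.user} is not entitled to {req.app}")
    # Step 2: posture gate. An agentless session has nothing to interrogate,
    # so it can never satisfy a managed-endpoint requirement.
    needs_managed = APP_REQUIRES_MANAGED[req.app]
    if needs_managed and (req.posture is None or not req.posture.healthy()):
        return Decision(False, f"{req.app} requires a healthy managed endpoint")
    # Step 3: choose the inline controls applied to the session.
    controls = ["web-filtering"]
    if needs_managed:
        controls.append("dlp")
    if req.posture is None:
        controls.append("remote-browser-isolation")
    return Decision(True, "authorized", controls)


if __name__ == "__main__":
    managed = DevicePosture(agent_installed=True, managed=True, disk_encrypted=True)
    requests = [
        AccessRequest("alice", ["all-staff", "sales"], "salesforce", managed),
        AccessRequest("alice", ["all-staff", "sales"], "quickbooks", managed),
        AccessRequest("bob", ["all-staff"], "office365"),  # agentless
        AccessRequest("carol", ["finance"], "quickbooks",
                      DevicePosture(True, True, disk_encrypted=False)),
    ]
    for r in requests:
        d = decide(r)
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{r.user:6} -> {r.app:11} {verdict} {d.reason} {d.inline_controls}")
```

The point the toy makes is that the deny decision for QuickBooks is not a network rule at a corporate firewall: it is made at the cloud edge from the SSO identity, the entitlement and the device posture, which is why the same policy applies whether the user is in the office or at home.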

Perhaps the biggest challenge to implementing the SASE model comes from one of its strengths. Because SASE incorporates both networking technologies and security technologies in a converged architecture, the skills required to implement it properly often exist in separate teams. In larger organizations, those teams tend to operate separately and with different mindsets. The SASE model forces those teams to work together to ensure the optimal implementation.

Finally, by deploying a SASE architecture, organizations:

  • Extend the secure perimeter of the corporate "network" to the remote endpoint.

  • Combine several "point solutions" into a single pane of glass

  • Improve the control over remote worker experience

  • Provide more granular control over access to cloud-based resources. Zero-Trust access can be applied

  • Allow for inline inspection of network traffic to and from the remote endpoint. Prevents data loss

  • Improve regulatory compliance where necessary

As we continue to put the pandemic behind us, we will need to embrace some of the paradigm shift it has placed on the work environment. SASE will become a crucial part of the evolution of the distributed network.
