Reframe your SASE ambition towards SASE 2.0

SASE is an organizational mindset shift that enables people to be your new perimeter, it is not a technology product. SASE unites networking and network security, offering secure access to all users from everywhere, to maximize the value and utility of cloud-native ecosystems. It is a discipline that needs continuous monitoring, detection, and response driven by constantly evolving threat intelligence.

At Orange Cyberdefense, we’re seeing more businesses adopt the SASE framework from a security use case perspective, focusing on business needs, rather than for its connectivity capabilities. This trend is driven by the evolving security landscape and increased cyberthreats that businesses are facing, particularly ransomware, which is causing them to consolidate with a single point solutions into SSE.

Consequently Boards, C-suite leaders and business owners must now own the SASE agenda, the SASE strategy and should influence the operating model and technology investment decisions. It can no longer be delegated to infrastructure stakeholders as SASE is a business imperative, a persistent enabler across your entire organization. 

• Can you elaborate on the platform play? What is it?

The market trend towards SSE convergence and vendor consolidation has already started. Gartner’s Apr’23 survey suggests 85% of organizations are seeking to procure SWG, ZTNA or CASB offerings from a converged solution by 2026.
It is needed as Gartner indicate that 43% of enterprises today leverage 10 or more vendor OEM security components.

Convergence and vendor consolidation will deliver savings, reduce operational complexity and address vendor silo gaps in the attack surface. However this is only part of the story.

Looking more broadly and strategically beyond SSE scope (SWG, ZTAN, CASB), the SASE agenda will drive convergence across networks and SSE.
Vendors such as PaloAlto, Zscaler and Netskope are already positioning their platform offerings to differentiate across the entire SASE scope onto their platform.

Realistically, we believe it is unlikely the majority of large enterprise will suddenly adopt a single vendor target state. Pragmatically 2-3 vendors are likely to dominate the SASE end state with their platforms. We see this as a platform ecosystem environment where collaboration in areas such as threat based research will start to materialize.

At Orange, our ambition is to host these vendor platforms (SSE + network overlay) on our Orange core back bone to ensure a unique tier 1 SLA performance across networks + cybersecurity operations.

There will be a need for an agnostic set of SASE services that sits on top of the vendor platforms. Our Orange ambition is to meet this market demand with our new Managed Secure Access (MSA) services offering, which is de-coupled and independent of the underlying vendor platforms. This Orange end-2-end SASE orchestration layer of services is offered as a co-managed or managed services offering with a menu of choice. vendor consolidation & platform plans to deliver network overlay solutions in partnership with our cybersecurity vendors, as an alternative to traditional SD-WAN. 

• Does Orange Cyberdefense advise a single or multi-vendor strategy approach?

We can see that the SASE promise of having a single vendor supporting all SASE functionalities is this year becoming reality and that the first magic quadrant of Gartner has positioned those vendors last summer. However, we also see that most of the projects we are working on are typically based on one vendor for the network requirements and one for the security requirements. We expect the portion of a single vendor to be used for the whole SASE requirements to rapidly grow in the coming months and years.

• What is the biggest attack vector that Orange is seeing currently?

Research shows that the biggest attack vector we’re seeing in this area is focused on cloud, with over 80% of the attacks targeting cloud assets.

Distribution of exposures (Critical, High, Medium) in the cloud versus on-premises.

Cloud-based IT infrastructure is always in a state of flux—on average over 20% of externally accessible cloud services change every month. Without continuous visibility, it is easy to lose track of accidental misconfigurations and the steady spread of shadow IT within an organization. For most organizations, over 45% of their high-risk, cloud-hosted exposures in a month were observed on new services that were not present on their organization’s attack surface in the prior month. Thus, the creation of new, publicly accessible cloud services, both intended and unauthorized, accounts for nearly half of all high-criticality exposures at a given time.

According to PaloAlto Unit 42 Threat Research Team: nearly 95% of EoL software systems exposed on the public internet of the organization measured were found in cloud environments. This suggests that organizations might be slower to retire outdated systems that are publicly accessible in cloud environments than on-premises ones, and also that it is comparatively easier for developers to create and deploy large volumes of new services with substantially outdated software in the cloud.

Similarly, over 75% of publicly accessible software development infrastructure exposures were found in the cloud, making them attractive targets for attackers.

Common exposures that are found primarily on-premises may inadvertently increase:

• 67% of unencrypted logins and text protocol exposures

• 89% of insecure file-sharing exposures

• 93% of internet-exposed databases

While these exposures are being found primarily on-premises, organizations should be cognizant of these exposures when migrating sensitive data to the cloud. Any of these exposures being accessible over the public internet is a cause for concern since they can act as a toehold for attackers to gain unauthorized access to an organization’s network and access sensitive data.

The exposures can be attributed to frequent misconfigurations, shared responsibilities, shadow IT, and lack of visibility into cloud assets. Within Orange, we advise our customers to re-address their SASE strategy and have a primary focus on closing these gaps as soon as possible.

• What is your advice for having an ROI conversation about an SSE solution? What principles can I use?

Engage with the CFO and his team early in defining your SASE strategy.
Seek to bring ROI and value realization early in your journey.
Our guidance is seek to develop industry / customer specific SASE data use cases that deliver tangible value realization within 6 months.
Our Orange team of experts can support you as we seek to co-develop your SASE data use cases with you to support the key ROI justification and business case generation. Pragmatic TCO business case approaches are now becoming mainstream for SASE.
One of the key issues is the lack of talent which is hindering the ability to scale and leverage the full functionality of license purchases. This is where co-managed or managed services can help to address these challenges in order to achieve business value realization and ROI targets.

• What are the most common journey starting points?

Typically, 3 main starting points are seen within the transitional journey within the Orange customer base:

1) Zero Trust Network Access (ZTNA): focused on the delivery of applications from an on-premises perspective. Very often the initial conversation around this starting point is around the replacement of legacy VPN infrastructure.

2) Securing Internet Access for users: focused primarily on implementing Secure Web Gateway (SWG) or Cloud Access Security Broker (CASB) functionalities to make sure the endpoints are protected from malicious content and behaviour.

3) Compliancy requirements: Orange recently is starting to see increases in requests coming from a compliance point of view. Many enterprises struggle with both internal and external auditing on their technology and processes and fail to meet targets from both the compliancy and regulatory perspectives. Most of these cases end up leading back into the first 2 cases described above, but the way to address these requires a different approach to tackle this specific challenge. Our Managed Secure Access (MSA) service has specific security controls in place to focus on the compliance angle and help our customers receive the right information to satisfy the auditing requirements.

In all the cases mentioned above, Orange advises taking a step back and looking at a holistic approach and implementing a solid SASE strategy. While it might look like a good idea to quickly implement the required functionalities that will satisfy the immediate use case, we very often see that this will have negative effects on the security maturity of an organization in the medium to long term.

• As SASE is a cloud-focused framework, will it also contribute to on-premises infrastructure?

This is a very important point indeed. SASE must be seen as an evolution, not a revolution. For that reason, it will have to support and integrate existing on-premises security solutions. However, building a SASE strategy will also help challenge the reasons for having local security functions vs having central cloud-based security functions. Only an extensive analysis can help build the perfect fit roadmap based on use cases’ requirements and ROI, but also taking into account how the chosen architecture helps ensure the application of consistent policies in a hybrid setup.