Secure Service Edge (SSE) as a security category offers some convenience for enterprises, but it only reinforces the current status quo of a fragmented security market and doesn't address new attack surfaces in the rapidly changing security landscape.

To learn more, VMblog reached out to industry expert Renuka Nadkarni, Chief Product Officer at Aryaka, who has 20+ years of network security experience. Nadkarni believes what's needed is integrated networking and security with end-to-end (user to application) visibility and control.
VMblog: We're now two years into the sudden workforce shift, and the consequential networking shift, from on-premises (in-office) to a hybrid model. Given everything we've learned over the past years, what do you see as the biggest challenge today?

Renuka Nadkarni: As the remote work/hybrid model becomes the norm, we are seeing customers struggle with the 'second order' problems of remote access. Most remote access solutions (VPN) only focus on offering secure remote connectivity but have a terrible user experience due to slow network performance, packet drops and bad network quality. Employees/remote users expect a LAN-like user experience over remote access, especially when it comes to latency-sensitive voice and video calls. The biggest challenge enterprises face today is to provide that seamless experience that is necessary to ensure employee productivity and function effectively in the hybrid model.
VMblog: You're an outspoken critic of SSE. What do you see as the problems with it?

Nadkarni: The main problem with SSE is that it does not address the core problems of 1) connectivity of applications that are anywhere from users that are anywhere, ensuring availability and high performance; 2) security where needed, as it completely ignores/underestimates the complexity of traffic redirection for specific security needs; and 3) observability and management of multiple sources, such as branch offices and remote/mobile users, and destinations, such as cloud and SaaS assets. SSE solutions don't guarantee application performance for an acceptable user experience and, on the contrary, introduce latency with multiple network hops. Security is only good if it can be enforced, and SSE implementations only see partial traffic types, allowing attackers to easily bypass them via rerouting, tunneling, port hopping and similar simple techniques.
VMblog: Without eliminating SSE or SASE, how can one build a holistic approach to security?

Nadkarni: First and foremost, security controls should be easily enforceable at multiple places and wherever needed. It requires a combination of security applied at the customer premises closer to where the users are, in the cloud, and closer to the destination where the applications are. To address the entire spectrum of attacks, appropriate security functions need to be applied. For instance, traffic bound to the Internet would need secure web gateway capabilities such as URL filtering, malware scanning and data exfiltration detection. For user traffic going to the public cloud, one may want to scan assets for sensitive data for compliance and need features like CASB for SaaS applications. It's critical to apply security controls based on the context while ensuring a good user experience. While inline technologies work best for access control, low and slow advanced threats can only be detected with more sophisticated analysis of data patterns over prolonged periods of time. Observability into traffic pattern variations can ensure detection of anomalous behavior.
VMblog: End-users aren't concerned with how it works, they just need it to work securely all the time. How does this take into account the hybrid workforce's need for SaaS, IaaS or the public cloud?

Nadkarni: In the new hybrid environment, just offering network connectivity is not enough. Poor application and network performance has a huge impact on employee productivity and customer satisfaction. The most used modern applications for voice and video communications are latency sensitive and react unfavorably to network packet drops. At least two of our customers shared their woes with remote call center users unable to conduct business because of network performance issues while using remote access VPN solutions. Remote users expect a LAN-like user experience when accessing workloads in the public cloud or SaaS-based applications. Most public clouds offer good performance as long as the users are in the same availability zone, and unless the applications are replicated globally across multiple availability zones, the user experience is highly variable and non-deterministic.
VMblog: What do you envision the move away from a network-centric idea of security means for the enterprise and the end-user?

Nadkarni: Integrated networking and security with end-to-end (user to application) observability and control is what is needed. Enterprises in the past were conditioned to think in a very network-centric way that assumes a rigid and static, location-based approach, with users in the offices and applications protected inside the confines of their own data center. With applications anywhere and users anywhere, the constructs of network-centric thinking of perimeter security have become irrelevant. More and more customers are transitioning from "How do I solve WAN connectivity?" to asking "How do I deliver applications securely with the best user experience?" The move away from network-centric thinking requires a network redesign and rearchitecting that provides a secure and delightful user experience.
VMblog: Digital Transformation has gotten a lot of ink these past few years. As a security professional with years of experience, what is your assessment of DT in a post-pandemic environment?

Nadkarni: Digital transformation, aka business agility, requires on-demand provisioning of IT infrastructure, networking and security, and efficient day-to-day operations. As public cloud and virtualization vendors solve IT infrastructure as a service, SASE was a promise to fulfill that vision and complete the networking and security needs. However, it fell short due to the organization's boundaries, from practical implementation and management to end-to-end operationalizing of workflows, with dependence on different (and almost opposing) networking and security technologies. For instance, when the connectivity is provisioned by the networking team, does the security team have all the necessary controls and audits for compliance? Does the application owner have a sign-off from the networking team to confirm the availability, as well as from the security team? These answers are impossible to get from fragmented technologies and teams.
VMblog: We spoke before about users being dependent on their apps, and how IT departments are fragmented in their approach to application delivery and security. How do you balance those two?

Nadkarni: One way to practically solve the technology fragmentation problem and operationalize across different organizations is to:

- Ensure consistent security policies across all the enforcement points, aka the unified control plane. This is particularly important when it involves handling encrypted traffic and sensitive data analysis within it, to avoid multiple hops and encrypt/decrypt cycles.
- Ensure security enforcement closest to the secured asset, aka the distributed data plane. In the case of outbound user-generated traffic, this could be at the branch customer premises equipment (CPE) or as a client on the remote user's laptop. For application inbound traffic, this would mean closer to the datacenter (DC) or x-cloud boundary.
- Ensure role-based access controls and accountability, aka observability. Provide relevant data, alerts and access mechanisms for the different teams in the organization to perform their roles, for smooth operations and hand-offs between the teams.