What is SASE?
Whenever sales of security products dip, vendors leverage buzzwords in an effort to explain business problems. They push the buzzword hard for a short while, just long enough for people to buy it and figure out the claims were vastly overblown. By that time, vendors have moved on to a new buzzword. This is a large part of the dynamic behind the cybersecurity hype cycle. The concept gained traction with the publication of the Gartner paper "The Future of Network Security is in the Cloud.”
The paper describes how software-as-a-service (SaaS) makes the internal network irrelevant. After all, every application users are running is in the cloud. All of the data also resides in the cloud.
Why invest in defending the place where your sensitive data isn’t stored?
The paper calls for less investment in perimeter security. Instead, focus would be shifted to investment in outbound bandwidth and inspection power of outbound traffic at the network edge (the SE part of SASE). As for secure access (SA), it relies mostly on two-factor authentication to the cloud services.
Are all of these speculations true? Sure, to a certain extent. Did they solve cybersecurity? Of course not.
There are some important caveats to secure access and secure edge.
Shared Secrets are "Secure Access"
When data is stored by a 3rd party in the cloud, the 3rd party needs to figure a way to provide you with access while ideally denying access to other people.
This Secure Access is provided across the Internet, without meeting a client’s employees or understanding their operational model. A company based in the American Midwest may have a globally distributed workforce, with some staff in Shanghai. The cloud service will provide anyone access if they have the correct credentials, regardless of their geographic location.
That’s why attackers steal cloud service credentials. They end up with access to sensitive data that can be an absolute goldmine.
The big problem with the concept of SASE is the failure to address a key point: an endpoint compromise gives attackers your secure credentials. That is why, if you read the Gartner documents in detail, the analysts advise the use of an endpoint detection and response solution in conjunction with SASE.
Micro-isolation with virtualized desktops does not solve the problem - it only moves it. Please leave a comment if you want the technical details in a future post.
The Hoax of Two-Factor Authentication
Wait, I’m using TWO-FACTOR AUTHENTICATION! Crisis averted! I’m safe!
Endpoint compromise also leads to two-factor authentication (2FA) compromise if attackers really want to access your data.
If hackers compromised a machine by intercepting a one-time code, they can also intercept a 2FA code. All it takes is a hacker to intercept user input, steal the code, and reuse it to automatically log on from another location.
The Vulnerabilities of the App Password
But wait, there is more. Users rely on a lot of programs that need constant access to cloud data. It would be very inconvenient if users constantly needed to enter their 2FA codes.
If emails are delivered from the Office 365 mail service, how often does Outlook prompt the user for a one-time code? A lot of applications have special “app passwords” (SaaS tokens) that enable them to bypass 2FA to increase useability and decrease user inconvenience.
If the attacker can access an endpoint to steal the app password from an unsecure cache or to gain access to the platform just once to add a new app, they can access the cloud data whenever, wherever they so please.
Authentication vs Authorization
Authentication requires two-factors while authorization relies on a single-use, randomly-generated secret token. Knowledge of that secret value is a sign that this user was authenticated and is authorized to access the data.
It may be easier for the attacker to just steal an authorization to gain access. If they gain access once, they can usually set themselves up for future access by setting up an app password. For many web apps, this access token is usually stored in cookies which reside on the local disk, so a compromise of the endpoint does the trick.
Is the edge really that secure?
One could argue that attackers exfiltrating stolen credentials would be caught at the “secure edge.”
Let’s be extremely generous and assume that a network signature exists for whatever command-and-control traffic is used by the endpoint compromise. Is endpoint traffic really crossing the “secure edge” 100% of the time?
Is every user physically on premise OR on the VPN every single time they use the machine containing the SaaS tokens? Even outside of office hours? In 2020?
Even if the magical network signature did exist, the secure edge might not provide the protection most companies desire. When the attacker gains access once, they can set themselves up for cloud access that would never cross your edge equipment. It would go directly from their attacker machines to the cloud instead
Is SASE bad, then?
No, SASE is not bad.
As with all security solutions, it is important to understand the limitations. Including the realities of your workplace. If you’re seeking a new endpoint security solution based on your security appliance vendor’s most recent product release, that’s one reality. If the global pandemic transformed your on-premise workforce into remote workforce overnight, that’s another reality.
When thinking about “end of perimeter” security architectures, it is important to remember that endpoints still contain the key to all the valuable data. Even if the valuable data itself was moved away from the endpoint.