Securing Network Devices in SASE Architectures

Secure Access Service Edge architectures are modernizing traditional industries with features like SD-WAN, centralized network management, network-wide visibility, policy automation, traffic segmentation, security service provisioning, and transport independence that includes 5G. While these innovations provide faster connections at greater volume for global locations accessing the cloud, the conveniences include overlooked security risks that should be addressed with an approach that incorporates identity contexts of the user, on-premises data and hardware.

Despite the recent rhetoric focused on cloud architectures and virtualization in a way that relegates physical platforms to be mere connectivity pipes deployed at core locations, branches and colocation facilities, it is becoming increasingly evident that these platforms carry contextual company data offering precious, untapped and overlooked value. Device protections should be included as part of SASE architectures.

Network World's Zeus Kerravala has spoken at length about SASE architectures, going so far as to showcase how "cloud-managed, on-prem security" performs better than cloud deployed models. In his research, the on-premises approach works best for locations with a large number of employees. While I agree that on-premises deployments can achieve great performance benchmarks, I believe that the risks today demand a truly secure access service edge that extends further.

For example, part of the SD-WAN component within SASE architectures includes remote device activation (often called "zero-touch provisioning"), an innovation that allows network managers to order, ship and activate a network device from anywhere in the world without having to find a certified specialist for on-site setup. This presents an enormous benefit to networking teams. Today, when a forklift or conveyor belt stops working because of a network outage, manual service creates slow mean-time-to-resolution, which negatively impacts the business. With remote activation and provisioning, all that's needed is an on-location employee - technically savvy or not - to receive the device, plug it into the IT closet, and lock the door. This is a marked improvement in terms of both cost and speed versus legacy provisioning models.

Trust is an important factor here. The network manager ordering the device online must trust that the transaction itself was secure. In addition, the product must be trusted to have secure design and coding, that it's assembled without manipulation, honest about its origins, shipped from the factory without interception, and stored—often in customs facilities across the world—without issue. While many network managers are concerned with speed and reliability (many require same-day shipment and replacement), to assume these processes operate with integrity puts the networked organization and all partners in the ecosystem at risk.

In addition, network teams are forced to trust that actual branch locations, wherever they may be, are secure and that their network device is safe while on premises. Branches can be a busy retail store, a government embassy, or a pharmacy lab testing new vaccines. The network device will see any and all data as the primary routing, switching, and security center. While it is critical to secure endpoints such as workstations, mobile, and IoT devices; the network platform itself must be considered vulnerable to attack as a data aggregation point. Network segmentation helps to protect critical traffic from prying eyes, but it remains a single-layer approach. Cloud-managed, on-prem security deployments such as IPS and NGAV help layer network device security against rogue devices beyond traffic segmentation and make a zero-trust approach more thorough. And while some vendors offer network security as a cloud service, once the location gets above a few dozen endpoints, the traffic generated through security inspection outweighs the cost-benefit of using the cloud. On-prem security simply offers the highest performance levels with the most control.

Furthermore, the remote activation process mentioned in this article involves taking the network device control plane (a function once tied to the device itself, thus requiring an on-site certified specialist) and moving it to a cloud-hosted architecture. Assuming the bare-metal cloud infrastructure hosting the SD-WAN or SASE console is itself secure (many IaaS providers should have documentation on their efforts here), the data transactions that verify and use the device must traverse the internet to operate and should be encrypted in a secure manner.

Building a SASE architecture does not have to be a hopeless endeavor that jams risky devices into sensitive networks. For years, Cisco has been quietly researching and building quality network devices for SASE architectures with verifiable integrity. Our supply chain process leads the industry so you can trust the devices on your network. In fact, Cisco Trustworthy Solutions include a proprietary Trust Anchor module (TAm) that secures the hardware and reduces operational risk, protecting against counterfeit and manipulation with hardware-anchored encryption key storage, secure boot, boot key attestation, secure unlock, Bitstream FPGA defenses and more. Only Cisco offers these hardware-anchored security functions to protect network integrity when activating and provisioning remote devices in SD-WAN and SASE architectures.

As more and more enterprises realize the value of deploying SASE architectures, network and security teams across multiple industries must hold the network device to the same stringent standards as cloud and virtualized components. Only then can the world truly enjoy the transformation that comes with trustworthy SD-WAN and SASE architectures. Product quality and integrity matter. Here, you can trust Cisco to be one of those rare few to build a trustworthy SASE architecture.

For more information, please visit:

Cisco SD-WAN
Cisco Trustworthy Solutions

— Pat Vitalone, Product Marketing Manager, Cisco Routing & SD-WAN This content is sponsored by Cisco.

Be the first to post a comment regarding this story.
Sign In