Introduction

In today’s rapidly evolving digital landscape, ensuring the security of endpoint devices has become more critical than ever before. The proliferation of remote work, mobile devices, and cloud-based applications has introduced new challenges for safeguarding sensitive data and maintaining network integrity. In response to these challenges, many organizations are turning to Secure Access Service Edge (SASE) solutions to fortify their security posture.


Traditional Security Implementation

Traditional security models are often described as a “castle-and-moat” approach. In this model, the organization’s network is considered the castle, and security solutions such as firewalls and VPNs act as the moat. Everything inside the network perimeter is considered trusted, while external elements are treated with suspicion.

  1. Perimeter-based Security: Traditional security relies on a perimeter-based model where the organization’s network is the fortress, and security solutions (firewalls, VPNs, etc.) serve as the protective moat. Elements inside the perimeter are trusted, while anything external is treated cautiously.

  2. Centralized Security Appliances: Security solutions, like firewalls and intrusion prevention systems, are often centralized, especially at the data center. This often results in traffic being backhauled from remote locations or branches to this central point for inspection.

  3. VPN for Remote Access: Remote users typically connect to the network using VPNs, which can introduce latency since traffic from remote users is tunneled to the central office before accessing the internet or other resources.

  4. Disparate Solutions: Traditional setups might have various standalone solutions – a firewall from one vendor, a secure web gateway from another, VPNs from another, etc. This can complicate integration and management.

SASE Security Implementation

While traditional security implementations were well-suited for a time when most resources and users were centralized, the shift towards cloud services, remote work, and mobile users has revealed its limitations. SASE aims to address these modern challenges by offering a more flexible, integrated, and decentralized cloud-first security solution optimized for the current state of enterprise computing. Here’s how it differs:

  1. Identity and Context-aware Security: SASE treats every access attempt as untrusted instead of relying on a network perimeter. Access is granted based on the user’s or device’s identity, the access request’s context, real-time analytics, and other factors.

  2. Decentralized Security Services: Security is implemented closer to the point of access, often at the edge or as a cloud service. This means users connect to their nearest security service point, reducing latency.

  3. Integrated Suite of Services: SASE aims to combine various security services like Secure Web Gateways (SWG), Cloud Access Security Brokers (CASB), Firewall as a Service (FWaaS), Zero Trust Network Access (ZTNA), etc., into a unified platform. This integrated approach simplifies management and ensures that security policies are applied everywhere.

  4. Optimized for Cloud and Mobile: Traditional security models have shown strains as organizations have shifted to cloud services and remote work. SASE is designed with the cloud and mobility in mind, ensuring that security policies are consistently applied no matter where users are or which devices they use.

  5. Scalable and Flexible: Being cloud-native, SASE solutions can scale as required and adapt quickly to changing business needs.

The Role of the Device in SASE Implementation

While SASE drastically changes the enterprise security approach, it still considers the end-user device, whether mobile, non-mobile, or IoT, an integral part of the security solution. In a SASE (Secure Access Service Edge) solution, the services primarily reside in the cloud, leveraging a global network of points of presence (PoPs) to provide security and networking services as close as possible to the end user or device.

However, specific components or agents might run on the end-user’s device to interact with these cloud-based services. Here’s what typically runs on the device in a SASE architecture:

  1. Endpoint Agent/Client Software: This is a lightweight software client installed on the user’s device (laptop, smartphone, tablet, etc.). The agent is responsible for:

    • Initiating secure connections to the SASE cloud.

    • Enforcing local security policies.

    • Monitoring device health and security posture.

    • Redirecting traffic to the SASE service for security checks and policy enforcement.

  2. Zero Trust Network Access (ZTNA) Components: ZTNA ensures that every access attempt to resources, even from within the network, is authenticated and verified. The endpoint agent often includes components to enforce ZTNA principles, such as:

    • Identity verification.

    • Context-aware access controls (based on device health, location, user role, etc.).

    • Application-level connectivity (connecting the user only to the specific applications they need, not the entire network).

  3. Data Encryption Tools: The agent ensures that data in transit is encrypted when connecting to the SASE cloud or other organizational resources.

  4. Local Security Services: While most security services in a SASE architecture are cloud-based, certain local checks or policies might still be enforced on the device. This can include:

    • Local firewall rules.

    • Host intrusion prevention systems.

    • Data loss prevention checks for sensitive data.

  5. Security Posture Check: Before granting access to resources, the SASE solution might check the device’s security posture. This can involve verifying:

    • Antivirus/antimalware status.

    • Operating system and software patch levels.

    • Compliance with organizational security policies.

  6. Management and Configuration Tools: These allow IT teams to configure the agent’s behavior, update policies, and integrate with other IT management tools.

  7. Logging and Monitoring Components: The agent might also collect logs and other relevant data for analysis. This information can be sent to the central SASE solution for anomaly detection, analysis, and reporting.

The exact components and functionalities can vary depending on the specific SASE solution provider and the organization’s requirements. However, SASE aims to keep the on-device footprint lightweight and leverage the cloud for most heavy lifting, ensuring consistent policy enforcement and optimal performance regardless of the device’s location. These aims do not consider the latest edge-in approach and microservice architecture developments, which the mimik platform enables. This includes:

  • Running microservices that expose APIs directly on devices

  • Handling ad-hoc edge service meshes where microservices interact with each other directly without going through the cloud

The Role of mimik HEC in SASE Implementation

Now, let’s explore how the mimik Hybrid Edge Cloud (HEC) software platform can contribute to the implementation of SASE, enhancing its capabilities for securing endpoint devices.

The mimik HEC is crucial in enhancing SASE implementation by providing innovative solutions and components that ensure secure, efficient, and context-aware protection for endpoint devices. Here’s how mimik contributes:

  1. Distributed Computing: mimik facilitates distributed computing at the edge, reducing latency and enabling real-time analytics and response, essential for security solutions like SASE.

  2. Edge Server Capabilities: Devices powered by mimik can act as edge cloud servers, deploying SASE solutions closer to data sources or users, improving performance, and reducing the load on central servers.

  3. Interoperability: mimik’s platform fosters interoperability between different cloud services, edge devices, and on-premises resources, a critical requirement for implementing SASE in a hybrid environment.

  4. Resource Optimization: Implementing SASE solutions with mimik edgeEngine on the mimik hybrid edge cloud platform can optimize network and computing resource utilization by balancing the load between cloud, edge, and on-premises.

  5. Enhanced Security: Integrating security microservices at the edge using mimik edgeEngine enables granular and context-aware security enforcement, essential for Zero Trust Network Access (ZTNA) and Secure Web Gateway (SWG) components of SASE.

Edge-in Approach with mimik

One of the unique aspects of mimik’s contribution is the ability to move or complement SASE functions further to the edge, even directly on the user or IoT device. This approach enables a more contextualized and efficient security strategy, allowing for device-to-device interaction that is impossible in a traditional cloud-first SASE implementation.

mimik’s Impact on Key SASE Components

Looking at the significant components of a SASE architecture, it is possible to understand the impact of an edge-in approach enabled by the mimik platform:

  • Cloud Access Security Broker (CASB): By running CASB as an edge microservice on the device itself (eCASB), organizations can benefit from:

    • Decentralized Data Management: As cloud applications proliferate, so does the data between devices and these applications. With edge computing capabilities from solutions like mimik edgeEngine, there’s potential for more localized data processing and decision-making at the data source before sending it out. This can be leveraged to inspect data locally on a device before it’s sent to or received from a cloud service, aligning with some CASB functions.

    • Local Policy Enforcement: With the ability to execute applications and processes at the edge, organizations could run lightweight, localized CASB-like functions on the device. This would mean real-time policy enforcement even before data or requests hit the main CASB solution in the network path, allowing the ability to do multi-cloud brokering right from the device (at the edge) instead of in the cloud.

    • Enhanced Performance: By integrating edge capabilities with CASB functionalities, certain processes can be offloaded to the edge, reducing latency. For instance, initial policy checks or data classifications, augmentation, and tagging can be done on-device, reducing the need for all traffic to be routed through a central CASB solution.

    • Integration with Other Edge Services: As part of a broader edge ecosystem, CASB functionalities can be combined with other edge services, enabling more comprehensive security and data management solutions tailored for specific environments or use cases.

    • Custom CASB Solutions for Unique Use Cases: Developers can potentially build custom CASB solutions tailored to specific organizational needs or niche applications, leveraging the flexibility and capabilities provided by mimik edgeEngine.

  • Zero Trust Network Access (ZTNA): The mimik platform takes a zero-trust network approach as a core feature of the edge system. This allows the edgeEngine to provide the following:

    • Localized Access Control: With computing capabilities extended to the edge, access decisions can be made locally, right where the request originates. This can reduce latency and make access controls more efficient, as not every decision must be routed through a centralized authority.

    • Enhanced Security for IoT Devices: IoT devices can often be weak points in a network. If these devices are empowered with edgeEngine capabilities and integrated with ZTNA principles, they could have enhanced security postures, mitigating some of the risks associated with IoT deployments.

    • Integration with Decentralized Applications: As more applications and services become decentralized and move to the edge, integrating ZTNA principles becomes crucial. Using a platform like mimik edgeEngine, developers could create applications with built-in ZTNA functionalities tailored for specific edge use cases.

    • Continuous Authentication and Authorization: ZTNA emphasizes continuous verification, not just at the beginning of a session. With edge computing capabilities, this continuous check can be done more efficiently, utilizing real-time device data.

    • Micro-segmentation at the Edge: ZTNA often employs micro-segmentation to isolate and protect network resources. With edgeEngine, this segmentation could be extended to the edge, providing more granular isolation and protection of resources, data, and services.
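As an added illustration of the security posture check described earlier and of the localized, continuous, context-aware ZTNA decision listed above (this is example code, not mimik's or any SASE vendor's), the following policy decision point evaluates every request against identity, device posture and request context, defaulting to deny. The applications, roles, countries and thresholds are all constructed for the example.

```python
"""Edge-side ZTNA policy decision point (added illustration, not mimik's code).
Policies, applications and thresholds are constructed for the example."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple
@dataclass(frozen=True)
class DevicePosture:
    antimalware_running: bool
    signature_age_hours: float
    os_patch_age_days: int
    disk_encrypted: bool
    reported_at: float             # Unix time when the agent last collected this
@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    app: str                       # application-level target, never "the network"
    source_country: str
    now: float                     # Unix time of this request
# Constructed policy: roles and locations permitted per application.
# A "countries" value of None means any location is acceptable.
APP_POLICY = {
    "payroll": {"roles": {"hr", "finance"}, "countries": {"CA", "US"}},
    "wiki":    {"roles": {"hr", "finance", "eng"}, "countries": None},
}
POSTURE_MAX_AGE_S = 300            # older posture is treated as unknown, not healthy

def posture_findings(p: DevicePosture, now: float) -> List[str]:
    """Return the posture checks the device fails (empty list = healthy)."""
    findings = []
    if now - p.reported_at > POSTURE_MAX_AGE_S:
        findings.append("posture-stale")
    if not p.antimalware_running:
        findings.append("antimalware-off")
    if p.signature_age_hours > 24:
        findings.append("signatures-outdated")
    if p.os_patch_age_days > 30:
        findings.append("os-unpatched")
    if not p.disk_encrypted:
        findings.append("disk-unencrypted")
    return findings

def decide(req: AccessRequest, posture: DevicePosture) -> Tuple[bool, List[str]]:
    """Evaluate one request: run on every request, not once per session."""
    reasons = posture_findings(posture, req.now)
    policy = APP_POLICY.get(req.app)
    if policy is None:
        reasons.append("unknown-app")                 # default deny
    else:
        if not (req.roles & policy["roles"]):
            reasons.append("role-not-permitted")
        allowed = policy["countries"]
        if allowed is not None and req.source_country not in allowed:
            reasons.append("location-not-permitted")
    return (not reasons, reasons)
```

Because the decision runs per request and treats stale posture as a failure, a device whose agent stops reporting loses access within the staleness window rather than at the end of its session.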

  • Next-Generation Firewall (NGFW): The mimik edgeEngine resides on top of the operating system and therefore does not have deep access to the network stack, so it cannot implement features such as deep packet inspection (DPI). However, by implementing an API Gateway, a microservice running within the edgeEngine can enable the following features:

    • Localized Traffic Inspection: With applications and services running on the edge, localized traffic inspection and filtering at the message level can potentially be done. Rather than sending all traffic through a central NGFW, initial inspections and policy checks could be performed on-device or at the edge, enhancing responsiveness and reducing unnecessary traffic loads on central security appliances.

    • Context-rich Policies: The edgeEngine can provide granular, context-rich data from devices, given its edge-centric architecture. This context can be valuable for NGFW functions, allowing for dynamic and adaptive security policies based on real-time device status, user behavior, location, etc.

    • Protection of IoT Devices: IoT devices, often seen as vulnerable network points, could benefit from localized firewall capabilities. By integrating NGFW functionalities at the edge, there’s potential for better security postures for IoT deployments, with immediate threat detection and response.

    • Integration with Edge Services: As more services move to the edge, there’s an increasing need to ensure these services are secured. By integrating NGFW capabilities into edge-based services powered by mimik edgeEngine, there’s an opportunity for holistic security that’s tailored for edge-specific scenarios.

    • Decentralized Threat Detection and Response: By leveraging edge computing capabilities, threat detection and response can potentially be decentralized. If an anomaly or potential threat is detected on a device or within a network segment, immediate action can be taken at the edge, even before the central NGFW or security operations center is alerted.

    • Scalability and Adaptability: With the growth of connected devices and increasing network complexity, scalability becomes a concern for traditional NGFWs. By offloading some functionalities to the edge, there’s potential for more scalable security solutions that adapt to changing network conditions and demands.

  • Secure Web Gateway (SWG): By running a microservice directly on the device, on top of the mimik edgeEngine and behind an API Gateway, it is possible to enable an edge SWG (eSWG) with the following capabilities:

    • Real-time Content Filtering: An eSWG running on the device can provide real-time content filtering, blocking malicious or inappropriate content before it reaches the user’s device.

    • Local Policy Enforcement: Organizations can implement customized content filtering policies at the edge, ensuring that users are protected from web-based threats even when they are not connected to the corporate network.

    • Reduced Latency: By offloading content filtering to the edge, latency is minimized, resulting in faster web access for users.

    • Improved Performance: An eSWG can optimize web traffic, reducing the load on central SWG solutions and improving overall network performance.

    • Integration with Local Services: Organizations can integrate their eSWG with other local services and security components to provide a comprehensive security posture.

    • Enhanced Privacy: With an eSWG at the edge, user data remains on the device, enhancing privacy and reducing the need to send user data to centralized SWG solutions.
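The NGFW and eSWG sections above both rest on the same idea: without packet-level DPI, an edge API gateway still sees each outbound request as a message (method, URL, body) and can apply destination policy and a local data loss prevention check before the request leaves the device. The following is an added example of that message-level inspection, not code from mimik or from the page; host names, rules and the TLS-only policy are constructed, and the record it returns stands in for the log data the agent forwards to the central SASE service.

```python
"""Message-level egress inspection at an edge API gateway (added illustration,
not mimik's code). Host names, rules and thresholds are constructed."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"malware.example"}              # constructed deny list (eSWG category)
SANCTIONED_UPLOAD_HOSTS = {"storage.example"}    # constructed: where card data may go
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                   # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_card_number(body: str) -> bool:
    """DLP check on the message body, run on-device before the request leaves."""
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False

def inspect(method: str, url: str, body: str = "") -> Tuple[str, Dict]:
    """Return ("allow" | "deny", record); the record is what the agent forwards
    to the central SASE service for analysis and reporting."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings: List[str] = []
    if parts.scheme != "https":                       # constructed policy: TLS only
        findings.append("insecure-scheme")
    if host in BLOCKED_HOSTS:
        findings.append("blocked-destination")
    uploads = method.upper() in ("POST", "PUT", "PATCH")
    if uploads and host not in SANCTIONED_UPLOAD_HOSTS and contains_card_number(body):
        findings.append("dlp-card-number")
    verdict = "deny" if findings else "allow"
    record = {"host": host, "method": method.upper(),
              "verdict": verdict, "findings": findings}
    return verdict, record
```

The Luhn check is what keeps a 16-digit order number from triggering the DLP rule while a real card number posted to an unsanctioned host is stopped on the device.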


Conclusion

Securing endpoint devices is paramount in the ever-evolving landscape of cybersecurity and remote work. Traditional security models have limitations, especially in the face of the cloud, mobility, and the Internet of Things (IoT). Secure Access Service Edge (SASE) represents a new paradigm in security, offering an integrated, cloud-native, and context-aware approach. The mimik HEC is pivotal in enhancing SASE implementation by enabling distributed computing at the edge, fostering interoperability, and providing the tools for secure, efficient, and context-aware protection. By moving or complementing SASE functions to the edge, mimik’s innovative approach enhances security, reduces latency, and opens new possibilities for device-to-device interactions, bolstering the security posture of organizations in a rapidly changing digital world. With SASE and mimik, the future of endpoint security looks brighter, more efficient, and more resilient than ever before.
