Transcription:
Rebecca: Hello, and welcome everyone. Thank you for joining us for today's webinar, SASE and the Future of Security. We're going to be looking at how SASE can simplify protection in the cloud-first world. My name is Rebecca, and I will be your host and moderator for this session.
Over the next hour, we'll be diving into why Unified SASE is becoming a critical part of enterprise security strategies. We'll explore how organisations can simplify security, reduce risk, and protect users.
Before we get started, let's quickly run through some housekeeping. Today's webinar is being recorded, so you don't need to worry if you miss anything. We'll be sending out an on-demand link shortly after this session. And as this is a webinar, you don't need to worry about your camera or your microphone being on. But we absolutely want to hear from you. Please feel free to introduce yourself, ask questions or share any comments at any time using the chat or the Q&A tab that you should be able to see on the right of your screen. We'll be keeping an eye on those and address as many of your questions as possible during the Q&A, and at the end of the session, we'll be running through some of those questions as well.
So let's kick this off. I'm really pleased to be joined today by two fantastic speakers. Leigh is with us today from Naastar.
Leigh: Yeah, good morning. Thank you for joining us. Happy to be here. My name is Leigh Walgate. I am the Managing Director of the Secure Networks Division at Nasstar. I have a background in telecommunications and secure networking, and I've got over two decades of experience in working with organisations to modernise and transform their digital ecosystem. So, really looking forward to having this conversation and unpacking some of the concepts around secure networking and SASE.
Rebecca: Thanks, Leigh. We're also joined today by David from Fortinet.
David: Thanks, Rebecca, and thanks for inviting me along today. So, yeah, I've been working in the world of IT for way too many years to mention, but I've had the privilege for the last five and a half years of working for Fortinet here in the UK as a business development manager in the worlds of SASE and Zero Trust. And that period of my tenure has been really quite beneficial because it's allowed me to be there right from the start of the SASE wave and also the start of Fortinet's SASE proposition and seeing it grow from its initial points to where we are today with the news this week that we just entered the leaders quadrant for the Gartner Magic quadrant for SASE platforms. So there we go.
Rebecca: So, before we dive into what SASE actually is, it's probably a good idea for us to talk about this evolving threat landscape, what the challenges are that organisations are facing now, what they have been facing, and what's driven this need for a new approach. So Leigh, can you walk us through why Castle & Moat just doesn't work any longer?
Leigh: Sure, yeah. So the Castle & Moat security posture… It made sense when there was such a thing as a defined perimeter. We had a corporate network and a private network. Users came into the corporate network. They accessed applications, workloads, and data that was contained inside that corporate network. And it was protected by a perimeter of corporate firewalls and protected from the internet. And you can quickly see that that's all but vanished. That security posture no longer makes any sense. Users are literally everywhere.
The data that they access is hosted on the cloud. And we use the internet as the primary medium of communication. And that's what we saw as the untrusted part of the network. We had a trusted and untrusted part of the network. So that fixed perimeter you can see clearly doesn't work anymore, but the problem with that is, in today's world, our security tools still assume that that posture is intact. If I just use a VPN, as an example, a user will authenticate onto a VPN and then they're seen as a trusted user, right? So if an attacker has compromised those VPN credentials, they've got malware on the machine that the user is using, they can then start moving laterally across the organisation and often remain undetected. So we need to start changing the way that we put a security perimeter around our enterprise, and this is where Zero Trust starts to come in.
We assume in Zero Trust that everything is always breached. It's a never-trust model. Every access request is authenticated and authorised, and it's continually assessed and monitored for security posture during that transaction. So today's security architecture is not about building a taller wall or hardening your exterior posture from a firewall perspective. Zero Trust flips that model. It's about restricting access to just absolutely what is needed, minimising the attack surface and minimising the blast radius if something does go wrong.
Rebecca: And this really ties into a stat that I saw recently, that 80% of breaches target those users. So is this just down to us, hybrid working, and the way that we work now?
Leigh: Well, look, hybrid networking has definitely increased the attack surface. Users are, as I said a moment ago, they're working from home, they're accessing applications that are hosted on the cloud, they might even be using their personal device. And that would fall outside of that standard security model. But it's not the only factor. That statistic you're saying, 80%, is that users have become the new perimeter. They are the edge of the security perimeter. And the attacks that they're facing have become a lot more sophisticated. So phishing and social engineering campaigns now often use AI-generated content. It's much more compelling and effective than it was previously to trick users into giving up things like credentials. And it's obviously a lot cheaper and more efficient to target an end user through social engineering than it is to hack your way through a sophisticated security system.
So hybrid working is a factor, yes, but it's more about the sophistication of the attack against the end user that's creating that statistic of 80%. And that's why we need to use new tools to protect that environment. You need things like MFA and 2FA, you need endpoint security posture checks, and you need SASE and Zero Trust to really limit the impact if you are breached.
Rebecca: And this is the thing, because these cyber criminals, they're just getting smarter, aren't they, David? How are they taking advantage of home users and really targeting those VPN users?
David: Yeah, sure. So, I mean, as Leigh alluded to, by their very nature, remote users are more at risk because they're working from a location that doesn't have the enterprise-grade security that they get when they're in the office. They're visiting websites and using applications that they wouldn't when they were in the office. And they're also using public Wi-Fi in airports, hotels, and so on. So their endpoints are more at risk of infection. And when you combine that with the fact that these remote users are predominantly using VPN, that gives us a problem because VPN was a technology that was developed when times were much simpler. It's designed to give wide network-level access to that remote user. And one of the consequences of that is that there's lots of network-level visibility when the user connects to VPN. And that's exactly the type of visibility that modern threats take advantage of to spread laterally across the network.
I would say that the threat actors are actively conscious of these weaknesses and these aspects. So they know there's many more users working from home. So they're creating social engineering campaigns to target those home users. And they're specifically writing malware which looks for VPN connections, targets those VPN connections, and takes advantage of that network visibility.
Rebecca: And we've all seen in the last few months several cyber attacks that have been in the news. And these can be devastating for an organisation. So, David, let's talk about the cost of a breach.
David: Sure, sure. So, there's lots of different reports that get published by different analysts around this, sort of headline costs of breaches. And they tend to focus a lot on some of these large breach costs that run into the hundreds of millions, like some of the ones we've seen recently. But there was a more interesting report done recently that looked at the average breach cost across all sizes of organisations. And that came out with a figure of $4.9 million. So these are not insignificant events when they occur. And one of the factors that's leading to those high costs is the complexity of organisations' cyber security environments, which is causing them to have a very long time to detect when something has happened and when a breach has occurred. And I think, Leigh, you can add more context to that.
Leigh: Yeah, I think, as you said, financially, it can run into the millions depending on the severity of the breach. But it's not just about the financial impact. It's the downtime that occurs, the impact of the teams that are doing the restoration. And that can take weeks or months, again, depending on how severe the breach is. Loss of trust from customers and clients, and then regulatory compliance. What cases have we got to answer from a regulatory compliance perspective? All these things add up to the impact.
This is why we need to, as I said earlier, really change the way that we work, move from reactive to proactive security, and put these tools in place so that if the worst things happen, if we can't mitigate and prevent every risk, then we limit the impact when it occurs.
Rebecca: And, you know, organisations are just finding it harder and harder to keep up with this ever-evolving threat landscape. And this is where SASE comes into the conversation. It's a relatively new turn. It's gaining traction. But, David, can you give me an overview? What is SASE?
David: Sure, sure. So I guess the starting point is that Gartner originated the whole concept of SASE. So back in 2019, they published a paper entitled The Future of Network Securities in the Cloud. And they kind of outlined multiple reasons as to why they felt they needed this new model. And the first of these was referring back to what we said in earlier parts of the discussion, there was the prevalent security model at the time in the shape of the perimeter security model, that was no longer fit for purpose, you know. Gartner were regarding what they called the digital enterprise, with most of their, the vast majority of their resources in the cloud and more and more users working from anywhere.
So the idea of those users' traffic coming into an on-premise security platform only to go back out again to these cloud resources just didn't make any sense. So they wanted to develop a model where the security controls stay in line, so the users access the application, rather than that hairpinning redirection in and then back out again. And at the same time, because of this growing number of application locations and users working from anywhere, there was a burgeoning growth in the number of access paths that needed to be secured. As well as, because of the use of the internet, growth in encrypted traffic. And one of the implications of that was it was becoming very difficult to try and maintain separate security and networking systems. That was becoming more and more complex.
So the other aim from Gartner in this new model was to converge the networking and security mechanisms into the same integrated platform. So they came up with this idea of a converged cloud-based platform containing all of these security and networking capabilities, and they focused that on three main use cases. Secure private access for users accessing internal applications. Secure internet access for just general internet access, and more specifically, secure SaaS access for accessing SaaS applications. And for that, they needed ZTNA capabilities for secure private access to replace VPN because they saw that as more secure and started to introduce those Zero Trust controls that are so important. They needed a firewall and secure web gateway capabilities for that secure internet access, and then CASB for that secure SaaS access. And not forgetting that they wanted to combine this with the network access mechanisms. And they chose SD-WAN for the networking side of things to get the application visibility-driven efficiencies and performance that SD-WAN provides. So that's what SASE is, an integrated cloud platform containing all of these security and networking capabilities.
Rebecca: So does SASE replace older security measures like VPN, or does it work alongside them?
David: So I guess one of the key ways of looking at this is that SASE is not a set of new capabilities. It's a way of delivering existing capabilities in a much more beneficial way for the modern workspace. So yes, an organisation may already have something in place for secure private access. Most typically, VPN. But by deploying SASE, they're going to get a much more integrated way of doing that.
So yes, in that case, the ZTE capability of SASE is going to replace that VPN solution. And the same for internet access. They might have a web proxy solution in place for securing that internet access. But again, incorporating that into an integrated platform allows you to replace that ageing web proxy solution with a much more modern approach, combining Secure Web Gateway and CASB. Because CASB, it's quite important to point out, many organisations don't have anything in place for securing SaaS access specifically. So it's about replacing some existing solutions, but incorporating new elements as well.
Rebecca: So SASE isn't just one thing, it's a collection of solutions. Can you give me an example of how that works in practice then?
David: Sure. So, although Gartner came up with this SASE model combining both SD-WAN and those security elements that we outlined, what we saw straight after they came out with this model was 2020 came along, the pandemic. So the focus actually shifted, to begin with, very much on delivering what was required for remote users. So Gartner actually tweaked things a little bit by giving off the SD-WAN element and leaving the rest as what they call secure services edge, or SSE, for cloud-delivered security for remote users.
So at the full SASE framework side of things, we still have that combination of SD-WAN combined with the SSE. But if we take the SSE element, the way that works is it's a cloud-integrated platform of those ZTE, CASB, Firewall and Secure Web Gateway capabilities distributed over a global network of what we call points of presence, so POPs. So the end user's endpoint then will connect into the nearest POP, and all of their internet-bound traffic, or traffic going to corporate applications that are stored elsewhere, is going to be redirected via that POP. So they get a single in-line platform that's going to do a single pass for all of those security capabilities to screen all of their internet and private access.
Rebecca: Great. So SASE is about converging network and security into a unified cloud-native platform that really does support those hybrid workers. But as the market matures, we're seeing this shift from fragmented multi-vendor solutions towards a far more integrated approach, which is now being referred to as unified SASE.
So, David, as organisations have built up these multi-point solutions over time from different vendors, legacy infrastructure, can you unpack the difference between a multi-vendor setup and a unified SASE platform and why this shift is so important for organisations?
David: Sure, sure. So there's definitely been a bit of evolution in the SASE concept since Gartner first came out with that model. When they first came out with that model, the market hadn't really caught up. There were very few vendors that could offer that complete integrated platform. So some of the early adopters of SASE, they actually took a DIY approach, where they were taking what they could get from different vendors with the limited integration capabilities that those provided and building their own SASE infrastructure. But again, there's lots of complexity in that and not really much integration.
We then had that big explosion of the SSE market during and immediately after the pandemic. So what we then saw was organisations taking a dual vendor approach to SASE, where they had one vendor for the SSE element of that cloud-hosted security and then a second vendor for the SD-WAN part of SASE.
Moving on from that, because that still involves complexity, we then started to see the emergence of single vendor SASE, where a single vendor, such as Fortinet, could offer both elements, the SD-WAN and the SSE, and a much greater level of integration because they're building those as an integrated platform. And then bringing things completely up to date. This is speaking more from our perspective at Fortinet, we've basically taken that initial Gartner concept and adapted it even further to what we call Unified SASE. Because if you think about that Gartner concept to start with, that cloud-only security model is great for those digital enterprises that Gartner was talking about where you've got these remote users accessing cloud-based resources. But that's not what we see in the real world when we talk to most organisations.
We see most organisations still in a hybrid world where they've still got a significant level of on-premise users and on-premise resources. And if you think about that Gartner cloud-only model, cloud-only security platform model in the world of those on-prem scenarios and on-prem user accessing an on-prem resource, we're basically reversing that problem that we had with VPNs because we've got to go, that traffic's got to go out to the cloud-based security platform only to come back in again to the on-prem resource.
So what we're doing with Unified SASE is we're basically trying to deliver a platform which, yes, we've got the cloud-hosted POPs for delivering that cloud-hosted security in line for the remote users accessing whatever resources they're accessing. But Fortinet are also in the advantageous position of already having a converged platform for that on-prem scenario in the shape of our FortiGate firewalls. These have long been a converged network and security platform covering those elements of School Web Gateway, Firewall, CASB and ZTNA. So we can provide that on-prem to on-prem scenario in an in-line thing without having to hairpin out to the cloud while still covering all the cloud access scenarios from those cloud-hosted pops. So, a much more unified approach for those hybrid organisations.
Rebecca: So let's talk about the benefits. What are the key business benefits of moving to a unified SASE approach?
David: Sure. So really a lot of these benefits all stem from that reduction in the number of vendors and solutions that we're talking about. So to start off with, you're vastly reducing the licensing and procurement complexity that you're having to deal with because you've got one vendor to deal with rather than all these multiple vendors for these multiple point solutions that most organisations have ended up with over the years. We're also then reducing the skills coverage and admin overhead because there's a lot less to administer. And that becomes increasingly important because of the skill shortage that organisations are having to contend with.
We're also, because of that reduction in admin overhead, enabling you to get to a quicker time to detect when something does happen and minimising the risk of those breach costs that we talked about earlier. And then lastly, we're also, because of that coverage that we're giving for the hybrid organisations and the ability to deliver a consistent coverage, user experience, whether the user is at home or in the office, delivering a much better user experience, which aids user productivity. So all of those aspects together help reduce costs. And I think there's maybe more Lee can say to that as well.
Leigh: I think from an IT operator and SOC operator perspective, I think it just frees up their time to be able to spend their work on more value-added services. So rather than, as you said, trying to work across disparate stovepipe systems, make uniform policies work with each other, in the modern IT architecture space, before SASE, maybe you had 5, 10, 15 vendors to work across. So the SOC operators and the security operators were trying to stitch together the gaps between those solutions. So that's really just freed up their time now to do higher-value work. They're looking at whether it's threat hunting, security posture analysis, or automation work. I think that's a real key benefit for the SOC operator.
Rebecca: So let's move away from the IT team and the SOC operator. Let's talk about someone like me that's just going to log in. How does SASE change my user experience? How does it make my life easier?
Leigh: I think for the end user, things just work, right? It really is about a seamless experience for the end user. There's no more clunky VPNs. There's no multiple passwords to remember or different authentication methods. And whether you're in the office or you're working remotely, what you want is the same experience regardless of location or the application you're accessing. So if you're going on to a SaaS application like Salesforce.com, you want to access some data hosted on cloud or you want to have a workload that's maybe on Azure, whatever it is, the end user just wants to have a unified experience. And then what SASE gives you there is that experience. Productivity without the friction, but the IT team still gets to have strong controls and good visibility.
Rebecca: Really important because SASE isn't just about strengthening security, it's about improving that performance, end-to-end visibility and delivering that better user experience. But this is a major transformation, and adoption doesn't come without its challenges. Organisations will have legacy infrastructure, they're going to have tool sprawl, internal resistance, and you mentioned earlier skills gaps. Organisations could be facing roadblocks to this. So what are the challenges that we're seeing when we're talking to our customers for those trying to adopt SASE?
Leigh: I think it's not a technical challenge. I think as we've just been discussing, when you look into the technical benefits, they really start speaking for themselves. It's really more about the challenge of transition and the challenge of migration. As we mentioned a moment ago, as I said, in the standard security architecture, you may have many, many vendors and users, best-of-breed point solutions.
If you stand back and look at that from a migration and transformation perspective, from the outside, that looks quite challenging and scary. Also, contractually, it might not be viable if you look at them to do it all at once for sure. You may have some parts of your stack that are becoming end-of-life and end-of-support. They are candidates to go first, but other things may have months or years to run and commercially, it might not be viable. So there's this challenge with contractually, understanding how you're going to do the transformation, and there's the human factor. People are resistant to change. Obviously, the risk factor of transformation.
So that's why what we've tried to create at Nasstar is the SASE adoption framework, which allows us to meet our customers wherever they are on that journey. Whichever candidate they've got ready to go first, we can meet them on that journey. We've created an architecture based around NIST so we can manage whichever transformation candidate they want to move with first. And it's not just about the delivery, it's about in-life management. So when we get into operations, it's about that continual evolution and tweaking of the platform to make sure it fits the customer's business requirements.
Rebecca: So you mentioned something there that I want to dive into just a little bit further. You talked about the SASE adoption framework. We use it at Nasstar. What are those key steps?
Leigh: So we've tried to break it down to allow people to show or understand how we manage that complexity of transformation, to make it simple, to make it understandable, and to take it into piecemeal chunks rather than a big bang approach. So, there's five steps. I'll quickly run through them. At the beginning, we identify and prioritise. So this is us working with our clients to understand which are the transformation candidates, which part of their security stack do they want to move incrementally towards a global unified SASE solution first? We then assess and audit the inventory of that service. So we might be looking at the posture and doing some posture analysis and some transformation of the service, but we identify and work through an audit. And then there's a point of value piece in our assessment. So we'll assess, produce a point of value, show that the service is working before it goes into production. Then there's an implementation stage where we put it into production and test. And then there's a run and optimise phase.
So as I said earlier, we're continually evolving, continually managing, and tweaking the service. Now that sounds like five steps just for one delivery, but it's actually a life cycle. It allows us to traverse the landscape of SASE. And each time we find a part of the stack, a service, point, that we want to move in towards the unified SASE solution, we run that same process over and over.
Rebecca: So we talked a little earlier about DIY, do it yourself, SASE. And just listening to you talk, this feels like a transformation where you really want to be working with an MSSP compared to trying to go this alone.
Leigh: Yeah, there is some resistance that we get. I think what we've tried to do at Nasstar is answer the common concerns and the most common concern we have with IT teams and security teams about outsourcing and working with an MSSP, is the loss of control they feel like they're going to be locked out of the environment. And then there's a trust scenario that you've got to overcome so what we've done is we've created this hybrid approach where we have a co-managed service, so that allows our customers and our clients to have the access they need to access the visibility tools to see the reports but also to make a change.
One of the concerns one of the reluctances is they might be a customer might think they are beholden to the MSSP for even the smallest of changes, so through role-based access control, through RBAC, we work with our clients to make sure that they have access to the domain, access to the environment, so they can make and administer their own changes. We think that gives the best of both worlds. This hybrid approach allows our customers to stay in control, but leverage the skills of an MSSP immediately, so there's no really steep learning curve. They can start adopting the more advanced features immediately and have access to a 24/7 managed services team.
Rebecca: Great. So basically, working with a partner like Nasstar can really help to smooth out that journey because adoption is not a one-size-fits-all. But let's talk about that adoption. Let's talk about how SASE can be a really powerful enabler. And it often starts with addressing some challenges and some pain points. So, David, what challenges might organisations be facing where SASE is the answer?
David: Yes, I think it's fair to say that actually, most of the organisations that we speak to about SASE, don't come to us asking to speak about SASE. They're coming to us with other strategic initiatives that they're looking at because of particular challenges and pain points that they're looking to address.
So the first of these is that a lot of CISOs are very concerned about that increase in complexity of their cyber security environments. They've got this burgeoning list of point products across their environment, and they're struggling to make sense of everything that's coming from those and their security teams are just overwhelmed. So they're looking to address that challenge.
The second area that we see is organisations have obviously gone through a big expansion of hybrid and remote working, and they're struggling to deliver the security across that fragmented environment. We've then also got the continuing cloud journey for applications. And in a lot of cases, that cloud journey has been slowed down and stymied for some organisations because of security concerns. They're unsure how they go about delivering the security for those cloud applications because some of the tools that are there in the cloud just aren't up to scratch. And then also there's this journey to zero trust.
As Leigh mentioned way back in the introduction, Zero Trust really is the direction of travel for cyber security. It's a game-changer in terms of reducing risk to the organisation. So across all of these strategic initiatives, we tend to see SASE as an endpoint of those conversations because it helps organisations make large strides in addressing each of those areas.
Rebecca: So if an organisation is already on a digital transformation journey, what sort of projects would really benefit from SASE?
David: Sure. So we see various specific infrastructure-related projects really separate from those, away from those strategic initiatives. We speak to heads of networking and IT that are looking at specific projects that are ideal starting points for a journey to SASE.
So one of the first ones we see is WAN transformation to SD-WAN. A lot of organisations are still dealing with ageing MPLS WAN networks, and they're really looking to get the benefits of an SD-WAN journey. We've also got that transition for remote users from VPN, with all the associated problems of VPN to ZTNA.
There's also, as I mentioned earlier on, a lot of organisations have got fairly ageing proxy solutions for trying to secure users' internet access. So again, transitioning those to something more modern and also including the SaaS security with CASB in there as well. And more simply, just plugging some of the security gaps that they've got for remote users.
Most organisations have VPN in place to secure users' private access, but in quite a lot of cases, they don't have anything in place for securing their internet access. Those users are at home accessing websites and SaaS applications without any security whatsoever. So all of those types of infrastructure projects really benefit from a SASE approach, a more forward-looking approach to make the solution that you're putting in place much more future-proof.
Rebecca: So the key to this is finding the right partner to be able to face those challenges and to aid with that adoption of SASE and go on that journey. Leigh, big question for you. Why Nasstar and why Fortinet?
Leigh: Yeah, well, that's right. I mean, as you said, finding the right partner is important. In fact, it's absolutely essential. And when I say partner, I mean partners, because clearly there's two partners here. You've got Fortinet from the OEM perspective and their unified SASE platform, and Nasstar from an MSSP perspective.
Basically on Fortinet, we've mentioned it earlier, but we should say again that Fortinet, if you've been anywhere near Fortinet's social media campaigns over the last few weeks, you will have seen this, and rightly so, they should be very proud. They've moved into the Gartner Leader Quadrant space for their unified SASE platform. We've been expecting that all along. We know we've signed up with the right partner there.
But from Nasstar's side, we're an MSSP expert. We are one of only two UK partners with the breadth of certifications that we've got. We're an MSSP expert through their Engage Partner Program. We have SD-WAN specialisations. When you mentioned the components of SASE, we've got SD-WAN. We've also got operation technology as a specialisation. So if you're in manufacturing and you're in that OT, IT convergent, the industry 4.0 phase, you'll understand the importance of that inside the SASE ecosystem as well. We've got the expert certification as well for managed SASE. So that layer of certifications gives you access to over 200 people inside Nasstar who've got accreditation against Fortinet's architecture.
So the Fortinet and Nasstar partnership shows you that we've got partners you can work with to go on the journey towards single vendor SASE or unified SASE.
Rebecca: Thanks. So this is where we're going to move into Q&A. So we'd love to hear from you. If you've got questions, please drop them into the chat. We've had a few coming through.
So first question, and I'm going to leave this to you both to kind of jump in for these. How is SASE being deployed in retail environments, particularly with the rise of connected stores and distributed locations? What benefits are retailers seeing from this approach? David?
David: Yeah, so from a solution perspective, one of the areas of our unified SASE solution I've not touched on yet is what we call thin edge connectivity. So if we take a step back and think about it, we talked earlier on about how the user's endpoint gets directed to the closest POP for the SASE solution and redirects the traffic to the air for security screening.
That's fine for managed endpoints and things like that, but we also come across a lot of organisations that have a big number of small sites, and retail is a perfect example, where what they're looking for is a means of connecting that entire site to that cloud-enabled security. So this is when our thin edge connectivity comes in. So we can deploy a thin edge device at that location, which is going to redirect all the non-local traffic up to the SASE POP for security screening. So all of that site's internet access and private access to applications stored in other locations is going to get screened by the SASE solution.
Leigh: Yeah, I think I would add from a retail perspective, this is one of the areas where, from an industry's perspective, you can immediately realise some value. If you look at what's happened in retail over a very, very short space of time, we've moved from a world where cash is key to credit cards to kind of contactless transactions with a credit card to digital wallets with things like Apple Pay and Google Pay. And each time we've gone through one of those transitions, the importance of the availability and the security of the network has increased dramatically.
So even with contractless credit cards, for example, there's something called a flaw limit, where even if the POS, the point of sale server, the infrastructure wasn't available via the network, there was a limit that was allowed to be cleared without network connectivity in a digital wallet world. With mobile payments, the network has to be there. Otherwise, essentially, that retail store or location is not trading. So deploying SASE, being able to give you a resilient, highly secure connection to your cloud-based pause provider, your point-of-sale provider, and making sure that you've got available high availability and security at the store is really important. You can see that value and realise that value immediately from a SASE deployment.
Rebecca: Thanks, both of you. You mentioned manufacturing earlier. We've had another question come in. What does SASE look like in the manufacturing or OT setting where legacy systems and operational uptime are critical? How do you balance security with operational continuity?
David: So again, I'll just start off with a little bit from the solution perspective. And it really tags on to what we just outlined for retail in terms of that thin edge connectivity. Because one of the benefits of that thin edge connectivity is there is no requirement for an agent on the endpoint or device that's making the access request. So that opens it up to not just user endpoints, but to OT devices as well, where you don't really have the option of putting an agent on there. But you still need security delivered because these devices don't have security built in, in most cases.
So by placing one of these thin edge devices on whether it's a small site with a mixture of users and OT devices or some OT only locations, you know, like energy companies and such like have, you can still deliver a centralised cloud-based security solution across all of those locations for those OT devices.
Leigh: Yeah. Sure, I think I agree with everything. From an OT perspective, clearly the scenario is that OT and IT convergence is occurring. What was previously there in the OT world was you'd have a completely air-gapped, disparate, proprietary network that was connecting manufacturing equipment, the old SCADA-type systems. That was not connected to the IT domain.
But the way that Industry 4.0 is changing things, we're moving from the traditional factory model to a digital paperless factory. The OT network needs to be connected to the IT network. The manufacturing execution systems, the NES systems, need to be connected to the traditional IT stack. Your CRM and your ERP, all the IT stack, they all need to be connected. It needs to be IP-enabled.
So having a SASE network that can connect into the OT network of the same orchestration and automation layer and the same operating systems over the top is absolutely critical as well. And it's really important that both domains are highly secure, obviously.
Rebecca: Thanks. So we've had another one come in. This is an interesting one. So are all SASE solutions cloud-based? Can they be on-prem, and what are the pros and cons of either of them?
David: Sure. So I can start off on that one. So I think, as we outlined, there's been an evolution of the SASE approach. When Gartner first envisaged this, it was talking about a cloud-based security platform solely. And as we said, that's absolutely fine for those organisations that have all their applications and resources in the cloud because every user, whether they're on-prem or remote, has to traverse the internet to get to those resources. So having a cloud-based security platform is absolutely fine in that scenario.
But again, as we outlined earlier, that's not true for all organisations. A lot of organisations still have this hybrid model of having significant numbers of resources still on-prem. And we outlined how that on-prem to on-prem scenario doesn't really work with a cloud-only security platform. You really need to have something that is much more flexible, which can deliver the cloud-based security, yes, but also has the same ability to deliver on-prem as well. And that's what the Unified SASE approach is all about.
Now, you have these different elements of this Unified SASE. You've got your cloud POPs. You've got your on-premise device. In our case, FortiGate Firewall is performing that same level of network and security convergence. But these are all built on a common operating system. And that gives you integration between them and commonality of policy controls. So you're not talking about disparate solutions with no integration. You're talking about an integrated solution.
And one other area where I would also talk about, you know, is it cloud only or does it incorporate on-prem as well? What we're starting to see is is a big demand for sovereignty now when it comes to SASE solutions and in that scenario a lot of organisations do have valid concerns about a cloud only delivered solution, ‘how can I be sure that my traffic isn't going out of country?’ and if you think about compliance programs like TSA in the telecoms sector, you know that's something really got to look at so vendors such as Fortinet are producing sovereign SASE solutions that allow organisations and managed security service providers, such as ourselves, to house that entire SASE infrastructure within your own data centres. So it's not just a cloud-only solution. You can control where those SASE elements are deployed.
Leigh: Yeah, and not much more to add on that other than clearly David's outlined that there's the flexibility, there's the choice, and it really depends on the scenario, why you would implement an on-prem versus a cloud-based solution, or would you go for a hybrid? And, clearly, the sovereignty of data, the sovereign SASE solution, is one use case where you'd want to keep things close.
Rebecca: Thanks. So I've got an adoption question that's come in. So would a SASE security design wholesale an abrupt change away from castle and moat? Or can it be bolted onto an older security model as part of a program of transformation of security?
Leigh: It sounds like whoever's asked the question, they're probably still in the early stages of SASE adoption. They're probably still in that castle and moat environment. I think the concept is: which part of the ecosystem do we want to go first? And it doesn't have to be a big bang, absolutely. What we find is that people traditionally start with a VPN replacement or a network replacement component of that journey. We've gone through that, the joining of SD-WAN and SSE services to have the SASE framework. Typically, those are the two places to start, but it's really down to the business priority of the user. We've got the flexibility to start anywhere. If you want to go all Big Bang, it can be accommodated, but it's not the usual approach.
David: And I think, as we mentioned earlier on, there are individual infrastructure projects that you can tackle in an incremental fashion. So, definitely the SD-WAN transformation of the WAN is a fairly common starting point for a lot of organisations. But then you've got that platform there with SASE to deliver those different capabilities. That doesn't mean you have to use all those capabilities from day one. You can take that incremental approach.
So you can start off with ZTNA and slowly transition your VPN access across to that before you then move on to the secure internet access side of things with secure WebGate with Gatsby. So you can take an incremental approach.
Leigh: And even the ZTNA rollout can be done incrementally.
David: Absolutely.
Leigh: You can start off in an SSL VPN mode, find some kind of postures or personas that you want to move towards a Zero Trust architecture, and just start with those personas rather than going big bang.
David: And that's an incremental transition that our solution particularly helps with because we're using common components for both VPN and SASE. So you don't need to change components on the endpoints in order to switch between VPN access and ZTNA access. So you can do what we've done internally within Fortinet and incrementally change application by application, what method you're using to protect those applications.
Rebecca: So you can really bespoke it then.
David: It's very flexible. Yes, yeah.
Rebecca: Okay, so I've had another industry-specific question come in, this time for the educational sector. So what about in the educational institutions to enhance cyber security and to help support remote learning? There are often challenges such as limited budgets and a shortage of in-house IT expertise, and having to meet cyber essentials and be in line with their controls and requirements. So, I guess, where does SASE come in and help with that?
David: I mean, certainly on the dealing with skill shortages, that is one of the main benefits of a SASE approach. You're getting away from this point solution side of things where you need different skills, different solutions, and different vendors. And you're narrowing that down into one integrated platform with commonality of controls. So the skills burden is vastly reduced. So that can help in these environments where there isn't a high level of skilled resources to do that. And then obviously, an MSSP is going to help you even further there.
Leigh: Yeah, I'd agree. I think the main value and the main proposition really is simplicity. There's a reduced cost for sure, which is probably important. I think we mentioned earlier, when you're trying to stitch together a security posture and you're using separate tools, you quite often get feature overlap between the tools, so you're essentially paying twice for the service. So there's definitely a cost efficiency that is being received, but I think the highest benefit I can see from the question is the simplicity and the complexity reduction.
Rebecca: So I've got another adoption question for you that's come in. What are some practical first steps that you can take if you don't want to overhaul everything? And we talked earlier that it can be done step by step. We can work with an organisation. We can use our adoption framework. But what are those practical first steps that we would want to go on with the customer?
Leigh: We offer a cyber threat assessment, which could potentially be a good step. If there's no business priority that's kind of jumping out, we can look at doing a cyber threat assessment to kind of identify where the weaknesses are, where the potential transformation candidates would be, what the best business benefit would be.
David: Yeah, and it comes back to those incremental projects, whether it's WAN transformation, VPN, or ZTNA. And that's where your threat assessment is going to help an organisation define their priorities as to where that starting point should be.
On the point of replacing everything all at once, there is something else that I'd like to add on, that we offer within our solution. So we've talked about the agent-based connectivity to SASE. We've talked about the thin edge for those retail sites and such. Again, for some large organisations, we've got lots of sites, lots of locations, and they may already have existing firewalls. They probably do have existing firewalls at all those locations. They're not always going to be Fortinet firewalls, although we're the biggest firewall vendor in the world, obviously. And they're concerned about switching out all of those third-party firewalls at the same time.
So we see that concern. So we have a connectivity method that allows them. It's called branch-on-ramp, and that allows them to connect those third-party firewall devices directly into our SASE infrastructure in the cloud over generic IPsec connectivity. So they can adopt that cloud security framework with SASE without having to replace all those branch devices that they already have in place.
Rebecca: Right. Cool. Thank you. So we're going to close out the Q&A live now, but feel free to continue to drop your questions into the chat and we will make contact with you and answer those as they continue to come in.
So let's have some final thoughts. I think for me, SASE, it's not just a technology trend. This is something that's evolving. It's a strategic enabler. It's a digital transformation. But it gives you the clarity and the confidence to move forward and face what is an evolving threat landscape. Leigh, what are your final thoughts?
Lee: Yeah, I think if there's any takeaway from me, hopefully we've explained from the Castle and Moat infrastructure why that's now obsolete and not fit for purpose in today's world. We've tried to simplify SASE, although it's a complicated subject. There's many components to it. I think if there's any takeaway that I would like to leave us with is that with Fortinet and with Nasstar, you've got a partner that can meet you on that journey and simplify it for you, take you through that and deliver the outcomes that you're looking for.
Rebecca: Great. And David, what about you? Final thoughts on SASE?
David: Final thoughts, sure. Yeah, so we touched on earlier that SASE has already evolved from Gartner's original model through the concept of single vendor SASE to what we've got now with Unified SASE. So SASE should never be viewed as a static solution. This is something that is going to evolve. And I can't speak for all vendors, but at Fortinet, we are treating that SASE platform as a vehicle for introducing further capabilities as well, not just focusing on those capabilities that Gartner initially defined within the model. And I believe that means that SASE can adapt to the changing needs of organisations.
But at the same time, that underlying easing of complexity and that delivery of consistency across that fragmented environment is always going to be there. And that means a SASE approach is always going to be required by organisations.
Rebecca: Thank you. Thank you for joining us today. It's been such an interesting conversation. Thank you so much to you both, Leigh and David, for joining us.
If you have any other questions, if you want to discuss SASE any further, reach out to our team at Nasstar. You can get hold of us via one of the many links that you'll be seeing on here, but also have a look on our website and reach out to us, and we can discuss what your SASE requirements are for your organisation.