
You Finished Your SASE Implementation. Now What?

By Peter Lunk

Security architects, thought leaders, and industry analysts have been pushing SASE, and more specifically single-vendor SASE solutions, as the core of a modern security architecture. In an effort to reduce the rapidly growing number of vendors in the typical enterprise’s security stack, it makes sense to go with an integrated, identity-focused approach that reduces the number of connection points and the variety of policy controls that need to work together in harmony.

A SASE solution typically comprises several parts. These include a Cloud Access Security Broker (CASB) to protect enterprise use of SaaS services, a Secure Web Gateway (SWG) to limit exposure to malicious web sites, Zero Trust Network Access (ZTNA) for secure remote access to corporate applications and resources, and Software-Defined Wide Area Networks (SD-WAN) for secure connectivity between offices.

We often see customers who have finished their SASE deployments looking to close a few important remaining gaps in their security foundation. The first gap is around contractors and remote employees using their own devices. The second gap is expanding Data Loss Prevention (DLP) capabilities beyond basic file transfers, and the third gap they are looking to close is around security for less commonly used and niche SaaS applications. Let’s dive into more detail on these attack surfaces.

Unmanaged Devices

Unmanaged devices often come into the picture with short-term contractors and remote employees wanting to use their own devices to connect to enterprise applications and data. This creates a gap in traditional SASE security coverage, with companies unable to install and configure an agent on personal devices. With the prevalence of contract workers and employee work-from-home initiatives, the number of unmanaged devices is only going to grow in the future.

Companies can close this security gap by using an Enterprise Browser. The browser is easily installed by the user, and it need only be used when accessing corporate applications. When using their device for personal use, remote users can continue to use the browser of their choice, eliminating any potential privacy concerns. Companies still get the visibility and control they need. The browser provides secure remote access to specific applications and data, without giving blanket access that invites trouble.

Expanded DLP Coverage

The operational model of modern applications is vastly different from 20 years ago when DLP was initially developed. Data leakage paths have expanded far beyond the initial use case of file transfers. Today users are printing web pages and files, copying content from enterprise applications to cloud storage sites, and sharing their screens through video conferencing without any meaningful controls.

Enterprise browsers are a great solution to expand DLP systems to include all major browser functions like file upload/download, copy/paste, watermarking and screen sharing. The DLP protection follows users, regardless of their location and network connection, providing expanded visibility into user behavior and closing the gap in traditional SASE DLP deployments.

Long-tail SaaS Applications

Securing the most common enterprise-grade SaaS applications with a SASE solution is straightforward, with API-level integrations that allow security policies to be enforced across enterprise users. This approach starts to run into problems with less common, yet still business-critical SaaS applications that may not have a robust API architecture available. In this case, providing security gets more complex, with a variety of proxy or reverse proxy approaches that can negatively impact user experience.

When securing these less common SaaS applications, the Enterprise Browser offers an elegant solution. The browser can provide comprehensive and uniform data access and security controls for any SaaS application by moving security closer to the end user. Operating at OSI layer 7, the browser has complete control over functions like document upload/download, copy/paste, data masking, screen capture and watermarking to protect company data.

The Enterprise Browser Approach

Some large Enterprise Browser companies try to promote themselves as an alternative approach, completely replacing SASE solutions. At Mammoth Cyber, we believe that products in the two technology categories can work together to deliver a better and more comprehensive solution. There’s no need to re-architect your security systems to include the enterprise browser’s benefits.

When you finish your SASE implementation, take a breath and celebrate that victory with your security team. It’s a big milestone on the path to modern security architecture. But then look around and see where the biggest gaps remain in your environment and consider the Enterprise Browser. Covering those gaps may be easier than you think.