Root Causes 120: PKI and SASE
SASE (Secure Access Service Edge) is a new term to describe the complexity of authenticating access across today's diverse and heterogeneous computing environments. Join our hosts as they discuss the role of digital identity and certificates in this paradigm.
- Original Broadcast Date: September 18, 2020
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
So today, what we are going to discuss is we are going to discuss SASE. SASE, this is an acronym. It’s spelled SASE and it’s short for Secure Access Service Edge, and how SASE and PKI fit in with each other.
-
Jason Soroko
Yeah, Tim, you know, it’s no longer a self-addressed stamped envelope. It’s Secure Access Service Edge. And, of course, the analyst firm Gartner came up with this. I think it was August 2019 when they first coined it within one of their reports.
-
Tim Callan
Ok.
-
Jason Soroko
And it’s an umbrella term that brings together a whole pile of concepts and, you know, Tim, I think first and foremost the reason why this term is needed, the reason why the principles behind it are needed, really what it comes to is this big push to the cloud, the big push that digital transformation and the whole idea that corporate assets, enterprise assets are gonna be spread across all kinds of spaces. So, in other words, you are going to be authenticating to the cloud. You are gonna be authenticating from a laptop, from a mobile device. The world of authenticating to one system a day from a single workstation, a laptop or something like that that’s behind a safe firewall, those days are long gone.
-
Tim Callan
So, this ties into some of these other things we’ve talked about, like software-defined perimeter, right? This is part and parcel of that same conversation. Is it not?
-
Jason Soroko
It absolutely is because really this whole idea of where is the perimeter?
-
Tim Callan
Yeah.
-
Jason Soroko
I think it’s very important to look at the words that are part of that SASE acronym and I think then all of the sudden where PKI fits in will become very, very clear. Secure Access Service Edge. Well, first of all, that word edge might be one of the - - unless you’ve been in the networking world or the cybersecurity world, that term edge might be a little bit foreign. But let me simplify it.
The reason why they chose the term Service Edge was so that they didn’t very specifically prescribe something like a laptop, a mobile device or an API, or an application, or an IoT device. All those things essentially become their own edge of a network. So, what used to be the definition of the edge of a network was probably your firewall or in a home environment it might be a router. In IoT environments and early IoT you might have heard the concept of a gateway. All of those things would be considered network edges. But if you look at it now, Tim, it’s kind of better to think about just about every asset you have that connects to the internet as being an edge.
-
Tim Callan
Right. Its own edge.
-
Jason Soroko
Its own edge. Exactly. So Secure Access Service Edge, Secure Access to me in my mind, one of the important things that comes up in that is authentication. There are other concepts that Gartner is throwing into this such as authorizing as well, which is why when you hear vendors talk about SASE, quite often you are talking about privileged access management. You are hearing about firewall rules. You are hearing about a lot of policy management and so that’s what defines the secure access part of it, but one of the most important parts of secure access that you just can’t get away from is strong authentication.
-
Tim Callan
Yeah. Exactly. For authorization you need identity.
-
Jason Soroko
That’s the important point here, Tim.
-
Tim Callan
Yeah.
-
Jason Soroko
So, if you want to take Secure Access Service Edge and turn it into a PKI concept, which it actually is. It’s a wider concept than that but the PKI perspective on it is that the secure access means a strong authentication and service edge means whatever corporate access that’s doing that strong authentication. Therefore, what it really, really - - to boil it down is you need to have provisioned devices and provisioned systems, provisioned applications for everything in order to be able to do this form of secure access. If your device or application cannot attest to itself digitally and attest to itself cryptographically, no matter how much policy or any of the other things that you throw into SASE, all the other vendors that play in this space, you are in trouble. PKI plays a central role in SASE.
-
Tim Callan
And I’m hearing echoes of our not too long ago discussion of PKI and zero trust as well in here. Right? Because we had a similar conversation which said how are you going to do zero trust if you don’t know what everything is? Right? And I think we’ll say the same thing about SASE. Like at the end of the day you’ve gotta reliably know what everything is or you don’t have a secure service edge.
-
Jason Soroko
That’s right, Tim. So, you’ve probably heard of cloud access brokers. You’ve probably heard of all kinds of concepts that are thrown into this. This is Gartner taking all of those legacy terms, putting them all together into a new term along with the principle of least privileges, which are the principles behind zero trust, which is something that we’ve talked about in previous podcasts.
-
Tim Callan
Yes, we have.
And so, just to, not to belabor it but at the end of the day are there surrogates for PKI? Like would there be another approach to providing identity? Because you are gonna need identity for every device and every access point and etc. Like is PKI just sort of assumed here?
-
Jason Soroko
Sure. I think, Tim, one of the answers to that question could come directly out of NIST’s guidance on zero trust architecture.
-
Tim Callan
Yeah.
-
Jason Soroko
NIST provides guidance that PKI can absolutely be a central, very fundamental technology that is part of zero trust. Meaning you can issue essentially x.509-based PKI certificates to a mobile device, to a laptop, to an IoT device, etc. and that’s one form of digital identity. But there are others. There are other forms of strong authentication identifiers as well. So we are talking about things like SSH keys. We are talking about potentially S/MIME certificates. We are talking about other forms of crypto keys which are essentially key pairs that are not necessarily PKI enforced or PKI issued. Right? So in other words, the reason why we like to use the term digital identities is because of the fact that we need a term that’s a little bit more generic than just PKI certificate, which typically refers to something very specific, which is an x.509-based certificate which would contain a key pair.
-
Tim Callan
Sure. So, they are not all x.509 certs but at a high level if we back up one step you are still talking about key pairs. Like everything you described at the end of the day has a public/private crypto key pair. Like that is still the fundamental enabler of identity in this whole SASE strategy that we’ve been describing.
-
Jason Soroko
Yeah. When you boil it down, you know, the whole concept of asymmetric encryption is at the heart of it. There are other sometimes needs for symmetric tokens as well. For systems that might have very, very limited capability, limited bandwidth. So there are also something that you wouldn’t call a key, it might just be called a token, right. So therefore, we still might use the term a digital identity for that but how you manage that would obviously be different than just standard PKI.
-
Tim Callan
Right.
-
Jason Soroko
So, Tim, I think what’s the really, really overarching important concept here is we use the generic term digital identity in this case but what should become really clear is if you’re managing YubiKeys, right, if you are managing what you and I talked about a long time ago which is, you know, hard tokens for legacy applications or soft tokens from a mobile app and you are subsequently also managing SSH keys and you want to eventually have a plan to transform those into SSH certificates, you are managing S/MIME certificates and possibly you are also managing PKI-based x.509 certificates for your standard SSL use cases, for your other forms of user authentication use cases and perhaps for DevOps and IoT, I mean I just rhymed off a lot of things there, Tim.
-
Tim Callan
Right.
-
Jason Soroko
Then, my goodness, if you are a CSO, a Risk Officer, an IT Director, you would really want a single pane of glass to manage all of that. You and I, Tim, have talked a lot about certificate management and the incredible importance of that. Well, I think underneath the umbrella of SASE, this is our opportunity to think about identity management much more holistically and your ideal world is to have a single pane of glass and visibility to all the digital identities that you are managing within your enterprise, within your critical infrastructure, within whatever it is that you are doing. Having that visibility is just so important regardless of the type of digital identity that it is.
-
Tim Callan
So, SASE you mentioned is this umbrella term and it incorporates all of these things. So, I might imagine that to some degree that means if you look at pretty much any contemporary enterprise you are gonna say, oh, well SASE is in place, but then you would probably find for many or most of them that there are gaps. There are, you know, white spaces that haven’t really been implemented. So, to some degree, one of the benefits of SASE is it gives you a framework to think about all of the different aspects of providing this Secure Edge, right and making sure that you have the pieces in place to do so and of course, one of those pieces becomes digital identity.
-
Jason Soroko
It’s a way to start thinking about all the aspects of, I’d like to use concrete use cases in this case now, which is, users who are authenticating to multiple systems within your enterprise whether they are on-premises, whether they are in the cloud. What are the benefits to using a single sign-on? Where do you keep your identity management? For a lot of organizations, it’s Active Directory. For others, it could be something else. What are you using? If part of what’s logging into your APIs might be partner human users or potentially even IoT devices which are sending sensor data into a system, these things are gonna become much less isolated in their interactions. I think that the reason why SASE is important is because we’re - - first, we are already there. We are already living in a world where your corporate assets are sometimes most often in hostile environments and so therefore those Service Edges need to have strong digital identities to be able to perform strong authentication. What forms of authorization do you want to put on that? Which then begs the question – are you protecting your privileged users? What other policies do you want to be able to put on things like, you know, a remote printer. It just goes on and on and on. It’s a better way of thinking about all your assets, how they interact, how they will authenticate to where they need to be, etc. etc. It’s everything from networking to policies to the actual identities themselves. It’s all those things underneath one umbrella.
-
Tim Callan
And then, again, sorry not to belabor it, but this is all just completely intertwined with other concepts that we’ve talked about here like zero trust, like software-defined perimeter, like principle of least privileges and all of these ideas, like if you made the Venn diagram of these ideas it would be very complex with a whole lot of overlap, right. But think of SASE in the context of those other concepts because in a way they’re almost like looking at the same thing through a different lens.
-
Jason Soroko
In fact, Tim, the best way to see the proof of what you just said is to survey some of the vendors who claim to be involved in SASE.
-
Tim Callan
Right.
-
Jason Soroko
And you will see policy engine vendors who they see it through a very narrow lens. If you look through the privileged access vendors, they see it their own way. I think the digital identity vendors, the PKI vendors, such as, you know, that’s where we’re from; that’s the world we live in. We like to look at it a little wider than everyone else because our digital identities are kind of the basis for how everything else then interacts.
-
Tim Callan
Right. Digital identity must touch everything.
-
Jason Soroko
Yeah. We are at the center of it all.
-
Tim Callan
Yeah. Yeah. That’s nice.
So, I think that’s a really great, crisp definition and explanation of SASE and, you know, it’s funny right when we think we’ve got our head around everything they throw a new word at us, right and now we all have to go learn the new word. But this is a useful word. This is a good word, and it has a place in the world and it’s good to just clarify where PKI sits in that conceptual framework.
-
Jason Soroko
And I think it was important on this podcast, Tim, to really spell out the fact that as a vendor of digital identities we even recognize the fact that PKI and x.509, it will be around with us for a very, very long time. Indefinitely. But recognizing the fact that there are other forms of identity to perform strong authentication for specific use cases and what we are really pushing into an innovation is to be able to be the provider of that single pane of glass for all of those types of digital identities regardless of what they are.
-
Tim Callan
Yeah.
-
Jason Soroko
But especially from our core, you know, our core heritage of x.509 and PKI specifically and that’s where PKI fits. PKI really fits in that central place amongst all the other forms of strong digital identities, and I think that this is the time for the digital identity vendors, the CAs, etc. to really stake their claim in SASE and very specifically within zero trust because of the fact that it is so fundamentally important to everything going on within this new push.
-
Tim Callan
Yeah, and you’ve kind of obliquely made another point here which I think is interesting, which I think we haven’t covered yet, which is that PKI is not a goal. PKI is a mechanism, and the goal is digital identity and they are not the same. And, for instance, in the right use case digital identity could be accomplished another way and that’s just fine because that’s the goal and PKI is how to get there. Now as it happens, PKI is an incredibly robust useful and versatile way to get there and efficient. Right? And therefore, it’s almost always what’s chosen, but in those circumstances or in a hypothetical world where it didn’t have to be chosen it wouldn’t have to be PKI, digital identity in principle could be accomplished another way. And it’s just good to keep those ideas clear in our minds.
-
Jason Soroko
For sure, Tim. I think the flip side to that is that I find it interesting, you and I have been around PKI an awfully long time and it will continue to be around an awfully long time because the right choice in many cases has been PKI and that has been true for IoT, that has been true for DevOps and it will be true for other innovative things that we probably haven’t even thought of yet.
-
Tim Callan
Oh sure. It keeps coming back to PKI for all kinds of great reasons. I mean the fundamental paradigm, the paradigm fundamentally is undefeated after decades of use, which is a very rare thing and it’s built into everything. It’s ubiquitous. Like I said, it’s efficient from a computing and a time perspective. There are all kinds of reasons why PKI is a great, great, great solution. That’s why we keep going back to it over and over repeatedly, but it would not necessarily have to be PKI. If aliens landed tomorrow and said we have a new way of doing it and it’s much better than PKI then we would just all move to that way, right? It’s not a goal. It’s a means to an end.
-
Jason Soroko
Because - we’ve been living in a world where various forms of digital identity have been around us. The unfortunate thing is that they’ve mostly lived in their own vacuums. Their own silos. It has meant that enterprises have had to struggle to manage these things in their own ways and in fact, if you look at SSH keys as an example, SSH key management unfortunately, you know, there definitely are some systems out there for that but the adoption rate of good SSH key management has been incredibly slow. We are hoping to change that, and we are hoping that we can put this pane of glass across all of these identifiers to make the management of all these identifiers just that much better – including x.509.
-
Tim Callan
I love it. So, thank you, Jay. I think that’s a wonderful explanation of the topic. Do you have anything else you want to add?
-
Jason Soroko
I think we’ll probably be revisiting pieces and parts of this in the future, Tim.
-
Tim Callan
I’m sure we will. So, thank you, Jason. It’s always fun to talk to you and always illuminating.
-
Jason Soroko
Thank you, Tim.
-
Tim Callan
Thank you, Listeners. This has been Root Causes.