MEF CTO Pascal Menezes sat down with Neil Danilowicz and Ralph Santitoro to discuss MEF’s new Secure Access Service Edge (SASE) standard and Zero Trust framework.
Danilowicz is the Editor of the MEF 117 SASE Service Attributes and Service Framework and the Principal Architect in the Office of the CTO at Versa Networks. Santitoro is the Editor of the MEF 118 Zero Trust Framework and the Director of Multicloud Networking Product Management at Ciena.
Here, they discuss why these standards are important and the benefits they provide.
Pascal Menezes: Why does SASE need standards? What pain points does it address?
Neil Danilowicz: SASE encompasses both networking and security for a given application for a given session. This implies that the solution needs to deal with what are traditionally two different business units within the enterprise. Usually, networking and security services are sold independently, but with Secure Access Service Edge (SASE), there must be a tight coupling between the networking and security. Because networking and security utilize different terminology and concepts, a common language set needs to be defined to create tight coupling, and that’s where standards come into play. MEF’s recently introduced SASE standard defines a common language, service attributes, and a service framework for SASE solutions. It helps to simplify offerings and enables customers to more easily compare different SASE offerings.
Menezes: What are some of the common misconceptions about SASE solutions?
Neil Danilowicz: SASE emerged in 2019 to encompass both networking and security. Next, Secure Services Edge (SSE) was introduced, decoupling networking and security to focus solely on security, and most recently, unified SASE was introduced to define a complete SASE solution consisting of tightly coupled networking plus security. Continuous definition and redefinition of terms has caused much confusion in the market and further highlights the need for standardized solutions and common terminology.
Menezes: What types of integration and services would a fully compliant SASE implementation allow? What is the advantage for customers?
Neil Danilowicz: MEF's initial SASE standard enables many deployment models. Current cloud security providers can make easy modifications to their implementations in order to comply with MEF’s SASE standard. The same is true for SD-WAN vendors who can implement a set of security functions in order to comply with the standard. As MEF continues to refine its SASE standard, vendors can do the same to ensure continued compliance with the standard.
All of this is a benefit to the customers as each component of SASE, as it complies with the MEF standard, allows for an evaluation by the enterprise in a standard fashion. For service providers, adhering to MEF’s SASE standard enables them to select a secure networking vendor and an SSE vendor to create a SASE offering, again enabling the enterprise to choose the solution that best supports the needs of the enterprise.
Menezes: Why did MEF develop a Zero Trust framework?
Ralph Santitoro: Various aspects of Zero Trust are discussed in different standards and publications. Perhaps the most commonly used is the NIST Zero Trust Framework, which is comprehensive in scope but focuses on Zero Trust for a single organization, e.g., an enterprise.
MEF develops industry specifications for services and technologies such as SD-WAN, SASE, and Zero Trust. MEF’s Zero Trust Framework (MEF 118) was developed to define requirements such as identity and authentication, among others, and service attributes that enable service providers to implement and deliver a broad range of services that comply with Zero Trust principles while addressing the unique differences for each subscriber and the managed service they are purchasing.
Menezes: What unique capabilities and requirements does the MEF Zero Trust Framework address?
Ralph Santitoro: The MEF Zero Trust Framework specification formally defines Zero Trust terminology to create a standardized vernacular. Enterprise-centric Zero Trust Frameworks use the term ‘resources,’ meaning networked resources within the enterprise-controlled domain, e.g., a database server in an enterprise data center. Yet many ‘resources’ are outside the enterprise-controlled domain. The MEF Zero Trust Framework replaces ‘resources’ with ‘targets’ and defines ‘subjects’ as the users, devices, and applications which want to access a target. Also defined are the associated identity, roles, and capabilities of these subject and target actors, including how these can be securely delegated. This enables granular access control policies to ensure that a specific subject actor (or its delegate) is allowed to access only a specific target actor so unauthorized access is more readily identified.
Also addressed within the MEF Zero Trust Framework are service provider requirements to support different identity providers or identity management systems for each subscriber. It defines access control and monitoring evaluation methods for a user, device, or application actor after permitting its access, a fundamental requirement to ensure policy compliance or detect anomalous behavior. In summary, the MEF Zero Trust Framework is unique since it formally defines an extensive set of Zero Trust terminology and addresses the requirements for service providers to deliver multi-subscriber, managed services that conform with a Zero Trust framework.
Menezes: How do the MEF Zero Trust and SASE fit together?
Ralph Santitoro: MEF's Zero Trust Framework can be applied to any type of service to provide least privilege and continuously monitored access by a subject actor to its intended destination. A SASE service, which is the confluence of networking and security services, will use all aspects of the MEF Zero Trust Framework, including:
- Actor identification (who or what is requesting access)
- Actor authentication (can I confirm this actor’s identity)
- Policy-based access control (is this subject actor allowed to access target actors based on compliance to its permitted roles, attributes, and capabilities)
- Continuous monitoring of the subject actor before requiring reauthentication based on:
  - Time period (only allowed to access for a specific period of time)
  - Unique event (a specific event that triggers suspicion)
  - Anomalous behavior (behavior deviations, determined through AI/ML, that trigger suspicion)
- Policy endpoint placement (network location where policies can be enforced, placing them as close to the subject actor as possible)
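As an added illustration (not part of the interview and not code from MEF 118), the following Python model walks through the steps listed above: a subject actor is identified and authenticated by a subscriber's identity provider, authorized against a role-to-target policy, and then continuously monitored with the three reauthentication triggers. The identity provider, policy table, token values and anomaly threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    DENY = "deny"
    ALLOW = "allow"
    REAUTH = "reauthenticate"

@dataclass(frozen=True)
class Actor:
    identity: str        # who or what is requesting access (user, device or application)
    roles: frozenset     # roles asserted for this identity by the subscriber's identity provider

# Constructed sample data for one hypothetical subscriber: its identity provider maps
# bearer tokens to authenticated subject actors, and its policy maps roles to target actors.
IDENTITY_PROVIDER = {
    "tok-alice": Actor("alice@example.test", frozenset({"finance"})),
    "tok-build-agent": Actor("build-agent-07", frozenset({"engineer"})),
}
POLICY = {"finance": frozenset({"ledger-db"}), "engineer": frozenset({"git-server"})}
ANOMALY_THRESHOLD = 0.8   # assumed cut-off for an AI/ML behaviour score in [0, 1]

def authenticate(token: str) -> Optional[Actor]:
    """Actor identification and authentication: resolve a credential to a subject actor."""
    return IDENTITY_PROVIDER.get(token)

def authorize(subject: Actor, target: str) -> Decision:
    """Policy-based access control: a subject reaches only the targets its roles permit."""
    permitted = set().union(*(POLICY.get(role, frozenset()) for role in subject.roles))
    return Decision.ALLOW if target in permitted else Decision.DENY

def request_access(token: str, target: str) -> Decision:
    """Identify, authenticate, then authorize; an unknown credential is denied outright."""
    subject = authenticate(token)
    if subject is None:
        return Decision.DENY
    return authorize(subject, target)

def monitor(granted_at: float, now: float, max_age_s: float,
            suspicious_event: bool = False, anomaly_score: float = 0.0) -> Decision:
    """Continuous monitoring after access was granted, with the three reauthentication triggers."""
    if now - granted_at > max_age_s:          # time period exhausted
        return Decision.REAUTH
    if suspicious_event:                      # a unique event that triggers suspicion
        return Decision.REAUTH
    if anomaly_score >= ANOMALY_THRESHOLD:    # behaviour deviation flagged by AI/ML
        return Decision.REAUTH
    return Decision.ALLOW
```

The model deliberately denies an unknown credential before any policy is consulted, and a REAUTH result means the session is torn down until the subject re-authenticates, not that access is silently extended.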
(Editor’s note: This article is part of our regular series of articles from the industry experts at MEF.)
Pascal Menezes is Chief Technology Officer at MEF. He is focused on SD-WAN, SASE, cloud scale architectures, real-time media networks, Software Defined Networks (SDN), Network Function Virtualization (NFV), and Lifecycle Service Orchestration (LSO). He is a former Principal from Microsoft Skype for Business Global Carrier Group, where he spent close to 10 years working on many real-time media and network technologies. Pascal has worked on five startups with multiple successes, has received numerous industry global thought leadership awards, presented extensively in numerous events worldwide, and currently serves on the Capacity Media Editorial Board. Pascal holds 30+ patents and patents pending and has co-authored many standards in the IETF, MEF, and Broadband Forum (MPLS).
Neil Danilowicz is the Principal Architect for Versa Networks and brings over 30 years of networking experience to the SD-WAN and SASE community. Neil recently retired from Verizon Communications where he was responsible for the Proof of Concepts and Designs of emerging technologies such as SD-WAN and SD-Access. Neil is a longtime member of the ONUG community and, more recently, a member of the MEF community, where he co-edits the MEF W117 SASE and MEF W119 Universal Edge projects. Versa Networks is fully committed to the MEF standardization of SD-WAN, SASE, and Zero Trust. Neil also serves as a contributing member to MEF W70.1 SD-WAN, MEF W88 Application Security, MEF W105 SD-WAN Performance and Service Readiness Testing, and MEF W118 Zero Trust Framework.
Ralph Santitoro is the Director of Multicloud Networking Solutions Product Management at Ciena and a Founding Member and Distinguished Fellow at MEF. He is currently developing multicloud networking solutions at Ciena and is a lead contributor to MEF's cybersecurity standards: MEF 118 Zero Trust Framework standard, MEF 88 SD-WAN application security standard, and the new MEF W138 IP Security Functions standard in development. In roles at several companies, Ralph led product management, solutions architecture, development, partnerships, marketing, and customer engagements for SD-WAN, Security Service Edge (SSE), Secure Access Service Edge (SASE), and Edge Computing products and subscription-based (as-a-Service) managed services. Ralph is also a classically trained vocalist who performs with Areté Symphonic Choir and Conejo Valley Choral Society. Ralph holds a Bachelor of Engineering degree in Electrical Engineering and Computer Science from the Stevens Institute of Technology.