Doing some last minute cramming before my Sec+ tomorrow and this question bothers me xD
Question 86 of Dion’s third practice test for 701 is:
Log Cabin Bank has recently expanded its services by purchasing several other banks. They now face security challenges that they haven’t faced before. The most significant challenge is providing the type of secure communication among the branches of the bank. State banking regulations require that all communications be secure even when traveling across unsecured networks. Which of the following will provide the BEST solution to the challenge faced by Log Cabin Bank?
Dion states the correct answer is a VPN because a SASE is far more technology than the situation calls for. Am I wrong for flat-out disagreeing? Nothing in the question indicates there is a limitation of resources. If the goal is the BEST solution to securing communications between the different bank branches, a SASE would be the BEST choice while a VPN would just be a good choice.
You need to break the question down to what they want and filter out all the filler details.
If you were asked: “What technology would best be used to secure communications over an unsecured network?”
Would you think SASE or VPN?
Yes, SASE is a great tool for cloud security, but the question is only asking about securing communication over an unsecured network (coffee shop, airport, etc.).
SASE, or secure access service edge, is a cloud architecture model that combines SaaS and network functions together into a single cloud service with functions such as secure web gateways, CASB, firewalls, SD-WAN and zero trust network access (ZTNA).
It’s not to say it isn’t a valid option, but with these tests you often have one answer that is the better choice, where you need to understand the context of the question.
You needed to understand the question is asking about network security. Network security focuses on fortifying the network perimeter, but SASE recognizes that the perimeter has expanded with the proliferation of remote work and cloud adoption. As such, SASE is a cloud-native solution.
Remember the KISS method. You are trying to connect site-to-site with secure data transmission. The best answer would be the simplest because you don’t need all the added complexity and cost, nor the extra benefits a SASE provides. Remember, with CompTIA they are only asking you to answer the question with the info provided, not edge cases or solutions that go above/beyond the scope of the question.
What a fun debate. The BEST solution, IMO, would be the remote access service delivered from a SASE platform. VPN may indeed work, but the question is about the BEST solution to secure communication even when using unsecured networks. Any service (e.g. remote access) delivered by SASE is going to eliminate far more risk than its point-product equivalent. Traditional VPN products imply the use of legacy hardware that is owned and managed by the enterprise.
Maybe the “gotcha” here is that the alternative option to VPN was just a broad reference to SASE. SASE, generalized, represents a full spectrum of edge networking (SD-WAN), network security (SWG, ATP, RBI) and CAS (CASB/DLP)… which, for this use case, would be too much. VPN is a shitty alternative, though… IMO.
Unless you have resource constraints, a SASE will always be the best option to answer that question though.
If SASE wasn’t an option I’d go with VPN, but if I were being consulted by an enterprise for that question I’d recommend a SASE over simply a VPN implementation every time, as it is generally going to be the better solution absent additional factors.
I swear I’ve come across similar questions on Messer’s practice exams that have gone with the more comprehensive solutions unless a resource constraint was specifically mentioned.
From a test taking perspective I can understand this, but a VPN, minus additional factors, is always going to be a less reliable and inferior solution to securing communication between endpoints in the real world.
If the question had a resource or technical constraint I’d immediately go to a VPN.
I can certainly see your perspective. With these questions I try not to overthink them. Just take them as they are, at face value, and you should be fine.
If they had mentioned scalability or multi-site environments I would easily choose SASE but the question at heart only wants to secure the traffic within a corporate network.
It might just be me as a security architect, so my mind tends to be quite capable of breaking these questions down, and for what they are merely asking, a SASE solution is overkill with the layers of functions it adds.
Truth be told, having read Dion’s question I would be surprised if you would see anything of this nature on the Sec+, as these practice exams don’t often do the best job of replicating the real thing.
They are good in that they get your mind working just as the CompTIA practice exams would. But they aren’t very close to the truth of the actual exam. It is why they have success: by design they are more difficult.
Agreed. I’ve been working in cyber security for a while, just haven’t bothered with any education, as I’ve had the fortunate networking/nepotism plus connections to constantly keep me in jobs that stretched me despite a lack of qualifications. I’m at 90% on Messer and 86% on Dion, so I’m feeling confident in the test tomorrow.
If I’m overconfident… Well at least there is the retake.