This blog was written by a third-party author
Today’s “new normal” business environment is heavily focused on cloud. The ongoing trends we’re seeing today show no signs of letting up. Workloads moving to the cloud, an escalating number of devices accessing applications and data, and the more distributed nature of the workforce have been accelerated by last year’s global health events.
While security centered on the data center makes deployment and management easy, in today’s modern environment this hub-and-spoke model isn’t as effective. Backhauling a growing volume of traffic across the corporate WAN links so it can be inspected at the data center before heading out to the internet, combined with a growing number of employees working from branch offices or remote locations, adds latency to every request and degrades the user experience.
Secure access to services needs to be everywhere, not just at the datacenter. This is where Secure Access Service Edge (SASE) comes in.
What is secure access service edge (SASE)?
SASE (pronounced “sassy”) is a cloud-based model or architecture that addresses the limitations of the traditional ‘hub-and-spoke’ network infrastructure, which connects users in multiple locations (the spokes) to applications and data hosted in centralized data centers (the hubs). Accessing those resources requires either a localized private network or a secondary network that connects to the primary network via a secure leased line or VPN.
Problems with hub-and-spoke
In theory, the hub-and-spoke model is simple. However, the model cannot handle the complexities involved with cloud-based services like software-as-a-service (SaaS) and escalating distributed workforces. As more workloads, applications, and sensitive corporate data move to the cloud, organizations must re-evaluate how and where network traffic is inspected and how secure user access policies are managed.
Rerouting all traffic through a centralized data center isn’t practical (due to latency) when many applications and data are hosted in the cloud. Adding to the latency issue, remote users may suffer when using a VPN to connect to a corporate network. It’s not uncommon for frustrated users to instead access company resources over an unsecured connection, exposing themselves to additional security risks.
SASE to the rescue
Enter SASE, which places network controls on the cloud edge as opposed to the corporate data center, closer to the service being accessed. SASE implementations do away with layered cloud services requiring separate configuration and management—streamlining network and security services to create a secure, seamless network edge.
One of the key features of SASE is the use of identity-based, zero trust access policies at the network edge. With it, organizations can grant access only to the specific applications and data users need to complete their job duties, without placing users on the corporate network via VPN. The enterprise gains more granular control over security policies and can retire legacy on-premises hardware such as VPN concentrators and perimeter firewall appliances, with those functions delivered from the cloud instead.
The best of today’s security functions
To support the ever-changing secure access needs of many organizations today, SASE incorporates various network security functions like secure web gateway (SWG), cloud access security broker (CASB), firewall-as-a-service (FWaaS) and Zero Trust Network Access (ZTNA). These capabilities are delivered along with SD-WAN and are primarily “as-a-service,” utilizing the identity of the connecting user or device, real-time context and security or compliance policies.
Essentially, SASE is a new package of security functions that includes the aforementioned technologies as core abilities. Using these security functions, examples of what the SASE model can accomplish for organizations include identifying sensitive data or malware (using DLP), decrypting content at line speed (using NGFW, SWG or SSL/TLS decryption appliances) and continuously monitoring sessions for risk and trust levels.
What are the goals of SASE?
The main goal of the SASE framework is to help modernize networks and security to keep up with the ever-evolving business requirements. In doing so, SASE provides unified security across users, wherever they do business, and provides visibility and control over what can be accessed.
According to Gartner, organizations that implement SASE should adopt the CARTA (Continuous Adaptive Risk and Trust Assessment) strategic approach. With CARTA, in order to obtain effective risk and cybersecurity management, you will need:
- Complete device visibility and automated control
- Micro-segmentation of networks to reduce lateral movement and contain breaches
- Continuous monitoring, assessment and remediation of cyber and operational risk
- Products and solutions from multiple vendors, with new levels of orchestration, automation and response
- Securely and effectively manage agentless IoT devices and operational technology (OT systems)
- Discovery, posture assessment and remediation/control of physical and virtual devices as well as cloud infrastructure and workloads
Key to implementing CARTA, and in turn SASE, is adopting a Zero Trust approach. The strategy of “verify, then trust” (often stated as “never trust, always verify”) as opposed to trusting by default is critical. With Zero Trust, you assume your network has already been compromised, so users and devices must prove they are who or what they say they are on every access request, not just once at login. Even if users or devices are already located within the network perimeter, strict identity verification is required.
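To make the identity-based, per-application policies described earlier and the “verify, then trust” / continuous-assessment idea above concrete, here is a small policy decision point written for this article. It is an added illustration, not any vendor’s ZTNA or SASE engine: the application names, policy fields, groups and sample requests are all constructed for the example. It decides access per application rather than per network, defaults to deny, and can be re-run mid-session so a change in device posture revokes an access that was granted earlier.

```python
"""Toy zero-trust policy decision point (PDP) for a ZTNA-style broker.

Added illustration only; not any vendor's SASE/ZTNA engine. All app names,
policy fields, groups and sample requests below are constructed.
"""
from dataclasses import dataclass, field, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step-up"   # grant only after a fresh MFA challenge


@dataclass(frozen=True)
class Context:
    """Identity plus real-time context presented with every request."""
    user: str
    groups: frozenset
    device_managed: bool      # enrolled in MDM / running the access agent
    device_compliant: bool    # encrypted disk, patched, EDR healthy, ...
    mfa_age_minutes: int      # minutes since the last strong authentication
    country: str


@dataclass(frozen=True)
class AppPolicy:
    """Per-application rule: who may reach this app, and under what conditions."""
    allowed_groups: frozenset
    require_managed_device: bool = False
    require_compliant_device: bool = True
    max_mfa_age_minutes: int = 480
    allowed_countries: frozenset = field(default_factory=frozenset)  # empty = any


def evaluate(app, ctx, policies):
    """Decide per app, never per network: default deny, deny overrides, then step-up."""
    pol = policies.get(app)
    if pol is None:
        return Decision.DENY, ["no policy published for app"]   # default deny
    reasons = []
    if not ctx.groups & pol.allowed_groups:
        reasons.append("user not in an allowed group")
    if pol.require_managed_device and not ctx.device_managed:
        reasons.append("unmanaged device")
    if pol.require_compliant_device and not ctx.device_compliant:
        reasons.append("device posture non-compliant")
    if pol.allowed_countries and ctx.country not in pol.allowed_countries:
        reasons.append("country %s not allowed" % ctx.country)
    if reasons:
        return Decision.DENY, reasons
    if ctx.mfa_age_minutes > pol.max_mfa_age_minutes:
        return Decision.STEP_UP, ["MFA older than policy allows"]
    return Decision.ALLOW, []


def session_still_valid(app, ctx, policies):
    """CARTA-style continuous assessment: an open session survives only while
    the current context still evaluates to ALLOW (no step-up, no deny)."""
    decision, reasons = evaluate(app, ctx, policies)
    return decision is Decision.ALLOW, reasons


# Constructed sample policies: the sensitive app is locked down, the wiki is not.
POLICIES = {
    "payroll": AppPolicy(allowed_groups=frozenset({"finance"}),
                         require_managed_device=True,
                         max_mfa_age_minutes=60,
                         allowed_countries=frozenset({"US", "GB"})),
    "wiki": AppPolicy(allowed_groups=frozenset({"staff"}),
                      require_compliant_device=False),
}

# Constructed sample identities/devices.
ALICE = Context("alice", frozenset({"staff", "finance"}), True, True, 10, "US")
BOB = Context("bob", frozenset({"staff"}), False, False, 30, "US")


if __name__ == "__main__":
    for app, ctx in [("payroll", ALICE), ("payroll", BOB), ("wiki", BOB),
                     ("payroll", replace(ALICE, mfa_age_minutes=120)),
                     ("legacy-erp", ALICE)]:
        print(app, ctx.user, evaluate(app, ctx, POLICIES))
    # Posture degrades mid-session: the earlier ALLOW no longer holds.
    print(session_still_valid("payroll", replace(ALICE, device_compliant=False), POLICIES))
```

The two things worth noticing are that there is no notion of “on the network” anywhere in the decision, only user, device and context against one application’s rule, and that the same function is what the broker re-runs while a session is open, so a device falling out of compliance ends the session rather than surviving until the next login.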
At a high level, the ultimate goal for businesses who wish to adopt SASE is this: leveraging cloud-centric technology to reduce operational burdens and costs, and in doing so, reducing threats to the organization.
The key technologies that make up a SASE architecture
It is important to understand that SASE architecture isn’t tied to any vendor or solution, and aims to provide the most flexible security infrastructure possible. The following security and network components make up SASE architecture.
- Secure Web Gateway (SWG) for traffic inspection to protect users from malicious sites and enforce access policies
- Firewall as a Service (FWaaS) for next-generation firewall (NGFW) capabilities to protect the network against a wide range of modern threats. The NGFW defends not only assets such as servers hosted in the data center, but also users who work on-site or connect remotely.
- Cloud Access Security Broker (CASB) for an additional layer of control to ensure that traffic between on-premises devices and cloud providers complies with the organization's security policies
- Zero Trust Network Access (ZTNA) solutions for seamless and secure connectivity to applications without placing users on the network or exposing applications to the internet or relying on legacy solutions.
- SD-WAN for reducing WAN costs and bringing branch and IoT traffic under a single set of policies. From one pane of glass, SD-WAN allows organizations to see and manage the data flows across all internet circuits and provides the ability to prioritize bandwidth for business-critical applications.
Benefits of SASE for a business
The SASE model encourages businesses to consolidate these core technologies with fewer vendors. Ideally, they would be managed from a single portal.
More specifically, the benefits of implementing a SASE architecture in an organization include:
- Latency-optimized routing — SASE helps reduce latency by routing network traffic across a global edge network. At the edge, data and network traffic are processed closer to the user or device.
- Lower costs and complexity – By consolidating vendors and technology stacks, costs and complexities can be reduced.
- Agility – New digital business scenarios with quicker adoption are viable with less risk exposure and less operational overhead.
- More easily enable ZTNA – Allow secure access to individual applications based on the identity of the user, device, or application, over encrypted connections, without exposing the network itself.
- Centralized policy, local enforcement – Gain cloud-based centralized management while maintaining a distributed enforcement of policies.
At the end of the day, when implemented properly, SASE allows organizations to attain cloud-centric technology, reduce the operational burden and cost, and improve security and reduce threats. Remember, SASE is not something you can buy off the shelf and there are many ways to assemble a SASE solution.