The information age requires data to move in different ways. Users can be anywhere in the world and still have a need to access resources. While this has many benefits, it also brings challenges and limitations, as traditional network and security solutions, made of separate components, are not designed for the growing needs of users. A shift is needed, designed to provide secure and optimal access for everyone, everywhere and on every device.
Organizations have been using virtual private networks to support teams on remote initiatives for many years but in the recent past usage has brought to light some disadvantages. Namely, not being designed for continual use, lack of granular security, and unpredictable performance and availability. Cost and complexity become an issue as more connections are made. The more complex a system is, the more scalability becomes a concern.
There are three main drivers of adoption for a technology. First, strategy provides the vision for change. Second, risk weighs the upsides against the downsides. Third, the financial aspect determines the return on investment (ROI). While this piece is written largely from the strategic angle, I will include the other two, as they are interconnected and closely related.
Gartner, a global research and advisory firm, introduced the idea of a Secure Access Service Edge in 2019. SASE (pronounced "sassy") is a cloud-based security architecture that combines networking, security, and analytics to enable secure access to applications from anywhere, on any device.
The cloud has brought many advantages to organizations. It has become common to migrate existing applications to the cloud as well as develop new applications. The percentage of applications being developed in the cloud natively is increasing rapidly.
SASE makes it possible to move networking and security aspects to the cloud, something that was not feasible before. This opens up opportunities for value creation.
The strategic benefits are numerous:
Simplified networking and security architecture
Simplified networking and security operations
Near unlimited scalability
Reduced technological footprint
These benefits can make initiatives easier to take on and manage, potentially making the adoption of SASE a growth and profit enabler. With regard to risk, security blind spots can be drastically reduced, and compliance is made easier by incorporating a zero-trust environment. Financial benefits come from reducing IT support costs through network simplification and optimization. As legacy systems are retired and replaced, a single integrated solution can provide a lower total cost of ownership. Reduced configuration, operation, and maintenance costs all add up to provide value both immediately and over the long term.
SASE is designed to help organizations leverage cloud mobility by providing a single, unified networking and security architecture that can be deployed and managed from the cloud. This can help organizations simplify and lower the cost of their infrastructure while also enhancing their security posture.
A successful SASE solution merges networking and security into a single, integrated solution. This ensures users have consistent security protection regardless of their location or device. It combines software-defined wide area networking (SD-WAN), zero trust network access (ZTNA), cloud access security broker (CASB), secure web gateway (SWG), and next-generation firewall delivered at the edge as a service (FWaaS) to identify, log, and block malicious traffic while allowing the organization's legitimate traffic to pass freely along paths optimized for geographic location.
It is important to clarify what these services are in order to understand what is being combined. SD-WAN connects geographically distant sites over wide-area links whose path selection is controlled and optimized in software. ZTNA adds identity verification to every access request, which helps prevent unauthorized access to networks.
CASB provides visibility and control over cloud usage, helping organizations protect their data and comply with regulations. SWG is a security appliance that filters and blocks malicious websites and content, protecting users from malware infections, phishing attacks, and other online threats. FWaaS is a cloud-based next-generation firewall, including intrusion detection and prevention services, that helps protect the edge and the outside perimeter. By combining these technologies, SASE can provide organizations with a more secure and efficient way to connect users and applications.
When evaluating a solution, there are several capabilities a provider should meet. It is important that points of presence provide global reachability, and services should be fully integrated rather than independent.
A provider should offer a unified data model and data lake for storing log and event information; this supports analytics that drive business decisions about usage and risk. It should also offer a unified management plane rather than separate systems stitched together via API, a single security policy for sensitive-data inspection, and single-pass malware scanning and single-pass re-encryption that scale. Finally, the architecture should be flexible enough to allow dynamic scaling.
Ease of use and flexibility are also worth considering. For example, single tenancy should be offered for security-specific environments. A question an organization should ask is how easy it is to set up a new location; the answer indicates whether a solution with simpler management and configuration is needed. A single-provider SASE solution must include all of the capabilities listed.
Providers handle the convergence of networking and security differently in their offerings. Each time another product is integrated to form a SASE solution, traffic moving through the network must be decrypted and re-encrypted at that additional point. This introduces the notion of single-pass processing. Data that has to be decrypted at the first stop, only to be re-encrypted before heading to the next, adds latency and extra processing. With single-pass processing, the full set of security functions is unified into a single platform, allowing traffic to be decrypted and inspected once, which improves both network performance and security.
There are two main types of SASE solutions: a portfolio or a platform. A portfolio combines separate products to create a SASE solution, offering the ability to reuse the products an organization may already be familiar with in a highly customized solution. The key benefits of a platform are cloud-based delivery and security convergence. A platform offers a less complex architecture while still allowing granular customization.
One feature not yet mentioned is the use of a private networking backbone provided by a vendor. This architectural approach provides a private, alternative route for traffic and is able to back it with a service level agreement for stability and performance. SD-WAN alone cannot guarantee a level of performance without a private backbone, because its traffic traverses the public internet, and companies have had to rely on public cloud providers to address this. A cloud-based solution that includes a private backbone can therefore greatly enhance the performance achieved by embracing SASE.
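The following Python snippet is an added illustration of the single-pass versus chained processing discussion above; it is not code from the original article or from any vendor. The decrypt and encrypt calls are counters that stand in for real TLS operations, and the three inspection functions and the sample request are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: one decrypted HTTP request as a SASE point of presence would see it.
SAMPLE_REQUEST = (
    "POST /upload HTTP/1.1\r\nHost: files.example.test\r\n\r\n"
    "card=4111111111111111&note=quarterly report"
)

@dataclass
class CryptoCounter:
    """Counts the TLS-style decrypt/re-encrypt operations a traffic path incurs."""
    decrypts: int = 0
    encrypts: int = 0

    def decrypt(self, ciphertext: bytes) -> str:
        self.decrypts += 1
        return ciphertext.decode()      # stand-in for a real TLS decrypt

    def encrypt(self, plaintext: str) -> bytes:
        self.encrypts += 1
        return plaintext.encode()       # stand-in for a real TLS encrypt

# Three inspection functions (SWG, DLP-style CASB, IPS) that each need plaintext.
def swg_check(req: str) -> list[str]:
    blocked_hosts = {"malware.example.test"}    # constructed block list
    host = re.search(r"Host: (\S+)", req)
    return ["swg:blocked-host"] if host and host.group(1) in blocked_hosts else []

def dlp_check(req: str) -> list[str]:
    # Constructed 16-digit pattern standing in for a sensitive-data policy.
    return ["dlp:card-number"] if re.search(r"\b\d{16}\b", req) else []

def ips_check(req: str) -> list[str]:
    return ["ips:path-traversal"] if "../" in req else []

FUNCTIONS = [swg_check, dlp_check, ips_check]

def chained_inspection(ciphertext: bytes) -> tuple[list[str], CryptoCounter]:
    """Portfolio model: every product decrypts, inspects, and re-encrypts in turn."""
    ctr, findings = CryptoCounter(), []
    for fn in FUNCTIONS:
        plaintext = ctr.decrypt(ciphertext)
        findings += fn(plaintext)
        ciphertext = ctr.encrypt(plaintext)
    return findings, ctr

def single_pass_inspection(ciphertext: bytes) -> tuple[list[str], CryptoCounter]:
    """Platform model: decrypt once, run every function on the same buffer, re-encrypt once."""
    ctr = CryptoCounter()
    plaintext = ctr.decrypt(ciphertext)
    findings = [f for fn in FUNCTIONS for f in fn(plaintext)]
    ctr.encrypt(plaintext)
    return findings, ctr
```

Both paths reach the same verdict on the sample request, but the chained path performs one decrypt and one re-encrypt per product while the single-pass path performs one of each in total.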
"By 2024, more than 60% of software-defined, wide-area network (SD-WAN) customers will have implemented a secure access service edge (SASE) architecture, compared with about 35% in 2020." (Gartner, Hype Cycle for Network Security, 2020)
As we continue to move to the cloud, it only makes sense to rethink how traffic flows and to transition from a perimeter-controlled approach to a zero-trust, omnidirectional approach.
The primary benefits are as follows:
Agility: With a SASE architecture, IT can provide optimized networking and robust security to all locations, applications, and users no matter where they are. Deploying new resources and capabilities is quick and easy by installing the appropriate edge client and connecting to the platform.
Collaboration: Teams can benefit from the convergence of network and security to manage all features and policies in one interface, and gain deep insight into events. Furthermore, cross-team collaboration is enhanced by converging network and security teams.
Efficiency: The effort spent on physical topology, redundancy, scaling, sizing, and upgrading is dramatically reduced. Teams can now deliver better service with less effort and fewer resources.
Cost reduction: The simplification of the network and security stack, and the consolidation of multiple point products allows both vendors and customers to lower the overall costs of keeping the infrastructure running.
Security: Zero trust network access (ZTNA) is a security framework that provides enhanced protection by requiring identity-specific access for any network resource, regardless of location or device.
Business continuity: Enterprises have realized that supporting secure remote access, at scale, is a vital part of their business continuity plan. The flexibility of SASE’s cloud-native architecture enables a work-from-anywhere model.
Each approach to converging networking and security has its own advantages and disadvantages in terms of speed and agility, security and resiliency, and cost efficiency. A comparison of vendors and providers is out of scope for this overview. The most successful implementation depends on the specific needs and goals of the business, so it is essential to compare and contrast the different approaches and choose the one that best suits the organization. SASE provides a novel and enhanced method of architecting and managing networking and security functions by consolidating them in the cloud.
Creating the right foundation is crucial when designing the organization's network. Ensuring the network is future-proof and agile enough to scale in the information age is top of mind for most organizations. The SASE approach creates a holistic and unified method of connecting all edges while optimizing cost, performance, and agility.
Footnote:
According to a report by Gartner, in 2021, 30% of new digital workloads were deployed on cloud-native platforms. This number is expected to grow to 95% by 2025.
Sources:
https://www.gartner.com/doc/reprints?id=1-2BBI42K2&ct=221004&st=sb
https://www.gartner.com/en/documents/3953690
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/ebooks/the-10-tenets-of-an-effective-sase-solution.pdf?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-19-11-11-7010g000001JAHVAA4-P2-Prisma_Access-10-tenets-sase
https://go.catonetworks.com/rs/245-RJK-441/images/The-Network-for-the-Digital-Business-Starts-with-the-Secure-Access-Service-Edge-SASE.pdf
https://www.paloaltonetworks.com/cyberpedia/what-is-sase