Modern network security requires a great deal of time, energy, and resources. With more enterprises going into the cloud, secure access service edge (SASE) has seen broad adoption among security and networking vendors alike.
SASE is the convergence of network and network security services into an integrated cloud-native architecture. SASE guarantees broad and holistic network security services to support the needs of businesses and empower digital transformation.
Looking ahead to the next 12 months, a Help AG report predicts that SASE will see continued focus, alongside several other areas, including secure software-defined wide area network (SD-WAN), application and endpoint security, micro-segmentation, managed security services (MSS), and server message block (SMB) security.
From its inception in 2019 until today, SASE has been a practical and compelling model that can be partially or fully implemented depending on the business requirement and vendor capability. Digitalization, the surge of remote working, and cloud-based computing have accelerated SASE offerings. Hence, migration from the traditional perimeter and hardware-based paradigm to a SASE model is needed.
In a digitally focused era, many opt for SASE to ensure protection anywhere and anytime, as security standards adapt to a software-defined and cloud-delivered environment. This influences changes in security architecture and vendor selection as a whole.
Core SASE elements
The fourth industrial revolution, which involves large-scale automation and the growth of the Internet of Things (IoT), is just half a decade old, yet everything is changing fast in innovation, security, and technology. To stay competitive, relevant, and secure, businesses have to change their underlying framework.
SASE stitches together secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), SD-WAN, and cloud-based firewalls into a single cloud-based service. This comprehensive service enables identity-based access anywhere in the network based on real-time context, security, and compliance policies.
- SWG: Secure web gateways are mostly used to protect enterprises against malware and malicious websites. SWG adoption targets web threats via an inline proxy solution with advanced threat defenses such as URL filtering, advanced machine learning (AML), anti-virus (AV) scanning, sandboxing, data loss prevention (DLP), and web isolation.
A gateway effectively blocks malware and acts as a barrier to prevent confidential data, such as social security numbers, credit card numbers, and medical information, from being stolen. In this way, the web gateway strengthens security against external sites, software, or data that could harm people and programs within the organization.
- CASB: The transition to a cloud and remote-working world pressured traditional perimeter-based SWG to innovate. Users can now directly access IT infrastructure and connected resources from any location and on various devices. Hence, cloud access security brokers are designed to provide visibility and control over cloud applications.
Authentication, credential mapping, device profiling, encryption, tokenization, logging, and alerting are among the multiple security policies that CASBs execute. For malware detection and prevention, CASBs usually run in multi-mode as they are set up as a proxy or within API-based systems.
- ZTNA: To outsmart threats and liberate users, SASE is essentially built upon principles of zero trust, fundamentally changing the way enterprises are protected. Zero-trust network access removes excessive implicit trust, as access is granted on a “need-to-know,” least-privileged basis. By creating software-defined perimeters and enforcing adaptive and context-aware policies, ZTNA connections grant access only after devices and users are verified.
Unlike the traditional approach of simply employing virtual private networks (VPNs) to secure access between applications and users, ZTNA also increases flexibility, agility, and scalability without exposing internal applications directly to the internet. This is done through micro-segmentation and full application cloaking.
- SD-WAN: SD-WAN is a software-based approach to building and managing networks that connect highly distributed offices. With SD-WAN, companies securely and seamlessly connect their branch offices to corporate networks, with no need to deal with multiprotocol label switching (MPLS) connections or other exclusive hardware.
Though commonly associated, SD-WAN and SASE are different. SASE combines different security components that affect the overall network decision-making process. SD-WAN, on the other hand, focuses on smart routing by using a centralized control function to securely direct traffic across the WAN.
- FWaaS: Firewall as a service (aka cloud-based firewalls) forms a virtual barrier around cloud assets. Taking the functionality of a next-generation firewall (NGFW), FWaaS provides a level of flexibility and scalability that standard firewalls struggle to match. Through a SASE approach, FWaaS leverages layer 7 and NGFW firewalls for maximum security.
Among its benefits is a proxy-based architecture that enables granular firewall policies. Also, a cloud-based intrusion prevention system (IPS) delivers threat protection and coverage, regardless of location or connection type. As the first line of defense, a cloud-based firewall prevents users from reaching malicious domains and uses advanced analytics to correlate events and provide insight into current and future threats and vulnerabilities.
Benefits and use cases
Companies are currently carrying out multi-year digital transformation strategies to survive in an era of digital disruption. As the nature of business has changed, security leaders face a new set of challenges arising from a decentralized workforce. As IT infrastructures evolve, so must security practices. Thus, embracing SASE enables companies to acquire the security, agility, and performance they need.
Some use cases of SASE are quite evident in work-from-home scenarios and the rise of IoT devices. As employees nowadays tend to access corporate resources from home or anywhere outside the office premises, SASE can help control who can access what by adapting permissions based on context. This works as well in securing the edge, data centers, and other cloud services that also power organizational assets.
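The ZTNA element described earlier and the context-based permissions in this use case both come down to a default-deny decision made per request. The sketch below is an added illustration, not code from the article or from any vendor; the policy table, group and application names, and the risk score are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy table: (group, application) -> conditions for access.
# Any pair that is absent is denied, which is the least-privilege default.
POLICIES = {
    ("finance", "erp"): {"managed": True, "mfa": True, "max_risk": 30},
    ("engineering", "git"): {"managed": True, "mfa": True, "max_risk": 50},
    ("all-staff", "wiki"): {"managed": False, "mfa": False, "max_risk": 70},
}

@dataclass(frozen=True)
class Request:
    groups: frozenset        # groups asserted by the identity provider
    app: str                 # application being requested
    authenticated: bool      # user identity verified
    mfa_passed: bool
    device_managed: bool     # enrolled corporate device
    device_patched: bool     # posture check result
    risk_score: int          # 0 (low) to 100 (high), hypothetical risk engine

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason); every path that is not an explicit grant denies."""
    # Verify the user and the device before any policy lookup.
    if not req.authenticated:
        return False, "user not verified"
    if not req.device_patched:
        return False, "device posture check failed"
    rules = [(g, POLICIES[(g, req.app)])
             for g in sorted(req.groups) if (g, req.app) in POLICIES]
    if not rules:
        return False, "no policy grants this application"
    reason = ""
    for group, rule in rules:
        if rule["managed"] and not req.device_managed:
            reason = "managed device required"
        elif rule["mfa"] and not req.mfa_passed:
            reason = "MFA required"
        elif req.risk_score > rule["max_risk"]:
            reason = "context risk too high"
        else:
            return True, f"granted via {group}"
    return False, reason

def sample_decisions():
    """Constructed requests: the same finance user in three contexts."""
    base = dict(groups=frozenset({"finance", "all-staff"}), authenticated=True,
                mfa_passed=True, device_managed=True, device_patched=True)
    return {
        "erp_office": decide(Request(app="erp", risk_score=10, **base)),
        "erp_risky": decide(Request(app="erp", risk_score=60, **base)),
        "git": decide(Request(app="git", risk_score=10, **base)),
    }
```

The same user is granted the ERP application in a low-risk context, denied it when the context risk rises, and never reaches an application that no policy names for their groups.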
As a result, SASE brings forth improved cloud security posture by providing an end-to-end (E2E) encryption mechanism with integrated web application and API protection (WAAP) services. Using the ZTNA model, strict access controls can be applied. Moreover, a boost in network performance is achieved through the SD-WAN and SASE integrated security service approach.
With the security protocols running in an automated state, the number of branch devices, agents, and vendors will also be drastically reduced. This not only lowers the cost but also removes network complexity by abstracting away upgrades, patches, and network maintenance.
Adoption gaps and recommendations
Without a doubt, SASE will be the security trend of the decade. Being the latest cybersecurity toolkit for enterprises, SASE moves away from data center-oriented security. Instead, it unifies the network and security tools into a single service delivered via the cloud. All in all, it addresses the need for consolidation, cloud, and convergence.
The shift from on-premises data center-oriented security to cloud-native security may be viewed as a threat. Similarly, vendors with traditional product offerings may find it difficult to modify their offerings and keep up with the demand. Some SASE vendors are SD-WAN solution providers while others are network security companies, so their core strengths may overshadow their capabilities in non-traditional areas.
It is very important to remember that, in this context, any tool should fit into a company's cybersecurity strategy. The belief that ‘one size fits all’ does not apply here. Different enterprises have different security fabrics that may correspond with single or multiple vendors. Furthermore, SASE adoption will depend on the customer's starting point and its end goals.
For example, the tactics for a startup that needs a bottom-up security approach will differ from those for a multinational company that already has an existing framework. With the former, the choices available for a SASE environment extend to multiple operating systems. Thus, digital workspaces can interconnect and stay protected simultaneously. For the latter, with single-interface management for SASE elements, it’s possible for IT to move from on-premises to hybrid/multi-cloud environments without sacrificing workspace availability, application performance, or security.
Some of Gartner's recommendations and outlook for a SASE roadmap include replacing legacy VPN by deploying ZTNA; consolidating market vendors; creating a dedicated team of security and networking experts; having consistent policy enforcement and coverage; combining techniques for sensitive-data visibility and control; and committing to contractual SLAs for high availability and low latency.