Demystifying secure access service edge (SASE)

by Black Hat Middle East and Africa

WHAT IS SASE

The need for more robust cybersecurity measures skyrocketed with the rise of remote work since the pandemic. This made organisations question the future of work and how that will change their operations. While employees can now work from anywhere, they still require the same level of access to applications, tools, and services. This creates additional cybersecurity threats as employees accessing the network from different locations entails changes to the corporate network perimeter. It's now more pressing than ever to have adequate cybersecurity strategies in place, as the risk of possible attacks on an enterprise’s network increases with the popularity of remote work.

This is where Secure Access Service Edge (SASE) comes in, the new concept that aims to better fulfil the security requirements of enterprises that require flexible workforce arrangements. As more organisations consider implementing this trailblazing solution, the question remains - what is SASE?

Gartner coined the term SASE in 2019, defining it as a cloud-based offering that combines SD-WAN functions with performance-enhancing and security features like cloud access security broker (CASB) and zero-trust network access (ZTNA). SASE combines various cloud security and network functions in a single cloud service. The market has been gradually expanding since the term first appeared, but the industry still hasn't decided on a final definition of what a SASE deployment should look like. There are several approaches to deploying SASE, each with its own set of advantages and disadvantages.

Despite the gradual adoption of SASE, many security professionals are still confused about how it really works. According to a 2022 survey conducted by Accelerate Technologies, 94% of respondents know what SASE is, but the market seems unclear about its relationship to SD-WAN. This indicates that the industry is still unaware of the full potential of SASE architecture. However, understanding how it works will have significant benefits for your organisation.

HOW A SASE ARCHITECTURE CAN HELP YOUR ORGANISATION

  • Flexibility: You can apply and deliver security services such as web filtering, threat prevention, DNS security, sandboxing, credential theft prevention, data loss prevention, and next-generation firewall policies using a cloud-based infrastructure.
  • Cost reductions: Using a single platform rather than purchasing and handling multiple point products will substantially reduce your costs and IT resources.
  • Less complexity: By reducing the number of security products your IT team must manage, update, and maintain, you can simplify your IT infrastructure by consolidating your security stack into a cloud-based network security service model.
  • Improved efficiency: With a cloud infrastructure, you can connect to resources wherever they are located. Global access to apps, the internet, and corporate data is available.
  • Zero trust: Applying zero trust security to your cloud infrastructure eliminates trust assumptions when users, devices and applications connect. A SASE solution will provide complete session protection, regardless of whether a user is on or off the corporate network.
  • Threat prevention: You gain increased network security and visibility by incorporating full content inspection into a cloud-based SASE solution. This allows you to identify users, devices and apps no matter where they connect from, without the hassle of connecting to a gateway.
  • Data protection: Applying data protection policies within a SASE framework helps prevent unauthorised access to and misuse of sensitive data.

According to 2021 research by ESG, which surveyed 613 cybersecurity, networking, and IT professionals, respondents who started using SASE reported substantially positive outcomes.

SASE DEPLOYMENTS IN THE REAL WORLD

While SASE is in its infancy, some companies have taken the plunge and adopted the new technology, which significantly eased their transition to remote working and minimised their security concerns when the COVID-19 pandemic hit.

Company: Thornton Tomasetti
Industry: Engineering consulting
Size: 42 global offices

In 2019, IT professionals at global engineering consulting firm Thornton Tomasetti evaluated how they were managing their WAN, especially concerning network security and access control. "We recognised we were in a very reactive mode," stated Lance Brophy, IT director of operations transformation. Their WAN security strategy lacked cohesion because diverse hardware was deployed inconsistently across the company's 42 branch sites, and an ideal solution would have been to standardise and streamline WAN management without increasing total spending.

That led the team to conduct a formal study to explore their options, and they quickly saw the potential of SD-WAN and SASE technology. They decided on Versa Networks as a SASE provider. Brophy stated that Versa was their all-in-one solution, providing cloud security, next-generation firewalls, threat management, and role-based access control under one umbrella. Having a comprehensive SASE solution allowed Thornton Tomasetti to only replace their firewalls rather than the majority of their infrastructure.

Brophy's IT team, along with a third-party network management partner, began deploying SASE technology in January 2020 and finalised deployments across their 42 offices within 90 days. Luckily, they finished right before COVID-19, allowing them to immediately transition to a secure, dispersed workforce, which would not have been feasible on the company's traditional network infrastructure, according to Brophy. "We've been able to prove as a business that we can work as a remote workforce, something that we wouldn't have even dreamed about a year ago," he said. "And it's got to be secure -- that is key."

SASE USE CASES

SASE combines cloud agility, convergence, and fast performance to support various business use cases.

MIGRATING MPLS TO SD-WAN

SASE enables businesses to switch quickly from pricey, capacity-restricted MPLS networks to a more cost-effective alternative that makes use of high-capacity internet links. It achieves this by connecting its points of presence (PoPs) through a global private backbone that offers the same level of performance and predictability as MPLS, at a lower cost and more quickly. While SASE deployment at each location typically takes a few days or hours, MPLS implementation could take weeks or months.

SASE improves usable capacity and resilience globally once linked, which optimises performance and maximises throughput to on-premises and cloud applications.

SECURE BRANCH INTERNET ACCESS

SASE solutions improve and streamline branch office WAN security with an integrated cloud-delivered network security stack. You can protect all traffic, both WAN and internet-bound, by connecting all branch locations to the SASE PoP using an enterprise-grade, cloud-based security service. It's no longer essential to buy stand-alone cloud security solutions, backhaul internet traffic to a data centre or regional hub, or deploy and maintain branch network security appliances.

The entire WAN is protected by a security stack and a set of security policies, and SASE handles all security service updates and upgrades.

CLOUD CONTROL AND ACCELERATION

SASE seamlessly accelerates cloud traffic by routing it from all of the network edges over its global private backbone to the SASE PoP that's closest to the cloud data centre. SASE PoPs share the data centre footprint of major cloud providers, reducing the latency between them and SASE to zero. You can optimise cloud application access by simply adding one application-level rule that defines where cloud application traffic should leave the SASE cloud. Now you no longer need to choose between MPLS, which is not suited for cloud connectivity, or SD-WAN solutions, which are not always reliable over the public internet.

HOW SASE & ZERO TRUST NETWORK ACCESS (ZTNA) COME TOGETHER

SASE integrates networking and network security services like ZTNA, firewall as a service (FWaaS), cloud access security broker (CASB), data loss prevention (DLP), and other services into a single holistic, integrated solution that supports all traffic, applications, and users. Companies can use a SASE architecture to authenticate users quickly and to detect and reduce potential security threats. This also means that they no longer need to set up separate infrastructure to address both internet and private applications, as was previously the case with traditional proxy- and software-defined perimeter products.

Businesses can combine SASE security and Zero Trust principles as a unified solution to achieve ZTNA, which enables them to apply and enforce security protocols consistently throughout their entire network.

The benefits of a SASE and ZTNA approach include:

  • Improved network security.
  • Streamlined network administration.
  • Significantly lower costs due to large security deployment.
  • A single, comprehensive view of the whole network.

SASE IS THE FUTURE OF CLOUD SECURITY

Gartner predicts that by 2025, at least 60% of enterprises will have clear SASE adoption strategies and timelines encompassing user, branch, and edge access, up from 10% in 2020. As business leaders begin to consider how to properly implement this technology, a few crucial questions can assist their decision-making process.

The most important question is whether SASE architecture can help solve their business challenges. Additionally, does the solution fit their requirements for stable connectivity and a seamless user experience? Is the service in line with the company's risk management strategy? Will it provide the expected level of security robustness that they need?

These questions compel businesses to take a holistic look at their network. Rather than applying a plethora of networking and security solutions, they'll opt for more integrated solutions which help reduce complexity and improve their security posture. Ultimately, these new technologies and practices will enable businesses to adapt to a more flexible and spread-out workforce model, which will continue to impact security and networking requirements in the near future as we continue adapting to remote work.

DEMYSTIFY SASE AT BLACK HAT MEA

There’s no better way to learn about emerging cybersecurity technologies like SASE than with real industry professionals. Join us at Black Hat MEA, the cybersecurity event that gathers global CISOs, elite ethical hackers, and Black Hat trainers to share their knowledge and give technical cybersecurity courses for infosec leaders and enthusiasts alike. Black Hat MEA aims to bolster the Saudi community’s infosec capabilities to align with the kingdom’s 2030 vision of a technology-enabled future.
