The traditional network security model, in which traffic is routed through the data center for inspection and policy enforcement, is for all intents and purposes obsolete. A 2019 study by research firm Gartner found that “more users, devices, applications, services and data are located outside of an enterprise than inside.”
Driven by the adoption of multi-cloud infrastructure and applications, mobility and distributed workforces, the focal point for security has shifted to users and devices. As a result, the current data center-centric approach to network security is struggling to support a load it was not designed to bear.
This outdated architecture is impacting productivity and the user experience, while increasing networking costs since more and more circuits and APIs are needed to move traffic in and out of the corporate network. Meanwhile, implementing various security functions on remote devices requires a complex and difficult-to-manage mix of endpoint software agents.
The writing is on the wall: security needs to move from the data center to the edge of the network. Bringing security inspection engines closer to entities (users and devices) eliminates the need to trombone traffic through the data center. Research firm Gartner calls this architecture secure access service edge or SASE, and it provides several major benefits.
The benefits of SASE
First, reduced latency provides a better quality of experience for users, particularly when using time-sensitive business apps such as video and VoIP. Security at the edge enables requests for service to be authenticated at or near the point of access, which can mitigate possible poor voice and video quality associated with MPLS traffic backhaul.
Second, by harnessing the cloud, organizations can reduce their carrier-provided private MPLS network costs, although doing so requires first encrypting and filtering traffic between computing devices and hybrid access points.
However, it’s important to note that the cloud has associated usage costs as well. Companies pay egress fees, usually based on a “per terabyte” basis. For example, organizations whose workers and network infrastructure access and pull data from multiple clouds are assessed an egress fee from each cloud provider.
These costs, as well as network integration, privacy and security challenges, can be reduced by using a secure cloud interconnection exchange that consolidates hybrid and multi-cloud access at the edges of an enterprise network.
Moving security to the edge and making enforcement decisions based on the identity of an entity at the source of a connection (user, device, branch, IoT, location, etc.), is ideally suited for today’s perimeter-less, mobile and anytime/anywhere access requirements.
Security at the edge
In addition, edge-based security enables organizations to implement a zero trust architecture that:
- Categorizes access for all endpoints based on role, group, least privilege, and strict verification processes, enforces security functions such as multi-factor authentication (MFA), and checks device/server posture (e.g., ensuring that each connecting endpoint is properly patched).
- Employs next-generation methods of identity verification, such as activity logging and analysis of behavioral characteristics and digital trails.
- Segments the network so an infected endpoint is prevented from spreading malware or other malicious threats to other devices.
- Automates and orchestrates security functions rapidly through a software-defined perimeter approach that doesn’t rely on the physical network layer.
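As an added illustration of the enforcement model in the list above (constructed example code, not from the article or from any SASE product), the following Python policy decision point evaluates an access request against an explicit role allow-list (least privilege), the session's MFA state, device posture, and a segmentation rule that confines a suspected-infected endpoint to a remediation segment. Every check must pass, so the default is deny, and each decision is appended to an activity log. The resource names, roles, the 30-day patch threshold and the quarantine rule are assumed values chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Assumed posture policy for this example: endpoints must be patched within 30 days.
MAX_PATCH_AGE_DAYS = 30


@dataclass(frozen=True)
class Entity:
    """The requesting entity: a user plus the device it connects from."""
    user: str
    roles: frozenset
    mfa_verified: bool
    device_managed: bool
    patch_age_days: int
    quarantined: bool = False  # set when the endpoint is suspected of infection


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str                # network segment the resource lives in
    allowed_roles: frozenset    # least privilege: explicit allow-list of roles
    require_mfa: bool = True


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


# Each check returns a denial reason, or None when the request passes it.
Check = Callable[[Entity, Resource], Optional[str]]


def check_role(e: Entity, r: Resource) -> Optional[str]:
    if e.roles.isdisjoint(r.allowed_roles):
        return f"no role of {sorted(e.roles)} is permitted on {r.name}"
    return None


def check_mfa(e: Entity, r: Resource) -> Optional[str]:
    if r.require_mfa and not e.mfa_verified:
        return "MFA not completed for this session"
    return None


def check_posture(e: Entity, r: Resource) -> Optional[str]:
    if not e.device_managed:
        return "device is not managed"
    if e.patch_age_days > MAX_PATCH_AGE_DAYS:
        return f"device patch age {e.patch_age_days}d exceeds {MAX_PATCH_AGE_DAYS}d"
    return None


def check_segment(e: Entity, r: Resource) -> Optional[str]:
    # Segmentation: a quarantined endpoint may only reach the remediation segment.
    if e.quarantined and r.segment != "remediation":
        return f"quarantined endpoint may not reach segment {r.segment}"
    return None


CHECKS: List[Check] = [check_role, check_mfa, check_posture, check_segment]

# Activity log of every decision, for later behavioral analysis.
AUDIT_LOG: List[dict] = []


def evaluate(entity: Entity, resource: Resource) -> Decision:
    """Default deny: the request is allowed only if every check passes."""
    reasons = [msg for check in CHECKS if (msg := check(entity, resource))]
    decision = Decision(allow=not reasons, reasons=reasons)
    AUDIT_LOG.append({"user": entity.user, "resource": resource.name,
                      "allow": decision.allow, "reasons": list(reasons)})
    return decision


# Constructed sample resources and entities (not from the article).
PAYROLL = Resource("payroll-db", "finance", frozenset({"finance"}))
WIKI = Resource("intranet-wiki", "corp", frozenset({"staff", "finance"}), require_mfa=False)
PATCH_SERVER = Resource("patch-server", "remediation", frozenset({"staff", "finance"}), require_mfa=False)

ALICE = Entity("alice", frozenset({"finance", "staff"}), True, True, 5)
BOB = Entity("bob", frozenset({"staff"}), True, True, 45)
CAROL = Entity("carol", frozenset({"finance", "staff"}), False, True, 2)
DAVE = Entity("dave", frozenset({"staff"}), True, True, 1, quarantined=True)


if __name__ == "__main__":
    for entity, resource in [(ALICE, PAYROLL), (BOB, PAYROLL), (CAROL, PAYROLL),
                             (CAROL, WIKI), (DAVE, WIKI), (DAVE, PATCH_SERVER)]:
        d = evaluate(entity, resource)
        print(f"{entity.user} -> {resource.name}: {'ALLOW' if d.allow else 'DENY'} {d.reasons}")
```

The checks are independent functions so a new control (for example a geolocation rule) is one more entry in `CHECKS`; collecting all failing reasons rather than stopping at the first makes the audit log more useful for spotting patterns such as a user repeatedly failing posture.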
By implementing zero trust at the network edge, organizations can extend always-on advanced security to mobile endpoints and control access to the network, resources or sub-resources, all without having to backhaul each service request through the data center and a centralized security stack.
In this architecture, the data center becomes just another service that entities need to access and is no longer the center of the network environment. This enables connectivity to be extended wherever the organization and workforce need it, reducing the reliance on a central server environment and physical infrastructure.
From a cybersecurity perspective, a software-centric SASE approach enables protection to be placed closer to where access is needed.