Transitioning to a SASE architecture
There are several key points when contemplating a change in your security architecture.
First, and foremost, there is still a security perimeter. The perimeter, however, is changing – the new perimeter follows your distributed users and their devices as they move from location to location. There is still the need for a secure branch router or firewall. But these devices need to be smarter and work seamlessly with cloud-based security to create a Secure Access Service Edge (SASE) architecture.
Juniper thinks of SASE as the embodiment of networking converged with security. It provides protection from attack, regardless of where users are located, ensuring consistent security enforcement wherever they are without having to backhaul traffic to a corporate data center. The network must be capable of understanding network services, and then route to the appropriate security devices located in the branch or in a cloud.
SASE is an architecture, and not a product. One way to understand why SASE is important is to consider the large amounts of data processing necessary to provide high levels of security. There are many thousands of new domains added daily to categories of web traffic deemed unsafe or inappropriate. The sheer number of IP addresses involved in ongoing attacks is, in itself, a very large stream of data.
IDS/IDP patterns, and malware signatures continue to pile up. Small, affordable firewalls distributed to the edges of the network may not be an optimal approach given that such a large amount of information is necessary to secure a network. But you still need security at the perimeter.
Cloud architectures scale massively and cost a magnitude less to operate per unit of secured data. Cloud architectures are also very elastic and can expand or contract dynamically with ease. On a pure cost basis, cloud-based security simply makes sense. As cloud edges move closer to corporate branch locations, the pragmatic option will be cloud-based security.
Each type/class of network use may require different levels and types of security. An optimized system would apply the correct levels of security, and bypass security steps that may be unnecessary and add to costs and latency.
Some cloud services such as Microsoft Office 365 recommend no security, and just use the internet. But as stated earlier, there is still a perimeter that needs to be protected where egress traffic uses the internet to get to Microsoft.
Typically, IDS/IDP is required minimally, and in some cases proxies are recommended. Zoom video conferencing may suffer quality degradation when going through a full layer-7 security stack, or hairpin through a corporate data center.
SASE architectures require session-smart routers capable of intelligently looping in the optimal security stack in the optimal location. Real-time media, VOIP, and Zoom video are all examples of applications that should receive different kinds of security that are appropriate for each, individually.
When sending web traffic to the internet, or receiving traffic from the internet, a complete and exhaustive set of security tools should be applied. Cloud-based security is frequently located at the internet edge and can easily route the traffic directly to the internet. This actually saves a large amount of bandwidth from going over the corporate WAN in order to get to a data center-based security stack.
Over the past ten years, the percentage of traffic going to the internet from a branch versus the corporate datacenter has increased from 20% to over 80%. This is likely due to corporations implementing SaaS services for accounting, CRM, Office 365, and many others.
When security and networking get tightly intertwined, there is a great opportunity to reduce operational complexity. Having cloud-based configuration and management are essential to operational efficiencies. Life cycle management of networking and security software is essential. Single panes of glass for managing the edge all the way to the cloud simply makes sense. Zero touch provisioning of all elements is mandatory as well. All of these are baseline components of a proper SASE architecture.
A SASE architecture, once deployed, can provide the basis for an AI/ML-driven secure network. By having central and cloud-based analytics and insight, security events processing can be automated avoiding much human involvement.
In summary, SASE is an architecture. SASE will change how and where security is performed. Network routing will be used to bring the data to the correct security stack on an application-by-application basis.
Certain SaaS services that embed security in their offering may receive less additional security inspection, as appropriate, to improve performance and reduce costs while also limiting security risks. As one twists networking and security into a single solution, one will need cloud-based management of both that supports the transformation of the network to a SASE architecture. AI techniques will transform the operation of SASE architectures.