Network attacks continue to proliferate, especially sophisticated probing of user domain registries, ransomware attacks, and malware injections via trojans.
To further challenge IT, network traffic is far more distributed than in the past: Enterprise applications continue to migrate to the cloud instead of being hosted in the corporate data center, the number of workers accessing enterprise applications remotely continues to increase, and the number of IoT devices connecting to the network is also exploding. This creates a rather complex scenario of connectivity needs that must be satisfied in a secure and well-managed fashion.
Better answers and entirely re-thought solutions are required. SASE, or the Secure Access Service Edge, is a term coined by analysts at Gartner in 2019, and it represents a model / framework / architecture that describes the necessary WAN edge network functions combined with cloud-delivered security services, all delivered and managed in the cloud. The proper integration of these network and security functions is now commonly referred to as SASE.
Necessary WAN edge functions include SD-WAN; routing to communicate with the world outside the WAN fabric; basic security functions to protect the branch from any incoming threats such as a zone-based firewall and segmentation, perhaps IDS/IPS; application and network visibility; and even WAN optimization.
Ideally, all these functions are unified in a single WAN edge platform that greatly simplifies branch WAN edge infrastructure. Gartner calls this a “thin” WAN edge. WAN edge functions are married with cloud-delivered security functions that include firewall-as-a-service (FWaaS), a secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), data loss prevention (DLP), sandboxing, antivirus, intrusion detection and prevention (IDPS), and more.
Why SASE now?
The short answer is so much has changed. If we look back a dozen years ago or so, all enterprise applications were hosted in the data center. The data center as we have known it is no longer the center of the universe for most enterprises today.
All users – regardless of where they were located – connected back to the data center to access their respective business applications. An enterprise could build a proverbial moat or a fortress around the data center to protect it. Users connected from branch locations over secure private line connections like MPLS or from remote locations across a VPN. This model worked fine. But then came the cloud and its decentralized approach. Quickly, SaaS apps like Salesforce, Service Now, Dropbox, and unified communications including Ring Central and Zoom, Microsoft 365, and many others, have come to dominate the everyday workflow of global business.
The cloud also includes infrastructure-as-a-service providers – IaaS – like Microsoft Azure, Amazon AWS, Google Cloud Platform, and others. However, sending cloud traffic that is destined for the internet back to headquarters simply doesn’t make sense. It adds delay that degrades application performance, and it consumes costly leased-line bandwidth.
Securing the edge to the cloud with SASE
With the increase in remote workers connecting directly to cloud applications, traditional perimeter-based security is insufficient. By transforming WAN and security architectures with SASE, enterprises can ensure direct and secure access to applications and services across multi-cloud environments, regardless of location or the devices used to access them.
Keeping cloud security enforcement points up to date with the latest threat intelligence and remediation measures is also far easier than doing so with firewalls deployed at potentially hundreds or thousands of branch locations.
Cloud-delivered security services place security enforcement closer to the user where they are working instead of backhauling traffic to a headquarters or hub site for inspection. Furthermore, cloud security enforcement points are usually deployed in the same data centers where common SaaS apps are hosted. Application response time is significantly improved by connecting users to security and cloud-hosted application doorsteps closer to where they are working, improving quality of experience and business productivity.
The real goal of the SASE architecture is to connect users more intelligently to their applications without compromising any security. Business benefits of SASE are many, including:
- Improved business productivity and customer satisfaction
- Enhanced, consistent security policy enforcement across the enterprise
- Reduced risk and brand image protection
- Increased IT efficiency and lower overall WAN and security costs through centralized management
- Ability to evaluate and easily adopt new security technologies as they emerge
What about SD-WAN? Does SASE replace it?
The short answer is no. Don’t think of this transformation as “SASE vs. SD-WAN”, because SD-WAN is a foundational component of a SASE architecture. A substantial take-away is that the SD-WAN must be able to support adaptive internet breakout. This means the SD-WAN must be able to identify the application on the very first data packet to steer it to its proper destination.
Once a session or flow has been initiated, it can’t be moved to an alternate path. For example, a business might define security and quality-of-service policies to direct Microsoft 365 traffic and unified communications-as-a-service traffic directly to the SaaS provider to minimize delay and provide the best quality of experience for users but then direct Box, Dropbox, Facebook, and LinkedIn traffic first to a cloud-delivered security service before handing off to the SaaS provider.
The emerging SASE framework, working in conjunction with a versatile SD-WAN infrastructure for distributed branch office settings, can best be labeled as a natural conclusion for the industry’s myriad challenges. Mainly because this approach works directly in concert with the revolution that the industry has seen in adopting the cloud and mobile applications over the last decade. We no longer have static and predictable data and thus the network of the past simply cannot support it. After all, security is paramount to any cloud-backed connection.