The time has arrived to transition from traditional security architecture to SASE-driven architecture
The last decade witnessed significant progress in cloud adoption, and with the COVID-19 crisis hitting hard, organizations are moving to the cloud more rapidly; even the most reluctant organizations have no option but to follow the wave. The enterprise perimeter can no longer be defined within fixed boundaries, and organizations are encouraging end users to operate remotely from a variety of end computing devices. This paradigm shift is paving the way to dynamic edges and changing the way an organization needs to approach security and risk management.
So, what are the challenges that arise out of this shift and why do we need a new framework to manage this?
Enterprises are increasingly less dependent on private data centers, with more applications running in the cloud rather than on-premises and with users spread all across the globe. Traditional security architecture such as the hub-and-spoke model requires user traffic to be routed through data centers, where a Secure Web Gateway attempts to manage access and provide protection. However, backhauling user traffic to a central data center before it reaches the cloud is neither scalable nor efficient. Hence, in the current scenario, security must come to the traffic rather than the traffic travelling to security. Instead of routing traffic to a single point to be inspected and secured, it is more effective to embed the security controls along the path of the traffic, which also gives better performance.
So, this is where SASE comes into play.
Secure access service edge (SASE), pronounced “sassy”, a term coined by Gartner in August 2019, is a security framework that converges networking and network security into a single, cloud-delivered solution that supports the needs of digital business transformation, edge computing, and dynamic workforce mobility.
SASE gives organizations the opportunity to connect to a single secured network, where users can access cloud resources regardless of their location. The framework prescribes user access policies based on identity and device, regardless of the location of the entities requesting the capabilities and regardless of the location of the networked capabilities they are requesting access to.
So, SASE is essentially a new package of existing technologies, combining WAN capabilities (i.e., SD-WAN) and security functions (such as SWG, CASB, FWaaS and ZTNA) as core capabilities. These capabilities are delivered as a service (DaaS) based on the identity of the entity, context, and security and compliance policies. They can detect sensitive data or malware, decrypt content at wire speed, continuously monitor sessions for risk and trust levels, and take policy-based decisions.
Picture Credit: Gartner
Primary Use cases
- Maintain high-speed network performance while ensuring stringent access controls.
- Increase in remote workforce
- Visibility of cloud-based applications and data
- Data protection into the cloud and beyond
How should organizations start their SASE journey?
- Identify where users are and which data they need to access
- Determine the use cases relevant to the organization for implementing SASE
- Upgrade the network security setup and define the security and compliance policies
- Start the migration of your security stack to the cloud
Some of the vendors offering SASE solutions in the market
- McAfee MVISION Cloud Edge
- Palo Alto Prisma Access
- Zscaler SASE
- Cato Networks
- Forcepoint Dynamic Edge Protection
Please note that the above list is only indicative and is not arranged in order of ranking.
Edge – Devices that provide entry points to an enterprise network, for example, routers.
SD-WAN – A Software-defined Wide Area Network (SD-WAN) is a virtual WAN architecture that allows enterprises to leverage any combination of transport services – including MPLS, LTE and broadband internet services – to securely connect users to applications.
CASB – Cloud access security brokers are on-premises or cloud-hosted software that sit between cloud service consumers and cloud service providers to enforce security, compliance, and governance policies for cloud applications.
ZTNA – Zero trust network access operates on an adaptive trust model, where access is granted on a “need-to-know,” least-privileged basis defined by granular policies.
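The identity- and device-based, location-independent access decision described above, re-evaluated continuously against a session risk score as ZTNA prescribes, as an added illustration that is not part of the original post or of any vendor's product; the resources, groups, posture fields and risk thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy: per resource, the entitled group, the highest
# session risk score (0-100) tolerated, and whether a managed device is
# mandatory. Note that network location is deliberately not an input.
POLICY = {
    "crm":     {"group": "sales",   "max_risk": 60, "managed_only": False},
    "payroll": {"group": "finance", "max_risk": 30, "managed_only": True},
}

@dataclass
class Identity:
    user: str
    groups: tuple
    mfa: bool          # strong authentication completed for this session

@dataclass
class Device:
    managed: bool      # enrolled in the organization's device management
    patched: bool      # OS at the required patch level

def evaluate(identity: Identity, device: Device, resource: str, risk: int) -> tuple:
    """Return (decision, reason): 'allow', 'deny' or 'step_up'.
    Default deny; each check is a least-privilege gate in turn."""
    rule = POLICY.get(resource)
    if rule is None:
        return ("deny", "unknown resource: default deny")
    if rule["group"] not in identity.groups:
        return ("deny", "identity not entitled to resource")
    if rule["managed_only"] and not device.managed:
        return ("deny", "resource requires a managed device")
    if not device.patched:
        return ("deny", "device posture: unpatched")
    if risk > rule["max_risk"]:
        return ("deny", f"session risk {risk} exceeds {rule['max_risk']}")
    if not identity.mfa:
        return ("step_up", "MFA required before access")
    return ("allow", "identity, device and risk within policy")

def monitor_session(identity: Identity, device: Device, resource: str, risk_samples: list):
    """Re-run the decision for each risk sample observed during a session.
    Returns the index at which access was cut, or None if it stayed allowed."""
    for i, risk in enumerate(risk_samples):
        decision, _ = evaluate(identity, device, resource, risk)
        if decision != "allow":
            return i
    return None
```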