About SASE
(Secure Access Service Edge)

Look to the cloud for simpler, faster, less expensive security

 

 

The traditional network perimeter is dissolving.

Corporate data is moving to the cloud, employees are increasingly mobile, and digital transformation initiatives are gaining momentum, meaning more data is flowing to more locations. All of this changes the requirements for networking and security and inverts the traditional security stack.

 

Business leaders want stronger defenses in the face of ever-increasing cybersecurity threats; users want transparency and privacy without sacrificing convenience or performance; and IT wants to enable their business and maintain continuous compliance with changing regulations.

 

Simply put, legacy approaches do not provide the level of security and access control today’s perimeterless enterprises and users demand. The result is a growing need to converge security defenses and networking—so that service delivery can be simpler, faster, more flexible, more efficient, and less expensive.

 

 

What is a SASE?

Secure Access Service Edge, or SASE (pronounced “sassy”), is a term coined by Gartner in 2019 for a new cloud-native security architecture. SASE unifies multiple web security, cloud security, data and threat protection defenses, plus networking capabilities into a cloud ‘heavy edge’ to support users, data and applications in any location. In this evolving model, perimeter-based appliances and legacy solutions transition into fully integrated cloud microservices creating one platform with unified policies supported by a highly-performant, extensible global network infrastructure.

 

 

SASE includes the following technologies

 

  • Cloud-native microservices in a single platform architecture
  • Ability to inspect SSL/TLS encrypted traffic at cloud scale
  • Inline proxy capable of decoding cloud and web traffic (NG SWG)
  • Firewall and intrusion protection for all ports and protocols (FWaaS)
  • Managed cloud service API integration for data-at-rest (CASB)
  • Public cloud IaaS continuous security assessment (CSPM)
  • Advanced data protection for data-in-motion and at-rest (DLP)
  • Advanced threat protection, including AI/ML, UEBA, sandboxing, etc. (ATP)
  • Threat intelligence sharing and integration with EPP/EDR, SIEM, and SOAR
  • Zero trust network access replacing legacy VPNs and hair-pinning (ZTNA)
  • Software defined perimeter with zero trust access (SD-WAN, SDP)
  • Carrier-grade, hyper scale network infrastructure with global access POPs
  • SaaS acceleration, traffic shaping, caching, and bandwidth optimization

 

A SASE architecture is capable of identifying users and devices, applying policy-based security controls, and delivering secure access to the appropriate applications or data. SASE makes it possible to provide secure access regardless of where users, data, applications or devices are located.

 

 

Gartner’s SASE predictions

20%

of enterprises will adopt SWG, CASB, ZTNA and branch FWaaS by 2023

Source: Gartner report: The Future of Network Security is
in the Cloud

40%

of enterprises will develop strategies to adopt SASE by 2024

Source: Gartner report: The Future of Network Security is
in the Cloud

Benefits of SASE

01

Flexibility

Allows for direct-to-net or direct-to-cloud access from anywhere vs. traditional hair-pinning back to the data center

02

Cost savings

Eliminates CapEx for on-premises infrastructure and provides lower, predictable OpEx due to its Security-as-a-Service model

03

Reduced complexity

Enables organizations to shift security staff from managing appliances to focusing on delivering policy-based security services; in addition, consolidated / converged technologies with unified policy enforcement simplify SecOps

04

Increased performance

Enhances and accelerates access to Internet resources via a global network infrastructure optimized for low-latency, high-capacity and high-availability

05

Zero trust

Provides secure access to private apps in public clouds and data centers, instead of access to the network

06

Protection contre les menaces

Detects and prevents cloud and web attacks such as cloud phishing, malware, ransomware, and malicious insiders

07

Protection des données

Protects data everywhere it goes, inside and outside of the organization, including within public clouds as well as between company and personal instances of cloud apps

Getting Started with SASE

At the core of SASE is an integrated, extensible architecture that redefines security defenses in the cloud as a service. To get started, following these steps:

Look to consolidate your secure web gateway (SWG) and cloud access security broker (CASB) into a single inline proxy solution capable of decoding thousands of cloud apps and web traffic using APIs and JSON.

This will provide critical visibility and control for data loss protection (DLP) and advanced threat protection (ATP) defenses that are also cloud-hosted in the same platform. Along with retiring your legacy SWG appliances, migrate to zero trust network access (ZTNA) to replace your legacy VPN appliances to modernize your overall secure access posture.

As the majority of internet traffic is encrypted, implement a cloud-scale SSL/TLS decryption and inspection solution.

This cloud approach applies inspection anywhere vs. hairpinning traffic back to your data center at HQ, slowing down further analysis.

Utilize a global edge network for high performance and availability.

As the use of public cloud hosting for security defenses is costly and does not scale out financially in the long run, a better and different network is required for SASE-ready environments. Cloud Service Providers (CSPs), Internet Service Providers (ISPs) and SaaS application providers predominantly provide network infrastructures that are cost-based vs. performance based. Use a SASE solution in which local access is provided via multiple POPs with hyperscale networking that minimizes any trade off in performance for security. This optimizes the first mile, however, look for optimizations in the middle and last mile in a SASE-ready architecture. Main and remote offices should be able to use GRE and IPsec tunnels to connect, while remote users can be client-enabled, or brought into cloud security defenses by their IAM/IdP access and a reverse proxy deployment for personal, unmanaged devices without a secure client.

Avoid security and networking solutions that are merely appliance-based or cloud-hosted and require multiple consoles, disparate interfaces, different policy controls, and, therefore, burden SecOps with ‘console chaos’ analytics and investigations.

Integrated consoles, cloud architectures and agents will provide a much simpler security configuration, operations and response experience when building a SASE-ready environment. Staying focused on consolidation with reduced complexity and cost are always good objectives to follow.

Ressources