The last decade has seen a notable step in the evolution of network security and operations as companies move to a Software Defined Network (SDN) model, centralising control of switches, routers, VPN concentrators, load balancers and SD-WAN devices. This simplifies the management and operation of the network, driving down operational costs and reducing risk through better patch and update management.
At the same time, some organisations have also seen the value in moving to a network-as-a-service (NaaS) model, replacing capital expenditure (CapEx) with an operating expense (OpEx) model and outsourcing the management of all network components. Alongside this, organisations are replacing traditional private links, including MPLS circuits, with SD-WAN for WAN connectivity. Gartner expects that by 2026, 45% of enterprise locations will use internet services exclusively for their WAN connectivity.
However, one area overlooked in this evolution to NaaS and SDN is the integration and management of the security layer. The gap has been highlighted over the last few years by the change in working practices. Network traffic no longer runs through the infrastructure that enterprises built inside a data centre or office; it now traverses the internet without touching the traditional security layers. Organisations cannot inspect it, cannot troubleshoot it, and do not know how to provide the best user experience to their end users.
Further complicating this, users are now on personal devices accessing cloud-based corporate applications. When an organisation relies on a traditional VPN, that traffic is often "hairpinned": a remote user's request to a SaaS application is tunnelled back to a VPN concentrator in the corporate data centre, inspected there, and only then sent out to the internet, adding latency in both directions and concentrating load on a device that was never meant to sit in the path to the cloud.
Surely, then, the next step of this evolution is to move security enforcement primarily to a single cloud-based enforcement point, with remote application access and SD-WAN deeply integrated, combining aspects of a NaaS model with the in-built security missing from the original model. This is in essence the premise of secure access service edge (SASE).
Here at Netskope we firmly believe this to be the case, and Gartner's research points the same way: it predicts that end-user spending on SASE will grow 39% year over year (2022 to 2023), and it placed SASE at the top of its "Six Trends Impacting I&O" list for 2023 and beyond.
Often, a SASE model does still require a hardware or virtual layer on-premises (for example, if you are running applications within your own data centres or require SD-WAN connectivity from branches), but one of the benefits of a SASE model is the further simplification of this hardware, removing the need for VPN concentrators, advanced branch/store firewalls and on-premises web filtering, all of which can be moved into a security service edge (SSE) platform with direct integration with SD-WAN.
On-premises devices at the branch and store level become commodity devices that simply steer traffic to the cloud enforcement point. VPN concentrators are replaced by cloud-managed and typically virtualised application "publishers", which broker zero trust-based access to private applications for users both on and off premises. In both cases the organisation keeps much of the "hands off" benefit of a NaaS model without giving up control of its own network.
On the face of it, that still leaves access and control within the network outside the traditional scope of SASE. However, zero trust network access (ZTNA) solutions are now being extended to the local network or "campus" level, so that users inside the network are subject to the same per-application access and security controls as those connecting from outside it: the decision is made on who the user is, what application they are asking for and the state of their device, not on which network segment the request arrives from.
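To make concrete what "the same controls on and off the network" means, here is an added example (not code from the original post, and not Netskope's product logic) that evaluates the same access requests under two models: a legacy perimeter check that trusts anything sourced from the corporate address space, and a ZTNA-style check that ignores source address entirely and decides per application on group membership and device posture. The corporate range 10.0.0.0/8, the application names, groups and posture fields are all assumptions made for the illustration, and the sample requests are constructed.

```python
"""Added example: perimeter-style access vs a ZTNA-style per-application
decision. All applications, groups, posture fields and the corporate
address range are hypothetical; the sample requests are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed corporate address space used by the legacy perimeter model.
CORP_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # identity-provider group memberships
    src_ip: str                # where the request arrived from
    device_managed: bool       # device enrolled in management
    disk_encrypted: bool       # posture signal reported by the endpoint agent
    os_patched: bool           # posture signal reported by the endpoint agent
    app: str                   # published application being requested


# Hypothetical per-application policy: required group plus posture checks.
APP_POLICY = {
    "hr-portal": {"group": "hr", "posture": ("device_managed", "disk_encrypted")},
    "git": {"group": "engineering",
            "posture": ("device_managed", "disk_encrypted", "os_patched")},
    "wiki": {"group": "staff", "posture": ()},
}


def perimeter_decision(req: Request) -> bool:
    """Legacy model: being on the corporate network is the credential.
    Nothing about the user, device or application is examined."""
    return ip_address(req.src_ip) in CORP_NET


def posture_failures(req: Request, required) -> list:
    """Names of the required posture checks the device does not satisfy."""
    return [check for check in required if not getattr(req, check)]


def ztna_decision(req: Request):
    """ZTNA-style model: returns (allowed, reason). The source address is
    deliberately never consulted, so on-premises and remote users get the
    same answer for the same identity, device and application."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application"          # default deny
    if policy["group"] not in req.groups:
        return False, f"user not in group {policy['group']}"
    failed = posture_failures(req, policy["posture"])
    if failed:
        return False, "device posture failed: " + ", ".join(failed)
    return True, "allowed"


def compare(req: Request) -> dict:
    """Side-by-side outcome of both models for one request."""
    return {"perimeter": perimeter_decision(req), "ztna": ztna_decision(req)[0]}


# Constructed sample requests.
ON_PREM_UNMANAGED = Request("alice", frozenset({"staff", "engineering"}),
                            "10.20.30.40", False, False, True, "git")
REMOTE_MANAGED = Request("alice", frozenset({"staff", "engineering"}),
                         "203.0.113.7", True, True, True, "git")
ON_PREM_WRONG_GROUP = Request("bob", frozenset({"staff"}),
                              "10.1.1.1", True, True, True, "hr-portal")

if __name__ == "__main__":
    for r in (ON_PREM_UNMANAGED, REMOTE_MANAGED, ON_PREM_WRONG_GROUP):
        print(r.user, r.app, r.src_ip, compare(r), ztna_decision(r)[1])
```

The interesting rows are the first two: the perimeter model admits an unmanaged, unencrypted laptop to the source repository because it is plugged into an office port, and rejects the same user on a fully compliant device because she is at home; the ZTNA check reverses both outcomes, and the reason string tells the operator exactly which posture signal or group membership was missing. Extending ZTNA to the campus, as the paragraph above describes, is what makes the first row's answer change.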
This consolidation has the additional benefits of driving a reduction in operational costs, both on the infrastructure and security sides. For those considering a NaaS model, a modern SASE architecture offers a better alternative for most organisations, allowing them to maintain control of their networking and security stack, providing not only the best user experience but also driving down overall risk.
For more information on designing a SASE architecture, check out our Dummies Guide.