Secure Access Service Edge (SASE – but pronounced ‘Sassy’ for perhaps intriguing reasons!) is the new kid on the block for network security. At its core, SASE is about shifting the focus from protecting the location of data, to protecting the user and the journey of their data. SASE represents an external, holistic view, rather than an inwards data centre-based approach to network architecture.
If this sounds confusing, it needn’t be. SASE isn’t a tool or a single service, it covers a range of services including SD-WAN, Zero Trust Network Access, DNS protection, Data Loss Prevention and Firewall as a Service. SASE has evolved as businesses continue to adopt cloud-based solutions, mobility and remote working – all digital transformation drivers that have rendered traditional point-based security solutions less effective.
Gartner predicts that by 2024, at least 40% of enterprises will have explicit strategies to adopt Secure Access Service Edge [1]. Let’s take a look at three trends in network transformation driving the uptake of SASE:
The move away from storing applications within data centres to storing and running them in the cloud has been an enormous shift in how we work.
We know that users, offices and devices are now completely dispersed, with ‘anytime, anywhere’ access to apps required regardless of whether they are located on-premises or in the cloud.
As a result, perimeter-based network security solutions just aren’t suited to this new role. Organisations can’t continue funneling remote traffic through the data centre and then out to the cloud. It’s simply become an inefficient route that’s causing you unnecessary lag. This doesn’t mean perimeter security solutions are obsolete, however trying to make them fit this evolving paradigm is leading to further complexity in the network – something we’re all trying to avoid.
“We have a mantra in our security team at Data#3: Complexity is the enemy of security. Simplicity is the ultimate sophistication.”
The idea that the data centre is no longer the centre of the corporate network universe, means we’re flipping network architecture from an internal view to one that takes a highly visible, external view in protecting the myriad of users, devices and locations.
There’s no doubt that protecting your organisation in an increasingly distributed environment is more challenging. The good news is that SASE makes it easier by delivering one cloud-based service that can provide protection everywhere your users and data are located.
SASE’s capabilities are based on policies rather than a physical perimeter, allowing it to dynamically secure and protect networks at multiple access points. Interestingly, the “edge” that SASE refers to isn’t the network edge as we’ve traditionally defined it: it refers to data crossing an organisation on its journey to and from… anywhere.
Let’s take a closer look at the idea of eliminating the data centre-centric view. If we consider today’s increasingly remote and mobile-first workforce, back-hauling everything through data centres creates unnecessary barriers, introduces latency and impedes working. Even worse, it delivers an unsatisfactory user experience for both workers and third parties.
Consider the extent of all the SaaS applications your teams are likely accessing on a daily basis. This includes Office 365, Salesforce, Teams, Webex, OneDrive, Slack, perhaps your CRM like Dynamics 365… and the list is only growing. In fact, 41% of small to medium enterprises in Australia have bought and installed new software to manage the move to remote working [2].
If you require access to all of these tools through a slow or cumbersome corporate VPN, people are inevitably going to seek workarounds. They may realise they can connect straight to the cloud service without using the VPN – which still requires a password, so it’s secure… right?! Not exactly. Bypassing the VPN leaves a security gap: the traffic is no longer routed through your perimeter-based security, and you’re no longer protecting the data on its journey.
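The two paragraphs above make one point from two sides: a perimeter model only protects traffic that happens to pass through the perimeter, whereas a policy model evaluates every request on who the user is and what device they are on, wherever they connect from. The following is an added illustration of that contrast, not code from Data#3 or from any SASE product; the address ranges, users, groups, applications and policies are all constructed for the example, and a real deployment would take the identity and device-posture signals from the identity provider and endpoint agent rather than from fields on a request object.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed corporate address space. Only flows that enter this network
# (on-site, or tunnelled over the VPN) ever reach a perimeter security stack.
CORPORATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Constructed per-application policies. Nothing here refers to where the user
# is; only to who they are and the state of the device they are using.
APP_POLICIES = {
    "crm":  {"groups": {"sales", "finance"}, "mfa": True, "managed": True,  "patched": True},
    "chat": {"groups": None,                 "mfa": True, "managed": False, "patched": False},
}

# Constructed directory lookup (in practice supplied by the identity provider).
USER_GROUPS = {"alice": {"sales"}, "bob": {"engineering"}}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    source_ip: str
    mfa_verified: bool    # hypothetical signal from the IdP
    device_managed: bool  # hypothetical signal from the endpoint agent
    device_patched: bool  # hypothetical signal from the endpoint agent


def perimeter_inspects(req: AccessRequest) -> bool:
    """Legacy model: trust is a function of network location.

    Returns True only when the flow enters the corporate network, which is
    the only case in which perimeter firewalls, proxies and DLP see it. A
    user who connects straight to a SaaS app from home, skipping the VPN,
    yields False: that flow is never inspected at all.
    """
    src = ip_address(req.source_ip)
    return any(src in net for net in CORPORATE_RANGES)


def sase_decision(req: AccessRequest) -> tuple[str, str]:
    """Policy model: every request is evaluated on identity and device
    posture against the application's policy, regardless of source network.
    Returns (verdict, reason) so the reason can be logged for detection.
    """
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return ("deny", "no policy defined for application")
    allowed_groups = policy["groups"]
    if allowed_groups is not None and not (USER_GROUPS.get(req.user, set()) & allowed_groups):
        return ("deny", "user not in an allowed group")
    if policy["mfa"] and not req.mfa_verified:
        return ("deny", "MFA required")
    if policy["managed"] and not req.device_managed:
        return ("deny", "managed device required")
    if policy["patched"] and not req.device_patched:
        return ("deny", "device fails patch-level check")
    return ("allow", "identity and device posture satisfy policy")


def compare(req: AccessRequest) -> dict:
    """Side-by-side view of what each model does with the same request."""
    verdict, reason = sase_decision(req)
    return {"perimeter_inspected": perimeter_inspects(req),
            "sase_verdict": verdict, "sase_reason": reason}


if __name__ == "__main__":
    # Constructed sample requests: the same user and device, once from the
    # office and once straight from home with the VPN bypassed.
    samples = [
        AccessRequest("alice", "crm", "10.1.2.3",     True, True,  True),
        AccessRequest("alice", "crm", "198.51.100.7", True, True,  True),
        AccessRequest("alice", "crm", "198.51.100.7", True, False, False),
        AccessRequest("bob",   "crm", "10.1.2.3",     True, True,  True),
    ]
    for s in samples:
        print(s.user, s.app, s.source_ip, compare(s))
```

Running the block shows the asymmetry the post describes: Alice's second request (home, no VPN) is invisible to the perimeter model but receives exactly the same policy verdict as her office request, while her unmanaged device is refused by policy even though a perimeter check would have waved it through had it been on the corporate network.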
Providing a positive user experience is always key to getting buy-in to processes and preventing users from seeking workarounds – you need to let people directly access what they need. By combining bulk delivery of services from the cloud with the convergence of networking and network security, a ‘light branch, heavy cloud’ SASE model lets you provide a great user experience. There will also be a reduction in operating complexity, and enormous improvements in overall agility and speed.
SASE can manage data and applications across your whole network. Everywhere users are, there can be defined policies put in place to provide security and protection.
Just think, a more seamless and secure network experience will also lead to more productive and innovative teams, not only internally but also with third parties. And better team collaboration can drive a faster development and output of your core services.
A lot of businesses are still relying on legacy architecture and technology that was designed for when staff were physically coming into an office and working there.
While old protocols like Multiprotocol Label Switching (MPLS) might have been cutting edge at the time, these legacy systems weren’t designed for a mobile-based or remote workforce. MPLS provided a way for companies to share information on a private network without the need for encryption, although it was an expensive solution also requiring full integration with telecommunications and other specialised resources.
SD-WAN has made significant inroads here as it’s a cheaper, more effective way of connecting branches, and has more customisable security options. SASE incorporates these elements of SD-WAN, picking up where the limitations of MPLS start.
In addition to providing encryption and decryption at scale, SASE benefits from a convergence of Network as a Service and Network Security as a Service, combining SD-WAN and security capabilities in one cloud-based service, as shown in the graphic below.
Reducing point products and converging into cloud delivery means offices can also benefit from stronger, more pervasive protection, lower cost, higher bandwidth internet connectivity – delivering greater flexibility and cost management.
We’re all now familiar with the challenges businesses face in rapidly adapting to a fully remote working environment. Even so, it can still be difficult getting IT stakeholders to shift their thinking away from more traditional network architecture and security solutions – like purchasing, and layering more and more point products that are rooted in the data centre. This is where you’ll always hear us say that complexity is the enemy of security!
Organisations are also seeing firsthand how the whole concept of what an office is and what it’s used for is changing. With COVID drastically affecting the use of commercial office space, office footprints have reduced and are likely to diminish further as people continue to embrace a flexible, hybrid work environment. It’s an older saying now, but one that rings much louder today – work is no longer a place we go, but a thing we do.
This shift means the organisation needs to change how it supports staff, ensuring better security is in place and that network traffic isn’t being sent back to the data centre.
By deploying a SASE based approach, organisations can address all of these security issues, and more, with the added benefits of greater flexibility and cost management. It is a big change and IT teams are coming around, but they also need further guidance as there are still relatively few available resources for them to learn how to do it themselves.
The right SASE vendor will provide all of the core components of a cloud-based secure gateway, within a single platform that can bring visibility and security to all of your network traffic.
To ensure adequate networking and network security capabilities there are a few ‘must haves’ in addition to SD-WAN and a secure gateway. These core capabilities include Cloud Access Security Broker (CASB) capabilities, Zero Trust Network Access and Firewall as a Service, including IPS capabilities. Being able to identify sensitive data and malware is also essential, as are encryption and decryption capabilities.
Other recommended capabilities would be features like web app and API protection, recursive DNS and remote browser isolation.
One of the standout solutions is Prisma Access, from Palo Alto Networks – it provides all of these key capabilities and more, having been developed specifically for cloud and mobile-first organisations hamstrung by legacy architecture.
To learn more about the shift to SASE and simpler, more powerful security solutions, contact one of our security experts today. We’ll take you through everything you need to know about moving to a cloud-based solution with demonstrations, real life examples and use cases.
1. (August 30, 2019). The Future of Network Security is in the Cloud. [Online] Available at: https://start.paloaltonetworks.com/sase-the-future-of-network-security.html
2. (April 21, 2020). 5 Ways Australia’s Lockdown Has Fast-Tracked Digital Transformation. [Online] Available at: https://www.capterra.com.au/blog/1453/australias-lockdown-fast-tracked-digital-transformation