Rise of SASE Can Spell Doom for Legacy Network Security Technologies

essidsolutions

In many ways, the world is defined by oscillations from one way of working to a completely different model – and then back again. In IT terms, I’m thinking of centralization (like a single data center) versus decentralization, or of running multiple best-of-breed tools that each perform a related job versus having a single tool that does all the jobs and integrates them into a single user interface.

And where we are, at the moment, is moving well away from a centralized data center to multiple cloud environments for data storage and application delivery. We are also probably taking the first steps away from multiple point security tools – such as VPNs (Virtual Private Networks), office firewalls, and SWGs (Secure Web Gateways) – that allow people to safely work from home or wherever they want, and towards something like Secure Access Service Edge (SASE – pronounced sassy).


What is SASE?

SASE started life as an idea for networking cybersecurity described by Gartner in 2019 in their report, The Future of Network Security in the Cloud. The thinking behind the idea was that current technologies were no longer providing adequate security and access control. In 2020, this became more important with the move to remote working and data being stored in the cloud rather than in data centers, plus the increase in Software as a Service (SaaS) applications being used.

SASE frameworks provide IT teams with a more holistic approach to cybersecurity, in which existing point solutions are unified into a cloud-native service. So, from a single place, IT teams can monitor what’s going on, enforce security utilities, and manage things like custom access policies. And, because it’s a cloud service, it scales well and is cost-effective, meaning it’s a good fit for organizations during these changing times. In effect, a SASE network makes it easy for IT teams to connect and secure all of their users and resources.

Gartner tells us that SASE is a service that has four main parts. 

    • Identity-driven – by using user and group identity, application access, and the sensitivity of the data being accessed, it becomes possible to control interactions with resources.
    • Cloud-based architecture – the implementation of cloud capabilities allows organizations to have an efficient platform that is easily adaptable to their needs.
    • Supports all edges – the entire organization can use a single network, including data centers, branch offices, cloud resources, and mobile and remote users.
    • Globally distributed – this ensures complete networking and security capabilities apply to everyone and everything.

Drilling down into what makes up SASE, there are security functions such as secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS), and zero trust network architecture (ZTNA); and there are wide-area networking capabilities in the form of software-defined wide area network (SD-WAN). These are then put together in a package and delivered as a service, providing security levels that depend on an entity’s identity, its real-time context, and an organization’s security/compliance policies. With SASE, it’s also possible to identify sensitive data or malware, and it provides continuous monitoring of sessions for risk and trust levels.
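As an added illustration (not from the original article or any SASE vendor), the sketch below shows how a single cloud-side policy point could combine identity, data sensitivity and real-time context into a default-deny decision, and re-check it while a session is running. All groups, applications, rules and the risk threshold are hypothetical.

```python
from dataclasses import dataclass, replace

# Constructed sample policy; groups, apps and threshold are hypothetical.
SENSITIVITY = {"public": 0, "internal": 1, "restricted": 2}
MAX_RISK = 70  # sessions scoring above this are denied regardless of rules

@dataclass(frozen=True)
class Rule:
    group: str             # identity: group the user must belong to
    app: str               # application this rule grants access to
    max_sensitivity: str   # highest data sensitivity the rule covers
    require_managed: bool  # context: device must be corporate-managed

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    sensitivity: str       # sensitivity label of the data being accessed
    managed_device: bool
    risk_score: int        # real-time context, 0 (low) to 100 (high)

RULES = [
    Rule("finance", "erp", "restricted", True),
    Rule("staff", "wiki", "internal", False),
]

def decide(req, rules=RULES):
    """Return (allowed, reason). No matching rule means no access."""
    if req.risk_score > MAX_RISK:
        return False, "risk score above threshold"
    if req.sensitivity not in SENSITIVITY:
        return False, "unknown sensitivity label"
    for rule in rules:
        if rule.group not in req.groups or rule.app != req.app:
            continue  # rule is for a different identity or application
        if SENSITIVITY[req.sensitivity] > SENSITIVITY[rule.max_sensitivity]:
            continue  # data is more sensitive than this rule allows
        if rule.require_managed and not req.managed_device:
            continue  # device context does not satisfy the rule
        return True, f"rule {rule.group}->{rule.app}"
    return False, "no matching rule (default deny)"

def reevaluate(req, new_risk):
    """Continuous monitoring: re-run the decision when the risk score changes."""
    return decide(replace(req, risk_score=new_risk))
```

The same user can be allowed on a managed laptop and refused on a personal one, and an established session is cut off as soon as its risk score crosses the threshold.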

Under the Hood: SASE Components

Let’s look at these SASE components in more detail. SWGs (Secure Web Gateways) are discussed below. A CASB (Cloud Access Security Broker) is, in the SASE model, cloud-hosted software (rather than being on-premise) that sits between users and cloud service providers. A CASB can discover shadow IT operating within an organization, protect the information, protect against threats, and enforce policy compliance and governance. FWaaS (Firewall as a Service) provides a threat management service in the cloud rather than using multiple on-premise appliances (see later). It monitors incoming and outgoing traffic in addition to enforcing an organization’s security policies. ZTNA (Zero Trust Network Architecture) is a way of working where an organization won’t automatically trust anything on its network or trying to access its network.

We’re probably familiar with WANs (Wide Area Networks). SD-WAN (Software-Defined WAN) is different in so far as the management and operation of the WAN are separate from the actual networking hardware. The advantages of this are centralized management, easier deployment, and potentially lower cost.


Exploring the Near-Future of Legacy Firewalls and VPNs

So, what’s wrong with VPNs? VPNs allow users to log in to the corporate data center through a secure tunnel. And that worked well in the days when, perhaps, 10% of the staff was working out of the office. Since the pandemic started, that figure has risen to 70%, resulting in contention for resources, and so these end-users’ experience of using VPN is poor. This can be overcome to a degree by increasing the number of VPN terminating appliances in the data center. The other issue with using VPNs is that all traffic is routed from the end-user to the data center, even if its final destination is somewhere in the cloud, and then routed back again. It makes sense for many organizations to migrate parts of their network to the cloud to be more flexible and provide a better service to their end-users. That’s the driver away from using VPNs towards SASE.

What about office firewall appliances? What’s the problem with them? Obviously, an office firewall appliance is a physical device usually placed between an internal and an external network. The appliance contains the necessary hardware and software to protect whatever it’s attached to. While this solution works well in a centralized data center environment, there are clear challenges with this approach when moving to cloud-based networks. Hence, the solution that’s part of SASE is to use Firewall as a Service (FWaaS), which is cloud-based, scalable, and application-aware.

And what’s wrong with SWGs? To be honest, SWGs have been used in data centers for a very long time. They have been called web content filters and internet proxy filters. They act as a protective layer between an organization’s employees and the Web. They can be used to block specific websites, and they can filter Web content – identifying and responding to malware. Companies can use SWGs to enforce acceptable usage policies, prevent data loss, and report on internet usage. Traditionally, they have been installed as an appliance in a data center. As with firewall appliances, you can see the problem. So, the move to cloud working and the expansion of mobile working mean that cloud-based SWGs are needed. Again, cloud-based SWGs scale well and require few changes from the IT team.

Growing SASE Adoption Can Topple Legacy Technologies

In conclusion, you can picture SASE as a combination of network traffic technologies and security technologies. It fully embraces the cloud and allows organizations to scale up their online working while at the same time increasing the speed of working for their users. From the organization’s point of view, they get increased security and reliability. Gartner is predicting that “by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.” The research firm says the SASE market is expected to balloon to almost $11 billion by 2024, at a CAGR of 42%.

The traditional ways of working, with employees working from home or anywhere using VPNs to connect to the data center, and with firewall appliances and secure web gateway appliances being required at each location, are starting to change. The need for centralized authentication for users has led to them experiencing delays and IT teams working in a complex environment. With SASE, IT teams need to specify the security rules in one place – the cloud – and allow users to access the resources they need – and no others.
