SASE is the new emerging concept in Cybersecurity....
In August 2019, Gartner published a report titled "The Future of Network Security in the Cloud". The report laid out a strategic roadmap for SASE convergence, and with it the term SASE came into being as a new cybersecurity concept.
SASE (pronounced “sassy”) = Secure Access Service Edge
Before learning more about SASE, take a moment to consider the following:
Existing networking approaches and technologies can no longer provide the levels of security and access control that most modern organisations actually need.
Why is that so?
- Modern organisations (like yours) need immediate and uninterrupted access for their users, regardless of where they are located. Remote users and work-from-home employees are a reality you cannot close your eyes to.
- Adoption of SaaS applications is very high everywhere, so a huge amount of data is moving from the data-center to cloud services.
- More and more traffic is going to public cloud services and branch offices rather than back to the organisation's data-centers.
In short, so much data and traffic now flows between cloud services and your users, largely bypassing your own data-center and security implementations, that you need a fundamentally new approach to networking and network security.
WHAT IS SASE?
Palo Alto describes it as follows:
SASE is the convergence of wide area networking, or WAN, and network security services like CASB, FWaaS and Zero Trust, into a single cloud-delivered service model.
Gartner sheds a little more light on SASE, noting that SASE capabilities are delivered as a service based upon the following:
- The identity of the entity
- Real-time context
- Enterprise security/compliance policies
- Continuous assessment of risk/trust throughout the sessions
A small explanation:
------------------------
The identity of an entity can be defined in terms of people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.
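The four bases listed above can be modelled as a decision that is repeated for as long as a session stays open. The sketch below is an added illustration, not Gartner's or Palo Alto's code: the entity kinds come from the explanation above, while the field names, risk weights, thresholds and the sample session are constructed assumptions.

```python
from dataclasses import dataclass
# Entity kinds named in the explanation above (identity of the entity).
ENTITY_KINDS = {"person", "group", "device", "application", "service", "iot", "edge"}

@dataclass(frozen=True)
class Context:              # real-time context, sampled repeatedly in a session
    device_compliant: bool
    country: str
    location_changed: bool  # differs from the previous sample

@dataclass(frozen=True)
class Policy:               # enterprise policy; all values are constructed
    allowed_kinds: frozenset
    allowed_countries: frozenset
    step_up_at: int         # risk score that forces re-authentication
    deny_at: int            # risk score that ends the session

def risk_score(ctx):
    """Toy additive score (assumed weights), standing in for real risk signals."""
    return (0 if ctx.device_compliant else 50) + (30 if ctx.location_changed else 0)

def decide(kind, ctx, policy):
    """One decision for one context sample: 'allow', 'step_up' or 'deny'."""
    if kind not in ENTITY_KINDS or kind not in policy.allowed_kinds:
        return "deny"
    if ctx.country not in policy.allowed_countries:
        return "deny"
    score = risk_score(ctx)
    if score >= policy.deny_at:
        return "deny"
    return "step_up" if score >= policy.step_up_at else "allow"

def run_session(kind, samples, policy):
    """Re-assess on every sample; the first 'deny' cuts the session short."""
    decisions = []
    for ctx in samples:
        decisions.append(decide(kind, ctx, policy))
        if decisions[-1] == "deny":
            break
    return decisions

# Constructed policy and session: trust degrades while the session is open.
POLICY = Policy(frozenset({"person", "device"}), frozenset({"IN", "DE"}), 30, 80)
SESSION = [
    Context(True, "IN", False),   # score 0
    Context(True, "DE", True),    # score 30
    Context(False, "DE", True),   # score 80
    Context(True, "IN", False),   # not reached
]
```

Calling `run_session("person", SESSION, POLICY)` shows a session that was allowed at login being stepped up and then terminated as its context changes, which a one-time check at connection time would miss.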
SASE amounts to a dictum: the future of network security is in the cloud. In a cloud-driven world, your security needs to be unified, fully integrated and consistent, and it should be delivered from the cloud that it’s chartered to protect.
“The secure access service edge is an emerging offering (solutions/services) combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA, etc) to support the dynamic secure access needs of digital enterprises.”
The logic is staring us in the face. As applications move to the cloud, the old method of forcing traffic from all branches, all users and all partners back through the corporate headquarters or data centers no longer makes sense. It makes much more sense to deliver the same network security stack from the cloud, so that traffic destined for the cloud does not have to hit your corporate network and less traffic needs to go to corporate data centers.
SASE is the solution going ahead...
Regardless of the current state of affairs in the cybersecurity industry, where companies have been forced to work with dozens of vendors and use dozens of point products and technologies, the future of network security is in the cloud, and security vendors will have to evolve in order to effectively secure organisations anywhere and everywhere.
What are the 10 tenets of an effective SASE solution?
By removing multiple point products and adopting a single cloud-delivered SASE solution, your organization can reduce complexity; rapidly deploy and scale out remote workers and branch locations; and enforce consistent security no matter where your users are, all while saving significant technical, human, and financial resources.
Here are the 10 tenets of an effective SASE solution, as identified by Palo Alto:
Tenet 1: SD-WAN
Modern companies have already adopted SD-WAN technologies to connect their branch offices to corporate networks and to provide local internet breakout as an alternative to costly MPLS connections. If your company is one of them, a SASE solution lets you deliver the branch architecture entirely from the cloud, enabling branch services, including security and networking, from the cloud. This greatly simplifies the management of your WAN and increases your ROI.
Tenet 2: Zero Trust Network Access
ZTNA requires users who want to connect to an application to first authenticate through a gateway before gaining access. This gives security administrators the ability to identify users and create policies to restrict access, minimize data loss, and quickly mitigate potential threats.
The problem is that many ZTNA products are based on software-defined perimeter (SDP) architectures, which do not provide content inspection. This creates a discrepancy in the types of protection available for each application.
With a SASE service, you build upon ZTNA's key principles and apply them across all the other services within the SASE solution. You identify your users, devices, and applications no matter where they connect from, which greatly simplifies policy creation and management. SASE removes the complexity of connecting to a gateway by incorporating your networking services into a single unified cloud framework.
Tenet 3: Cloud Access Security Broker
CASBs are cloud-based security policy enforcement points that act as a gateway for both your SaaS provider and your employees. A SASE service would offer a CASB as part of the solution, which would greatly help you enforce your company policies for user access and protect their data from hackers.
Tenet 4: Firewall as a Service
You are already using physical or virtual firewalls wherever your users are, whether at HQ, branch offices, data-centers, or the cloud. But most organizations struggle badly to manage dozens of firewalls or more while coping with the explosion of remote users and apps.
As an essential component of SASE, FWaaS offers the same functionality as an NGFW, delivered as a cloud-based service. This helps you greatly by letting you manage your firewall deployments from a single platform.
Tenet 5: Secure Web Gateway
A large number of companies already use SWGs to keep their users and devices from accessing malicious or inappropriate websites. You don't want your users/employees to visit gambling, pornography or streaming entertainment websites (e.g., Netflix). But the problem is that most SWGs are offered as a separate device or service, which results in inconsistent enforcement of policies.
Since a cloud SWG is an integral part of SASE, it gives you complete visibility and control over your entire network, regardless of where your users are located. Scaling is never an issue with SASE.
Tenet 6: Digital Experience Monitoring
User experience is critical for employee satisfaction and productivity. With SASE this aspect becomes autonomous: you gain segment-wise insights across the entire service delivery path, which lets you drive autonomous remediation (troubleshooting) of digital experience problems your users might face at any point in time.
Tenet 7: Threat Prevention
Threat prevention is still the topmost requirement for cybersecurity. Your company might already be using tools such as anti-malware, IPS, file blocking, etc. But the issue is that all these tools are point solutions and usually come from various vendors, which makes their management and integration very difficult for security professionals. They always result in delayed responses to threats/incidents.
In a SASE solution, all these point tools and services come fully integrated into a single cloud platform. This provides simplified management and oversight of all threats and vulnerabilities across your network and cloud environments. Machine learning capabilities should be included in SASE, allowing the prevention of other unknown threats in near-real time and extending visibility and security to all devices, including never-seen-before IoT devices.
Tenet 8: Internet of Things
In a number of posts on IoT, I have already explained that most companies fail to manage the IoT devices that are connected to their corporate network. A number of loopholes are left behind with the usage of IoT devices, and security teams often don't have enough visibility of these devices.
With SASE, IoT security should be integrated into the platform to secure remote branches, sites, and workers from the cloud. By utilizing the cloud, SASE is able to accurately detect devices for full visibility and enforce policies to ensure security across the network, eliminating the need for additional IoT security solutions.
Tenet 9: Data Loss Prevention
Data loss prevention (DLP) tools protect your sensitive data and ensure it is not lost, stolen, or misused. DLP is a composite solution that monitors data within the environments where it is deployed (e.g., networks, endpoints, clouds) and through their egress points. It also alerts key stakeholders when policies are violated.
But most DLP solutions come pre-loaded with many features, disjointed policies, configurations, and workarounds. DLPs have become very complex, difficult to deploy at scale, and too expensive.
In the SASE architecture, DLP is not a standalone solution anymore. It is embedded in the organization’s existing control points, thus eliminating the need to deploy and maintain multiple tools.
DLP becomes one cloud-delivered solution centered around the data itself, everywhere. You could apply the same policies consistently to your sensitive data, at rest, in motion, and in use, regardless of its location.
Tenet 10: Platform Extensibility
Since there are already so many types of cloud-based services, it is imperative for most companies that these services integrate well with an effective SASE solution. It is a must and goes without saying.
A SASE solution should embrace the integration of third-party services too (regardless of which vendor offers them) and simplify the process for administrators by providing a platform that easily integrates other services. To help companies do that, SASE providers need to give them full support.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...