SASE: Looking Into the Future of Remote Network Access
This article introduces the concept of Secure Access Service Edge (SASE), combining network and security functions with Wide Area Network (WAN) capabilities.
The global impact of the COVID-19 pandemic is forcing millions of people to work from home. However, the traditional network and network security models cannot effectively support the remote access requirements of digital businesses.
These changes force IT departments to support critical work-from-home services like videoconferencing and Software-as-a-Service (SaaS) apps. Supporting tens of thousands of employees who are suddenly working from home is a significant challenge for a traditional hub-and-spoke network and its Virtual Private Network (VPN) concentrators, which were sized for a small remote minority.
This post introduces the concept of Secure Access Service Edge (SASE) which combines network and security functions with Wide Area Network (WAN) capabilities to support the dynamic, secure access needs of today’s organizations.
What is SASE?
SASE is a cloud-delivered alternative to the traditional ‘hub-and-spoke’ network topology used to connect users in multiple locations to resources hosted in centralized data centers. The SASE model combines software-defined WAN (SD-WAN) networking with cloud-delivered security functions such as CASB, SWG, FWaaS, and ZTNA, and delivers the combined stack as a single service from a single provider.
As a cloud platform, SASE connects and secures any type of edge based on the identity of the user or device, its real-time location, and the device's posture. This includes mobile devices, branch offices, IoT systems, and edge computing.
What Problems Do SASE Solutions Solve?
In a traditional hub-and-spoke network model, applications and data are stored in a local data center. To access those resources, branch offices, users, and applications connect to the data center through a localized private network or a VPN connection.
This network model works fine when the company expects 10% to 20% of its employees to work remotely at any given time. However, the numbers may reach 50% or 70% with the rise of remote workforces and cloud-based services. Backhauling all of that traffic through the data center creates significant latency and a poor VPN experience. In addition, companies expose themselves to additional risk when employees reach company resources over home or public networks the company does not control.
SASE, on the other hand, places network security and access control at the cloud edge, closer to the user. Enforcing zero-trust access policies at that edge lets a company bring its policy enforcement point to any remote user device, application, or branch office instead of relying on a fixed network perimeter. As a result, organizations get more granular control over their access policies without backhauling traffic through legacy firewalls and VPN concentrators.
Components of the SASE Model
Every SASE offering must include the following core set of essential elements:
Secure SD-WAN—provides advanced WAN networking functions like self-healing, dynamic path selection, consistent user experience, and support for high-performance applications.
Zero-Trust Network Access (ZTNA)—authenticates and authorizes each user and device per application and per session, rather than granting network-level reachability once a tunnel is up. Protected applications are not exposed directly to the internet, so companies can lock down internal resources from public access and reduce the blast radius of a compromised account or device.
Firewall-as-a-Service (FWaaS)—refers to cloud-based firewalls that protect infrastructure, platforms, and applications in the cloud from cyber attacks. In contrast to traditional firewalls, FWaaS is not a physical appliance. FWaaS is a set of security capabilities that includes intrusion prevention, uniform policy management, and URL filtering across all network traffic.
A Secure Web Gateway (SWG)—protects devices and users from web-borne threats by inspecting web traffic for malware and malicious sites and enforcing internet security and compliance policies. SWG also prevents data leakage, ensures compliance with regulations, and enforces acceptable use policies for web access.
A Cloud Access Security Broker (CASB)—is a policy enforcement point that sits between a cloud service consumer and a cloud service provider. CASB prevents data theft and stops malware and other threats from reaching cloud services by enforcing data-protection, threat-protection, and regulatory compliance policies on cloud traffic.
SASE Use Cases
The SASE security model can help organizations in several ways, including securing the remote workforce, protecting access to on-premises apps, and preventing data leakage.
Securing the Remote Workforce
Protecting employees working outside of the office is challenging. When a user is off-network, their traffic no longer passes through the on-premises firewall or proxy-based secure web gateway, so those controls cannot stop phishing attacks or the theft of sensitive information.
SASE solutions leverage CASB, SWG, and ZTNA technology to enable secure access to managed and unmanaged cloud services, websites, and proprietary applications in private data centers and the public cloud. Furthermore, SASE offerings eliminate the need for VPN, hardware appliances, and backhauling traffic. SASE platforms prevent data leakage, stop the spread of malware, authenticate users, filter unsafe content, and ensure consistent protection for any user interaction.
Securing Bring Your Own Device (BYOD)
BYOD is a policy that allows employees to work from personal endpoints. This requires comprehensive security measures, but traditional tools are not equipped for the job. Users are often concerned about giving IT full visibility into their personal apps and data. Security teams often don’t have enough visibility into the personal devices used for work purposes.
SASE solutions provide BYOD security through multi-mode CASBs that offer agentless deployment options. In this mode the CASB uses reverse proxies instead of endpoint agents to monitor access to managed IT resources like corporate IaaS and SaaS resources. This gives real-time visibility and control over enterprise data on personal devices without monitoring users’ personal information. The caveat is that an agentless reverse proxy only sees traffic to the managed apps it fronts; access to unmanaged apps or direct-to-cloud traffic from a personal device remains outside its view.
Protecting Access to On-Premises Apps
Many organizations still keep much of their sensitive data in on-premises applications. Access to these resources has usually been managed by VPN connections that establish encrypted tunnels to the corporate network. However, VPNs rely on expensive appliances, they do not scale well, they introduce latency, and once connected a user typically has network-level reachability to far more than the one application they need.
SASE platforms leverage zero-trust network access to protect specific on-premises resources by enforcing real-time data and threat protection policies. These solutions are deployed in the public cloud for performance and scalability. Once SASE platforms are deployed, they can secure sensitive or regulated information, block uploads of malware, and extend contextual access to key apps, files, and web analytics tools.
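The contrast between VPN-style network access and ZTNA-style per-application access, described above and in the "Components of the SASE Model" section, as an added example that is not part of the original article or any vendor's product. The policy engine below is hypothetical: once a VPN tunnel is up, every application on the network is reachable, whereas the ZTNA decision is made per request from identity, group membership, device posture and location, with deny as the default. The rules, users and device attributes are constructed for illustration.

```python
"""Hypothetical ZTNA-style policy decision point (added example, not vendor code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Signals a SASE edge would collect for one request (constructed fields)."""
    user: str
    groups: frozenset          # identity-provider group memberships
    mfa: bool                  # strong authentication completed this session
    device_managed: bool       # enrolled in MDM / known corporate device
    disk_encrypted: bool       # posture signals reported by the endpoint
    os_patched: bool
    country: str               # derived from the egress location


@dataclass(frozen=True)
class Rule:
    """Per-application access rule; empty allowed_countries means any country."""
    app: str
    groups: frozenset
    require_mfa: bool = True
    require_managed: bool = True
    allowed_countries: frozenset = frozenset()


# Constructed policy: the HR portal is reachable only for the hr group from a
# healthy managed device in two countries; the wiki is open to all employees,
# including unmanaged (BYOD) devices, as long as MFA was completed.
POLICY = (
    Rule("hr-portal", frozenset({"hr"}), allowed_countries=frozenset({"US", "DE"})),
    Rule("wiki", frozenset({"employees"}), require_managed=False),
)


def device_healthy(ctx: Context) -> bool:
    """A managed device must also pass its posture checks to count as healthy."""
    return ctx.device_managed and ctx.disk_encrypted and ctx.os_patched


def vpn_access(ctx: Context, app: str) -> str:
    """VPN model: once authenticated, the whole network is reachable.

    The app name is ignored because the VPN enforces nothing per application."""
    return "allow" if ctx.mfa else "deny"


def ztna_access(ctx: Context, app: str) -> tuple:
    """ZTNA model: default deny, evaluated per request and per application.

    Returns (decision, reason) so the reason can go into the audit log."""
    rule = next((r for r in POLICY if r.app == app), None)
    if rule is None:
        # Unknown app: nothing is published, so the app is invisible to the user.
        return "deny", "no rule publishes this application"
    if not (rule.groups & ctx.groups):
        return "deny", "user is not in an authorized group"
    if rule.require_mfa and not ctx.mfa:
        return "deny", "MFA not completed for this session"
    if rule.require_managed and not device_healthy(ctx):
        return "deny", "device is unmanaged or fails posture checks"
    if rule.allowed_countries and ctx.country not in rule.allowed_countries:
        return "deny", f"access from {ctx.country} not permitted for {app}"
    return "allow", "identity, device posture and location satisfy policy"


def audit_line(ctx: Context, app: str) -> str:
    """One structured log line per decision, as a SASE edge would emit."""
    decision, reason = ztna_access(ctx, app)
    return f"user={ctx.user} app={app} country={ctx.country} decision={decision} reason=\"{reason}\""


if __name__ == "__main__":
    alice = Context("alice", frozenset({"employees", "hr"}), True, True, True, True, "US")
    bob_byod = Context("bob", frozenset({"employees"}), True, False, False, False, "FR")
    for who in (alice, bob_byod):
        for app in ("hr-portal", "wiki", "payroll-db"):
            print(f"vpn={vpn_access(who, app):5s} | {audit_line(who, app)}")
```

The point of the two functions side by side is the failure mode the text describes: `vpn_access` returns `allow` for `payroll-db` for any authenticated user because the VPN never looks at the application, while `ztna_access` denies it for everyone because no rule publishes it.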
Preventing Data Leakage
Leakage of sensitive information like Personally Identifiable Information (PII), or Protected Health Information (PHI) can expose organizations to identity theft and spear-phishing schemes. Additionally, companies can be exposed to fines due to regulatory noncompliance, and create a loss of brand reputation that impacts overall business success.
A key objective of SASE platforms is to prevent data leakage in any device, app or attempted action. This is achieved through an integrated approach that combines technologies like SWGs, CASBs, and ZTNA. In addition, SASE platforms protect data at rest in managed cloud apps through DLP capabilities like quarantine and encryption. SASE also prevents leakage at access with real-time capabilities like redact and Digital Rights Management (DRM).
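The redaction capability described above, as an added example rather than code from the article or a SASE vendor. A real DLP engine uses many more detectors; this hypothetical one shows the two points that matter in practice: pattern matches alone produce noise, so a payment card number is validated with the Luhn checksum before it counts, and redaction keeps only a short tail so support staff can still correlate a record. The sample text is constructed; `4111 1111 1111 1111` is a well-known test card number.

```python
"""Hypothetical inline DLP detector and redactor (added example, not vendor code)."""
import re

# 13-19 digits with optional single space or hyphen separators (payment cards).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize_card(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_sensitive(text: str) -> list:
    """Return (kind, normalized_value) for each validated finding in order of position."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = _normalize_card(m.group(0))
        if luhn_ok(digits):                 # drop order numbers etc. that merely look like cards
            findings.append((m.start(), "card", digits))
    for m in SSN_RE.finditer(text):
        findings.append((m.start(), "ssn", m.group(0)))
    findings.sort()
    return [(kind, value) for _, kind, value in findings]


def redact(text: str) -> str:
    """Replace validated findings in place, keeping only the last four characters."""
    def card_sub(m):
        digits = _normalize_card(m.group(0))
        return f"[CARD ****{digits[-4:]}]" if luhn_ok(digits) else m.group(0)

    def ssn_sub(m):
        return f"[SSN ***-**-{m.group(0)[-4:]}]"

    return SSN_RE.sub(ssn_sub, CARD_RE.sub(card_sub, text))


if __name__ == "__main__":
    sample = ("Refund to card 4111 1111 1111 1111 for customer 123-45-6789, "
              "order 1234 5678 9012 3456")          # constructed sample
    print(find_sensitive(sample))
    print(redact(sample))
```

Redaction at access time, as the text describes, would run `redact` on the response before it reaches an unmanaged device, while `find_sensitive` is what a quarantine decision for data at rest would be based on.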
Securing Infrastructure as a Service (IaaS)
IaaS is a form of cloud computing that delivers on-demand storage, compute, and network resources, over the internet, and on a pay-as-you-go basis. The cloud-based infrastructure of IaaS platforms like Microsoft Azure, and Amazon Web Services (AWS) is usually outside the reach of traditional security tools. While IaaS platforms provide some native security and compliance features, there are multiple gaps.
SASE platforms scan the IaaS environment to discover sensitive data. When sensitive data is found, the platform can apply remediation such as encryption to prevent unauthorized access and use. In addition to data protection, SASE solutions secure access to custom applications built on IaaS platforms, granting access based on contextual variables like device, location, and user group. Furthermore, SASE leverages Cloud Security Posture Management (CSPM) capabilities to scan IaaS accounts for misconfigurations and noncompliance, for instance by detecting public-facing storage buckets that contain confidential information.
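The public-bucket check mentioned above, as an added example that is not the article's or any CSPM product's code. It evaluates two constructed AWS S3 artifacts offline: a bucket policy document and a bucket ACL in the shape the S3 API returns them. A statement is flagged as public when it allows an anonymous principal with no `Condition` at all; a wildcard principal that carries a condition is reported separately for human review, since a condition such as a source VPC endpoint may or may not actually restrict it. The bucket names and policies are invented for the example.

```python
"""Hypothetical CSPM-style public bucket check (added example, not vendor code)."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _principal_is_anonymous(principal) -> bool:
    """Principal may be "*", {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def check_bucket_policy(bucket: str, policy_json: str) -> list:
    """Return findings for Allow statements that grant access to everyone."""
    findings = []
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "Condition" in stmt:
            findings.append((bucket, "review", f"wildcard principal with condition: {sorted(actions)}"))
        else:
            findings.append((bucket, "public", f"anonymous principal allowed {sorted(actions)}"))
    return findings


def check_bucket_acl(bucket: str, acl: dict) -> list:
    """Return findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            who = "AllUsers" if uri == ALL_USERS else "AuthenticatedUsers"
            findings.append((bucket, "public", f"ACL grants {grant.get('Permission')} to {who}"))
    return findings


# Constructed inputs in the shape returned by get-bucket-policy / get-bucket-acl.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::reports-bucket/*"}],
})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"}],
})
CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": ["*"]},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::vpc-bucket/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}],
})
PUBLIC_READ_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}


def scan_all() -> list:
    """Run both checks over the constructed inventory and return every finding."""
    return (check_bucket_policy("reports-bucket", PUBLIC_POLICY)
            + check_bucket_policy("app-bucket", PRIVATE_POLICY)
            + check_bucket_policy("vpc-bucket", CONDITIONAL_POLICY)
            + check_bucket_acl("reports-bucket", PUBLIC_READ_ACL))


if __name__ == "__main__":
    for bucket, severity, detail in scan_all():
        print(f"{severity:7s} {bucket}: {detail}")
```

Against a live account, the same two functions would be fed the output of the S3 `GetBucketPolicy` and `GetBucketAcl` calls for each bucket; the sensitive-data discovery step the text describes would then decide which of the public buckets actually matter.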
The Future is SASE
SASE is in the early stages of development. The demand for SASE solutions is driven by the adoption of SaaS, edge computing, and other cloud-based services. These services are often accessed by increasingly distributed and mobile workforces. Gartner predicts that by 2024, at least 40% of organizations will have explicit strategies to adopt SASE, compared to only 1% in 2018. In addition, by 2025, at least one of the leading IaaS providers will offer a competitive suite of SASE capabilities.
Opinions expressed by DZone contributors are their own.