SASE Architecture: The Evolution of Network Security

It is increasingly difficult for businesses large and small to achieve the level of cybersecurity required to stay protected in today’s elevated threat environment. With more people than ever working remotely due to the COVID-19 pandemic, the effectiveness of traditional on-premises cyber-protection is limited, and hackers are targeting the new vulnerabilities that have been exposed. For example, cybercriminals jumped on the opportunities presented by insecure Remote Desktop Protocol (RDP) ports, which were often used to enable remote workers. Cyberattacks skyrocketed in the months following the initial COVID-related lockdowns.

Of course, COVID only accelerated a trend that was already underway. Securing corporate IT assets had already become more difficult due to increasing reliance on cloud services. Old ways of securing corporate IT assets are no longer adequate. One emerging solution architecture that has gained traction to help secure modern distributed organizations is called Secure Access Service Edge (SASE, pronounced “sassy”).

SASE is more than simply another new network security technology–much more. SASE is a new paradigm in network security, a significantly different architectural approach for securing IT assets.

Past, Present, and Future Network Architectures

To understand the forces driving the new SASE architecture, it’s helpful to start with a look back at how networks have evolved.

The Past

Ten years ago, the data center was king. Pretty much all corporate software and data were hosted in the data center. For the most part, users worked in the office, using apps and data available via the local area network (LAN). There was some need to access the internet, and there were some users (often salespeople) who worked remotely, typically accessing the corporate network using a Virtual Private Network (VPN). The network architecture looked like a hub with spokes: the data center was the hub at the center, with a limited number of “spokes” representing remote users and connections to the internet. Everything was controlled from the center.

The Present

As mentioned above, two factors have radically changed the way today’s networks look: 1) migration to the cloud; 2) a dramatic rise in the number of remote workers that will influence working patterns long after the pandemic winds down.

“The cloud” is a term that can include many different services. “Cloud” could include:

• Software-as-a-Service (SaaS). Software is increasingly provided as an app you access over the internet rather than as a program that’s installed on your servers or computers.
• Infrastructure-as-a-Service (IaaS). Instead of spending money on hardware installed in a data center, enterprises can now rent or lease servers in the cloud, offering a great deal more flexibility. This is sometimes referred to as a “Virtual Private Cloud.”
• Platform-as-a-Service (PaaS). PaaS is similar to IaaS, except it includes software tools to support web application development.
• Private Cloud. This is your data center: Remote workers access the data center via the internet, conceptually making it part of the cloud.

With corporate IT assets found both in the data center and in the cloud, and users increasingly likely to access IT services remotely, today’s network architecture now looks more like a bowl of spaghetti rather than the neat hub and spoke diagram of the past.

Cloud-based apps are often outside the direct control of a company’s network administrators. At the same time, many cloud-based apps need to access data and files that may be hosted on the company’s servers. All of these connections can create vulnerabilities, and IT department may have limited visibility into them and even less ability to control and manage them. From a security standpoint, these new distributed perimeter-less environments introduce a host of new risks.

The big challenge is that yesterday’s tools are being used to manage today’s complex environment. Cybercriminals no longer need to figure out ways to breach the powerful perimeter defenses put in place to protect companies’ internal networks. Instead–or in addition–they can launch attacks on remote users, or infiltrate cloud-based apps or data.

Attempts to route all traffic through the data center for security processing are often futile or result in frustrating latency and interruptions in service. With no central point of command, network administrators have incomplete visibility into potential problems and limited ability to enforce policies throughout the network. Cybersecurity is often a patched-together hodge-podge with different pieces of hardware and software that don’t talk to each other and holes in the defenses that cybercriminals can easily step through.

The Future

Existing cybersecurity architectures often require system administrators to trade off ease of use and convenience with security. The goal of migrating to SASE is “to have your cake and eat it too” – a convenient, seamless experience for users with much better security for the company’s IT assets, regardless of where they are located.

Network architectures are likely to remain complex and messy for years to come. Most companies will continue to need data centers even as more resources move to the cloud. Some workers will be working from within a facility where they connect to an internal company network, while many others will be working remotely. The big change is that cybersecurity will be managed in a completely different way: from the cloud.

The SASE Revolution: Cloud-Based Security

SASE disrupts the data center’s role as a hub and addresses the fact that it is no longer relevant—or even possible—to create secure perimeters to protect the resources within. Instead, the network security perimeter is moved to the cloud, close to the “service edge,” shared by users and the resources being accessed.

Corporate networks have historically evolved over time with new point solutions being added to address specific needs. As new offices were opened, they were equipped with their own firewalls to enable a secure connection to the internet. As data traffic flow increased and private Wide Area Network (WAN) costs grew, many companies added SD-WAN (software-defined WAN) that allowed them to offload some of their private LAN traffic to the public internet. Each of these separate pieces was operated individually and provided different protections, resulting in the accumulation of technological debt — silos that are complex to manage and that frequently contain weak points or vulnerabilities.

In contrast, SASE is a cloud-native approach, not a legacy approach adapted to the cloud. It combines SD-WAN capabilities with security components that provide security as a service. These are some of the key characteristics of SASE architecture.

Identity-Driven

The traditional cybersecurity approach is typically driven by physical location. SASE instead focuses on identity. Every user, every device, every app, has an identity, and that unified identity is used to determine the risk of different IT access and use flows. Focusing on identity enables the use of risk-driven security controls that are context-aware. Identity and Access Management (IAM), combined with Multi-Factor Authentication (MFA) are foundational components of any SASE solution.

Enables Comprehensive Zero Trust Network Access (ZTNA)

One of the most important shifts in combatting today’s cybersecurity threats is the move to Zero Trust Network Access (ZTNA). In older perimeter-based security approaches, little attention was paid to lateral movement traffic between internal servers; all the effort went into securing the perimeter. A shortcoming of this approach is that in the event of a breach a lot of damage can be done. Zero Trust security does not rely on authentication coupled with anti-malware software alone, and it views all network traffic and all users as potentially suspicious. For example, ZTNA and identity-based segmentation (microsegmentation) approaches can be used to enforce least privilege access controls, which give users access to only the limited set of resources they truly need to do their jobs. With these controls are in place, the impact of a breach is dramatically reduced, since hackers cannot easily move within a network.

Globally Distributed

For larger organizations with employees and partners either located or traveling to multiple locations around the world, SASE platforms must be globally accessible via a distributed cloud platform. This allows for always-on security to be “pushed” close to users, wherever they are. As such, SASE providers need to deploy Points of Presence (PoPs) close to users, business locations, and cloud application providers to enable low-latency service at the edges. Gartner points out that this may mean going beyond the footprints of any one of the major public cloud providers (Amazon, Microsoft, Google, and Oracle) in order to ensure acceptable performance.

Conclusion

Old approaches to network security are simply incapable of keeping up with today’s complicated networking environment and the proliferation of cyberthreats that can inflict major damage on businesses and governments. Secure Access Service Edge (SASE) provides a completely different architecture for network and cloud security that enables protection for all users, whether in the office, at home, or on the road, and all assets, whether on a server in the corporate data center or residing in the cloud.

ZTEdge provides a comprehensive and simple SASE solution designed for midsize enterprises that can be quickly deployed at an extremely affordable cost. Request a demo to learn more.

---

Share this on:

---

About Gerry Grealish

Gerry Grealish, ZTEdge CMO, is a security industry veteran, bringing over 20 years of marketing and product experience in cybersecurity, cloud, analytics, and related technologies. Responsible for marketing and business development, Gerry previously was at Symantec, where he led the product marketing and go-to-market activities for the company’s broad Network Security portfolio. Prior to Symantec, Gerry was at Blue Coat, which he joined as part of Blue Coat’s acquisition of venture-backed Cloud Access Security Broker (CASB) innovator, Perspecsys, where he was Chief Marketing Officer.