Our series to date has looked at the various features and benefits of SD-WAN and related considerations with adoption, deployment and operation. Increasingly however, many if not all SD-WAN discussions include a significant security element which in itself has taken on a new dynamic with recent changes to how we work and how we deploy network services. This focus on security can be seen across the industry as more and more partnerships and integrations between respective vendors and platforms are announced.
Recognising this trend early, Gartner in 2019 defined the Secure Access Service Edge and coined the term SASE (pronounced "sassy"), tying together SD-WAN, managed security and edge compute in a single architecture.
The motivation for this as outlined by Gartner is straightforward:
Digital transformation and adoption of mobile, cloud and edge deployment models fundamentally change network traffic patterns, rendering existing network and security models obsolete
The change in network traffic patterns is essentially the inversion of network access requirements with more users, devices, applications, services and data now located outside of the enterprise than inside. Legacy networking and network security architectures were designed for a world that has been turned inside out with more user work performed off the enterprise network than on the enterprise network and more traffic from branch sites and remote offices heading to public clouds than to the enterprise HQ.
The requirement to reduce both complexity and latency is driving the need to decrypt and inspect encrypted traffic once only. In turn this is increasing demand for consolidation of networking and security-as-a-service capabilities into a cloud-delivered secure access service edge.
Secure access service edge (SASE) is a network architecture that combines WAN capabilities with cloud-native security functions such as secure web gateways (SWG), cloud access security brokers (CASB), firewalls and zero-trust network access (ZTNA).
In a nutshell – SASE combines SD-WAN and security functionalities into one cloud-based service.
Secure Access – The Importance of Identity
A SASE architecture enables end-to-end security whether the source is a remote worker, a branch location, or a HQ unit. Threat prevention capabilities inherent to SASE include encryption of all communications, firewalls, URL filtering, anti-malware and intrusion prevention systems (IPS).
Secure access is a key element of SASE architecture and in a SASE world “identity” is king.
SASE capabilities are delivered, and access privileges enforced by policies based on user identities, context, enterprise security/compliance policies and continuous assessment of risk/trust during sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations. As a result, identities are the new network perimeter. The network perimeter is no longer a specific location but instead its definition is expanded to encompass network users or devices irrespective of their whereabouts, i.e. identities are where network connectivity and security services are delivered from the cloud.
SASE implementations will still require an on-premises equipment footprint – the core SD-WAN component of SASE – but it will be a smaller footprint, resulting in the transition to the thin branch. Furthermore, with the migration to uCPE this on-premises equipment will be hardware neutral.
Gartner have segmented SASE components into three categories:
- Core Components: SD-WAN, SWG, CASB, ZTNA and FWaaS, all with the ability to identify sensitive data/malware and all with the ability to encrypt/decrypt content at line speed, at scale with continuous monitoring of sessions for risk/trust levels.
- Recommended Capabilities: Web application and API protection, remote browser isolation, recursive DNS, network sandbox, API-based access to SaaS for data context, and support for managed and unmanaged devices.
- Optional Capabilities: Wi-Fi hot spot protection, network obfuscation/dispersion, legacy VPN, and edge computing protection (offline/cached protection).
SASE facilitates the delivery of a rich set of network and security services in a consistent and integrated manner to support the needs of digital business transformation, edge computing and workforce mobility, giving rise to the following benefits:
- Reduction in complexity and lower operational expenses due to a cloud-first thin edge architecture and the convergence of technology stacks – organisations can reduce the cost and complexity of deploying multiple network and security appliances across the entire enterprise network
- Enablement of new digital business scenarios, e.g. allowing enterprises to make their applications, services, APIs and data securely accessible to partners and contractors, without the risk exposure of legacy VPN and legacy demilitarised zone (DMZ) architectures
- Improvement in performance/latency due to latency optimised routing across global PoPs
- Ease of use/transparency for users by reducing the number of agents required on a device or the amount of CPE at a branch and a consistent access experience, regardless of where the users are, what they are accessing and where it is located
- Improved security – any access session can be inspected, and the same set of policies applied consistently regardless of where the user/device is located
- Enablement of zero trust network access (ZTNA) – one of the principles of a zero trust networking approach is that network access is based on the identity of the user, the device and the application, not on the IP address or physical location of the device
- Centralised policy with local enforcement – SASE allows cloud-based centralised management of policy with distributed enforcement points logically close to the entity and including local decision making where needed.
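To make the identity-centric, continuously assessed access model described above concrete, here is an added illustrative policy engine (not code from Gartner or any SASE vendor). It assumes hypothetical `Identity`, `AppPolicy` and `Session` types: a decision is driven by who the user is, what group they belong to, the device posture and a running session risk score, while the IP address and location are deliberately absent from the inputs; a `Session` re-runs the policy whenever a new risk signal or posture change arrives, so a grant can be revoked mid-session.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Identity:
    """Who or what is requesting access: user, entitlements and device posture.
    Note there is no IP address or location field (constructed example type)."""
    user: str
    groups: frozenset
    device_managed: bool
    device_compliant: bool

@dataclass(frozen=True)
class AppPolicy:
    """Per-application rule: defined centrally, enforced at every edge."""
    app: str
    allowed_groups: frozenset
    require_managed_device: bool
    max_session_risk: int  # 0..100; a session above this is cut off

def decide(identity, policy, risk):
    """Return (allow, reason). Evaluated at connect time and again on every signal."""
    if not identity.groups & policy.allowed_groups:
        return False, "identity not entitled to " + policy.app
    if policy.require_managed_device and not identity.device_managed:
        return False, "unmanaged device"
    if not identity.device_compliant:
        return False, "device posture non-compliant"
    if risk > policy.max_session_risk:
        return False, f"session risk {risk} exceeds {policy.max_session_risk}"
    return True, "allowed"

class Session:
    """Holds an access grant and re-evaluates it as risk/posture signals arrive."""
    def __init__(self, identity, policy, risk=0):
        self.identity, self.policy, self.risk = identity, policy, risk
        self.active, self.reason = decide(identity, policy, risk)

    def observe(self, risk_delta, posture=None):
        """Continuous assessment: clamp the new risk score, apply any posture
        change, and re-run the same policy; returns whether the session survives."""
        self.risk = max(0, min(100, self.risk + risk_delta))
        if posture is not None:
            self.identity = replace(self.identity, device_compliant=posture)
        self.active, self.reason = decide(self.identity, self.policy, self.risk)
        return self.active

# Constructed sample data: a finance user on a managed, compliant laptop
# and a payroll application that only finance may reach from managed devices.
ALICE = Identity("alice", frozenset({"finance"}), True, True)
PAYROLL = AppPolicy("payroll", frozenset({"finance"}), True, 60)
```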
SD-WAN Managed Service – the on-ramp to SASE
SASE adoption will be driven by:
- Digital transformation in general
- Network upgrades, specifically WAN modernisation (SD-WAN) projects
- Network security refresh cycles
- Secure access projects to connect to SaaS applications
SASE is a network architecture that integrates SD-WAN capabilities with cloud-native security functions. By combining SD-WAN and security, SASE delivers the optimal mix of performance, availability, usability and cost. SASE, in essence, is the combination of managed SD-WAN and security as a service, making SD-WAN the logical and essential starting point for SASE implementation journeys.