In a Hybrid-Cloud World, Network and Security are One
Explaining SASE and its power to enable today’s distributed, heterogeneous IT environments.
Secure Access Service Edge, or SASE, is the term Gartner introduced a few years ago to describe what a modern cloud-based network should be capable of. It combines SD-WAN with a variety of security capabilities, all hosted in the cloud and consumed as a service. It’s meant to reflect the dynamic, distributed nature of today’s organizations and the security threats they face.
The traditional centralized security models struggle in a world where IT environments tend to sprawl, requiring more and more additional tools to operate securely. As a result, while providing a lot of control, they suffer from complexity and scalability challenges. The approach enabled by SASE, which assumes decentralization as a fundamental principle, promotes flexibility.
The decision whether or not to implement a SASE-type architecture should start with an assessment of the organization’s specific requirements. This article describes the core features of SASE, an example implementation process and, finally, its implications for organizations operating in a hybrid multicloud world. (It’s worth mentioning that Gartner has also produced a related framework that unifies just the security functions in a single cloud service, calling it Secure Service Edge, or SSE. Here’s a good breakdown of the differences between SSE and SASE.)
Core Capabilities of SASE
SASE encapsulates a number of important networking and security functions, but it isn’t a singular solution or product. While there are several single-vendor SASE offerings on the market, SASE itself is more of a concept, a framework that integrates various components with the goal of forming a more agile network with a strong security architecture.
Here are the core building blocks of SASE. Together, they represent a fundamental rethinking of how a network and network security are designed, deployed and managed:
- Software-Defined WAN: SD-WAN technology allows organizations to create and manage high-performing, reliable and secure WAN connections. By leveraging a cloud-native architecture, SD-WAN offers flexible and scalable network solutions that adapt to the dynamic needs of modern businesses.
- Firewall as a Service: FWaaS delivers firewall capabilities through a cloud-based model, eliminating the need for traditional hardware. This provides centralized management and consistent policy enforcement across the network, as well as the ability to easily scale with business demand (traditional firewalls’ physical limitations are removed).
- Zero-Trust Network Access: ZTNA is a "never trust, always verify" philosophy, ensuring that no user or device is trusted implicitly, regardless of location. Taking into account the fact that any user or device, anywhere, can be compromised at any moment, this access control strategy constantly verifies all users and devices, reducing the risk of unauthorized access and potential breaches.
- Cloud Access Security Broker: CASB solutions act as gatekeepers between on-premises devices and cloud service providers. They enforce security policies and compliance requirements, ensuring that sensitive data is properly handled, and that unauthorized access is prevented.
- Secure Web Gateway and Secure Email Gateway: SWG solutions provide real-time Web threat protection by filtering unwanted content or malware coming from the internet and detecting malicious activity. SEGs protect against email threats such as phishing and malware.
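To make the "never trust, always verify" principle concrete, here is an added example (not code from the article or from any vendor’s product) of a minimal policy decision point of the kind a ZTNA broker runs on every request. It evaluates identity, MFA freshness, device posture and resource sensitivity together; the group names, sensitivity tiers, MFA age limits and patch-age threshold are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Identity:
    user: str
    groups: frozenset
    mfa_verified_at: Optional[datetime]   # last successful MFA, None if never


@dataclass
class Device:
    device_id: str
    managed: bool            # enrolled in the organization's device management
    disk_encrypted: bool
    os_patch_age_days: int


@dataclass
class Resource:
    name: str
    sensitivity: str         # "low", "medium" or "high"
    allowed_groups: frozenset


# Assumed policy values for the example: how fresh an MFA proof must be per tier.
MFA_MAX_AGE = {
    "low": timedelta(hours=12),
    "medium": timedelta(hours=1),
    "high": timedelta(minutes=10),
}
MAX_PATCH_AGE_DAYS = 30


def evaluate(identity: Identity, device: Device, resource: Resource, now: datetime):
    """Decide one request. Returns (allowed, reasons); reasons lists every failed check.

    The point of ZTNA is that this runs on every request from every location:
    being on the corporate LAN or holding an old session grants nothing by itself.
    """
    reasons = []
    if not identity.groups & resource.allowed_groups:
        reasons.append("user is not in a group allowed for this resource")
    max_age = MFA_MAX_AGE[resource.sensitivity]
    if identity.mfa_verified_at is None or now - identity.mfa_verified_at > max_age:
        reasons.append(f"MFA proof older than {max_age} for a {resource.sensitivity} resource")
    if resource.sensitivity != "low" and not device.managed:
        reasons.append("unmanaged device may only reach low-sensitivity resources")
    if resource.sensitivity == "high" and not device.disk_encrypted:
        reasons.append("disk encryption required for high-sensitivity resources")
    if device.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"device patch level older than {MAX_PATCH_AGE_DAYS} days")
    return (not reasons, reasons)


def run_samples():
    """Constructed requests: the same user is allowed, then refused, as device
    posture and MFA freshness change. Returns {label: (allowed, reasons)}."""
    now = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    alice = Identity("alice", frozenset({"finance"}), mfa_verified_at=now - timedelta(minutes=5))
    alice_stale_mfa = Identity("alice", frozenset({"finance"}), mfa_verified_at=now - timedelta(hours=2))
    laptop = Device("lap-01", managed=True, disk_encrypted=True, os_patch_age_days=3)
    home_pc = Device("home-pc", managed=False, disk_encrypted=False, os_patch_age_days=90)
    ledger = Resource("ledger", "high", frozenset({"finance"}))
    wiki = Resource("wiki", "low", frozenset({"finance", "engineering"}))
    return {
        "alice laptop -> ledger": evaluate(alice, laptop, ledger, now),
        "alice home pc -> ledger": evaluate(alice, home_pc, ledger, now),
        "alice home pc -> wiki": evaluate(alice_stale_mfa, home_pc, wiki, now),
        "alice stale mfa laptop -> ledger": evaluate(alice_stale_mfa, laptop, ledger, now),
    }
```

Note that the same user on the same managed laptop is refused the moment the MFA proof is older than the tier allows; the decision depends on the request’s current context, not on a session established earlier.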
Other Common Features
The Gartner model considers the five core features described above. However, implementations of what can be described as SASE tend to have a few additional characteristics, which are really features that are common across modern networks:
- Intrusion Detection and Prevention System, Unified Management: IDPS monitors network traffic for malicious activity, while Unified Management centralizes control of the various SASE components. Together, they provide an integrated approach to security, enhancing both efficiency and effectiveness.
- Software-Defined Perimeter, Data Loss Prevention: A Software-Defined Perimeter ensures that network resources are accessed only by authorized entities. DLP tools monitor and control data transfer, reducing the risk of sensitive information leaking outside the organization.
- Global Network of Edge PoPs: Cloud services that provide SASE capabilities are delivered using a worldwide network of Points of Presence (PoPs), enabling low-latency access from anywhere in the world.
- User and Device Context Awareness: This feature provides continuous insight into user behavior and device status, enabling more granular control and adaptive security measures.
- API and Integration Support: SASE solutions’ compatibility with various APIs ensures seamless integration with existing infrastructure and third-party applications. This fosters a unified ecosystem where all elements can work in harmony.
- Encrypted Traffic Inspection: Encrypted traffic inspection adds another layer of security by examining encrypted data packets. This ensures that hidden threats within encrypted channels are detected and mitigated.
- Identity and Access Management: IAM ensures that the right individuals have access to the right resources at the right times and for the right reasons. It plays a critical role in preventing unauthorized access and in supporting regulatory compliance.
The combination of these technologies and the core SASE capabilities is a responsive and scalable solution that meets the requirements of modern organizations.
SASE and AI
Recently, vendors have started adding AI capabilities to their SASE solutions. AI further changes the nature of network and security management, enabling things like proactive mitigation of security issues, automated incident response, routing optimization, false alarm volume reduction and more.
AI models’ superior pattern recognition ability can greatly improve threat detection and response processes. By continuously analyzing network behavior, a model can identify unusual patterns that indicate a threat even the most experienced human professionals might miss. This capability also enables instant response, either minimizing damage from an attack or repelling one altogether.
AI can optimize routing by applying machine learning to the analysis of traffic patterns. This ensures optimal performance by dynamically adapting to network conditions, reducing latency and avoiding bottlenecks. Automating this is vastly different from the traditional way of making manual network adjustments.
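The underlying mechanism, whether a model or a policy drives it, is application-aware path selection against measured link quality. Here is an added example (not from the article or any SD-WAN product) that uses a deterministic SLA policy rather than a trained model: each WAN link reports latency, loss and jitter, each application class has SLA thresholds, and an established flow is only moved when its current link violates the SLA. The link names, costs, thresholds and measurements are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class LinkStats:
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    cost: int            # relative preference, lower is cheaper


@dataclass
class Sla:
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


# Assumed per-application SLA thresholds for the example.
SLAS = {
    "voice": Sla(max_latency_ms=150, max_loss_pct=1.0, max_jitter_ms=30),
    "saas": Sla(max_latency_ms=250, max_loss_pct=2.0, max_jitter_ms=50),
    "bulk": Sla(max_latency_ms=800, max_loss_pct=5.0, max_jitter_ms=200),
}


def meets_sla(link: LinkStats, sla: Sla) -> bool:
    return (link.latency_ms <= sla.max_latency_ms
            and link.loss_pct <= sla.max_loss_pct
            and link.jitter_ms <= sla.max_jitter_ms)


def select_path(app: str, links: list, current: str = None) -> str:
    """Pick the link for an application class given the latest measurements.

    Hysteresis: a flow already on a link that still meets its SLA stays there,
    so a link that is merely slightly better does not cause constant re-routing.
    """
    sla = SLAS[app]
    if current is not None:
        cur = next((l for l in links if l.name == current), None)
        if cur is not None and meets_sla(cur, sla):
            return current
    candidates = [l for l in links if meets_sla(l, sla)]
    if candidates:
        return min(candidates, key=lambda l: l.cost).name
    # Nothing meets the SLA: degrade gracefully to the least lossy, then fastest, link.
    return min(links, key=lambda l: (l.loss_pct, l.latency_ms)).name


def run_samples():
    """Two constructed measurement rounds: healthy links, then broadband degrading."""
    healthy = [LinkStats("mpls", 40, 0.1, 5, cost=10),
               LinkStats("broadband", 60, 0.5, 15, cost=1),
               LinkStats("lte", 120, 1.5, 40, cost=50)]
    degraded = [LinkStats("mpls", 40, 0.1, 5, cost=10),
                LinkStats("broadband", 300, 4.0, 80, cost=1),
                LinkStats("lte", 120, 1.5, 40, cost=50)]
    first = {app: select_path(app, healthy) for app in SLAS}
    second = {app: select_path(app, degraded, current=first[app]) for app in SLAS}
    return first, second
```

In the second round, voice and SaaS traffic move off the degraded broadband link to MPLS while bulk transfers, whose SLA the degraded link still satisfies, stay put.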
Policy management is another area ripe for switching from manual to automated management. Done manually, it’s a burden to operations teams—more so in complex and distributed environments. AI can assist by automating creation, deployment and enforcement of policies. Then it can adjust them in real time, ensuring that the policies are always aligned as the organization’s needs and compliance requirements change.
AI can also help with ZTNA (one of the core SASE capabilities) by monitoring user or device activity on the network. Most security incidents start with a breach of a user account. An AI-powered monitoring solution can quickly notice abnormal user activity and shut down that user’s access across the environment instantaneously, as opposed to waiting for a human (or several humans) to get a notification, investigate and take action.
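As an added example (not code from the article or from any vendor), here is the shape of that monitoring loop with a simple per-user behavioral baseline in place of a trained model: each sign-in event is scored against the countries, devices and hours previously seen for that user, and an anomalous successful sign-in produces a session-revocation action rather than only an alert. The log lines, score weights and threshold are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in log for the example: timestamp, user, source country,
# device id, outcome. The last three lines are the anomalous sequence.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice US dev-a1 success
2024-05-01T09:40:03Z alice US dev-a1 success
2024-05-02T08:55:47Z alice US dev-a1 success
2024-05-03T10:12:30Z alice US dev-a1 success
2024-05-03T10:20:05Z bob DE dev-b7 success
2024-05-04T09:05:00Z bob DE dev-b7 success
2024-05-05T03:14:09Z alice RO dev-x9 failure
2024-05-05T03:14:31Z alice RO dev-x9 failure
2024-05-05T03:15:02Z alice RO dev-x9 success
"""


def parse_event(line: str) -> dict:
    ts, user, country, device, outcome = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "country": country, "device": device, "outcome": outcome}


class Baseline:
    """Per-user profile of what has been seen before: countries, devices, hours."""

    def __init__(self):
        self.countries = defaultdict(set)
        self.devices = defaultdict(set)
        self.hours = defaultdict(set)
        self.failure_streak = defaultdict(int)

    def score(self, ev: dict):
        """Weighted deviation from the user's own history (weights are assumed)."""
        u, points, why = ev["user"], 0, []
        if self.countries[u] and ev["country"] not in self.countries[u]:
            points += 3
            why.append("new country")
        if self.devices[u] and ev["device"] not in self.devices[u]:
            points += 2
            why.append("new device")
        if self.hours[u] and ev["ts"].hour not in self.hours[u]:
            points += 1
            why.append("unusual hour")
        if self.failure_streak[u] >= 2:
            points += 2
            why.append("preceded by repeated failures")
        return points, why

    def learn(self, ev: dict):
        u = ev["user"]
        self.countries[u].add(ev["country"])
        self.devices[u].add(ev["device"])
        self.hours[u].add(ev["ts"].hour)


def analyze(log_text: str, threshold: int = 5) -> list:
    """Stream the log, score each event against the baseline as it stood before
    the event, and return response actions. Only unremarkable successes enrich
    the baseline, so an anomalous successful sign-in does not become 'normal'."""
    base, actions = Baseline(), []
    for line in log_text.splitlines():
        ev = parse_event(line)
        points, why = base.score(ev)
        u = ev["user"]
        if ev["outcome"] == "failure":
            base.failure_streak[u] += 1
            if points >= threshold:
                actions.append({"user": u, "ts": ev["ts"], "score": points, "why": why, "action": "alert"})
            continue
        if points >= threshold:
            # A successful but anomalous sign-in: cut every session for the user and
            # require re-verification, the response the passage above describes.
            actions.append({"user": u, "ts": ev["ts"], "score": points, "why": why, "action": "revoke_sessions"})
        else:
            base.learn(ev)
        base.failure_streak[u] = 0
    return actions
```

Run over the sample, the two failed attempts from a new country and device raise alerts, and the success that follows them scores high enough to revoke the user’s sessions; bob’s ordinary sign-ins never trigger anything. In a real deployment the revocation call would go to the identity provider and ZTNA broker, and the baseline would be persisted rather than rebuilt per run.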
Phased Implementation
SASE is an effective framework for the highly distributed hybrid multicloud environments of today. Implementing it, however, is challenging and doesn’t happen overnight. Here’s what a hypothetical implementation might look like, split into four phases.
Phase 0: Planning
In the all-important planning phase, the team maps out which SASE components it will implement and evaluates the vendors that will be used.
It’s crucial in this phase to get a firm handle on the current state of network and security architecture. The implementation of SASE is a great opportunity to improve any current technologies or processes and fix any known issues or weaknesses.
It’s also important to define what a successful SASE implementation will look like. This will be different for each organization, but a good rule of thumb is to start with the components that will have the strongest positive impact on the environment’s security posture soonest. Showing tangible benefits early on can go a long way in keeping stakeholders and users on board and supportive as more elements of the framework are implemented.
Let’s say that in our example the organization decided that the first three SASE components will be SD-WAN, gateways and ZTNA. SD-WAN is a fundamental building block of SASE, so it’s the natural first thing to implement for any organization that hasn’t yet deployed one. It will ensure the network is optimized and ready to support additional SASE components.
Next in line will be firewalls and secure Web and email gateways. The example organization may have business units operating their own point solutions for Web and email gateways, which are difficult to manage and complicate compliance. A unified cloud-based solution will lower the team’s operational burden and enable immediate threat mitigation.
The third phase, implementing ZTNA, will further secure the environment through unified access controls across the heterogeneous IT footprint at the individual-user level, while setting the stage for potential implementation of BYOD in the future.
Once the first three phases are complete, the implementation will be reviewed and the next set of technologies to adopt will be selected.
Phase 1: SD-WAN
For an organization that does not have an SD-WAN in place, this phase is likely the hardest. It’s important to ensure that the SD-WAN solution not only integrates with existing infrastructure but is also ready for the future of your environment.
Because this is such a critical phase, it calls for extra caution. Since SD-WAN is new to the organization, IT teams should be thoroughly trained on the selected solution to gain the skills needed for implementing, troubleshooting and operating it.
This phase should have a pilot component to test and ensure a smooth rollout, which can take several months, as integration kinks get ironed out.
Phase 2: Gateways and Firewalls
The big goals of this phase are centralized management of all the components, no matter where they are located, and scalability.
Again, the switch to a unified platform from multiple disparate solutions will require training before the implementation.
It’s important to track user experience when implementing gateways. Paying attention to how the changes impact users and how easily users adapt to them can be critical to further adoption of SASE by the organization.
There should be effective processes for collecting user feedback, so that the implementation teams can address problems and better understand the users’ pain points. These processes are also important to the next phase of the implementation.
Phase 3: ZTNA
Now, with the fundamentals in place, the organization can start implementing Zero Trust Network Access. ZTNA implementation can be very challenging, because it impacts all parts of the network and all the users. The feedback mechanisms established in the previous phase should be leveraged here to avoid degradation of the user experience.
ZTNA means continuous verification of devices and users accessing networks and applications, so this phase of the implementation calls for special attention to the monitoring and alerting systems (an area where AI can be of great help).
Network Architecture for a Distributed, Multicloud World
In addition to implementing new tools, adoption of SASE has profound implications for an organization's operations and strategies.
The framework fundamentally enhances security posture in hybrid cloud deployments. It unifies various security functions, delivering them as cloud-native services under central management. This centralization enables consistent, uniform security policies across all endpoints, regardless of their location, be they on premises or in the cloud. It also provides deep visibility into network activity, enabling faster threat detection and response.
The architecture’s adaptability caters specifically to the needs of hybrid clouds. Its core capabilities (SD-WAN, FWaaS, ZTNA, CASB and SWG) enable unparalleled flexibility and scalability. Organizations can quickly adapt to shifting business needs without revamping their entire network infrastructure. Growth becomes more seamless, with the ability to quickly incorporate new services and users.
It also enhances an organization’s ability to support remote work via digital collaboration tools, ensuring that access remains secure anywhere, from any device. Consistency in policy enforcement and reporting mechanisms also helps with regulatory compliance.
SASE is a paradigm shift that fundamentally redefines networking and security, bringing them together in a single, comprehensive framework. This convergence is becoming increasingly crucial as organizations adapt to a decentralized, cloud-centric, interconnected world.