SASE: Finding Value as a Security Solution
As more users, devices, applications, and services move out of the corporate data center and into the cloud, enterprises must consider a change in their security architecture. Some are looking to employ security-as-a-service capabilities as part of a cloud-delivered secure access service edge (SASE).
Security Access by Identity
SASE solutions deliver cloud-based services using the identity of users/endpoints. Identities can be associated with internal and external people, collaboration sessions, devices, applications, Internet of Things (IoT) systems, or edge computing. In addition, SASE solutions enforce security/compliance policies and evaluate risk/trust assessments during sessions. This enforcement is independent of the location of the identity requesting the service.
In the Gartner report “Hype Cycle for Cloud Security, 2019,” SASE was located on the far left of the Hype Cycle at the post-trigger 20% position. It is expected that it will take a few years before SASE becomes mainstream. The Gartner report also stated that comprehensive SASE offerings are emerging; enterprises are slowly implementing them, with adoption rates at about 1% into the near future.
Endpoint identities (devices and people) need access to resources in various Internet-connected networks and sites. Digital businesses require secure access decisions. These decisions can be based on the identity of the device or person, or both.
Endpoint identity needs to be factored into security policy. Other identity sources include location, time of day, the risk and trust of the user’s device, and the application and data sensitivity being accessed. These sources expand the ability to block intrusions while supporting approved users.
Users access and work with multiple applications and resources simultaneously, and each session must adhere to security policies. It is common for a user/endpoint to have more than one session operating at the same time. For example:
- The user may be working with one or more internal applications that need to be monitored.
- As part of the internal application use, the user is participating in a collaboration session with screen sharing that requires monitoring and low latency.
- A user may be working with Google Docs, which does not require low latency.
- A Facebook connection with chat sessions needs to be analyzed for sensitive data, but low latency is not required.
- When Salesforce is employed, the session must be monitored for malware and the use of sensitive data.
- The user may also be accessing personal Internet-based financial accounts that do not need inspection.
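The per-session decisions described above can be sketched as a small policy evaluator. This is an added example, not code from the article or from any SASE product; the application category names, the `SENSITIVE` set, and the rule that an untrusted device is denied corporate applications are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    device_trusted: bool   # risk/trust posture of the endpoint
    app: str               # application category (hypothetical names)

@dataclass(frozen=True)
class Decision:
    allow: bool
    monitor: bool = False       # session activity is monitored
    dlp: bool = False           # inspect for sensitive data
    malware_scan: bool = False  # inspect for malware
    low_latency: bool = False   # route on a low-latency path

# One profile per application in the article's list.
PROFILES = {
    "internal_app":     Decision(True, monitor=True),
    "collaboration":    Decision(True, monitor=True, low_latency=True),
    "google_docs":      Decision(True),
    "facebook_chat":    Decision(True, dlp=True),
    "salesforce":       Decision(True, dlp=True, malware_scan=True),
    "personal_finance": Decision(True),  # no inspection required
}

# Assumption: these categories carry corporate data and need a trusted device.
SENSITIVE = {"internal_app", "collaboration", "salesforce"}

def evaluate(session: Session) -> Decision:
    """Return the enforcement decision for a single session."""
    profile = PROFILES.get(session.app)
    if profile is None:
        return Decision(False)  # default deny for unknown applications
    if session.app in SENSITIVE and not session.device_trusted:
        return Decision(False)  # identity alone is not enough for corporate data
    return profile

def evaluate_user(sessions: list[Session]) -> dict[str, Decision]:
    """Evaluate every simultaneous session of one endpoint independently."""
    return {s.app: evaluate(s) for s in sessions}

if __name__ == "__main__":
    # Constructed sample: one user, three simultaneous sessions, untrusted device.
    live = [Session("alice", False, a)
            for a in ("salesforce", "facebook_chat", "personal_finance")]
    for app, decision in evaluate_user(live).items():
        print(app, decision)
```

Each session of the same user gets its own decision, so an untrusted device can lose access to Salesforce while its Facebook chat is still inspected for sensitive data and its personal banking passes uninspected.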
SD-WAN vs. SASE
As noted above, SASE is offered as network security as a service. This compares to SD-WAN, which is offered in the network-as-a-service model. These are complementary, not competitive. Having SD-WAN and SASE together in a single market and from a single provider allows the enterprise to continue the use of SD-WAN services while deploying SASE. This capability will improve sensitive data awareness, secure the data, and also provide threat detection. SD-WAN security control is data center focused. The cloud service is the security focus with SASE.
Benefits of SASE include:
- Improved security supports content inspection, looking for and locating sensitive data and malware.
- Operational overhead will be reduced because the SASE service will support new capabilities without requiring the enterprise to invest in new hardware and software.
- SASE will block new threats as they emerge without requiring new deployments and foster early adoption of new capabilities.
- Zero trust networking is based on the user, device, and the application identity, which can simplify security policy management. SASE supports end-to-end session encryption with optional web application and API protection that can be extended to Wi-Fi networks.
- SASE will reduce the cost and complexity through a single service provider.
- Security service transparency will reduce the number of software agents required on a device to a single agent.
- SASE delivers centralized policy management with local enforcement employing distributed enforcement points.
Traditional network and network security architectures were designed for the centralized data center and are limited. They do not serve dynamic secure access requirements. Business digital transformation needs the deployment of SaaS, especially for real-time applications, edge computing, IoT, and other cloud-based services. This has stimulated enterprises to reverse their thinking by looking from the network edge rather than looking from the center out.