TOWARDS PERVASIVE SECURITY
SASE redefines network security, enabling organizations to deliver and manage network and security services with more agility and scalability
– By R. Narayan
SASE or Secure Access Service Edge, a term coined by Gartner in 2019, has been redefining the market’s approach to network security in the cloud era, where the limitations of conventional network security have been exposed. In the wake of traditional network perimeters disappearing and the need to secure the edge of the networks, SASE converges elements of networking and security into a unified whole.
Leading vendors seem to have embraced this approach, and while the approaches vary from vendor to vendor, the solutions share common features that endorse SASE as the direction ahead. SASE is about delivering pervasive security in a cloud-delivered model across distributed networks. SASE vendors come from different parts of the network and security spectrum, from SD-WAN vendors to firewall vendors, SDN vendors and others.
According to Patrick Grillo, Senior Director, Solutions Marketing at Fortinet, “At its core, SASE is all about converging networking and security. This means that there would be pre-defined and consistent security for user connections to applications regardless of where the user or the application is located.”
SASE tries to answer the need of organizations and individuals for secure access from anywhere, at any time. Especially in these times of increased use of cloud services and remote working, SASE addresses the need to look at security from a holistic perspective, resolving the limitations of conventional security.
Ahmed El Saadi, Regional Director of Sales - Middle East, Turkey & Africa at VMware, says, “SASE is a relatively new term, first used by Gartner in 2019 to describe the convergence of wide area networking capabilities with network security services. A typical SASE service combines SD-WAN with security services such as zero trust network access (ZTNA), secure web gateway (SWG) and cloud security access broker (CASB) solutions, and Firewall as a Service (FWaaS).”
He adds, “The emergence of SASE was a response to demand for secure, advanced network services at scale in the cloud, and the key way for vendors to provide this was to modify and combine existing services into a new comprehensive package that addresses all of the customers’ networking needs in the cloud. The SASE model redefines networking security as it has generally been known, by making security an integral part of the SD-WAN service model.”
Delivering security wherever required, SASE resolves the challenges of performance issues at the edge and gives precedence to the developments in edge networking such as with IoT, mobility, SD-WAN and Cloud.
Tarek Abbas, Systems Engineering Director MEA at Palo Alto Networks, Middle East and Africa, says, “Over the past decade, there has been a rapid technological advancement and digital transformation. Keeping this in mind, the existing network approach does not provide the security and access control organisations need. Organisations now require immediate, uninterrupted access for their users in any remote location. Secure Access Service Edge (SASE), in simpler terms, allows organisations to ensure secure access no matter where their users, applications or devices are located.”
APPROACHES AND OBJECTIVES
Since a single standard is not defined, the approaches will vary from vendor to vendor but the core deliverables for a SASE solution remain the same. For instance, Fortinet still advises on the need for SASE to have a ‘full stack of security that spans both physical and cloud-based scenarios’ with the physical.
Patrick adds, “SASE is defined as a cloud service from which the different security functions can be applied to the individual connections. However, since SASE is a concept and not a product, how it is offered will vary from one provider to the next, which will determine whether, and what kind of, physical devices are needed at the customer location.”
He adds, “Fortinet is a leading advocate of integrating networking with security. In fact, it is one of our founding principles and referred to as Security-Driven Networking.”
Fortinet acquired OPAQ, a US-based provider of cloud-delivered security, earlier in 2020. The acquisition of OPAQ is to be the foundation of Fortinet’s SASE service, which will deliver all of the necessary services to support both remote users and remote offices.
Since what goes into a SASE solution will vary from vendor to vendor, customers need to have a good understanding of what the solution offers and what it doesn’t. They also need to be sure of the interoperability of the various elements of the SASE solution.
“The major constituents of SASE will depend on the provider of the SASE service. As SASE is in its very early days, providers have largely rebranded their existing service portfolio as SASE even though they may not offer all of the services. The framework defined by Gartner calls out three levels of services – Core, Recommended and Optional. The Core services – SD-WAN, Firewall as a Service (FWaaS), Secure Web Gateway (SWG), and Zero Trust Network Access (ZTNA) should be part of any provider’s SASE offering,” adds Patrick.
Along with CASB (Cloud Access Security Broker), SASE emphasizes zero trust security, a decade-old network security model that allows for the delivery of high-security, enterprise-wide network services virtually, and on a subscription basis, for organizations ranging from small and mid-market to large enterprises.
Tarek says, “SASE is designed to deliver security everywhere, helping secure your organisation and benefit many aspects of the business. One of the key objectives of SASE is the zero trust approach to the cloud, providing complete protection if the user is on or off the corporate network – in times such as the COVID-19 pandemic which altered the way of working and living, this was an essential for most organisations.”
He adds, “SASE solutions offer much higher flexibility to implement many security services including web filtering or even next-generation firewall policies through a common framework – which removes the burden of costs and complexity. Along with increased performance, the solutions ensure high data protection, threat prevention and visibility into your network. SASE is usually classified as a cloud-delivered service, but it can be a combination of both cloud-based and physical solutions, as per the business requirement.”
Palo Alto Networks provides solutions for SASE, such as Prisma Access, to solve networking and security needs in an architecture designed for all traffic, applications, and users.
“The focus is prioritized towards business agility and speed, where we embrace digital transformation using cloud-based network and modern security infrastructure. This helps organisations on a global level and capitalise on new initiatives,” says Tarek.
Through its approach, Palo Alto Networks reduces complexity by eliminating unnecessary point products, avoiding logistical issues with shipping, installing, and upgrading hardware. The vendor also ensures a consistent security policy to stop cyberattacks, protecting users in any location.
Ahmed elaborates on what a SASE solution is expected to perform. As a key deliverable, the solution gives the freedom to the customer to allow secured edge networking access to remote working employees and the ability to provision and scale access to applications as required in real time.
He says, “The major objective of a SASE solution is to give the customer, especially organizations with a pan-regional or global presence, a flexible, secure and efficient network that allows them to add on a variety of services and applications, from distributed working solutions for their employees, to the rapid provisioning and deployment of applications specific to the needs of their customers and partners. It also gives the organization far greater visibility of their network and will increasingly be viewed as a pillar of digital transformation strategies. SASE is purely cloud-based for the customer and the only hardware requirements are on the provider’s side.”
He adds, however, that VMware was already on this path even before a term was formally coined for it, and calls the SASE approach an endorsement of their strategy.
“We’ve been delivering SASE since before the term was coined, combining network services with network security as a service. Our footprint of gateways that are globally distributed at all the important points of presence allows us to add new services in a secure fashion. At VMware we are committed to building security into every part of the network, an aspect of our solution we refer to as Intrinsic Security. The emergence of SASE as a term is really an endorsement of this philosophy.”
VMware’s SASE Platform converges cloud networking, cloud security and zero trust network access with best in class web security to deliver flexibility, agility, and scalability for enterprises of all sizes. It is a cloud-first offering that delivers application quality assurance, intrinsic security, and operational simplicity, and is ideal for organizations that are supporting a work from anywhere workforce.
In the context of remote working, VMware also recently launched Future Ready Workforce solutions that combine VMware Secure Access Service Edge (SASE), Digital Workspace and Endpoint Security capabilities to help IT manage and optimize more secure access to any app, on any cloud, from any device while providing a simple, high performance, and a safer user experience for the distributed workforce.
SASE IN THE REMOTE ERA
SASE assumes more significance in an era when remote working continues to rise and may well be a lasting trend. Its rapid emergence to the foreground of the security landscape is being accentuated by the need for a more dynamic approach to security, as more workers are no longer working within the conventional networks within the office premises but rather are accessing corporate network assets from different locations.
Patrick says, “The remote user, or teleworker, is really the key use case for SASE at the moment. By using a SASE service, a remote user can be assured of consistent security profile applied to their connection regardless of where or how they are connected to the SASE service and regardless of their destination. This is in sharp contrast to the centralized, VPN oriented methodology used today in most remote access environments.”
A shift to SASE is required for organizations looking to accelerate on the digital transformation journey to unleash all benefits in terms of access from everywhere but in a secure manner.
Ahmed says, “Organizations are navigating one of the most significant disruptions of our generation. These challenges will accelerate a shift to cloud-centric strategies, like SASE, that address the requirements of enabling people to work from anywhere. Organizations increasingly want a future-proof, comprehensive networking solution that allows them to scale up and down instantly, and to progress their digital transformation journey without any issues around compatibility or security. This is what SASE provides, and its ability to enable secure remote working is just one of the perks.”
SECURING SD-WAN
SASE secures SD-WAN, as it does other distributed networks. Fortinet mentions that SASE is an option for securing SD-WAN, but this would need to be decided on the basis of customer requirements at the remote site, where a locally deployed next-generation firewall appliance may be a viable option as well.
Patrick says, “SASE is another option to adding security to an SD-WAN connection. However, depending upon the requirements of the remote location it may be more appropriate to implement security locally. Being able to offer both options, based on individual customer requirements, will be a key differentiator for any SASE provider.”
Fortinet’s SASE offering will be complemented by its Secure SD-WAN solution, giving organizations flexibility in how and where security is applied to the SD-WAN connection – locally in the FortiGate Next Generation Firewall (NGFW) or in the SASE cloud. In either case, the SD-WAN functionality is a no-cost feature of the FortiGate NGFW.
Adding a different perspective, Tarek says that with a SASE solution, SD-WAN devices can be easily connected to a cloud-based infrastructure rather than a physical SD-WAN hub, which can be located in data centers or co-location facilities.
He adds, “This enables better interconnectivity between branch offices without the need to deploy and manage physical SD-WAN hubs, creates a unified framework and simplified management solution for better protection.”
In the final analysis, organizations looking to deploy a SASE solution must keep in mind that there are several ways of deploying it but most importantly, it should be tailored to the enterprise and its future needs. It should achieve the objectives of simplifying network complexity and management. By enabling an SASE platform, an enterprise will be able to better secure its invaluable digital assets and its employees as well in a borderless network era.