The enterprise IT landscape has changed dramatically since the arrival of cloud computing. Most organizations today have a cloud-first approach in their IT transformation efforts. Hence, enterprise applications are increasingly distributed across hybrid-cloud environments consisting of on-prem, colocation, edge and cloud datacenters. Pre-COVID, network managers had to worry about connecting users that were predominantly based in office locations to distributed applications. Post COVID-19, with most organizations embracing a hybrid-work model, network managers now have the new task of efficiently and securely connecting distributed workforces to distributed applications.
With enterprise applications hosted in hybrid environments and users based at home and at branch locations spread across the globe, the traditional branch networking method of backhauling traffic (from users and devices) to a centralized location for security scrubbing is highly inefficient and creates optimization challenges. Secure access service edge, or SASE, is a framework that addresses the need for a centralized, cloud-delivered, software-defined security architecture when the applications and users are highly distributed.
If networking can be software defined, why not security?
The enterprise WAN is evolving to a software-centric approach with software-defined networking (SDN), network function virtualization (NFV) and software-defined WAN (SD-WAN) technologies to support distributed users and applications. However, security has largely remained centralized. Traditional infrastructure-based security is not sufficient when your applications are deployed across multiple clouds. It is critical to apply security profiles at the user and application level and not the infrastructure level to respond quickly and efficiently to ever-increasing threats.
SASE combines network and security functions in one framework, which is software-defined and delivered from the cloud through distributed SASE points of presence (POPs). Users and devices connect to the nearest SASE POP (deployed in on-premises or third-party data centers, network POPs, security POPs or cloud POPs), which determines the optimal routing and security policies for the endpoint trying to access cloud (IaaS, SaaS, and PaaS) applications. The routing and security policies for each application are applied based on the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions.
Note that, since SASE is a new framework, offerings across vendor and service provider platforms are still evolving. Very few vendors today support the full breadth of features and functionalities defined in the SASE framework.
While the aim of SASE is to deliver from the cloud a comprehensive set of virtual security services (typically deployed on-premises on a physical appliance at enterprise data centers), the framework rests on the following four key components.
- Software-defined WAN (SD-WAN)
An SD-WAN architecture uses SDN principles to separate the data plane from the control plane in the WAN. It abstracts the underlying transport networks (MPLS, Ethernet, wireless, satellite) and shifts control intelligence from edge devices into a centralized, software-based controller. SD-WAN technology brings much-needed agility and flexibility to connecting hybrid IT deployments effectively. For example, the SD-WAN appliance (deployed in physical or virtual form) can automatically route cloud-bound traffic over internet links and corporate-datacenter-bound traffic over private links, based on policies predefined by network administrators. Most organizations are familiar with SD-WAN technology today and are at varying stages of deployment. It is only prudent that businesses considering SD-WAN evaluate networking and security solutions holistically and in a way that fits their cloud strategy.
- Zero-trust network access (ZTNA)
ZTNA is an overall strategy and framework to prevent unauthorized access, contain breaches and reduce the risk of an attacker’s lateral movement through a network. With ZTNA, the network can make access decisions based on user identity and context, also called attribute-based access control (ABAC). These attributes include role, location, device type and security posture. Each user is mapped to a per-application policy that applies no matter where that application is hosted. There is a single set of policies for every user.
- Cloud web security (CWS)
CWS consists of two components: 1) a secure web gateway (SWG) and 2) a cloud access security broker (CASB). SWGs serve as barriers between internet traffic and the organization's network, blocking suspicious or unknown data and allowing trusted and approved data to move smoothly in and out. A CASB is software that acts as a security control point between users and cloud services. A CASB offers additional layers of protection such as malware protection and data encryption.
- Next-generation firewall (NGFW)
NGFWs perform a range of security functions, including stateful packet filtering, virtual private networking (VPN), application visibility/control, user identity-based control, intrusion detection/prevention, gateway anti-virus (AV), URL filtering, anti-spam, data leakage prevention and advanced malware sandbox inspections.
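The ZTNA component above describes attribute-based access control: a per-application policy evaluated against the user's role, location, device type and security posture, with risk reassessed continuously during the session. The following Python is an added example, not code from the article or from any SASE vendor; the attribute schema, the two sample policies and the session samples are all constructed for illustration.

```python
"""
Added example (not from the original article): a minimal attribute-based
access control (ABAC) evaluator in the spirit of ZTNA. Every name here is a
constructed, hypothetical schema; real SASE/ZTNA products use their own.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Context:
    """Attributes observed for one access attempt (constructed schema)."""
    user: str
    role: str
    location: str                 # e.g. "office", "home", "cafe"
    device_type: str              # "managed" or "byod"
    posture: Dict[str, bool]      # device health signals, e.g. {"edr_running": True}
    risk_score: int               # 0 (clean) .. 100 (hostile), from continuous assessment


@dataclass(frozen=True)
class AppPolicy:
    """Per-application policy; applies wherever the application is hosted."""
    app: str
    allowed_roles: FrozenSet[str]
    allowed_locations: FrozenSet[str]
    managed_device_only: bool
    required_posture: FrozenSet[str]   # posture flags that must all be True
    max_risk: int


# Constructed sample policies: one entry per application, independent of hosting location.
POLICIES: Dict[str, AppPolicy] = {
    "erp": AppPolicy(
        app="erp",
        allowed_roles=frozenset({"finance", "admin"}),
        allowed_locations=frozenset({"office", "home"}),
        managed_device_only=True,
        required_posture=frozenset({"disk_encrypted", "edr_running", "os_patched"}),
        max_risk=30,
    ),
    "wiki": AppPolicy(
        app="wiki",
        allowed_roles=frozenset({"finance", "admin", "engineering", "contractor"}),
        allowed_locations=frozenset({"office", "home", "cafe"}),
        managed_device_only=False,
        required_posture=frozenset({"os_patched"}),
        max_risk=70,
    ),
}


def evaluate(policy: AppPolicy, ctx: Context) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed attribute check is recorded so
    the deny reasons can be logged for the SOC rather than a bare 'denied'."""
    reasons: List[str] = []
    if ctx.role not in policy.allowed_roles:
        reasons.append(f"role {ctx.role!r} not permitted for {policy.app}")
    if ctx.location not in policy.allowed_locations:
        reasons.append(f"location {ctx.location!r} not permitted for {policy.app}")
    if policy.managed_device_only and ctx.device_type != "managed":
        reasons.append("managed device required")
    missing = sorted(f for f in policy.required_posture if not ctx.posture.get(f, False))
    if missing:
        reasons.append("posture failed: " + ", ".join(missing))
    if ctx.risk_score > policy.max_risk:
        reasons.append(f"risk score {ctx.risk_score} exceeds {policy.max_risk}")
    return (not reasons, reasons)


def run_session(app: str, samples: List[Context]) -> List[Tuple[bool, List[str]]]:
    """Continuous assessment: re-evaluate the policy on every context sample
    taken during a session. The first deny terminates the session, so later
    samples are not evaluated (the session no longer exists)."""
    policy = POLICIES[app]
    decisions: List[Tuple[bool, List[str]]] = []
    for ctx in samples:
        allowed, reasons = evaluate(policy, ctx)
        decisions.append((allowed, reasons))
        if not allowed:
            break
    return decisions


# Constructed session: a finance user starts at the office on a healthy managed
# laptop, keeps working from home, then the EDR agent stops and the risk score rises.
HEALTHY = {"disk_encrypted": True, "edr_running": True, "os_patched": True}
DEGRADED = {"disk_encrypted": True, "edr_running": False, "os_patched": True}
SAMPLE_SESSION = [
    Context("alice", "finance", "office", "managed", HEALTHY, risk_score=5),
    Context("alice", "finance", "home", "managed", HEALTHY, risk_score=10),
    Context("alice", "finance", "home", "managed", DEGRADED, risk_score=45),
    Context("alice", "finance", "home", "managed", HEALTHY, risk_score=5),  # never reached
]

if __name__ == "__main__":
    for allowed, reasons in run_session("erp", SAMPLE_SESSION):
        print("ALLOW" if allowed else "DENY", reasons)
```

Two design points matter here: the policy is keyed by application, not by network segment, so the same rule applies whether the ERP system sits in a private datacenter or a cloud tenant; and the evaluator returns every failed attribute rather than the first, which is what a detection team needs when reviewing why a mid-session termination happened.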
Three reasons your organization needs to pay attention to SASE now
- Agility: Most organizations have embraced cloud to varying degrees, and the trend is only growing as they fast-track digital strategies post COVID-19. In the ISG Index™ call for the Americas market, we saw that IaaS gained more traction in the first half of 2021 and grew by 24 percent compared to the previous year, with annual contract value (ACV) reaching US$7.4 billion. ISG also observed that the SaaS market grew by 15 percent and reached an ACV of US$3.7 billion, compared to 11 percent growth in 1H20. While SD-WAN technology alone can address the agile connectivity needs of hybrid cloud environments, the increased use of the internet increases security risk. With SASE, the network and security components are agile and flexible enough to keep up with the agility the cloud model offers. Based on predefined security policies for each application, the SD-WAN solution automatically makes routing decisions. For example, a remote user trying to access a SaaS-based application is routed to the nearest SWG to authenticate credentials, whereas a user trying to access an ERP application hosted in a corporate private datacenter is routed to the nearest firewall.
- Efficiency: When it comes to security, there are only two types of organizations: those whose security has been breached and those whose security will be breached. Network and application security always ranks in the top three technology priorities for organizations. The cloud characteristics of SASE dramatically reduce the number of appliances required to keep up with new security needs as threats mutate and security teams adopt newer encryption standards. The cloud-native approach to security also enhances the security team's monitoring and response efforts through the segmentation and control capabilities of SASE. Software-centric, centralized policy administration and provisioning further reduces security personnel time (and errors), allowing them to focus on other strategic activities.
- Visibility: As hybrid work becomes the new norm, it is critical for businesses to optimize and secure user connectivity to cloud-based applications. With SASE, because security policies are applied based on user identity and real-time context, the policies follow the user as they move from office to home, or from home to a café, so that identity- and device-based access permissions are enforced wherever they are. With the convergence of network and security, IT personnel can also manage all features and policies in a single interface, using common terminology, and gain deep visibility into network and security events.
SASE is both simple and complex at the same time
If you think about SASE, it is a simple concept of combining network and security and delivering it in a cloud-based delivery model, closer to where the applications and users are, rather than centralizing it. The distributed approach reduces unnecessary delays caused by the traditional hub-and-spoke model. However, it is also complex, because of the existing WAN and related security solutions in place already.
It is also true that enterprise security needs are too complex to depend solely on a cloud-based model. A hybrid model, combining on-prem and cloud-delivered approaches to networking and security, is better suited to addressing businesses' needs. ISG is of the opinion that a true SASE solution falls on a spectrum that allows enterprises to keep an on-prem anchor alongside some cloud elements, and to slide between the two.
In our experience advising enterprises in complex transformation deals, the biggest mistake we notice enterprises make is thinking of cloud, network and security transformations separately or in a linear fashion. Most often network and security teams are not even involved in the internal or external IT discussions. Unfortunately, the lack of a holistic approach to understanding the convergence and interworking of cloud, network and security means less-than-optimal results from your digital transformation investments. A truly integrated approach to digital transformation can help your organization address common objectives, enhance user experience and optimize technology costs.
ISG’s team of advisors across cloud, network and security transformation practices work in unison and collaborate to build a strategy and implementation roadmap that addresses all three capabilities to help you succeed in your transformation initiatives. Contact us to learn more.