March 12, 2021
SASE Converges Cloud, Network and Security
Corporate data centers have served as the communications hub for organizations since the development of network technologies. Transmissions from employees, customers and vendors all enter the corporate network for access and management before reaching their final destination.
Cybersecurity has evolved and now plays a significant role in the management of these electronic transmissions.
The corporate data center as traffic control
Before cloud-based services appeared on the scene, most network traffic came from internal users—primarily an organization’s employees. Over the last five years, the amount of outside traffic accessing corporate networks has multiplied dramatically. As cloud services, cloud processing and remote users grow, network access requests are increasingly coming from unmanaged devices and unverified users.
Until recently, no one questioned the status quo of using the corporate network as the communications hub. But world events and innovation continue to challenge the norm.
The transition to cloud-based data processing from providers such as Azure, AWS and Google is just one driver of this digital transformation. Software-as-a-Service (SaaS) offerings have experienced dynamic adoption led by popular services such as Salesforce, Office 365 and Dropbox—shifting many day-to-day administrative tools online. Advanced mobile technologies such as smartphones, laptops and tablets have freed employees from physically managed corporate networks. Cloud access means it’s no longer an 8-to-5 world.
Organizations experienced an intense, high-speed impact on their electronic communications at the start of the global pandemic in 2020. Technology advances had made an effective home-based workforce feasible, and the pandemic made it essential.
Before 2020, remote work had been slowly gaining acceptance, but the pandemic accelerated adoption at an astounding rate. Today over 42% of employees work from home full-time using unmanaged devices with unknown security to access corporate networks.
An IDG report found that the organizations surveyed see their SaaS applications growing to 36% of their total applications vs. on-premises over the next 18 months. They also predicted that 46% of new applications will be cloud-native.
Securing this cloud-resident application workload is now an industry focus, and the inherent challenges will only increase over time.
The Internet is now the de facto source for information, entertainment and access—creating tremendous pressure on network and security management. Because the corporate network is managing this traffic, employee access to unsanctioned websites exposes the corporate data center to a vast range of risks.
Quick-turn cloud traffic burdens the data center
The nature of today’s Internet traffic flow causes duplicate traffic patterns that stress network operations.
Each transmission requires network management from origination to destination and then for the return trip. When combined with employee and third-party access requests to corporate information, an organization may face daily user requests that number in the tens of thousands.
Applying security to each of these requests is necessary to validate user access permissions and to detect any malicious code that may be embedded. In a recent report by one of the cloud security leaders, it was estimated that more than 50% of all network traffic is to a cloud destination.
This U-turn traffic creates a significant burden on data center infrastructure, tools and staff. Over the last three to five years, investment in network equipment and security solutions has grown to handle this increased cloud traffic. Network and security architectures are now more complex, and the day-to-day operations staff is feeling the strain.
Securing workloads outpaces the data center’s capabilities
This strain on corporate data centers isn’t going unnoticed by cybercriminals. Evolving technologies also mean evolving threat landscapes, and hackers are taking advantage.
Before mobile and cloud users became pervasive, organizations could effectively secure their network with firewalls, network security and endpoint solutions. With the move to cloud-first adoption, the concept of a centralized communications hub is disappearing. Maintaining your security posture by relying solely on layered defense in the data center no longer works.
If the effectiveness of perimeter defenses and defense in layers has been marginalized, what are the alternatives? Technology and nature dislike a vacuum. If there is a need, innovative entrepreneurs work to fill the void and move the industry forward.
SASE provides cloud-first security
Advances in Network as a Service and Security as a Service have given rise to the secure access service edge, identified and named by Gartner in 2019. While descriptive, the name is generally shortened to the acronym SASE and pronounced “sassy.”
SASE represents the convergence of network management and in-line security capabilities delivered in a cloud-based architecture.
While Gartner did not invent SASE, it did recognize that the combination of these technologies into a single solution to handle difficult security issues had come of age. Several technology firms are currently investing, innovating and driving towards a SASE solution. These offerings will have a commonality of function based on the SASE concept—delivering aspects of network access, destination management and bandwidth aggregation alongside security capabilities that may include cloud access security brokers (CASB), virtual firewalls, secure web gateways, and others.
SASE solutions provide comprehensive, flexible network management and security in the cloud. Eventually, all user access requests for an organization will first be directed to the SASE cloud where network management and security are more efficiently and effectively applied—removing the burden and risk from the corporate data center.
The remote access revolution
When a remote user access request is directed to the SASE cloud, security is initially applied. The user is validated and access permissions verified. The traffic is also inspected for any malicious code.
The network management capabilities of SASE then direct the transaction to the cloud or the corporate data center, depending on the user’s access request and credentials. On fulfillment, the return response travels back through the SASE cloud, where the appropriate security is again applied before forwarding to the originating user.
SASE provides organizational and IT gains
Utilizing a cloud-first access traffic model replaces the data center and network as the hub, removing the burden of the internet backhaul traffic. With SASE, the corporate network will only receive and manage validated, secure traffic approved for data center application access.
The decrease in the data center traffic burden can’t be known until SASE is widely available and adopted, but solution providers estimate reductions from 20% up to 50%.
SASE’s flexible, cost-effective architecture also provides other benefits:
- Accelerates digital transformation and cloud-first strategies, improving agility and speed without dependency on major architectural investments
- Improves compliance enforcement and management with zero-trust clouds configured with the organization’s policies and regulatory requirements, such as HIPAA, PCI and state regulations
- Improves security posture with cloud security management outside of the data center perimeter
- Reduces investment and drain on IT resources by decreasing router and switch capacity, network management, and load balancing needs
- Scales down security tool inventory through reduced traffic throughput
- Reduces requirements for expensive VPN and MPLS by utilizing the direct capabilities of SASE
- Reduces costs through subscription-based bundle pricing versus independently purchasing each solution needed to deliver cloud access security
- Offers integrated compatibility with on-prem, cloud or hybrid data processing—whether from a data center or a branch location
Why now is the right time for SASE
Anticipated by Gartner in their 2019 publication The Future of Network Security in the Cloud, SASE technologies are coming of age. Gartner forecast that by 2023, 20% of all enterprises will have some basic level of SASE function live and in production.
Next-gen security architecture
Moving from on-prem network and security architecture to a cloud-first SASE solution will be a driver of the next generation of security enterprise architecture—which will be functionally cloud-based.
With SASE replacing the data center as the hub, the SASE cloud will manage all user and device access. Other required security synergies, such as identity and access management, security information event management, email security and endpoint management, are also moving to a cloud-first security posture.
Security for high-risk users
Higher-risk users—such as IoT, customers, vendors, third parties and remote workers—mostly operate from undetermined, unmanaged devices. These user categories are growing, increasing risk to the organization.
A dedicated SASE cloud configured with zero-trust features can be used to manage security for high-risk traffic. The flexibility of a SASE, zero-trust cloud allows different security levels to be applied to each user based on type. When compared to on-prem offerings, security in the cloud is more cost-effective.
Challenging security use cases:
- Internet of Things (IoT) devices can be challenging to secure due to limited processing capacity
- Business-to-business and business-to-consumer customers using undetermined devices from undetermined locations
- Trusted third parties needing access to the organization’s data and applications
- Mobile and home-based employees using unmanaged endpoints
- Branch and retail access, where the operational challenges of managing remote network and security devices can be reduced
- Security compliance and regulations, which are generally monitored and managed manually
The zero-trust methodology subscribes to a “trust no one” policy. Until recently, zero-trust has been costly and cumbersome to implement and manage. SASE solutions offer cost-effective, flexible options that make a zero-trust network easier to facilitate by using SASE architecture as the platform.
Business use cases for immediate impact
Rather than moving directly to an enterprise-level SASE implementation, many organizations are likely to implement SASE solutions incrementally. Organizations that focus on business use cases with expensive, complex security issues are expected to benefit quickly.
Quick-return use cases can include:
- Home-based workforce: This high-risk group can be secured through a SASE cloud instead of through increased investment in firewalls or other security capabilities in the data center. Managing the external threats related to this group outside of the data center improves implementation, management and security posture.
- Trusted third parties: This group includes professional service firms such as lawyers, accountants, architects and engineers, insurance agents, web developers and others who interact directly with their customers electronically. Securing this segment while assuring regulatory compliance has traditionally been challenging and staff-resource intensive. SASE eases these pain points.
- Branch and retail locations: This user group uses corporate-managed devices, but securing usage generally requires additional investment in firewalls, security solutions and remote management. Using a SASE cloud to secure these users also eliminates the issues around remote hardware and software management.
- Telemedicine: Using telemedicine to connect doctors and patients online has grown dramatically. During the global pandemic, it became a vital link to healthcare for many. By isolating this usage in a HIPAA-enabled SASE cloud configured with zero-trust methods, doctor and patient transmissions can be assured of compliance—solving an issue that would otherwise require significant investment.
Transforming security, disrupting the industry
SASE will directly impact how organizations look at and plan their security posture strategies. By substantially reducing the traffic load on corporate networks, SASE provides an opportunity for organizations to re-architect their networks and data centers over time, reducing the investment, complexity and capacity needed to secure the network.
Other solution providers will also innovate their solutions to integrate with SASE and provide cloud-first protection. Data center firewalls and endpoint security will continue to play critical roles, and the adoption of SaaS offerings such as email and IAM solutions in the cloud will accelerate.
As this SASE methodology continues to evolve, cost optimization opportunities will accelerate its adoption. It provides a flexible, cost-effective solution for security challenges that up until now have been investment-intensive and difficult to manage. With SASE, solutions are on the horizon where there were previously only challenges.