As modern corporate networks expand beyond the traditional network perimeter, companies require security solutions designed for these new networks. Secure Access Service Edge (SASE) provides the capabilities that these companies require. However, not all SASE vendors are created equal, making it vital to select the right one to take full advantage of the benefits that SASE provides.
Legacy Network Solutions Were Designed for Legacy Networks
In the past, most of an organization’s computing resources were directly connected to the corporate network. Many companies operated on-site data centers and servers and had employees working from on-site workstations. This made it possible to apply a perimeter-based security model, which differentiated between the “trusted” internal network and the “untrusted” public Internet.
The modern network is focused much more on the corporate wide area network (WAN) than the corporate local area network (LAN). While some corporate assets may be located on-site, a growing percentage of the company’s digital assets are outside the traditional network perimeter. The growth of cloud computing, mobile devices, remote work, and the Internet of Things have transformed the enterprise network and how it is used.
However, many organizations are still attempting to use legacy security models and solutions to secure these networks. A traditional security infrastructure – which uses virtual private networks (VPNs) to securely connect users to the corporate network where security inspection and content filtering is performed – does not meet the needs of the modern enterprise. Attempting to protect a modern network with a legacy security solution negatively impacts both network performance and security.
SASE Is Designed for the Modern WAN
SASE is hailed by Gartner as “the future of network security”. Instead of centralizing the organization’s security resources at the network perimeter, SASE moves networking and security functionality to the cloud.
This is accomplished by deploying an array of cloud-based SASE points of presence (PoPs) that integrate both networking and security functionality. Traffic enters the corporate WAN through one of these PoPs, where corporate security inspection and policies are applied, and flows encrypted through the network until it exits via the PoP most convenient to its destination.
This cloud-based model for network security eliminates the focus on the (increasingly irrelevant) network perimeter and provides a number of advantages to users of the corporate WAN.
A major disadvantage of legacy network security solutions is the centralization of networking and security functionality on the corporate LAN. Any business traffic that the organization wishes to have visibility into and enforce security policies for must travel through the enterprise security stack. For traffic that both originates and terminates outside of the corporate LAN, this requires a significant detour that increases network latency and overloads the organization’s infrastructure.
SASE uses a network of globally-distributed cloud-based PoPs to achieve the same objectives as the traditional on-site security stack. This minimizes the impact on network performance while providing an organization with the same level of network visibility and security as routing all business traffic through the corporate network for scanning.
Companies are facing the dual challenges of a rapidly expanding attack surface and an evolving threat landscape. Digital transformation initiatives – and external pressures such as COVID-19 – have inspired the deployment of new technologies. At the same time, cyberattacks are becoming more common and sophisticated.
These two pressures drive many organizations to deploy specialized security solutions to address them. Companies may have standalone products that work only in certain environments (cloud, mobile, IoT, etc.) or address particular security risks. However, these standalone solutions often lack integration, making security monitoring and management complex.
SASE helps to alleviate organizations’ security burdens by offering integrated security. Unlike VPNs, which require additional solutions to provide security, SASE contains several crucial security tools, including a next-generation firewall (NGFW) and secure web gateway (SWG), bundled into a single cloud-based solution. Since these solutions operate at the network level, they can protect an organization’s entire network environment, regardless of the variety of endpoints that it contains.
Global Visibility and Policy Enforcement
Relying on VPN-based solutions for secure networking dramatically limits an organization’s visibility into its WAN. Each VPN connection is point-to-point, meaning that organizations must monitor and manage an array of independent connections. Additionally, solutions designed to improve the scalability and performance of VPN-based architectures, such as the use of split-tunnel VPNs, mean that some of an organization’s traffic may not be monitored or secured.
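As an added illustration of the split-tunnel visibility gap described above (this is not code from the original article or from any SASE vendor), the following Python simulates longest-prefix route selection on a VPN client using two constructed routing tables, one full-tunnel and one split-tunnel, and lists the destinations whose traffic never enters the tunnel and therefore never reaches a centralized security stack. The interface names, prefixes and destination addresses are assumptions chosen for the example.

```python
import ipaddress

# Constructed routing tables (not taken from any real host).
# Each route is (prefix, egress interface); longest-prefix match wins.
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "tun0"),         # default route: everything traverses the VPN
    ("203.0.113.10/32", "eth0"),   # only the VPN concentrator itself is reached directly
]

SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "eth0"),         # default route: Internet-bound traffic bypasses the VPN
    ("10.0.0.0/8", "tun0"),        # only corporate address ranges go through the tunnel
    ("172.16.0.0/12", "tun0"),
]


def egress_interface(routes, dest):
    """Return the interface selected by longest-prefix match for dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def uninspected_destinations(routes, destinations, tunnel_iface="tun0"):
    """Destinations whose traffic never traverses the tunnel, so the
    central security stack behind the VPN concentrator never sees it."""
    return [d for d in destinations if egress_interface(routes, d) != tunnel_iface]


# Constructed sample destinations: a SaaS application, a public web site,
# and two internal hosts on corporate ranges.
SAMPLE_DESTINATIONS = ["198.51.100.7", "192.0.2.44", "10.20.30.40", "172.20.1.5"]

if __name__ == "__main__":
    for name, routes in (("full tunnel", FULL_TUNNEL_ROUTES),
                         ("split tunnel", SPLIT_TUNNEL_ROUTES)):
        gaps = uninspected_destinations(routes, SAMPLE_DESTINATIONS)
        print(f"{name}: {len(gaps)} of {len(SAMPLE_DESTINATIONS)} "
              f"destinations bypass inspection: {gaps}")
```

With the split-tunnel table, the two public destinations egress over eth0 and are invisible to any inspection performed behind the concentrator; with the full-tunnel table every sample destination is inspected, at the cost of the backhaul latency discussed earlier. The same longest-prefix logic can be run against a real client's route table export to inventory which destinations a split-tunnel policy leaves unmonitored.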
With SASE, all of an organization’s business traffic flows over an integrated corporate WAN. Traffic enters and leaves the network through identical PoPs, making it easy to achieve comprehensive network visibility and to apply new security configurations and policies. Additionally, the scalability and easy accessibility of a SASE-based WAN means that users have no reason to avoid use of the WAN for performance reasons.
Selecting the Right SASE Solution
SASE is dubbed the “future of network security” because it is designed to meet the needs of the modern enterprise and the businesses of the future. However, as a next-generation technology, it is also in its infancy.
When selecting a SASE vendor, it is important to choose one that implements the capabilities of SASE in an integrated fashion. Some vendors implement SASE features using service chaining, which degrades performance and usability. SASE should be a fully-integrated standalone solution deployed in a globally distributed network of several PoPs.