Building a better SASE

By John Smith, Founder and CTO at LiveAction.

As businesses embrace digital transformation, there is a greater need to secure cloud-based resources. The rise of Secure Access Service Edge (SASE) promises a network architecture that combines VPN and SD-WAN capabilities with cloud-native security functions, such as secure web gateways, cloud access security brokers, firewalls, and zero-trust network access. Yet SASE deployments can be incredibly complex and make end-to-end visibility challenging for IT.

Growing need

Understanding why SASE has quickly become an important technology and enjoyed a recent surge in demand requires following a chain of related factors. The starting point is the massive growth in cloud adoption, especially during the pandemic. Having fast, reliable access to cloud resources has become critical for employees, partners, and customers, with a particular focus on helping work from home (WFH) users access critical applications operating in a hybrid cloud.

Recent studies have shown that the remote workforce has more than quadrupled. Nearly 65% of enterprise employees are regularly working from home, compared to just 14% prior to the pandemic. This shift to remote work has transformed the requirements of the Wide Area Network (WAN) to deliver a more dynamic experience able to adapt to varied use cases – which in turn has driven more adoption of Software Defined WAN.

SD-WAN drivers

SD-WAN is a methodology and technology stack that completely changes how traffic is routed. A traditional direct connection or hub-and-spoke model likely has robust connections that are easy to track. But SD-WAN may use alternate paths, and if centralized policies are poor, traffic could be routed through a branch office that was not meant to be a transit site, or through a host of other resource-constrained processes such as encryption/decryption and content inspection. The result is a poor network experience for the remote worker. This can get even more complex if an organisation is cataloguing hundreds or thousands of sites, mixing traditional WAN and SD-WAN, and tracking how they are communicating with each other.

SASE growth but still few deployments

With more cloud demand and growth in SD-WAN as context, the need for SASE has never been greater. SASE is a relatively recent technology that integrates SD-WAN, secure remote access, and cloud-based security into a single solution. If done well, it can offer increased flexibility for cloud infrastructure, lower costs, reduced complexity, improved performance, and better protection for enterprise users, devices, and data. While many SD-WAN and security vendors have begun to offer SASE solutions, few have delivered a complete approach. According to a recent EMA WAN Transformation Report, 10% of organisations report they’ve completed a SASE deployment and 28% claim partial implementation. Given that there are so few complete solutions available, EMA believes overmarketing by SD-WAN vendors is actually inflating these numbers.

At any rate, SASE offers incredible benefits for enterprises and the future is bright for this innovative technology category. In fact, the increased need for remote user support during the pandemic has spurred much of the sudden acceleration around SASE deployments. EMA’s report showed that a massive 51% of respondents have accelerated their SASE projects over the last year alone. In addition, Gartner predicts that by 2024, at least 40% of enterprises will have strategies in place to adopt SASE, up from less than 1% at the end of 2018.

Understanding SASE

There are many vital elements to consider when adopting a SASE strategy, but let’s explore a couple of key criteria outside of the obvious cyber security requirements. The first is integrated operational visibility. It’s important to have network and security visibility across all the ways users access applications and resources throughout the enterprise. This means remote, public cloud and traditional network environments, and everywhere in between. Respondents ranked this attribute as the most important in EMA’s WAN Transformation Report. Next, we have secure remote access. This has become an increasingly urgent priority during the COVID-19 crisis, and a primary element in supporting business continuity for the modern enterprise. Whether accessing cloud applications for work, such as Salesforce or Office365, or accessing proprietary applications such as call center systems, having secure access for WFH employees has become essential alongside the need for robust security controls.

Visibility and SASE

SASE deployments can be incredibly complex and make end-to-end visibility challenging for IT. There are many components at work, and if something goes wrong, isolating it down to a single source or domain can be tough. Is it the local network, SD-WAN device, cloud presence, security device, etc.? Is it a problem with network traffic, applications, or users? Today, enterprises are using analytics platforms that work alongside SASE to provide a vendor-neutral view into deployments with the ability to analyse telemetry for network, security, and compliance purposes. These solutions also offer end-to-end views once the traffic exits SASE into the branch, data center, colocation, or public and private cloud.

Granular visibility allows IT to better understand network and application traffic and verify that policies and their intent are working as designed. It also enables troubleshooting and the remediation of network and/or security issues. So as issues arise, IT can identify the root cause and understand the most appropriate remedial action to take. Finally, establishing comprehensive, end-to-end network visibility allows IT to understand how application traffic and data flow through the SASE system.

SASE starting point

Because SASE solutions are the product of multiple integrated technology categories, we’re seeing many network security, cloud-based security, and SD-WAN vendors entering the space. You often hear grand promises and phrases like “silver bullet” and “single solution.” In reality, you’ll need to work with at least two solutions, and sometimes more, to deploy SASE today. Deciding how to build your SASE is the single biggest challenge. When selecting solutions, consider the following questions:

· Is the technology mature? – Are the network or security features fully baked? Is it completely integrated, or separate, or does it allow integration with other solutions?

· What is the management setup? – Is all of the functionality easily managed through a centralized cloud-based service? If so, how is this done? This can be important for reducing the complexity and management of a SASE solution.

· Do the cloud integration capabilities suffice? – Does it easily provide access to the public cloud and offer private cloud connectivity through colocation and remote sites? This is important as more applications live in a hybrid cloud model.

· Is there scalable, secure remote access? – Does it take a scaled approach to remote user access, with points of presence that allow for better performance from the various locations that map to customer needs?

Security Policies

The heart of SASE is the ability to implement new security policies across the SD-WAN and connected devices that are more unified than those of the legacy network it replaces. For instance, SD-WANs allow encryption as traffic moves from one site to another and network segmentation for layered protection. Thus, everything from employee and guest access to creating DMZs to internet access to architecting site-to-site connectivity may need review. Moreover, it will be important to capture audit data and perform policy validations to ensure the network is operating as intended from a security and performance perspective. Understanding the key obstacles and having the proper tools to help circumvent those challenges is vital to success.
