SASE - Where to start?
What’s SASE? Is it Security or Networking? Why do I need it? Haven’t I got it? If any of these sound familiar, you’re in the right place. Before we delve into the technicalities of what SASE is, let’s start with a simple summary -
SASE is all the networking and security layers an organisation needs to have in place; the difference is that it moves everything towards Cloud and SaaS.
People love buzzwords. They make us feel special, on the inside, an expert. By the same token they can create a false aura of expertise. For example, all the TLAs (three-letter acronyms) a new starter meets in a company can slow down onboarding and limit dialogue and growth. It’s not always a positive.
The same theory can be applied to SASE. Secure Access Service Edge, pronounced ‘SASSY’, is a framework coined by Gartner in late 2019 and has been rapidly picked up by every security and network vendor. There are a couple of reasons vendors love it. Primarily, it creates a perception gap between what you have in your organisation and what the vendors are selling, i.e. it creates a need. ‘You don’t have SASE, oops!’; ‘So what’s your SASE strategy, how are you going to get there?’.
Secondly, SASE brings Networking and Security into a single framework, preferably all from a single vendor, which has resulted in Networking vendors suddenly becoming Security vendors and vice versa. That’s a great way to grow your market; selling new solutions into your existing customers is easier than finding new customers and displacing competitors.
Vendors love it and Gartner created it - is it all hype? Well no, it’s a logical progression of Security services into cloud first architecture to support increasing cloud-centric application delivery. It does make sense and can help build a roadmap for security and network services.
So, what is SASE?
At a fundamental level, SASE is a framework, and with any framework, it’s just a guide or a template for building out a networking and security stack. Look at SASE as a template for building a complete security and network architecture to meet the needs of your organisation.
Technology is moving away from on-prem solutions to Cloud. But with apps delivered as SaaS or hosted in the cloud, it’s harder to balance the user experience with security.
This is where SASE is focused. SASE is end user centric, connecting the user or the site to cloud security services rather than backhauling all traffic through security solutions in the datacentre. SASE is simultaneously moving us toward cloud services and away from the datacentre. Another way to describe this is ‘Thin Branch, Heavy Cloud’ where the branch edge device (SD-WAN) routes applications to where they need to go and through cloud based security services where needed (Heavy Cloud).
The network has evolved from physical to virtual with SD-WAN which provides more security, flexibility and intelligent routing for security solutions. SD-WAN operates as the foundation of SASE and enables the other layers.
So to summarise, what is SASE?
SASE is a framework for building your organisation’s Network & Security services. You can go to Cloud now or in the future and you’ll need SD-WAN to move traffic to the right place and simplify the journey. That’s it!
Is SASE Security or Networking?
Simply put, it’s both. SASE consolidates networking and security into one framework – network security.
Here at Edge7 Networks, we specialise in SD-WAN. We work with some of the best security vendors, and we’ve been supporting and designing enterprise networking solutions and firewall deployments for years, so we know our security stack. In reality, it’s hard to separate security from networking so SASE makes perfect sense to us.
As we focus on Citrix SD-WAN for the choice and versatility it offers, and think the Citrix approach to SASE is also practical, let’s use the Citrix diagram here to expand on the SASE stack. Citrix have also deployed a really strong security offering called Secure Internet Access (SIA) which delivers all the core components of a SASE solution; it’s well worth a look and we have another blog specifically about it coming soon.
At its most basic, we’ve got a framework with a network layer at the bottom and a security layer sitting on top.
The Security layer contains the necessary components of a security envelope to protect the enterprise: Firewall, SWG, CASB, DLP, Remote Access, etc. All the tools you need to protect your organisation. Some you will already have, and some may be integrated into other tools as a feature rather than a separate product.
What services do you need to protect your organisation?
That depends on what your business function is, the nature of data activity and your products and services. A software company has a different set of requirements to a manufacturing company, who has a different set to a financial services firm.
However, most will need a core set of services:
Firewall: To protect ingress and egress of traffic from the enterprise. Traditional firewalls were physical boxes with a fixed set of rules. Now available as physical, virtual or SaaS-based, next generation firewalls provide a full suite of intelligence and most will cover much of the full SASE stack as add-on services (SaaS delivered).
Web filtering: The on-prem name, or Secure Web Gateway (SWG) in the cloud. SWG secures internet traffic, protecting the organisation and users from inappropriate content and browser-based attacks.
Data Leakage Protection (DLP): DLP services work to protect valuable data from leaving the organisation through email, file hosting and other means.
Cloud Access Security Brokers (CASB): Helps monitor, secure and manage access to sanctioned and unsanctioned SaaS applications. CASB capabilities are built around the following four pillars:
Visibility: Consolidated view into all applications, including unsanctioned shadow IT applications, being used by enterprise users
Data Security: Mitigate unauthorised access to and exfiltration of sensitive data
Threat Protection: Leverage inline proxy architectures, native or integrated threat feeds and behavioural analysis to identify and limit damage from malware and compromised users
Compliance: Visibility and reporting to show that industry regulations and data residency policies are being met
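The Visibility and Data Security pillars above come down to one question: which SaaS destinations are your users actually talking to, and is that traffic sanctioned? The following Python script is an added illustration (not code from the original post, nor from Citrix, Edge7 Networks or any CASB product) of the kind of analysis a CASB performs over proxy or SWG logs. The log format, the log lines, the sanctioned-application list and the upload threshold are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample SWG/proxy log lines for this example (not from any real system).
# Assumed format: timestamp user destination_host bytes_out action
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice app.example-crm.com 5120 ALLOW
2024-03-01T09:00:05Z bob files.unknown-share.io 20480 ALLOW
2024-03-01T09:01:10Z alice mail.example-crm.com 1024 ALLOW
2024-03-01T09:02:00Z carol files.unknown-share.io 1048576 ALLOW
2024-03-01T09:03:00Z bob chat.example-collab.com 512 ALLOW
this line is malformed and should be skipped
"""

# Constructed list of sanctioned SaaS applications, keyed by their parent domain.
# Anything not in this list is treated as unsanctioned (shadow IT).
SANCTIONED_APPS = {
    "example-crm.com": "CRM",
    "example-collab.com": "Collaboration",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)\s+(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["bytes"] = int(record["bytes"])
    return record


def classify_host(host):
    """Map a destination host to a sanctioned app name, or None if unsanctioned.

    Matching on the last two DNS labels is a simplification for the example;
    real CASBs use curated application catalogues rather than domain suffixes.
    """
    parent_domain = ".".join(host.split(".")[-2:])
    return SANCTIONED_APPS.get(parent_domain)


def shadow_it_report(log_text, upload_threshold=512 * 1024):
    """Build a visibility report: sanctioned app usage, unsanctioned hosts per user,
    and large uploads to unsanctioned hosts (a simple Data Security signal)."""
    report = {
        "sanctioned": Counter(),   # app name -> request count
        "unsanctioned": {},        # host -> {"users": set, "bytes_out": int}
        "large_uploads": [],       # (user, host, bytes) above the threshold
        "skipped": 0,              # malformed lines
    }
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            report["skipped"] += 1
            continue
        app = classify_host(record["host"])
        if app is not None:
            report["sanctioned"][app] += 1
            continue
        entry = report["unsanctioned"].setdefault(
            record["host"], {"users": set(), "bytes_out": 0}
        )
        entry["users"].add(record["user"])
        entry["bytes_out"] += record["bytes"]
        if record["bytes"] >= upload_threshold:
            report["large_uploads"].append(
                (record["user"], record["host"], record["bytes"])
            )
    return report


if __name__ == "__main__":
    result = shadow_it_report(SAMPLE_LOG)
    print("Sanctioned usage:", dict(result["sanctioned"]))
    for host, entry in result["unsanctioned"].items():
        print(f"Unsanctioned {host}: users={sorted(entry['users'])} bytes_out={entry['bytes_out']}")
    print("Large uploads to unsanctioned hosts:", result["large_uploads"])
    print("Skipped malformed lines:", result["skipped"])
```

On the constructed sample the report shows the sanctioned CRM and collaboration tools being used, flags files.unknown-share.io as shadow IT reached by two users, and singles out carol’s 1 MB upload to it as worth a closer look. The point is that the visibility, data security and compliance pillars all start from the same consolidated view of who is talking to which application.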
Zero-trust Network Access (ZTNA) aims to eliminate “excessive trust” by providing “just in time” and “just enough” access between authorised users and sanctioned applications. Unlike traditional VPN solutions, which allow a user with a specific IP address to access the entire corporate network, ZTNA allows precise, adaptive, identity- and context-aware access. ZTNA solutions are replacing VPNs, which are now seen as more open and hence riskier to use.
Firewalls (as a Service) act as gatekeepers or filters between the enterprise network and the Internet, offering bidirectional (ingress and egress) controls to only allow trusted, secure traffic to pass through. Firewalls typically offer capabilities such as Intrusion Detection/Prevention, Anti-malware Protection, and Logging and Reporting. In addition, most modern firewalls also offer Sandboxing, Geolocation and Signatureless (anomaly-based) Threat Detection.
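The difference between the VPN model and the ZTNA model in the paragraph above is easiest to see as two policy decisions side by side: one that trusts a network position, and one that evaluates identity and device context per application. The Python below is an added example written for this post (it is not code from the original, nor from Citrix, Edge7 Networks or any ZTNA product); the application names, groups, policy fields and posture checks are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    """One access attempt: who is asking, from what device, for which application."""
    user: str
    groups: frozenset        # identity: directory groups the user belongs to
    app: str                 # the sanctioned application being requested
    device_managed: bool     # context: device enrolled in management
    device_patched: bool     # context: device meets the patch baseline
    mfa_verified: bool       # context: MFA completed for this session


# Constructed per-application policies. Each app states who may reach it and
# what device/session context it requires; there is no "on the network" shortcut.
APP_POLICIES = {
    "hr-portal":  {"allowed_groups": {"hr"},          "require_managed_device": True,  "require_mfa": True},
    "wiki":       {"allowed_groups": {"staff", "hr"}, "require_managed_device": False, "require_mfa": False},
    "finance-db": {"allowed_groups": {"finance"},     "require_managed_device": True,  "require_mfa": True},
}


def vpn_reachable_apps(on_corporate_network: bool) -> set:
    """Legacy VPN model: trust is tied to network position. Once the tunnel is up,
    the user's IP address can reach every application, regardless of who they are
    or what state their device is in."""
    return set(APP_POLICIES) if on_corporate_network else set()


def ztna_evaluate(req: AccessRequest):
    """ZTNA model: evaluate one request against the policy of the one application
    it names. Returns (allowed, reasons); reasons is empty when access is granted.
    Unknown applications are denied by default."""
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return False, ["unknown application: default deny"]
    reasons = []
    if not (req.groups & policy["allowed_groups"]):
        reasons.append("identity: user is not in an allowed group")
    if policy["require_managed_device"] and not (req.device_managed and req.device_patched):
        reasons.append("context: managed, patched device required")
    if policy["require_mfa"] and not req.mfa_verified:
        reasons.append("context: MFA not verified for this session")
    return (not reasons), reasons


def ztna_reachable_apps(user, groups, device_managed, device_patched, mfa_verified) -> set:
    """Which applications would this user, on this device, be granted? Each app is
    decided separately, which is the 'just enough' access the text describes."""
    return {
        app for app in APP_POLICIES
        if ztna_evaluate(AccessRequest(user, groups, app, device_managed, device_patched, mfa_verified))[0]
    }


if __name__ == "__main__":
    hr_groups = frozenset({"hr", "staff"})
    print("VPN, tunnel up:         ", sorted(vpn_reachable_apps(True)))
    print("ZTNA, managed + MFA:    ", sorted(ztna_reachable_apps("alice", hr_groups, True, True, True)))
    print("ZTNA, personal device:  ", sorted(ztna_reachable_apps("alice", hr_groups, False, False, False)))
    print("ZTNA, hr user -> finance:", ztna_evaluate(AccessRequest("alice", hr_groups, "finance-db", True, True, True)))
```

Run as written, the VPN case returns every application, while the ZTNA case narrows the same HR user to the HR portal and wiki on a managed device with MFA, and to the wiki alone from a personal device. The reasons list is what a ZTNA broker would log, and what a SOC would want to see when an access attempt is denied.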
These functions, or variations of them, can be provided by a number of providers. SASE in its purest form involves getting all of them from a single vendor, hence the increasing consolidation in the vendor ecosystem as security and networking companies build up their portfolio of services through acquisitions.
How, and where do I start?
At Edge7 Networks, we believe the best approach to SASE is to first take a good look at your own environment and requirements, then build a strategy for migrating on-prem functions to SaaS over time, aligning to licence/hardware refreshes and addressing any high risks first. SD-WAN is a prerequisite for moving forward and will bring many other benefits in terms of availability, performance and UX.
We work with Citrix, Checkpoint and Palo Alto to build SASE solutions and roadmaps for our customers. We always begin with an assessment of the customer environment and identify core security requirements. From there, we build out short, medium and long term building blocks to enhance the security landscape in a measured and practical manner. Moving to SASE is easy when it’s an evolution of the current environment.
To help, we’ve outlined a number of recommendations for SASE deployment:
Don’t go down a technical cul-de-sac.
Make sure that the security and network services you’re looking to deploy will give you choice and flexibility. You may go full SASE and get all your services from a single vendor but don’t get stuck, ensure compatibility with your preferred vendors and solutions and the vendors you choose can work together if needed.
Get the plumbing right
If you’re not looking at SD-WAN, that’s the place to start. SD-WAN will give you a high performing, next generation, application aware network. It’s also the building block for consuming cloud-based security services and moving away from a datacentre-centric architecture. We also believe SD-WAN should reduce your WAN costs, so it’s sort of free.
Watch out for consolidation and SASE washing
There have been a lot of acquisitions as vendors build out their SASE capability, but many of the companies acquired are minnows, and their tech is just not as robust. Also, when a vendor is acquired, it normally takes 12-18 months to integrate into the new parent, and first iterations can be patchy. SASE washing is everyone suddenly becoming a SASE expert or vendor.
Build a roadmap for the next 2-5 years
Stocktake the components you have today, assess what components you need (a NIST assessment), identify your preferred partners/vendors and build a roadmap for deployment based on priorities, the refresh cycle of current assets and business requirements. You can revisit it, but having a plan to sell to internal stakeholders and finance will help a lot.
You’ve already got most of the tools in place. If the SASE framework helps to identify some gaps, plan the solutions, and the roadmap will help. It’s a space in constant flux, so the finish line will always be moving.
Edge7 Networks have been experts in SD-WAN since 2016, so we’ve got a great head start in helping enterprises build out their SASE frameworks (the security add-ons).
Get in touch if you would like some fair and pragmatic assistance on the journey.