The 2020 pandemic has forever shifted the way businesses operate. As businesses continue to reopen, hybrid workforces are now the new normal, requiring access to business services, applications, and data from any location. Organisations are still transforming their networks to provide uninterrupted connectivity while maintaining security for those working in offices, at home or on the road.
Prior to the pandemic, organisations were already facing the challenges that legacy network and network security technologies presented, dramatically limiting their ability to manage new traffic patterns and security threats. Organisations were forced to adopt multiple point products to address changing business requirements, such as firewalls, secure web gateways, cloud access security broker solutions, and SD-WAN. The pandemic exacerbated these challenges, as businesses were now forced to rapidly support global remote working while ensuring privacy and security.
The concept of a secure access service edge (SASE) came to fruition in 2019. Coined by Gartner, SASE (pronounced “sassy”) is designed to help organisations embrace cloud and mobility by providing network and network security services from a common cloud-delivered architecture. A SASE solution must provide consistent security services, and access to all types of cloud applications (e.g., public cloud, private cloud, SaaS) delivered through a common framework.
An effective SASE solution must converge SD-WAN and security into a single, integrated offering that delivers consistent protection with a high-performance experience for all users, regardless of location. Many vendors and providers market a 'single SASE vendor' approach, in which a solution from one vendor is presented as a better choice than a hybrid or stacked approach. In reality, this can't always happen, and where it is feasible, it's rarely an immediate transition. Security and connectivity have always gone hand-in-hand for Edge7 Networks. We are uniquely positioned on this side of SASE, as we can act as your single-vendor solution provider by creating a hybrid technology stack that delivers a complete SASE solution that works for you.
But first, let's take a look at the 10 components of an effective secure access service edge:
SASE is the convergence of networking and security; thus, an effective SASE solution integrates SD-WAN with consistent policies as part of a cohesive platform.
Companies have embraced the software-defined wide area network (SD-WAN) to connect branch offices to the corporate network and provide local internet breakout as an alternative to costly MPLS connections. In a SASE solution, the branch architecture is completely cloud-delivered. Organisations can enable branch services, including security and networking, to be completely delivered from the cloud, simplifying WAN management and increasing ROI. Your SD-WAN solution should be application-defined rather than packet-based for better application visibility, enabling app SLAs that include SaaS, cloud, and UCaaS.
“By 2024, more than 70% of software-defined wide-area network (SD-WAN) customers will have implemented a secure access service edge (SASE) architecture, compared with 40% in 2021.” –Gartner
2: Zero Trust Network Access
Companies still stuck in legacy virtual private network (VPN) architectures lack the necessary security protections and policies needed to keep their users and data safe. Zero Trust Network Access (ZTNA) requires users who want to connect to an application to first authenticate through a gateway before gaining access. This provides security administrators the ability to identify users and create policies to restrict access, minimise data loss, and quickly mitigate potential threats.
A SASE solution should incorporate continuous threat assessment and trust validation into ZTNA for protecting applications, and apply other security services for the consistent enforcement of data loss prevention (DLP) and threat prevention policies. This is because access controls, in and of themselves, are useful for establishing who the person is, but other security controls are necessary to ensure their behaviours and actions are not harmful to the organisation. It is also necessary to extend the same controls across access to all applications.
3: Cloud Access Security Broker (CASB)
Today’s digital businesses with hybrid workforces struggle to keep up with the explosion of SaaS application usage across their organisation. Their sensitive data is increasingly exposed across multiple applications while cloud-based threats continue increasing in volume and sophistication.
CASB is a core component of SASE, creating a single platform for administrators to manage security controls for all application types. A SASE solution with integrated CASB helps you understand which SaaS apps are being used and where sensitive data is going, no matter where users are located.
Current CASB solutions only solve part of the problem as they fail to provide adequate visibility and control along with robust security to help organisations monitor SaaS usage, protect their sensitive data, and prevent SaaS application risks. Also, they are disjointed from the security infrastructure and are quite complex to deploy and manage.
Your SASE solution should be able to automatically keep pace with the explosion of SaaS applications—including modern collaboration applications—by incorporating both inline and API-based SaaS controls for governance, access controls, and data protection. To provide superior visibility, management, security, and zero-day protection against emerging threats, SASE should also deliver comprehensive cloud-delivered enterprise DLP that utilises ML for more accurate detection and real-time protection of sensitive data across the entire enterprise.
4: Firewall as a Service
Physical or virtual firewalls are required anywhere applications or users exist, whether headquarters, branch offices, data centres or the cloud. With the explosion of remote users and apps everywhere, organisations struggle to manage dozens to hundreds of firewalls.
Firewall as a service (FWaaS) is a deployment method for delivering firewall functionality as a cloud-based service, and good FWaaS offerings will provide the same features as a next-generation firewall.
A SASE solution incorporates FWaaS into its unified platform, providing the same services as a next-generation firewall but as a cloud-delivered service. By encompassing the FWaaS service model within a SASE framework, organisations can easily manage their deployments from a single platform.
It is important to ensure your SASE solution does not only provide basic port blocking or minimal firewall protections. You need the same features a next-generation firewall embodies and the features cloud-based security offers, such as threat prevention services and DNS security.
5: Secure Web Gateway
As enterprises continue to adopt hybrid cloud strategies and offer flexible work-from-anywhere options for their employees, they need a security solution that can secure all their apps. Traditionally, organisations relied on secure web gateway (SWG) products to protect users and devices from accessing malicious or inappropriate websites. SWG with DNS security can be used to block inappropriate content (e.g., pornography, gambling) or websites that businesses simply don’t want users accessing while at work, such as streaming services (like Netflix).
A SASE solution needs to include SWG security to enable complete visibility and control over all traffic, regardless of where a user may be located, to ensure the secure use of cloud-based apps and other web services. As organisations grow and add more and more remote users, the SWG should have the ability to scale to support organisational growth.
6: Digital Experience Monitoring
User experience is critical for employee satisfaction and productivity. A digital experience is now necessary as employees need to work from anywhere. IT teams struggle with visibility challenges on the application, network, and device side, including things like Wi-Fi, often requiring manual and labour-intensive troubleshooting sessions to remediate issues.
Autonomous Digital Experience Management (ADEM) provides end-to-end visibility and insights to create a seamless digital user experience. Encompassed with SASE, ADEM provides segment-wise insights across the entire service delivery path, allowing real and synthetic traffic analysis that enables organisations to proactively drive remediation of digital experience problems.
Optimising the user experience is crucial now that employees are working from anywhere. To benefit both the user and IT teams, your SASE solution should incorporate ADEM for comprehensive visibility, faster remediation, and detailed performance insights into endpoint devices, Wi-Fi, network paths, and applications.
7: Threat Prevention
In today’s world of small- to large-scale breaches, where ransomware attacks occur on a daily basis, threat prevention is key to protecting your organisation’s data and employees.
Stopping exploits and malware by using the latest threat intelligence as well as advanced machine learning and artificial intelligence is crucial to protecting your employees and data. Your SASE solution should incorporate threat prevention tools into its framework so you can react swiftly to remediate threats. Inline machine learning should also be incorporated so unknown file- and web-based threats are instantly prevented. Additionally, automated policy recommendations can save time and reduce the chance of human error.
8: Internet of Things
Organisations are adopting IoT devices as older technology transforms into future tech, like smart thermostats and smart lighting systems. It is not just smartphones, watches, and laptops that need to be protected when on the corporate network.
Internet of Things (IoT) devices are often unmanaged by an organisation but connected to the corporate network. This introduces security gaps, as these devices often have vulnerabilities, rely on users to install updates, and offer limited visibility to IT teams in what they are accessing.
A SASE solution should incorporate machine learning and AI, giving organisations greater autonomy to quickly identify and remediate threats. With SASE, IoT security should be integrated into the platform to secure remote branches, sites, and workers from the cloud. Part of a SASE solution includes the ability to accurately detect devices for full visibility and enforce policies to ensure security across the network, eliminating the need for additional IoT security solutions.
9: Data Loss Prevention
DLP is a necessary tool to protect sensitive data and ensure compliance throughout the organisation. To this end, the SASE solution must include this core capability. With SASE, DLP is an embedded, cloud-delivered service used to accurately and consistently identify, monitor, and protect sensitive data everywhere—across networks, clouds, and users.
Data loss prevention (DLP) tools protect sensitive data and ensure it is not lost, stolen, or misused. DLP is a composite solution that monitors data within the environments where it is deployed (such as network, endpoints, and cloud) and through their egress points. Due to compliance requirements from HIPAA to PCI DSS, GDPR, etc., DLP is a crucial solution needed for data security and compliance.
Legacy DLPs rely on old core technology initially designed for on-premises perimeters and subsequently extended and adapted to cloud applications. Loaded with features, disjointed policies, configurations, and workarounds, DLPs have become very complex, difficult to deploy at scale, and too expensive.
Through the SASE approach, DLP becomes one cloud-delivered solution centred around the data itself, everywhere. The same policies are consistently applied to sensitive data, at rest, in motion, and in use, regardless of its location. In the SASE architecture, DLP is not a stand-alone solution anymore but is embedded in the organisation’s existing control points, thus eliminating the need to deploy and maintain multiple tools.
10: Platform Extensibility
Organisations are embracing the cloud, but adding and integrating multiple cloud-based services from different vendors can be complex. It is difficult to find one tool that solves every single challenge, so it is important to have solutions that can talk to each other to eliminate security gaps. Unfortunately, not many cloud solutions are designed to elegantly integrate with third-party services, and vendors often don’t want to help organisations along that journey.
A SASE solution should embrace the integration of third-party services and simplify the process for administrators by providing a platform that easily integrates these services. By providing a platform for integration, organisations can quickly add the services they need with the full support of their SASE provider.
With an extensible SASE solution, organisations can easily add services to the platform, addressing all possible use cases. Without the deterrent of point solutions that are not integrated with each other, organisations can increase their capabilities and functionality with their existing third-party services to satisfy their needs.
How can Edge7 Networks help?
Organisations can embrace their remote workforces, knowing they can provide broad security and connectivity for their remote users and branch locations. Rather than creating single-purpose technology overlays that are normally associated with point products, Edge7 Networks work with you to design a cloud-based infrastructure that delivers multiple types of security services and combines networking services to provide a complete solution. We partner with industry leading network and security vendors in order to provide complete SASE solutions to organisations no matter where on the journey they are. Network and Security have always been cohesive to us, and our customers have been working within a SASE framework before the name came about.