Subscribe
About

Tackling cyber security threats with SASE

Secure access service edge brings trustworthy security to the modern enterprise networking landscape, as its capabilities extend far beyond legacy security architectures.
Andre Kannemeyer
By Andre Kannemeyer, National chief technical officer (CTO) at specialist distributor Duxbury Networking.
Johannesburg, 17 May 2021

The unprecedented expansion of applications and users, combined with deepening security vulnerabilities, calls for an innovative method of connecting and protecting with cloud economies of scale. Micro-segmentation of network, security, applications and users is no longer acceptable alone for ensuring data, asset and application security.

To meet these challenges, enterprises must be able to provide network services that are as diverse and as spread out geographically as the applications and users who rely on them. Fortunately, comprehensive and integrated security, networking and visibility via the cloud are possible today with the same scale and performance that were once available only in on-premises solutions.

Organisations must adopt a new IT model to eliminate the inefficiencies of traditional wide area network (WAN) architectures, enable a work from anywhere (WFA) workforce and protect against a weak security posture. SASE can help them do that. Secure access services edge (SASE) is an architectural framework and implementation introduced by Gartner to address security solutions for the client-to-cloud era.

SASE offers a way to bring trustworthy security to the peril-fraught modern enterprise networking landscape. Its capabilities extend far beyond legacy security architectures, incorporating identity, trust and context regardless of the connection, user, device, or application. SASE also enables policies to be delivered pervasively, consistently and ubiquitously, as well as meet security, networking, application, user and business requirements.

SASE is not just one technology but an entire package of technologies, including:

  • Software-defined WANs (SD-WANs)
  • Secure web gateways (SWGs)
  • Cloud access security brokers
  • Zero-trust network access
  • Firewall as a service

Deployed together, SASE technologies can help networks meet the demand for robust security without compromising on technology, flexibility, or features.

Today’s WFA workforce accesses applications from anywhere at any time. Enterprises are embracing SaaS for business-critical applications and migrating their workloads from private to multi-cloud architectures to meet speed, agility and economic needs.

In the current client-to-cloud era, the old fixed-network perimeter has dissolved into a fluid, amorphous edge. IT must deliver a secure, reliable and dynamic user, customer and application experience that can be enhanced, measured, monitored and diagnosed.

Understanding what SASE requires

SASE embraces dynamic, contextual security based on identity, and delivers it primarily as a cloud service. A leading SASE solution must meet a certain minimum set of requirements. This is a summary of what is needed:

Hardware neutrality

Traditional branch and site-to-site hardware architectures have served enterprises well, but they have resulted in stacks of single-purpose appliances at each corporate office. This appliance sprawl lacks agility, requires multiple touch points for changes, needs staff skilled on various vendors’ products, and uses excessive space and power. It also ties the enterprise to a proprietary architecture and reduces the ability to easily change technologies.

Deployed together, SASE technologies can help networks meet the demand for robust security without compromising on technology, flexibility, or features.

In contrast, a single-stack software solution deployed on a bare metal appliance − as a VM or as a container − saves space, power, time and effort, while providing much improved scalability, performance and manageability. The solution integrates:

  • Application awareness
  • Full-security stack
  • SWG
  • SD-WAN and application-based traffic steering
  • Routing
  • Quality of service
  • Compression
  • Encryption
  • WAN optimisation

Single-pass execution

An environment with discrete single-service appliances hands off packets from one product to the next. Each one copies the packet into memory, unpacks the content, analyses the data and context, applies a decision or policy, repacks the packet, and transmits it to the next device in the chain.

Each device must decompress / decrypt the packet if necessary and redo these actions before transmission. This process is time-intensive and significantly impairs performance.

A single-pass, flow-based architecture with internal service chaining like the one shown above optimises performance by executing each action only once:

  • It unpacks (and decrypts) the packet into memory.
  • It makes content and context available to all security, routing, policies, filtering and other functions.
  • It repacks (and encrypts) the packet for transmission.

Elastic scale-out

A single-pass processing architecture dramatically lowers latency, significantly improves performance, mitigates security exposure, and saves space, power and specially-skilled IT staffing. It is efficient and scales horizontally by leveraging multiple underlying cores or memory.

The ability to run the integrated software-only solution on a bare metal server, VM, or container makes it deployable as a cloud-based service that provides additional flexibility and agility.

Containers and microservices

A microservice is a service-oriented application, strongly encapsulated, loosely coupled, independently deployable and independently scalable. Each service is responsible for a discrete task and communicates with other services through simple APIs to solve a larger, complex business problem.

A cloud-native SASE solution based on a microservices design has a fluid architecture that can run on public or private clouds, making horizontal scaling both easy and flexible.

The benefits of a microservices architecture are its isolation, resilience and scalability.

Global distribution

Globally distributed SASE-capable points of presence (POPs) offered through co-location facilities, service provider POPs, and infrastructure as a service (IaaS) should be used to reduce latency and improve performance for network security services.

A SASE solution must offer distributed POPs that align with the digital enterprise’s access latency and data residency requirements. This is also critical for maximising localised end-user experiences.

Inline encryption

Encryption is paramount to protect transactions and data in transit. SASE providers must be able to terminate and inspect encrypted sessions, where required, based on policy with a scalable (ideally, software-based) architecture.

SASE offerings must be able to deliver inline encrypted traffic inspection (decryption and subsequent re-encryption) at scale, ideally delivered from the cloud and without the use of proprietary hardware.

SASE solutions must include line-rate encryption capabilities (hardware or software) to provide acceptable user quality of experience.

Segmentation with multitenancy

SASE delivers security by isolating and segmenting traffic. Cloud-native SASE architectures are multitenant with multiple customers sharing the underlying data plane compared to single tenancy, which results in lower densities and potentially higher costs.

A multitenant architecture completely separates each tenant’s operating environment, configurations, profiles, privileges, policies and traffic handling, thereby ensuring complete security between each tenant’s partition of a shared resource. Multitenant partitioning enables reliability, availability and scalability, while enabling cost savings, flexibility and security to IT organisations.

A multitenant platform scales easily to handle increasing demand. It is imperative that the multitenant architecture encompasses all of each tenant’s environments − the management, control and data planes. Multitenancy support is required on any shared SASE or cloud resource, such as gateways, controllers and orchestration platforms.

Deploying a SASE solution

A leading SASE solution must support flexible models for on-premises, in the cloud and combined premises-and-cloud deployments. It must also deliver consistent security, networking and business policies on-premises and in the cloud for users and traffic anywhere in the world.

A truly flexible SASE solution offers a global cloud-native architecture, deploying cloud instances with a simple point and click, regardless of whether it’s a public, hybrid, or on-premises cloud, or a combination thereof.

A SASE solution attaches and anchors a SASE client to the most optimal SASE gateway by taking into consideration the distance between the SASE client and SASE gateway, as well as the service load on the SASE gateways.

SASE infrastructure eliminates multi-cloud interconnectivity challenges by seamlessly establishing dynamic secure overlay connectivity for both the data and control planes to each cloud.

* In my Industry Insight article next month, I will discuss how SD-WAN technology forms the foundation of SASE by providing the required features.

Share