The adoption of multi-cloud environments that span public, private, and hybrid IT infrastructures have revolutionized the way companies do business, enabling them to cut costs, improve efficiencies and increase agility.
In the process, this cloud revolution has turned traditional data center-based security on its head, as more users, devices, apps, services, and data now reside outside the data center, than inside it. A report from Coalfire noted that 90 percent of enterprises are in the cloud to some degree.
The traditional enterprise security model, which requires cloud traffic to be back-hauled through the data center for security inspection and policy enforcement and uses virtual private networks (VPNs) on endpoints, is broken. This approach is not only slow and expensive but riddled with potential problems, such as users bypassing VPNs.
A better approach places security functionality closer to users.
Gartner Research describes the model as a Secure Access Service Edge (SASE). It provides a multi-layered security defense that is seamless and non intrusive to users, while making it difficult for bad actors, including bots, to breach the network.
In this eWEEK Data Points article, Ken Ammon, Chief Strategy Officer for OPAQ, a former U.S. Air Force security officer and and an industry expert in managed security, network security and government security, offers a primer on this new-gen approach.
eWEEK’s resident networking and security analyst, Zeus Kerravala, has written entensively about SASE here on this site.
Data Point No. 1: Defining SASE
Gartner says SASE creates a policy-based, secure access service edge, regardless of the location of the entities requesting the networked capabilities or the location of those capabilities.
Instead of the security perimeter being enforced in the data center, SASE extends the perimeter everywhere an enterprise needs it to be.
Data Point No. 2: SASE Components
The key building blocks for deploying SASE are secure web gateways (SWGs); firewall-as-a-service (FWaaS); advanced endpoint protection; micro-segmentation; and cloud access security brokers (CASBs).
- SWGs blend URL filtering, advanced threat defense, and malware protection to shield users from internet-based threats, and to help enterprises enforce internet policy compliance. SWGs can be installed as on-premises appliances or cloud-based services, or in hybrid mode.
- FWaaS replaces physical firewall devices at each site with a cloud-delivered alternative. It reduces capital expenditure on equipment, management overhead and security operations complexity.
- Advanced endpoint protection is particularly important for devices in motion which are often exposed to untrusted networks, and provides an additional layer of granular security that reduces the workstation attack surface while preventing lateral movement (e.g., via ransomware) inside the enterprise.
- Micro-segmentation enables an enterprise to segment all cloud-to-cloud traffic and data from one cloud environment to another — and to separate cloud apps from the data center.
- CASBs interface between an enterprise’s on-premises infrastructure and cloud providers, enabling an enterprise to extend and enforce on-premise security policies to cloud resources including SaaS, IaaS and PaaS.
Data Point No. 3: Key benefits of SASE in a data center
SASE eliminates the cost and complexity of deploying, managing and maintaining multiple security physical and/or virtual appliances and software agents.
It delivers superior security since all access sessions are inspected and protected by requisite security policies. For example, access to Salesforce, Facebook, and cloud-hosted applications can be protected via a consistent policy applied to devices and users, regardless of their location.
SASE also allows an enterprise to centrally create and manage security policies and to enforce them locally — on endpoints close to the entities where local decision-making can be made.
Data Point No. 4: What SASE brings to the IT table
One of the biggest advantages afforded by SASE is its ability to provide the underlying infrastructure for implementing Zero Trust network access.
For example, SASE enables an enterprise to treat cloud resources as an extension of the data center, while keeping cloud apps segmented from the network data center, and vice-versa. In addition, SASE encrypts all network communications, and segments lateral traffic, thereby reducing workstation-to workstation, and endpoint-to-endpoint takeovers.
The SASE architecture also provides visibility into traffic flows, including where connections are being made. This intelligence can be used to address performance issues and fine tune security policy enforcement to improve agility.
Data Point No. 5: Summary
Finally, SASE makes it easier to restrict access to both on-premise and cloud resources to only those who require it. Permissions can be managed on a granular basis such as by developer, by user, by business need, and by IT resource.
Ultimately, SASE enables organizations to extend what is left of the network perimeter out to the edge, where security controls can mitigate threats, reduce the enterprise attack surface and enforce workstation security to prevent breaches that can spread into the corporate IT infrastructure.
If you have a suggestion for an eWEEK Data Points article, email cpreimesberger@eweek.com.