A staggering 40% of businesses are expected to adopt Secure Access Service Edge (SASE – pronounced “sassy”) and Zero Trust by 2024. This is a stark contrast to 2018, when this number was less than 1%, and indicates the importance and growth potential of the SASE market. The pandemic has brought about a seismic shift in how companies navigate employee working patterns, with most of the workforce working remotely. This expansion of the work environment has increased the need to extend security coverage to devices and assets outside the network perimeter, and has in turn increased the possibility of unintentional information disclosure.
Businesses are facing the reality that it is not “if” but “when” they will suffer a security-related data breach. This has forced companies to give serious consideration to deploying a “Zero Trust” security architecture, with only a few aware of SASE and the potential benefits it offers for their cloud security posture.
In this article, we will first look at what SASE is: its benefits, considerations, and relevance to recent changes in the security landscape. We conclude with how SASE can be leveraged to ensure your cloud security is keeping pace with today’s environmental threats.
Changes in the cloud security landscape
Let us consider the traditional networking model, where the security perimeter is centred around the main office network, remote workers connect via a Virtual Private Network (VPN) and branch offices use Wide Area Networks (WAN) to connect to the head office. The move to remote working has brought about a more flexible approach to network security and network management, requiring seamless connectivity and accessibility to applications from anywhere. IT security teams now have to consider an ever-expanding network and a growing number of endpoints while maintaining consistent policy enforcement and a secure network environment, all of which increases complexity.
Security costs have ballooned over the last few years to manage the shift to more remote work, plus migration of 98% of organisations to public cloud services ranging from IaaS to PaaS. Palo Alto’s research has identified that approximately 60% of organisations leverage Zero Trust for specific uses within their business, with a plan to move away from VPN usage and expand their SASE strategy. Due to the relationship between Zero Trust Network Access (ZTNA) and SASE, more than one-third of businesses have begun to implement SASE as a means of kickstarting their network security modernisation. ZTNA emphasises increased adherence to the principles of Zero Trust for applications. Enterprises are bringing SASE and Zero Trust principles together to achieve ZTNA and so consistently apply and enforce security standards across their network perimeter.
What is SASE and how does it leverage Zero Trust?
SASE – a term conceived by Gartner in 2019 – is made up of five components, converging ZTNA with:
- Software-defined WAN (SD-WAN);
- Cloud Access Security Broker (CASB);
- Secure Web Gateways (SWG); and
- Next-Generation Firewall (NGFW) / Firewall as a Service (FWaaS),
to provide a secure and seamless experience for users accessing corporate resources from any location and device.
- Zero Trust, also known as zero trust architecture or zero trust network access, is a security framework that eliminates implicit trust and implements continuous verification, regardless of whether the user and/or device has privileged network access. This can also be considered perimeter-less security.
- SD-WAN is a virtual WAN architecture, defined by software that moves away from the traditional WAN requirement to use physical routers to connect users to applications in data centres. SD-WAN simplifies traffic management across a network and supports applications hosted on-premise and in the cloud, using software to control networking hardware.
- CASBs are services that utilise the cloud to provide data protection, threat protection, and visibility for cloud workloads and applications.
- SWGs can be either on-premise or cloud network security services that prohibit malicious web traffic from accessing the corporate network. They sit between users and the public internet to filter internet and web traffic at layer 7.
- FWaaS refers to a cloud service that enables companies to provide hardware firewall capabilities like advanced threat prevention, intrusion prevention systems, DNS security, and web filtering, with the ability to scale to demand.
It is worth noting that there is also Secure Service Edge (SSE), a subset of SASE that focuses solely on the security framework. It can be thought of as SASE, minus the software-defined networking.
SASE: Benefits and Considerations
SASE allows organisations to move their security infrastructure to the cloud, which can be more cost-effective and easier to manage, with additional benefits:
- Scalability and flexibility: Security is delivered as a service and can be easily scaled up or down to meet changing needs. Security is no longer tied to a specific location or device, supporting remote work and other flexible work arrangements.
- Faster performance: By moving security functions to the cloud, SASE can reduce the amount of data that needs to be transmitted over the network, improving overall performance and reducing latency.
- Improved granularity: ZTNA and SASE enable dynamic access controls, providing access and visibility to individual resources for specific applications and users.
- Enhanced security: By applying Zero Trust, access is provided to an identity and is entirely contextual, only allowing access to specific resources and applications.
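The difference between the traditional perimeter model and the Zero Trust definition given earlier, together with the granularity and contextual-access benefits listed above, can be shown with a small policy check. This is an added example, not code from the original article or from any vendor; the users, applications, grants and reason strings are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed per-application grants: (user, application) -> expiry of a
# just-in-time grant, or None for a standing least-privilege grant.
GRANTS = {
    ("alice", "payroll"): None,
    ("bob", "build-server"): datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
}

@dataclass(frozen=True)
class Request:
    user: str
    app: str
    on_corporate_network: bool  # office LAN or VPN
    mfa_passed: bool
    device_compliant: bool
    time: datetime

def perimeter_decision(req: Request) -> bool:
    """Traditional model: network location alone confers trust."""
    return req.on_corporate_network

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Check identity, device and per-application grant on every request.
    Network location is deliberately not an input."""
    if not req.mfa_passed:
        return False, "strong authentication required"
    if not req.device_compliant:
        return False, "device not compliant"
    if (req.user, req.app) not in GRANTS:
        return False, "no grant for this application"
    expiry = GRANTS[(req.user, req.app)]
    if expiry is not None and req.time >= expiry:
        return False, "just-in-time grant expired"
    return True, "allowed"

NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLES = {  # constructed requests
    "office, unmanaged laptop": Request("alice", "payroll", True, True, False, NOW),
    "remote, compliant laptop": Request("alice", "payroll", False, True, True, NOW),
    "remote, other application": Request("alice", "build-server", False, True, True, NOW),
    "grant expired": Request("bob", "build-server", True, True, True, NOW.replace(hour=13)),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:27} perimeter={perimeter_decision(req)!s:5} "
              f"zero_trust={zero_trust_decision(req)}")
```

The first and last samples are the cases the perimeter model gets wrong: it admits an unmanaged device and an expired grant simply because the request originates inside the network.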
There are a few critical considerations for organisations considering SASE. One is the potential impact on existing security infrastructure and processes. Transitioning to a SASE model may require changes to how security is managed and configured and new training for IT staff. Another consideration is the level of control and visibility that an organisation has over its security infrastructure in a SASE model. Finally, organisations must carefully evaluate the security and compliance of the cloud provider they choose to work with.
SASE is an innovative approach to network security and access management that can provide organisations with a more flexible, cost-effective, and secure way to support remote work and other flexible work arrangements. While there are some important factors to consider, the potential benefits make SASE worth looking at for many organisations.
Leveraging SASE in a Hybrid / Multi-cloud Environment
Microsoft’s public cloud platform – Azure – provides a suite of services, some of which can be used to deliver several of SASE’s five pillars:
- Zero Trust Network Access (ZTNA) in Azure can be leveraged using various tools, including the use of least privilege access, just-in-time policies, identity management and policy configuration, traffic filtering and segmentation, strong authentication and device compliance.
- Azure Virtual WAN is a cloud-based SD-WAN that provides a rich suite of Azure first-party connectivity, routing, and security services. Azure Virtual WAN is also designed to enable seamless interconnection with premise-based SD-WAN and SASE technologies and services.
- Azure Firewall is a cloud-based, fully stateful firewall with high availability and scalability. It can centrally create, enforce, protect and log application and network connectivity policies across subscriptions and virtual networks. Combined with Network Security Groups (NSGs), Azure Defender and Web Application Firewalls (WAF), Azure can provide Firewall-as-a-Service (FWaaS) – one of the key pillars of SASE.
SASE SaaS Offerings
Although Cloud Service Providers (CSPs) such as Azure, GCP and AWS can implement some SASE elements, SASE can also be implemented with SaaS vendors, using either a single-vendor or a multi-vendor approach. A single vendor focuses and delivers on a single pillar, whereas a multi-vendor approach provides a unified SASE solution. Arguably, with a multi-vendor approach, every vendor can offer the advantages of a single vendor regarding expertise for each pillar. However, it may be easier if the vendor can understand how each networking and security component converges into one platform.
The following are some of the current leading third-party SASE providers. Most focus on more than one component, while some are able to deliver a full SASE architecture:
- CATO: Network security company that develops SSE technology.
- Netskope: Global cybersecurity leader, offering single vendor SASE solutions.
- Palo Alto: Focus on enterprise cybersecurity with offerings ranging from network security to endpoint protection.
- Zscaler: Cloud security company with various security offerings.
SASE offers businesses a robust cloud security framework with benefits including scalability, flexibility, enhanced security, improved network performance and reliability relative to traditional security implementations.
These five SASE pillars can be implemented in various ways: by single or multi-vendor SaaS offerings, or hybrid / multi public cloud platforms. Regardless of implementation method, SASE provides businesses with the tools required to kickstart their network security modernisation.