Secure Access Service Edge (SASE) is a component of zero trust architecture that protects network elements inside and outside a traditional network boundary. With the digital transformation of businesses, increased remote working, and the use of cloud services to run applications, security is moving to the cloud, and SASE is providing that security.
Computer networks once consisted of an office network and a data center specific to an enterprise. An employee would go into the office and log onto a computer, accessing applications running in the data center. All company transactions occurred within the network perimeter.
This traditional network security approach established a firewall around the network. Once a user was inside the firewall, the network trusted that computer and did not check the user's further activity.
Digital transformation has drastically changed how employees work. Many employees, whether at the office or remote, access applications that are housed on the internet, outside the safeguards of the corporate data center. For example, an employee accessing Salesforce could be on a laptop at a kitchen table. The application could be resident on the internet, or the employee could remotely access the application housed in the company data center.
In today's work world, the network perimeter we used to protect no longer exists because there are access points everywhere, and the internet is now our vehicle for transferring information. The challenge in this environment is to protect the gateways back into the enterprise environment, the "edges."
To bolster inadequate perimeter security protocols in this dispersed environment, IT teams have ended up with many vendors, policies, and consoles that try to protect data without entirely succeeding. SASE is a new solution to reduce cybersecurity complexity and improve effectiveness for dispersed-access environments.
The SASE security model
SASE is a collection of technologies that combines network (SD-WAN, VPN) and security (SWG, CASB, FWaaS, ZTNA) functions. Such technologies are traditionally delivered in siloed point solutions. SASE – or Zero Trust Edge – combines these into a single, integrated cloud service.
SD-WAN optimizes network traffic by dynamically selecting the most efficient path, enhancing performance and reliability. It integrates with SASE to ensure secure, high-performance connectivity for remote users.
VPNs create secure tunnels for remote access but lack the granular control of newer technologies. Within SASE, VPNs are enhanced with additional security measures to provide more robust remote access management.
SWGs secure internet-bound traffic by filtering harmful content and enforcing compliance. In the SASE framework, they provide protection against online threats and ensure safe browsing.
CASBs manage and secure cloud access, offering visibility and control over data transfer between users and cloud services. They are crucial in SASE for protecting cloud-based applications and data.
FWaaS offers cloud-based firewall capabilities, providing centralized management and security. Integrated into SASE, it protects against external threats while supporting a distributed, cloud-centric network environment.
ZTNA restricts access to applications based on user identity and context, reducing the risk of unauthorized access. Within SASE, ZTNA provides a secure, adaptive approach to remote access.
Organizations looking to advance their user-centric network and network management security protocols are adopting SASE architecture to enable zero-trust network access. The zero trust model is about never trusting, always verifying, and assuming compromise until a machine is proven trustworthy. The internet connects everything, and no device is inherently trustworthy because the internet is an open information platform.
SASE is an essential element in zero trust architecture. Much of SASE is not one new technology but a combination of new and existing technology. SASE delivers security controls to the user, device, or edge computing location. Previous cybersecurity protocols established firewall protection for a data center, but SASE authenticates based on digital identity, real-time context, and company policies.
There are three critical components of SASE:
SASE consolidates security functions into a cloud-based service, cutting down on hardware expenses and reducing management costs.
By unifying multiple security solutions, SASE simplifies management, reducing the complexity associated with handling various tools and vendors.
SASE ensures consistent enforcement of network and security policies across all environments, enhancing overall security.
With integrated security controls, SASE improves threat detection and response, lowering the likelihood of successful attacks.
SASE offers secure, high-speed access to applications from anywhere, enhancing productivity and user experience for remote and hybrid workforces.
An SWG controls internet access and manages what a user can and cannot access. If a user tries to access or download something from a suspect website or attempts to access a forbidden destination such as a gambling site, the gateway blocks it.
Cyber-attacks have become very sophisticated. Just when we began to recognize the old style of a phishing email with misspelled words and awkward language, bad actors became more sophisticated. Now it is nearly impossible to tell which emails are legitimate and which are from hackers, even for knowledgeable users.
Internal cybersecurity training is integral to establishing more robust protection, but users make mistakes even with training. SWG is another tool your security team can use to see all traffic to and from your network. If there is a threat, the security team can use SWG to mitigate it.
CASB restores visibility into SaaS applications. As a user connects to Salesforce, Office 365, or another app, your security team can see what data your users are transferring, which files are uploaded or downloaded from OneDrive or SharePoint, who did it, and at what time.
CASB is software located on-site or in the cloud. It mediates between users and cloud services with security policies for cloud access and tracks actions on the network.
The starting point for CASB reporting is configuring the options for each user group within the organization. One group may be authorized to upload but not download. Another group may edit documents, and another may only be able to view documents. The enterprise sets the policy.
The enterprise also sets the action to be taken if a prohibited action occurs. Your security team can set protocols to automatically block the activity or allow it to happen and report the event to the event viewer.
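The group policy and enforcement choice described above can be sketched as follows. This is an added example, not code from any CASB product; the group names, policy format, and sample events are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical per-group policy: permitted actions, and what to do when a
# prohibited action occurs ("block" it, or "report" = allow but log it).
POLICY = {
    "sales":     {"allowed": {"view", "upload"}, "on_violation": "block"},
    "editors":   {"allowed": {"view", "edit"},   "on_violation": "report"},
    "read_only": {"allowed": {"view"},           "on_violation": "block"},
}

@dataclass(frozen=True)
class Event:
    time: str
    user: str
    group: str
    app: str
    action: str
    file: str

def evaluate(event, policy=POLICY):
    """Return (permitted, reported) for one cloud-app activity event."""
    rule = policy.get(event.group)
    if rule is None:                      # no policy for this group: deny and report
        return False, True
    if event.action in rule["allowed"]:
        return True, False
    # Prohibited action: the group's enforcement mode decides the outcome.
    return rule["on_violation"] == "report", True

def audit(events, policy=POLICY):
    """Build the report a reviewer would read: who, what, when, outcome."""
    report = []
    for e in events:
        permitted, reported = evaluate(e, policy)
        if reported:
            outcome = "allowed" if permitted else "blocked"
            report.append((e.time, e.user, e.app, e.action, e.file, outcome))
    return report

# Constructed sample events (not real log data).
EVENTS = [
    Event("09:02", "dana", "sales", "OneDrive", "upload", "q3-forecast.xlsx"),
    Event("09:05", "dana", "sales", "OneDrive", "download", "customer-list.csv"),
    Event("09:11", "eli", "editors", "SharePoint", "download", "handbook.docx"),
    Event("09:20", "fay", "read_only", "SharePoint", "edit", "handbook.docx"),
    Event("09:31", "gus", "contractors", "OneDrive", "view", "roadmap.pptx"),
]

if __name__ == "__main__":
    for row in audit(EVENTS):
        print(*row)
```

A group with no policy entry is denied and reported rather than allowed, so a newly created group cannot bypass the policy by omission.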
ZTNA gateways are the new element of SASE. ZTNA is a security architecture that only grants access to traffic between authenticated users, devices, and applications. No traffic is trusted, and all end devices are suspected of having malicious intent until proven otherwise. ZTNA is replacing VPNs for authenticating users remotely.
VPN is the technology enterprises traditionally used to connect remote users to the corporate network. VPN has several issues: it is costly and often establishes an unstable connection. In addition, ineffective remote connections cause workers to struggle to do their jobs, costing the enterprise money in lost productivity.
The biggest issue with VPN is that it offers remote access with few security controls. A user accessing a corporate network via VPN from a home network authenticates and has full access to the network's front and back end. The user proceeds with work in the application's front end. If a piece of malware finds its way to the computer from the internet, it can go to the back end of the same application and grab all the data, causing a data breach.
ZTNA removes the malware's ability to move around inside the network because ZTNA individually authenticates each user, device, and application as trusted on the network.
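The difference between the two access models can be shown as a per-request decision. This is an added example, not code from any ZTNA product; the user, device, and application names and the grant table are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool   # result of the identity provider check
    device: str
    app: str

# Constructed inventory and grants (hypothetical names).
DEVICES = {"laptop-042": {"compliant": True}, "laptop-107": {"compliant": False}}
GRANTS = {("alice", "crm-frontend")}     # one user, one application, nothing implied

def vpn_allows(req, tunnel_authenticated):
    """VPN model from the text: one login, then the whole network is reachable."""
    return tunnel_authenticated

def ztna_allows(req):
    """Default deny; user, device and application are each checked per request."""
    if not req.authenticated:
        return False, "user not authenticated"
    posture = DEVICES.get(req.device)
    if posture is None or not posture["compliant"]:
        return False, "device not trusted"
    if (req.user, req.app) not in GRANTS:
        return False, "no grant for this application"
    return True, "ok"

# Constructed requests: normal work, then malware on the same laptop reusing
# the session to reach the back end, then the same user on a non-compliant device.
WORK = Request("alice", True, "laptop-042", "crm-frontend")
MALWARE = Request("alice", True, "laptop-042", "crm-database")
BAD_DEVICE = Request("alice", True, "laptop-107", "crm-frontend")

if __name__ == "__main__":
    for r in (WORK, MALWARE, BAD_DEVICE):
        print(r.app, r.device, "vpn:", vpn_allows(r, True), "ztna:", ztna_allows(r))
```

Under the VPN model all three requests succeed once the tunnel is up; under the per-request model only the first does, because the back-end application was never granted and the second laptop fails the device check.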
VPN vulnerabilities:
The first step toward zero trust is for the organization to commit to adopting the architecture. Over time, IT and security teams can gradually implement technologies from different product groups to increase maturity.
A starting point is to understand the problems in your environment that affect the organization daily. For example, if internet access is out of control – everyone can access everything, and users are unwittingly downloading malware – SWG could be your initial zero trust technology.
The next step could be determining what SaaS apps employees use and who can access what. It makes sense to increase your security team's visibility, so they can adequately grant access for authorized activities and ensure users stay within the policy framework.
Even with SASE security parameters in place, your network is still not entirely zero trust; you are moving toward it. Zero Trust is a journey over time to increase your network's security, and if you continue on the path, security will iteratively get better.
Protecting a physical asset, like a laptop or server, or a digital asset like a user account or application is not the primary goal of cybersecurity. It is about protecting the data used by business operations, including usernames, passwords, proprietary corporate data, confidential material, and payment information.