When they were introduced, SD-WANs represented a quantum leap, since they made network usage far more efficient. They were not a transformation, however: the data center remained the central element of corporate security. A real paradigm shift is now under way with Secure Access Service Edge (SASE). This transformation has to account for the fact that users and services are increasingly mobile and that more and more work takes place outside the corporate network and data center. Companies that want to adopt the SASE model should first of all be aware that:
there are several ways to implement Secure Access Service Edge;
a SASE model should be adapted to future business needs and legacy networks.
The term Secure Access Service Edge was coined by the analyst firm Gartner. According to that definition, SASE is a model that treats security as a network function and delivers it as a cloud service.
However, since the IT reality in many companies looks different, SASE can also be understood as a managed service package: in other words, as a security architecture whose infrastructure is managed from the cloud.
A key challenge of SD-WANs is that the technology brings new security problems with it. SD-WANs, for example, make it easy to configure a split-tunnel VPN for individual branches, so that users reach cloud services directly instead of being routed through the corporate WAN and data center first. This improves the user experience and the efficiency of the network, but it also opens new security gaps: traffic that leaves the branch directly no longer passes through the security stack in the data center and is therefore no longer inspected there.
These gaps could be closed, for example, by equipping each branch with its own firewall. This is expensive, and it also means an immense organizational effort to administer dozens or even hundreds of firewalls in parallel and keep them all up to date. SASE addresses this problem by integrating security functions into the network as a service. Security and network are managed from the cloud, so administrators make a change once and roll it out to all locations.
The integration of IT security and networking is not just a further development of the WAN, but a transformation: branches and company locations can be connected and secured via traditional WANs as well as SD-WANs, and Secure Access Service Edge lets companies give remote workers, IoT endpoints and everything else secure connectivity as well.
Companies that want to rely on SASE in the future can choose from several reference models. The most important at a glance:
Cloud-native SASE
According to Gartner's definition, in cloud-native SASE all network and security services are delivered from the cloud. The only on-premises infrastructure is a small hardware device that, much like a home router, connects the site to the cloud instance. Recently, some SASE providers have also started offering software clients that connect computers or IoT endpoints directly to the cloud, making additional hardware unnecessary.
The advantage of cloud-native Secure Access Service Edge: every environment, down to individual devices, can be provided with enterprise-grade security and network services. The disadvantage: in larger environments it generates heavy traffic toward the cloud, because every security check is performed there and all traffic must be hauled to the provider's points of presence first. Cloud-native SASE is therefore best suited to distributed organizations with many small units, i.e. branches or stores, such as insurance companies or retailers.
Cloud-managed on-premises SASE
The cloud train keeps rolling, but on-premises infrastructure still has its place. Secure Access Service Edge can be managed from the cloud while all operating units or branches continue to run their own routers, firewalls, unified threat management systems and other security appliances. Managing them from the cloud is critical to success, because it drastically lowers the operational hurdles of running many distributed devices. The great advantage of this model: security checks run locally, which improves performance in large environments. The obvious disadvantage is having to equip each location with suitable hardware.
It should also not be forgotten that cloud-managed on-premises SASE protects existing investments to a certain extent: if a company has only recently built or modernized its on-premises infrastructure, its willingness to throw that equipment overboard will be limited. A cloud-managed approach lets such companies continue using their newly acquired routers, firewalls and other devices.
Cloud-managed on-premises SASE is particularly suitable for companies in which hundreds or thousands of employees work at a single site, for example in industrial production or in the healthcare sector. Companies that prefer a do-it-yourself approach are also best served by this model.
Managed SASE
Secure Access Service Edge offers many advantages, but it also makes the WAN more complex: network professionals have to deal with numerous questions, such as how security functions are rolled out or how user profiles have to be created. Not every company has the necessary in-house expertise for this.
Managed Secure Access Service Edge has the advantage that an experienced service provider configures and operates the network. The disadvantage is a loss of control. Some managed service providers (MSPs) now also offer co-managed services, in which companies decide which tasks they handle themselves and which functions they outsource to the MSP. Managed SASE is particularly recommended for companies that want to adopt Secure Access Service Edge as quickly as possible and are prepared to accept the loss of control that comes with it.
Hybrid SASE
Quite a few companies, especially large ones, will choose a hybrid form and combine cloud-native with on-premises SASE. Imagine a globally operating law firm that has one or two offices with several hundred employees in each country: in this scenario, the firm can use on-premises security infrastructure for the physical offices, while remote workers are connected through a cloud-native service. (fm)
This article is based on an article from our US sister publication Network World.