How is the security of an enterprise’s information infrastructure usually organized? In a traditional design, all access control, authentication and traffic filtering functions are concentrated in the data center, to which remote users and branches connect over a VPN. Perimeter protection is administered from the same central node, including account management, anti-virus database updates and firewall configuration. This scheme generally worked well, at least until the protected perimeter as such disappeared in modern companies. It did not disappear completely, but rather lost its clear contours and became blurred: users working from home connect to the corporate network, cloud storage, virtual machines, containers and web applications, and all of these elements can operate independently of each other. How can security be ensured in this case? To solve the problem, in 2019 Gartner proposed the SASE concept, which numerous researchers immediately dubbed the “trend of the future of cloud computing.” Let’s figure out what this trend is and why so much hope is placed on it.
SASE stands for Secure Access Service Edge and is essentially a model for providing security to customers as a service. We all got used to the SaaS (software as a service) concept long ago, but what is “security as a service”?
SASE allows you to combine several independent tools into a single technical solution. The end consumer will only need to manage one service, instead of connecting and configuring a bunch of separate security components. As conceived by the authors of the concept, SASE should provide a simple and convenient mechanism for managing the entire enterprise security infrastructure with a single administrative panel and a standard agent running on client devices. In fact, the authors of the idea tried to unite a motley “zoo” of network security solutions within one cloud platform.
From a functional point of view, SASE consists of five elements.
The first of them is the cloud access security broker (CASB). It is a tool for enforcing security policies between end users and cloud service providers, web applications and cloud storage services. A CASB may include identity and access management (IAM) services, endpoint detection and response (EDR) systems for proactively detecting atypical threats and targeted attacks on endpoints, and data loss prevention (DLP) tools.
The second component is the cloud firewall, FWaaS (Firewall as a Service), delivered to the end user as a service. Like a traditional firewall, FWaaS filters traffic according to rules configured by administrators, but it can also include intrusion detection and prevention (IDS/IPS) and DNS security features. In other words, FWaaS implements almost all the capabilities offered by modern next-generation firewalls (NGFW).
The next element of the SASE architecture is the Secure Web Gateway (SWG), used to monitor, inspect and log user traffic and to block malware. The same gateway can serve as an office control tool, blocking user access to unwanted sites and filtering content by URL using black and white lists.
The fourth component is a zero trust network access (ZTNA) strategy. It provides authentication at the user and role level as well as at the device level, and limits lateral movement within the network infrastructure in accordance with enterprise security policies.
Finally, the fifth element is the software-defined wide area network (SD-WAN), securely connecting branches, data centers and remote users. SD-WAN can work both on top of the regular Internet and using its own secure communication channels, for example, based on a corporate VPN. This technology also includes various intelligent traffic management and monitoring tools.
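To make the “single administrative panel” idea concrete, here is an added illustration (not code from the article or from any SASE vendor) of how the CASB/ZTNA, FWaaS and SWG functions described above can be evaluated as one access decision. Every user, device, domain, role and rule in it is constructed sample data, and the check order (identity and device posture first, then layer-4 rules, then web content filtering) is an assumption chosen for the example, not a standard.

```python
"""Toy SASE-style policy decision point (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlparse


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in corporate device management
    disk_encrypted: bool
    os_patched: bool


@dataclass
class User:
    username: str
    roles: Set[str]
    mfa_verified: bool


@dataclass
class Request:
    user: User
    device: Device
    url: str               # destination as requested by the user
    protocol: str          # e.g. "https" or "ssh"
    dest_port: int


@dataclass
class Decision:
    allowed: bool
    component: str         # which SASE function produced the decision
    reason: str


# ZTNA (constructed): roles permitted per application. Authorising per
# application rather than per network segment is what limits lateral movement.
APP_ROLE_POLICY: Dict[str, Set[str]] = {
    "crm.example": {"sales", "admin"},
    "files.example": {"sales", "engineering", "admin"},
}

# FWaaS (constructed): layer-4 rules, first match wins; an optional "roles"
# key makes a rule identity-aware, as an NGFW would be. Last rule = default deny.
FIREWALL_RULES: List[dict] = [
    {"protocol": "https", "port": 443, "action": "allow"},
    {"protocol": "ssh", "port": 22, "roles": {"admin"}, "action": "allow"},
    {"protocol": "*", "port": None, "action": "deny"},
]

# SWG (constructed): deny list of known-bad domains plus category filtering.
BLOCKED_DOMAINS: Set[str] = {"malware.example", "phishing.example"}
DOMAIN_CATEGORY: Dict[str, str] = {
    "social.example": "social", "crm.example": "business", "files.example": "storage",
}
BLOCKED_CATEGORIES: Set[str] = {"social"}


def hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def ztna_check(req: Request) -> Decision:
    """Zero trust: verify the user, the device posture and per-app authorisation."""
    if not req.user.mfa_verified:
        return Decision(False, "ZTNA", "user has not completed MFA")
    d = req.device
    if not (d.managed and d.disk_encrypted and d.os_patched):
        return Decision(False, "ZTNA", f"device {d.device_id} fails posture check")
    host = hostname(req.url)
    allowed_roles = APP_ROLE_POLICY.get(host)
    if allowed_roles is not None and not (allowed_roles & req.user.roles):
        return Decision(False, "ZTNA", f"roles {sorted(req.user.roles)} not authorised for {host}")
    return Decision(True, "ZTNA", "identity, device and application authorisation verified")


def fwaas_check(req: Request) -> Decision:
    """Cloud firewall: the first matching layer-4 rule decides."""
    for rule in FIREWALL_RULES:
        if rule["protocol"] not in ("*", req.protocol):
            continue
        if rule["port"] is not None and rule["port"] != req.dest_port:
            continue
        if "roles" in rule and not (rule["roles"] & req.user.roles):
            continue
        return Decision(rule["action"] == "allow", "FWaaS",
                        f"matched rule {rule['protocol']}/{rule['port'] or 'any'} -> {rule['action']}")
    return Decision(False, "FWaaS", "no rule matched")  # unreachable with the default-deny rule


def swg_check(req: Request) -> Decision:
    """Secure web gateway: deny-listed domains and blocked content categories."""
    host = hostname(req.url)
    if host in BLOCKED_DOMAINS:
        return Decision(False, "SWG", f"{host} is on the deny list")
    category = DOMAIN_CATEGORY.get(host, "uncategorised")
    if category in BLOCKED_CATEGORIES:
        return Decision(False, "SWG", f"category '{category}' is blocked by policy")
    return Decision(True, "SWG", f"category '{category}' permitted")


def evaluate(req: Request) -> Decision:
    """Run the checks in order and stop at the first denial."""
    for check in (ztna_check, fwaas_check, swg_check):
        decision = check(req)
        if not decision.allowed:
            return decision
    return Decision(True, "SASE", "all checks passed")


def sample_requests() -> Dict[str, Request]:
    """Constructed sample traffic: one outcome per component."""
    compliant = Device("laptop-01", managed=True, disk_encrypted=True, os_patched=True)
    unmanaged = Device("byod-07", managed=False, disk_encrypted=True, os_patched=True)
    sales = User("alice", {"sales"}, mfa_verified=True)
    engineer = User("bob", {"engineering"}, mfa_verified=True)
    admin = User("carol", {"admin"}, mfa_verified=True)
    return {
        "sales_to_crm": Request(sales, compliant, "https://crm.example/", "https", 443),
        "sales_to_social": Request(sales, compliant, "https://social.example/", "https", 443),
        "engineer_to_crm": Request(engineer, compliant, "https://crm.example/", "https", 443),
        "sales_byod": Request(sales, unmanaged, "https://crm.example/", "https", 443),
        "engineer_ssh": Request(engineer, compliant, "ssh://files.example/", "ssh", 22),
        "admin_to_malware": Request(admin, compliant, "https://malware.example/x", "https", 443),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        d = evaluate(req)
        print(f"{name:18} {'ALLOW' if d.allowed else 'DENY':5} [{d.component}] {d.reason}")
```

The point of the example is the single decision object: whichever component denies the request, the administrator sees one verdict with one reason, instead of correlating separate firewall, proxy and identity logs. Note that the role check in `ztna_check` is applied only to applications listed in the policy; in a real deployment the default for unlisted applications would itself be a policy decision.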
From a technical perspective, SASE uses a software-defined wide area network to create regionally distributed points of presence (PoPs) that implement cloud-based security functions for nearby branches and remote users. In the article “The Future of Network Security in the Cloud,” where the term SASE first appeared, Gartner analysts explained the benefits of their concept as follows: “Instead of relying on the security of your data center, traffic from users’ devices is inspected at the nearest point of presence and sent from there to its destination. This provides more efficient access to applications and data, making it the best option for protecting remote workers and information in the cloud.”
In 2021, Gartner drew attention to the fact that in its original form SASE can only benefit large enterprises, while smaller companies do not use the full range of capabilities it offers. In other words, SASE is needed by organizations that have both remote branches and employees working remotely. If a company uses only selected cloud technologies, SD-WAN is usually absent from its infrastructure. So specifically for them, the developers came up with a “light” option by removing the letter “A” from the SASE abbreviation. The resulting concept, SSE (Security Service Edge), is, by and large, SASE without SD-WAN. SSE protects access to the Internet, cloud services and web applications, and its capabilities include access control, threat protection, data security, and traffic monitoring and control based on network APIs. In addition, SSE can be deployed on top of an existing SD-WAN, significantly reducing the overhead of introducing a new technology. For an enterprise this is the first step towards convergence of the network security tools it uses; SD-WAN can later be included in the resulting infrastructure, turning SSE into SASE.
In other words, SSE is a subset of SASE that eliminates SD-WAN but retains the functionality of CASB, FWaaS, SWG, and ZTNA. At the same time, in the SSE paradigm it is still possible to use secure corporate communication channels, but connected and controlled using ZTNA policies, and not through SD-WAN.
Despite its architectural complexity, from the end user’s point of view SASE significantly simplifies security management of an enterprise’s IT infrastructure. First of all, the concept provides much greater contextual awareness by correlating real-time security events with network data coming from users. In addition, SASE shifts the tasks of deploying, maintaining, optimizing and supporting the security infrastructure from the company’s own IT specialists onto the shoulders of the cloud service provider. From an economic point of view this is a very important aspect, saving the enterprise’s budget and resources, so the SASE concept is unlikely to go unnoticed. Perhaps this is why it is called the “trend of the future.” Gartner predicts that by 2025, more than 60% of IT companies will either be on track to implement SASE or SSE, or at least have developed long-term plans to achieve this goal.
However, there are still problems with the practical implementation of SASE. In the fall of 2022, CyberRisk Alliance (CRA) surveyed 300 IT professionals on converged cloud security. Only 10% of respondents said their organizations had implemented SASE or SSE, while almost half (46%) admitted that they do not quite understand what these terms mean.
By and large, today SASE and SSE are just concepts, and even the authors themselves do not disclose any specific technical options for their implementation. By the way, this is why some cloud providers now offer their clients solutions under the “SASE” brand, which, by and large, are just a set of already existing technologies in various combinations. However, to sell “true SASE” to customers, providers will have to not just rethink, but actually build cloud security infrastructure from scratch.
In addition, the issue of protecting access to legacy applications remains unresolved within the framework of the SASE and SSE concepts. Organizations will also have to create their own solutions to connect their branches and data centers to the SASE service, especially if they use self-developed applications with their own API.
On the other hand, the move from server racks installed directly in offices to “clouds” has long since become ubiquitous and surprises no one. Information security services, antiviruses in particular, have also been available by subscription for quite some time. A logical next step is the transition from local data protection systems based on physical equipment, which must be configured and maintained manually, to elastic cloud solutions. Moreover, many modern IT companies are gradually becoming “virtual”: their employees work remotely in different cities and even countries around the world, and the entire infrastructure is a set of web applications and cloud services with which the staff interacts. Will SASE be able to replace the traditional approach to organizing enterprise information security? Most likely yes, but it will take time.
This article is supported by the Serverspace team.
Serverspace is a cloud service provider that rents out virtual servers running Linux and Windows, available from anywhere in the world in less than 1 minute. To build an IT infrastructure, the provider also offers networks, gateways, backups, CDN services, DNS and S3 object storage.