Today, enterprise networking and security face a growing challenge stemming from an ever-expanding attack surface and company perimeter (every user and every application is a company perimeter). The front line is everywhere! With the majority of employees working off site, and the majority your enterprise data is off site in the cloud/in SaaS applications etc., each of these factors produce data leaks, resulting in a “perfect storm” for data security.
Our collective goal is to keep data and customers secure. That said, attackers know there is an “attack surface explosion” today. Consequently, zero-day malware (unknown malware) has also exploded in volume. In 2019, companies like Palo Alto Networks mitigated two billion pieces of zero-day malware daily. Two years later in calendar Q2 2022, that figure jumped to 224 billion daily (also fully mitigated).
Companies have more borders and perimeters than what meets the eye. There are:
- Cloud-based SaaS applications containing your internal data and intellectual property.
- Increasingly more mobile users globally.
- Headquarters, data centers and branches with legacy Internet and WAN edge appliances.
- Networking and security point products (one firewall stack, one routing layer, one decryption appliance, one IPS appliance, one proxy service, one URL filtering appliance, etc.), all managed separately, none of them correlating threat intel with each other in real time. All are either becoming or are completely obsolete by the minute.
All of these items render the legacy networking and security architectures and solutions more and more obsolete in record time, causing enterprises to react versus being more proactive to fill security gaps.
The future of enterprise networking and security depends on how well the features are delivered. Features must excel in a way that is real time, automated/cloud-delivered, reliable, scalable, and flexible versus solving networking and security issues with point products (each one with its own specific targeted use case). When deploying point products, they can be complicated by themselves and complex to manage many of them simultaneously.
What replaces the old ways of doing things? SASE! An acronym which stands for Secure Access Service Edge, SASE is the convergence of networking and security, which is why people in the industry call SASE “Networking 2.0”.
Watch: WEI Cyber Warfare & Beyond Roundtable Discussion
According to Gartner, “Secure access service edge (SASE) delivers converged network and security as a service capabilities, including SD-WAN, SWG, CASB, NGFW and zero trust network access (ZTNA). SASE supports branch office, remote worker, and on-premises secure access use cases. SASE is primarily delivered as a service and enables zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.”
Gartner identifies the key components of SASE, which are:
- SD-WAN: Flexibly optimize WAN performance across several branches and data centers.
- Security as a Service: Includes Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and SaaS Security.
- Firewall as a Service (FWaaS)
- IAM (Identity and Access Management): Authentication and authorization so that only legitimate users and devices can access internal data resources.
- Data Loss/Leak Prevention: Prevent sensitive data from being leaked or improperly accessed.
- ZTNA 2.0: All security services are built on the pillars of ZTNA 2.0.
Gartner also specifies that all of these components are managed easily, via unified management/next-gen security/scalable performance for remote work/cloud adoption/branch connectivity requirements.
SASE is a single “as a service” subscription-based product, combining the WAN (Wide Area Network) edge device functionality (on prem SD-WAN edge devices, bandwidth aggregation, visibility into traffic, guaranteed SLA for traffic, WAN optimization, remote branch segmentation, etc.) with next-gen L3-L7 “security as a service” (Firewall as a Service, SWG, URL Filtering, Client VPN, remote branch networking, Advanced Threat Prevention powered by AI, CASB and sometimes Explicit Proxy functionality).
SASE is cloud delivered and globally deployed, meaning your service, with all the same capabilities, is available globally, is self-healing, scalable, and elastic. SASE is designed to handle more users and more capacity automatically, eliminating backhauling of traffic and users to one HQ, data center, or branch hub, as opposed to point product appliances in one or two specific places (which the admin also must manage and maintain). These point products can be prone to oversubscription. SASE is built on the architecture/pillars of ZTNA 2.0, which is also simple to deploy, manage, and is globally available. This means the flexible service is always close to the user and branch, is simple to configure, and decreases latency (users to applications, users to data centers, users to branches, etc.).
Let’s Also keep In Mind—What SASE Is NOT:
It is not “just” an SD-WAN, not “just” a VPN and not “just” a traditional firewall at one or many locations.
- It is not an SD-WAN deployed, then an SSE (secure service edge or security as a service) deployed, and the two solutions either do not interoperate with each other or are not configured to interoperate with each other (like two ships passing in the night or two point solutions).
- It is not traditional hardware, a "castle and moat” network perimeter protection strategy, and does not perform daisy-chaining for on-prem point security solutions to form an “offensive line” of security.
- It is not a series of on-prem "boxes” forming a full mesh over a public or private WAN.
- It is not a creatively packaged telco bundle.
- It is not rigid, stagnant, complicated, or limited (visibility, changes)
- It is not simply cloud delivered SSE deployed without SD-WAN at the customer WAN edge. There are leaders in the SSE space, but a company cannot be a leader in the SASE space without delivering a “secure service edge” and SD-WAN, according to Gartner.
- It is not a one-size-fits-all total replacement for all security solutions for every single enterprise. Most companies could really use a SASE solution, while other companies do not have a fit or a need for it today. All of that is okay!
It helps to think of SASE as broken up into two layers, similar to how we’ve used the OSI model to make sense of networking in the past:
- The “Secure Access” Layer: How users and remote sites connect to the SASE service.
- The “Service Edge” Layer: Once the users and remote sites are connected to the SASE service, how do they route to each other and how is data secured, especially against known and unknown malware as well as data loss prevention, as data moves from site to site or to the Internet?
Below is a user-friendly representation of this:
Despite the SASE "as a service” product, which a customer might be using, the general idea for most SASE Service vendors is that users (connecting via VPN clients, clientless VPN, SDP (software defined perimeter) or Explicit Proxy if the vendor offers this) and branches (via IPSEC capable devices such as firewalls/routers/SD-WAN edge devices) connect to or “securely access” the nearest SASE Service “POP” (point of presence, whether this is a physical POP or a POP within a public cloud like Amazon Web Services (AWS) or Google Cloud Platform (GCP)), wherever they happen to be located globally.
Once connected, they all receive the same next-gen security, “5 9’s uptime” availability of the service, and service capacity–globally. The admin only needs to worry about the configuration of the same policies for every user and every branch (versus managing many products, upgrades of equipment, worrying about scalability, maintaining hardware, power, cooling, etc.). This is the “Secure Access Layer”.
Once connected, the user and branch are integrated with the SASE service, which is inline with all data traversal, also providing location independent, globally deployed and distributed/centrally managed and simple/low latency/scalable and elastic/flexible cloud hosted “next-gen” ZTNA 2.0 focused security features (while also mitigating known and unknown malware) such as:
- Secure Web Gateway (SWG)
- URL Filtering to prevent users from going to unsafe web sites
- Cloud Access Security Broker (CASB)
- Next-Gen Firewall (NGFW), which includes flow state tracking, packet inspection to detect malicious content within packet payloads/IPS (signature-based detection, anomaly-based detection, monitoring network traffic and blocks/reset connections containing malicious content and threats)/anti-virus/deep packet inspection/optimal routing/data and packet filtering/malware prevention/network access control to block unauthorized entities from accessing data/secure remote access (client VPN, clientless VPN, explicit proxy in some products)/DNS Security and Phishing Prevention to prevent unsafe domains and prevent users from clicking unsafe links/encryption of data/TLS decryption to safely exchange sensitive data across a network and, lastly, Digital Experience Management/Monitoring (DEM) to gain visibility into user application experience/latency/jitter/delay/packet loss.
Once the user and branch are connected to the SASE service, they have pervasive, location independent, globally deployed and distributed/security as a Service with real-time intelligence to detect anomalous flow and protection for all traffic against known and unknown threats and vulnerabilities at line speed. This is possible within scalable/centrally managed and simple/low latency/scalable and elastic features. This is the “Security as a Service” layer.
In short, SASE is a cloud delivered networking and security as a service, removing complexity and simplifying networking and security, all in one “as a service” globally available product, based on the pillars of ZTNA 2.0. It is taking your network from technologies that worked well in the 1990’s, the 2000’s, the 2010’s and earlier in the 2020’s, then systematically transforming your WAN edge and security, to arrive at the goal of arriving at and keeping your network security built within the ZTNA 2.0 framework.
What is ZTNA 2.0?
Let’s now deep dive into ZTNA, which is a framework for security, not a product. If we boil ZTNA down to one phrase, it is Zero Trust with NO Exceptions.
If we look at client VPN and site-to-site branch connectivity prior to SASE, we typically could not enforce any secure granularity as to which people or networks could access which applications and then what they could do with applications. There was virtually no data inspection. Users and attackers had free access, data could leak out, there could be exploit attempts that we were unaware of, etc. Attackers had free access if they were on your network!
Traditional networks and VPNs were designed to grant full network access, without security for the most part, while most resources were on-prem. This caused many security issues such as:
- Uninhibited Access: You need strict access controls while classifying applications. You don’t want too much access, especially for applications that use dynamic ports or IP addresses.
- Allowed And Ignored Access: Once access to an application is granted, that communication is then trusted forever. You don’t want to assume that the user and the application will always behave in a trustworthy manner. This is a complete handoff of a connection with no more traffic inspection happening. Now, there’s no way to fend off known or unknown attacks
- Too Little Security: Security for all applications, including applications using dynamic ports like voice and video applications, SaaS applications have been completely overlooked. What about server-initiated applications like HelpDesk and patching systems?
Legacy network architectures completely ignored strict access control and, as a result, most people and corporations still have little to no visibility or control over data. Legacy network architectures fall prey to security issues when it comes time for legacy VPN/SWG replacement, SaaS Security and even with branch transformation, only to discover it doesn’t live up to their needs/expectations.
Why should you care about this and why is this important? Work is no longer a place we go, but an activity we perform despite our location. During and after the Covid-19 pandemic, many businesses scrambled to scale their client and site-to-site VPN infrastructure.
So, the ideal situation would be to perform strict authentication, but also restrict which users can access which applications, continuously inspect traffic inline. So, enter ZTNA 2.0!
Modern networks require next-gen security. SASE is a solution which delivers network access and security based on the five pillars of ZTNA 2.0, which are:
- Least Privilege Access: Enabling precise access control at the application and sub-application levels, independent of things like IP and port numbers. Continuously evaluated “Trust”/MFA Integration/Users connect to resources through the SASE Service/session is authenticated/Identify applications users require access to/Secure Application access granted per user or by group (example being security by user(s) accessing which application(s) via posture-assessed trusted device.)
- Continuous Trust Verification: Once access to an application is granted, trust is continually assessed based on changes in device posture during the life of the connection, user behavior and application behavior. An example is continual device posture checks to continually assess any changes in endpoint posture, enforce authorization, ensuring proper user and application behavior, blocking inappropriate user, application, or traffic behavior
- Continuous Security Inspection: Providing deep and ongoing inspection of all traffic, even for allowed connections, to prevent all threats including zero-day threats and block inappropriate application behavior. What if, during an application connection data starts flowing to some unknown destination? An example is if the adversary takes over a connection or was there all the time, the SASE Service will inspect the connections for misbehavior, see exploits, vulnerabilities and stop code executions. This is performed all in real time, whether the malware was previously known or is a true “zero day” unknown piece of malware code or campaign, because anomaly and threat prevention (depending on SASE vendor implementations) should use AI, deep learning and machine learning to stop threats in real time to out-pace the attackers.
- Protection of All Data: Prevent data loss and loss of your intellectual property! It is your data. Take control of it! The SASE Service takes control of data across all applications in the enterprise, including private applications and SaaS applications, all with a single DLP policy.
- Security for All Applications: Safeguarding all applications (not just web-based or DNS based applications) used across the enterprise, including modern cloud-native applications, legacy private applications and SaaS applications. This includes applications using dynamic ports and applications that leverage server-initiated connections.
What do all 5 pillars of ZTNA have in common?
- Trust is a vulnerability. Shift your mindset!
- These five key capabilities overcome the limitations of ZTNA 1.0 solutions especially today when work is an activity rather than a destination, the security needs to be centered around the user and the applications in today’s environment of hybrid businesses with hybrid workforces and the volume of attacks are increasing daily.
- The core of ZTNA is identity and continuous inline inspection and prevention of known and unknown zero-day malware! Controlling user access. Continuously inspecting traffic.
- If you’re not answering all of these questions, you might not be using a product that does true ZTNA.
Why Do You Need SASE?
To mitigate the aforementioned attack surface explosion, you need flexible, consistent security as a service everywhere, wherever your company is, wherever your employees are, to do one thing: transform your network and security while keeping your data secure. This security as a service also needs to be:
- Inline with all of your data traversing it
- Cost effective
- Quick and easy to deploy and administer
- Must be one service and one environment everywhere globally with elastic hyper-redundant scale with “5 9’s uptime”
- No unnecessary latency due to backhauling data from across the globe to a corporate headquarters
- All of this functionality in one cloud delivered service
The SASE service needs to mitigate zero-day malware natively using mechanisms such as AI/machine learning/deep learning. It needs to replace legacy site to site and client VPN solutions that were implemented years ago. It needs to include and support SD-WAN. It needs to be a Firewall as a service, SWG, CASB, provide security for public and private SaaS applications, potentially be an explicit proxy (vendor dependent), provide deep visibility into all data traversing this SASE service, needs to perform SSL Decryption at scale, all without oversubscription of resources. It needs to be one unified product with security efficacy and security without compromise built upon the 5 pillars of ZTNA 2.0.
Let’s dive into the details of SASE features:
- Ask yourself: Does my organization have consistent security posture everywhere? Or inconsistent security throughout the network? Which product is the weakest link? Can you apply the same security policies throughout the enterprise? Security needs to be consistent throughout any organization. Can my on-prem security product adjust quickly to new unknown threats, without downtime, without having to patch multiple appliances? How many resources do you currently invest (in appliances, Op-Ex, man-hours etc.) in maintaining your current on-prem security?
- One cloud-delivered converged product with one unified console for consistent next-gen security and WAN edge networking versus a “conga line” of multiple point products with multiple consoles. The multiple products are all managed separately with the goal of plugging specific holes, via separate policies and are prone to human error with inconsistent policy creation. None of these products natively interoperate or coordinate threat IOC’s and intel, all of which need to be maintained. Hardware, software patching, power, and cooling all need more admins and more resources, making it difficult to manage and troubleshoot.
- Why cloud-native and cloud-delivered? Customers need a simple/powerful//highly available/scalable/resilient/elastic/reliable/low maintenance (customer only has to maintain configuration!), global (geographically dispersed, no need to worry about placing appliances in certain locations) product to deliver ZTNA 2.0 via the same policies to all users and branches everywhere globally. This also includes to any application by one product being inline for all traffic globally and not bound to one location or capacity strained, with cloud-delivered next-gen security while cutting costs (sun-setting expensive provider based WAN links like MPLS, etc.). Wholistic, scalable, automated, simplicity, reliable, flexible, resilient, global security delivered to all “edges” to reduce the attack surface!
- The SASE product needs to support all SASE features natively, including Security as a Service and SD-WAN, across a global backbone.
- The SASE product must be deployed globally, to extend all features to all users and branches everywhere in the world, eliminate backhauling of traffic to regional corporate hubs while also being able to optimize WAN and Internet traffic.
- SD-WAN, SWG, CASB, Firewall as a Service, Threat Prevention (AntiVirus, Anti-Spyware, DNS Security, URL Filtering, sandboxing etc.), security for SaaS applications (with DLP), encryption/decryption, visibility of all traffic, in one service based on the pillars of ZTNA 2.0.
- Secure mobile user connectivity
- Secure remote branch connectivity
- VPN replacement (mobile user client VPN, branch to branch VPN, branch to data center VPN)
- Remote Browser Isolation, aka secure enterprise web browsing (vendor dependent)
- User edge/branch edge/data center edge/public and private SaaS] application edge policy converged in one unified architecture.
- A single pane of glass, via one console to manage all with one single unified policy for all, with simplicity!
- Deep traffic visibility (with digital experience monitoring or “DEM”), analytics, and reporting!
- SASE is business enablement. All data is seen and processed, the product is always on everywhere for everyone for everything wherever they are, security without compromise, all with simplicity! Work remotely without compromising on security and performance!
Contact the WEI cybersecurity team to learn more about SASE and why it could make sense for your business operations.
Next steps: WEI's recent webinar focused on Prisma Cloud by Palo Alto Networks. Ben Nicholson reviews Prisma Cloud's capabilities in attack path analysis, identifying the source of risk, attack surface management, and much more. View the full webinar below!
Webinar: Cloud App Protection Using Code To Cloud Intelligence With Prisma Cloud