Secure Access Service Edge – SASE

As the cloud environment is evolving at faster pace, there has been constant focus on the upgrading the security solutions and make it more flexible to cater the business requirements. Gartner says, The legacy “data center as the center of the universe” network and network security architecture is obsolete and has become an inhibitor to the needs of digital business.“

As per Gartner Report, the traditional security models developed to secure access is not quite helpful now with the change in the business operating model. To better understand we can take a look on the below shifts.

• Employees have gone more mobile and they are off enterprise than on enterprise for majority of the work duration.
• Cloud adoption is happening at a very faster pace for infrastructure workloads. They are being shifted on cloud from the on premise infrastructure.
• SaaS offerings are replacing the enterprise applications.
• Network traffic is bound to public cloud services rather than on premise data center.

Considering above shift, In a modern cloud-oriented digital business, users, devices and the networked capabilities they require secure access to are everywhere. As a result, secure access service need to be implemented which can perform it’s job wherever required.
It is a kind of burden to route network traffic to and from the enterprise data center when very little of what a user needs remains in the data center. Also, we impact user productivity, user experience and costs by restricting access to Saas citing security policies only, if a user is on the enterprise network or has used a VPN, or requiring different agents for Security Web Gateway(SWG), Cloud Access Security Broker(CASB) and VPN, which creates agent bloat and user confusion. Additionally, branch-office traffic is also forced through the data center for inspection when users access any cloud-based resource, increasing latency and the cost associated with dedicated MPLS circuits.

Secure Access Service Edge can be described as a service offering which combines WAN capabilities with network security functions like Zero Trust Network, Firewall as a Service, Cloud Access Security broker etc.
Let’s understand each components.

Zero Trust Network goes with the principle never trust, always verify, the strategic security initiative try to decouple the concept of assumed trust from the security architecture. In traditional security model, everything inside network is deemed to be trusted.As per John Kindervag, this is an outdated model, where an assumption used to be made that identities are not compromised and all users will act responsibly and hence can be trusted. Zero Trust network (ZTN) involves identifying an unique protect surface based on organization’s data, assets, applications and services (DAAS). This is always a known surface and smaller compared to an attack surface. Once you have the protect surface identified, you analyze the dependencies between DAAS, users and infrastructure. We create a micro-perimeter around the protect surface and deploy the controls. The deployed controls are tightly coupled with the protect surface.The segmentation gateway(Next-Gen Firewall) can provide deep insight by inspecting the traffic at application layer(layer 7) supported by Kipling Method, which defines Zero Trust policy based on who, what, when, where, why and how. The Zero Trust policy determines who can transit the micro-perimeter at any point in time, preventing access to your protect surface by unauthorized users and preventing the ex-filtration of sensitive data. Zero Trust is only possible at Layer 7. Zero Trust requires consistent visibility, enforcement and control that can be delivered directly on the device or through the cloud. A software-defined perimeter provides secure user access and prevents data loss, regardless of where the users are, which devices are being used, or where your workloads and data are hosted.

Secure Web Gateway solutions are designed to protect the devices from web surfing threats and enforce the corporate policies.A secure web gateway inspects web traffic in real-time, analyzing content against corporate policies and ensuring any content that is inappropriate or which contravenes company policy is blocked. The majority of secure web gateway solutions allow administrators to enforce common security policy templates straight off the shelf and also configure policies that are suited to their business model or compliance requirements.A secure web gateway allows roaming users to authenticate seamlessly and to have the same security policies applies to their devices as they would if they were in the office. The result is a protected connection no matter where they are working and total peace of mind that all internet traffic is secure.From detecting common business terms such as payment card industry (PCI) number patterns and phrases or personally identifiable information, a web security gateway coupled with data leak prevention software can be a very robust line of defense from both internal and external threats.

Cloud Access Security Broker is another important security techonology which places itself in between of Cloud Service provider and Cloud Consumer. With the help of proper integration with the services like Secure Web Gateway, Data Loss Prevention, SaaS offerings etc., can provide visibility to shadow data. The enhanced visibility of data can help us to address compliance(PCI-DSS, HIPAA, GDPR etc.) requirements. Security policies can be written for CASB to alarm security team in case any violation is raised.

SD-WAN is a software[virtual] defined methodology to manage Wide Area Network. This helps enterprises to leverage any combination of transport services – including MPLS, LTE and broadband internet services – to securely connect users to applications.Traditional WANs based on conventional routers are not cloud-friendly. They typically require rerouting all traffic – including that destined to the cloud – from branch offices to a hub or headquarters data center where advanced security inspection services can be applied. The delay caused by rerouting impairs application performance resulting in a poor user experience and lost productivity. Unlike the traditional router-centric WAN architecture, the SD-WAN model is designed to fully support applications hosted in on-premise data centers, public or private clouds and SaaS solutions.It uses software and a centralized control function to more intelligently steer or direct traffic across the WAN.It handles traffic based on priority, quality of service and security requirements in accordance with business needs. The conventional router-centric model distributes the control function across all devices in the network – routers simply route traffic based on TCP/IP addresses and ACLs. Sending SaaS and IaaS traffic directly across the internet delivers the best application Quality of Experience for end users. However, not all cloud-bound or web traffic is created equal. Many cloud applications – and their providers – natively apply robust security measures. Accessing these “trusted” applications directly from the branch, across the internet provides the needed security to protect the enterprise from threats. A few examples include Salesforce, Office365, ServiceNow, Box, and Dropbox. A sample security policy might be:

• Send known, trusted business SaaS traffic directly across the internet.
• Send “home from work” applications like Facebook, YouTube and Netflix to a cloud-based security service.
• Backhaul untrusted, unknown or suspicious traffic such as peer-to-peer applications or traffic to or from a foreign country back to a headquarters-based next generation firewall.

The intelligence and ability to identify applications provides an application-driven way to route traffic across the WAN instead of simply using TCP/IP addresses and ACLs. This software-driven approach delivers a much better quality of experience than possible with router-centric WAN model.

The identity of the user/device/service is one of the most significant pieces of context that can be factored into the policy that is applied. However, there are other relevant sources of context that should be available for input into policy application. These include the location of the identity, time of day, risk/trust assessment of the device the user is accessing from, and the sensitivity of the application and/or data being accessed. The enterprise data center is still there, but it is not the center of the architecture. It is just one of many of the internet-based services that users and devices will need access to.
These entities need access to an ever-increasing number of cloud-based services, but how they are connected and the types of network security policies applied will vary based on regulatory requirements, enterprise policies and a given business leader’s risk appetite. Much like an intelligent switchboard, identities are connected to networked capabilities via the SASE vendor’s worldwide fabric of secure access capabilities.

• Core Components: SD-WAN, SWG, CASB, ZTNA and FWaaS, all with the ability to identify sensitive data/malware and all with the ability to encrypt/decrypt content at line speed, at scale with continuous monitoring of sessions for risk/trust levels.
• Recommended Capabilities: Web application and API protection, remote browser isolation, recursive DNS, network sandbox, API-based access to SaaS for data context, and support for managed and unmanaged devices.
• Optional Capabilities: Wi-Fi hot spot protection, network obfuscation/dispersion, legacy VPN, and edge computing protection (offline/cached protection)

As highlighted by Gartner in the report, The enterprise perimeter is no longer a location; it is a set of dynamic edge capabilities delivered when needed as a service from the cloud. The result is the dynamic creation of a policy-based, secure access service edge, regardless of the location of the entities requesting the capabilities and regardless of the location of the networked capabilities they are requesting access to. Instead of the security perimeter being entombed in a box at the data center edge, the perimeter is now everywhere an enterprise needs it to be — a dynamically created, policy-based secure access service edge.
For an example,if we consider below scenarios:

• Connections to Office 365 that are not inspected, but routed with lowest latency.
• A connection to Facebook where the chat sessions are inspected for sensitive data, but where latency is not a factor.
• A connection to Salesforce where the session is monitored for sensitive data and malware.
• A connection to an enterprise’s private application in the data center that is monitored.
• A connection to the user’s personal internet banking application, which is not inspected.

SASE brings lot of benefits to an organization which can be listed below:

• With a cloud-based infrastructure, you can implement and deliver security services such as threat prevention, web filtering, sand boxing, DNS security, credential theft prevention, data loss prevention and next-generation firewall policies.
• A Zero Trust approach to the cloud removes trust assumptions when users, devices and applications connect. A SASE solution will provide complete session protection, regardless of whether a user is on or off the corporate network.
• With full content inspection integrated into a SASE solution, you benefit from more security and visibility into your network.
• SASE allows cloud-based centralized management of policy with distributed enforcement points logically close to the entity and including local decision making where needed.
• SASE services will enable enterprises to make their applications, services, APIs and data securely accessible to partners and contractors, without the bulk risk exposure of legacy VPN and legacy demilitarized zone (DMZ) architectures.

This article was written to introduce the basic concept of SASE. To further deep dive, please refer gartner report discussing various risks, benefits, alternative as well as implementation guideline. The reference can be made to various vendors(Cisco, Palo Alto, Cato Network, ZScaler etc.) providing SASE tools to understand the features being provided by them.

Reference

• Zero Trust Network
• Secure Web Gateway
• CASB
• SASE Gartner
• SASE Cyberpedia