by Gene Ballard | May 27th, 2021 | Blog

Understanding SASE

Secure Access Service Edge

As we know, today our corporate applications, data and users are everywhere.  The applications and data required to do business are largely no longer on=prem sitting in the datacenter.  While the digital transformation from on-prem to SaaS/cloud is not new, due to the global pandemic in 2020 we were forced to look at how we securely connect our users to the applications/data they need to do business, no matter where they are or what device they are on.

Traditionally we have addressed providing secure remote access to our networks/applications/data through a VPN.  We would give our remote users a managed device and drive all traffic back to the corporate network over a full-tunnel VPN.  This ensured that all traffic, even destined for the Internet or a SaaS application/data, would go through the corporate security controls first providing traffic inspection, policy enforcement, threat detection, logging, analytics, etc……. hair-pinning the traffic back through the datacenter.

This approach worked (sort of) for a long time, but it is no longer a viable approach.  During 2020 we watched as companies scrambled to address their entire workforce leaving the building, now required to work remote.  They rapidly upgraded their firewall/VPN gateways, increased licensing, and added bandwidth.  They tweaked their infosec policies to allow for BYOD where they previously required managed devices for remote access.  All of this just to address connectivity quickly….. connecting users to applications/data in a legacy way that was originally intended for a limited small group of users, and usually for on-prem resources. 

Although this approach may have worked for connectivity in the short-term, it does not address the long-term dynamic needs of providing secure access to your applications/data… no matter where the applications/data reside, where the user is, or what device they are using.  Today we must ensure that users can access corporate applications/data on any network (on-prem, SaaS, IaaS), from anywhere on any device, while enforcing security policy, improving network performance, and reducing cost/complexity.

So, what is the answer?  SASE.

 

What is SASE?

SASE stands for Secure Access Service Edge…… pronounced “Sassy”.  In a nutshell SASE is a framework of technologies/services that provide network access, delivered as a cloud service while enforcing identity-based security for users wherever they are; dynamically protecting your applications and data.  Costs are typically usage-based, and the service allows you to easily scale-up and scale-down as needed on demand.

To deliver such agile dynamic access to your applications/data while enforcing security policy, there are a number of technologies/services involved.  A mature SASE solution includes technologies/services such as:

  • Secure Web Gateway (SWG)
  • Cloud Access Service Broker (CASB)
  • Firewall as a Service (FWaaS)
  • Data Loss Prevention (DLP)
  • Advanced Threat Prevention (ATP)
  • Software Defined Perimeter and Zero Trust Network Access (SDP, ZTNA)
  • Remote Browser Isolation (RBI)
  • Integration and sharing of threat intelligence with SIEM/SOAR/EDR/etc
  • Continuous security and compliance assessment
  • SD-WAN for Datacenter and Branch Office connectivity
  • Carrier-grade SASE cloud connectivity via global POPs/datacenters 

 These technologies/services are usually provided by a single SASE Provider.  Today almost every security/networking company is hopping on the SASE train.  Unfortunately, not everyone is providing the same level/quality of service; not all companies are providing SASE at the same level of maturity.  Many are trying to bolt together existing products/services or have acquired capabilities through acquisition where integration is slow.  However, there are a number of players in the SASE space that have already been at it for a long time providing tight integration of technologies, high-speed dedicated networks/connections; providing extremely redundant and highly available SASE cloud services that can be centrally managed.

SASE is a huge topic that requires additional discussion/understanding well beyond the overview provided in this blog.  However, let me try to paint a picture and provide a graphic to help visualize a little better for now.

Imagine……. get rid of legacy VPN connectivity for branch offices and remote users.  Connect everything to the SASE cloud……. the datacenter, corporate offices, branch offices, users, your SaaS applications, cloud infrastructures, etc.  When a user needs access to applications/data, no matter where those resources reside or where the user is, they can securely connect and gain access directly to the resources needed.  This all happens dynamically while enforcing security policy at the user level, based on the individual user’s identity with access/authorization specific to their identity, with ongoing real-time inspection/protection.

When a remote user authenticates with the SASE cloud and needs to go to O365, their traffic no longer needs to backhaul across the corporate network on VPN just to hairpin through security controls.  Their traffic goes directly to O365 via the SASE cloud, ensuring all security policies/controls are enforced and real-time inspection/detection is occurring. 

If their traffic is destined for a public cloud or just to the internet it is the same thing….. traffic goes directly to the desired application/data via the SASE cloud, ensuring all security policies/controls are enforced and real-time inspection/detection is occurring.  

If their traffic is destined for on-prem resources in the datacenter it is still the same thing….. traffic goes directly to the on-prem application/data via the SASE cloud, ensuring all security policies/controls are enforced and real-time inspection/detection is occurring.

 

What does this mean?

This means you are dynamically providing secure access directly to applications/data regardless of where the application/data resides, where the user is, or what device they are using, all while enforcing security at the user-level based on the user’s identity. 

This means you have controls in place to protect access and data, to deal with advanced threats, to provide real-time detections and analytics.  This means your user experience is consistent and effortless.   

This means you are reducing the day-to-day complexity and resources required to provide secure access to applications/data across your enterprise.  No longer requiring changes to datacenter infrastructure when adding sites/users.  No patching/updating of the underlying infrastructure.  Less administrative overhead all the way around.

This means you are moving your business into the future with secure connectivity to applications/data that is agile and dynamic!!  This means you are enabling and transforming the business while reducing risk/cost/complexity.

 

Ready to Talk SASE?

Are you ready to discuss how SASE can enable and transform your business, all while reducing risk/cost/complexity?  PEAK Resources is here to help!  

At PEAK Resources we partner and work with the best, most mature SASE providers in the industry.  We would love the opportunity to discuss SASE with you further and show how it can enable and transform your business all while reducing risk/cost/complexity.

ABOUT THE AUTHOR

Gene Ballard is PEAK’s Enterprise Security Architect and has been with PEAK Resources for over 2 years.  Gene has over 28 years of experience in Information Security and IT; holding positions such as Information Security Manager/Architect/Engineer/Analyst, IT Manager, and Systems Engineer/Architect.  He has worked in numerous verticals, holds a B.S. in Management of Information Systems, and has numerous industry certifications. 

Gene Ballard

Gene Ballard

Enterprise Security Architect