To secure today’s complex network infrastructures, the solution is in the cloud: SASE effectively deals with extremely distributed, cloud-based networks.
With the rise of distributed workforces, mobile devices, and software-as-a-service (SaaS), today’s computing infrastructure is incredibly complicated—so much so that it’s got cyber security professionals scratching their heads.
It’s not like the old days when an IT engineer could simply protect a single on-premise mainframe, and the “perimeter” lay no further than the office walls. Today, there is hardly any “perimeter” to speak of. The increased use of public clouds like AWS and Azure has made the scope of network protection more obscure.
Meanwhile, the threat of cyber attacks is only growing. In 2021, the number of cyber attacks in the Asia-Pacific (APAC) rose 168% year-on-year. With so much data being pilfered and corrupted, governments are now increasing the stakes for enterprises that are unable to meet data protection requirements. Singapore, for example, is increasing the data breach penalty to 10% of an organisation’s local annual turnover, for organisations whose turnover exceeds S$10 million, starting October 1.
As such, enterprises need to find ways to overcome the hurdles of today’s complex network infrastructures.
This is where SASE comes in—a new framework that effectively deals with extremely distributed, cloud-based networks.
Pronounced “sassy,” Secure Access Service Edge (SASE) is a framework for network architecture that combines a wide area network (WAN) with cloud-native technologies like Cloud Access Security Brokers (CASBs), Firewall as a Service (FWaaS), and Zero Trust into a single service model. This effectively connects users, systems, and endpoints to applications and services anywhere, both on-prem and cloud.
In other words, it’s a cloud-based cyber security solution that supports the needs of today’s digital enterprise, no matter where its users are.
SASE was first described by Gartner in 2019. It revolutionised the cloud security paradigm by unifying traditional wide area network (WAN) management and security capabilities with cloud-native architectures, responding to the limitation of conventional networking and security architectures in dealing with edge-centric trends in mobility, cloud, software-defined WAN (SD-WAN), and the Internet of Things (IoT).
SASE responds to the shortcomings of conventional networking architectures, which are often over-reliant on physical infrastructure and manual processes; suffer from tool proliferation, solutions silos, and lack of automation; or use a hub-and-spoke model that routes all endpoints through a central data centre. These shortcomings are easily overcome by the core components that make up the SASE security model:
Conventional WAN routes all remote traffic through a data centre firewall, which results in latency and bottlenecks that impede the performance of the network and applications. SD-WAN, on the other hand, is a cloud-based service that efficiently routes traffic via strategically placed points-of-presence (PoPs).
These PoPs are distributed across the SASE network near devices, branch offices, and data centres, routing user traffic directly to the cloud, thereby improving network speed, security, and performance. Organisations can also add network security features onto SD-WANs, instead of implementing them separately at each branch or data centre on the network edge, streamlining processes and saving significant time and costs.
Conventional firewalls filter network traffic through physical firewall devices or hardware, which would not be scaleable for cloud-based operations. But because of SASE’s ability to extend networking and security abilities beyond where they are typically available, organisations are then able to leverage FWaaS.
FWaaS offers all the typical firewall functions as well as next-generation firewall (NGFW) capabilities such as Intrusion Detection System (IDS) and Intrusion Prevention System (IPS), Advanced Threat Protection (ATP), and Domain Name System (DNS) security.
A CASB, like T-Systems’ Cloud Protect Pro, is basically a software gatekeeper that sits between on-premise infrastructure and cloud-based infrastructure, and is specifically helpful in an era of cloud and bring-your-own-devices. This is because CASBs offer a data-centric approach to security, as opposed to the control-oriented approach of web proxies and firewalls. After all, organisations have no control over a user’s device or the cloud applications they use. So instead, CASBs focuses on providing deep visibility over cloud usage to inform risk-based policies, control access, and detect threats. In other words, CASBs protects organisations through a combination of prevention, monitoring, and mitigation.
The ZTNA security model does exactly what it says: it assumes no trust from all users, whether inside or outside the network edge. Users must verify or authenticate themselves before accessing any sensitive data. This allows organisations to provide remote users a reliable connection without putting security at risk.
One key difference between ZTNA and VPN, which was what most remote users used to use to connect to enterprise networks, is that it only grants access to required applications and services to complete a task, to limit attacks. By contrast, VPN offers users full access to a network’s resources, as if they were on premise.
Of course, the core components mentioned are among the minimum requirements for a strong SASE network. But these all serve to fill in the gaps of today’s cloud security problems in three important ways:
First, it allows organisations next-level security over their network infrastructure, right to the edge and without sacrificing performance. Enterprises are quickly finding that their increasing edge network usage has left them increasingly vulnerable to attack; SASE offers an effective response to these threats.
Second, it simplifies cyber security by bundling all of its functions on a single cloud platform that can be easily and centrally administered. This is in contrast to the typical spaghetti-like tangle of systems that enterprises navigate, which also include security for third-party vendors that can also be seen as a key weak point.
Lastly, it strengthens compliance: organisations can install security policies once, and comply with them at every point in the network. With so many privacy-related regulations adding more pressure on enterprises to manage data, having a simple and manageable platform for perfect protection and compliance is a welcome change.
In addition, SASE frees up time and enables users and IT management to focus on being productive and adding value to the company.
Given the growing complexity of computing infrastructure and the rising costs necessary to maintain them, enterprises are expected to ensure their cyber security solutions can keep up. And the alarming rate of cyber attacks coupled with increasingly stringent regulations means that companies have much to lose if they don’t comply.
A partner like T-Systems can help you in formulating and implementing suitable SASE frameworks (among other frameworks) for your cyber security. Discover how we can help you protect your cloud-based IT infrastructure, from on-premise all the way to the cloud’s furthest edge.