The SASE Architecture was Built for the Post COVID World

I've said it before only to be proven wrong…but I believe the end of the pandemic phase of COVID-19 is near. We seem to be entering the endemic phase where we learn to live with COVID-19 long term. The same is true for some of the changes that Covid has foisted upon us, specifically that of the hybrid remote worker. Gone are the days of the Monday through Friday office commute for many in the aftertimes. According to a recent Info-Tech Research poll, 79% of companies surveyed said they would maintain a mix of in-office and home office workers long term. For many employees this is a long-overdue and welcome shift.

However, organizations have been struggling to adapt their security systems to this new work model. The security footprint of the organization has grown exponentially to include the residences of many of their employees. The traditional method of granting access to the corporate network involved providing the employee a VPN connection. This provided the "tunnel" by which remote workers could access internal resources such as databases, file shares, and other applications. Security was provided at the edge of the corporate network. In recent years many organizations implemented a "Next Generation" Firewall at the corporate edge as well. The NG Firewall converged many technologies such as web filtering, anti-malware, Data Loss Prevention (DLP), and SD-WAN into a single device. As the gatekeeper in front of most internal resources and end users, this was an appropriate approach.

However, as more and more internal resources move to the cloud and remote work increases dramatically, enforcing security at the corporate edge begins to make less sense. Given that most traffic now travels directly to the cloud rather than via the corporate network, it makes more sense to implement security at the edge of the cloud instead.

Enter the Secure Access Service Edge (SASE, pronounced "sassy") architecture. SASE is a cloud service that combines several existing technologies to provide an integrated, highly comprehensive approach to both network architecture and security systems. In fact, SASE represents the convergence of several Network as a Service and Security as a Service technologies. In order for it to make sense to deploy SASE, an organization should have more than 50% of its resources based in the cloud.

It is important to understand that SASE is an architecture, not a single product or technology. SASE can include several networking technologies and many security technologies. For instance, SASE networking components can include SD-WAN, VPN, Bandwidth Aggregation, and various edge equipment. Security components commonly found in SASE implementations include Cloud Access Security Brokers, Firewall as a Service (FWaaS), secure web gateways, Zero-Trust Networking, remote browser isolation, single sign-on, Data Loss Prevention, and DNS filtering.

A SASE solution can be purchased as an all-in-one service from a single vendor or it can be assembled from several best-of-breed components. The simplest approach would be to source the package through a single vendor. Many major networking and security companies now offer a SASE solution including Cisco, Fortinet, VMware, Palo Alto, and more.

In a SASE-based model, end users gain access to corporate resources by first connecting to a SASE cloud service via Points-of-Presence (POP), where they authenticate and are given access to resources. The assignment and redirection of cloud resources is handled by a Cloud Access Security Broker (CASB) in connection with a Single Sign-On (SSO) service. The user authenticates to the CASB and is provided access to those cloud resources that are authorized to the user: for example, Office 365 and Salesforce, but not QuickBooks Online. Once the connection is established, additional security measures can be enforced such as endpoint interrogation, web filtering, DLP, remote browser isolation, etc. It is up to the organization to determine which services to enable. This is usually a balance of risk tolerance versus potential negative impact on the organization.
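The access flow described above can be modelled as a default-deny, per-application decision. The following sketch is an added example, not code from the article or from any SASE vendor; the policy tables, class names, and the rule that non-compliant endpoints are routed through remote browser isolation are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy (hypothetical names, not a vendor schema).
ENTITLEMENTS = {                      # SSO group -> apps the broker may hand out
    "sales": {"office365", "salesforce"},
    "finance": {"office365", "quickbooks-online"},
}
INLINE_CONTROLS = {                   # controls the organization chose to enable per app
    "office365": ["dlp"],
    "salesforce": ["dlp", "web-filtering"],
    "quickbooks-online": ["dlp"],
}

@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    sso_authenticated: bool
    device_compliant: bool            # outcome of endpoint interrogation

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    controls: tuple = ()

def decide(session: Session, app: str) -> Decision:
    """Default-deny, per-application decision for one request."""
    if not session.sso_authenticated:
        return Decision(False, "not authenticated")
    entitled = set()
    for group in session.groups:
        entitled |= ENTITLEMENTS.get(group, set())
    if app not in entitled:
        return Decision(False, "application not authorized for this user")
    controls = list(INLINE_CONTROLS.get(app, []))
    # Assumed policy choice: a non-compliant endpoint is still served,
    # but only through remote browser isolation.
    if not session.device_compliant:
        controls.append("remote-browser-isolation")
    return Decision(True, "authorized", tuple(controls))

if __name__ == "__main__":
    alice = Session("alice", frozenset({"sales"}), True, True)
    for app in ("office365", "salesforce", "quickbooks-online"):
        print(app, decide(alice, app))
```

Unlike a VPN tunnel, which exposes a network segment once the user is connected, every application request here is evaluated on its own and anything not explicitly entitled is refused.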

The technology can be deployed via an agent loaded on the endpoint or in an agentless manner. Most likely, larger organizations will choose a combination of the two, as some use cases won't support the agent-based approach. The CASB can also be configured through APIs to broker access to services; however, this is an advanced approach and should only be done if a particular circumstance demands it.

Perhaps the biggest challenge to implementing the SASE model comes from one of its strengths. Because SASE incorporates both networking technologies and security technologies in a converged architecture, the skills required to implement it properly often exist in separate teams. In larger organizations these teams tend to operate separately and with different mindsets. The SASE model forces those teams to work together to ensure the optimal implementation.

Finally, by deploying a SASE architecture, organizations:

  • Extend the secure perimeter of the corporate "network" to the remote endpoint.
  • Combine several "point solutions" into a single pane of glass.
  • Improve the control over remote worker experience.
  • Provide more granular control over access to cloud-based resources. Zero-Trust access can be applied.
  • Allow for inline inspection of network traffic to and from the remote endpoint. Prevents data loss.
  • Improve regulatory compliance where necessary.

As we continue to put the pandemic behind us, we will need to embrace some of the paradigm shift it has placed on the work environment. SASE will become a crucial part of the evolution of the distributed network.
