SASE – A new security framework that addresses the challenges of digital transformation

Mahmoud Samy, Vice President & Managing Director – EMEA Emerging Markets & Eastern Europe, Forcepoint, explains how SASE addresses the challenges that arise due to the migration to the cloud.

SASE (Secure Access Service Edge), a concept first formulated by Gartner, moves the IT network and security to the Cloud. Future SASE platforms will provide comprehensive connectivity and security technologies.

Companies are moving more and more applications and data to the cloud. Some are opting to do this in order to gain the classic benefits of the cloud, such as flexibility, scalability or location-independent access. Large software vendors such as Microsoft, SAP or Salesforce are also driving this trend by gradually discontinuing support for their on-premise solutions, often leaving companies with no choice but to use their cloud offerings. The trend towards the cloud is now irreversible and will continue to grow in the future.

As a result, some companies’ traditional IT security architectures are becoming increasingly obsolete: they are still based on the assumption that applications and data live within the company, and therefore are designed to only protect the network from threats from outside. This has caused a growing discrepancy between where the risk factors actually reside and where the security tools to counter them are located.

The concept of Secure Access Service Edge (SASE) is going to eliminate this discrepancy. It has been developed with the aim of bringing the network and its security back to where applications and data really are: the cloud. Many vendors have already started developing products and solutions to support SASE-based architectures to prepare for the future.

Avoid a detour through the data center

SASE architecture offers numerous advantages. It provides support to the ever-growing number of users who access cloud applications from outside the corporate network: employees who work from their “home office”, those travelling or those working in branches without their own data centers. This entire workforce can be connected directly to the cloud via a SASE architecture.

With SASE, traffic from a local office no longer needs to be routed through the data centre at the company’s headquarters just to pass through security controls. Weak performance, high latencies and termination of connections are now a thing of the past. Covid-19 has shown how important fast and secure connections are for employees working remotely – and this trend will continue in the coming years. Many of the upheavals caused by the pandemic will define the future. One of these is that it’s likely more and more people will be working outside of their corporate headquarters.

As data flow for cloud applications no longer needs to be redirected through a central data center, there will be significantly fewer traffic flows through expensive MPLS lines that usually connect branches to the company headquarters. Thanks to SASE, companies can incorporate local internet connections and an SD-WAN approach into their network architecture, meaning significant cost savings.

Adopting SASE principles offers a unique opportunity to simplify IT security again. In the past 20-25 years, companies have accumulated a real proliferation of security tools from many suppliers. For security administrators, this meant various challenges, including multiple contracts and update cycles and having to manage these tools through different management interfaces. In the future, when security tools can be used in a holistic and uniform way, from a single source, and when SASE-supporting cloud solutions are integrated, IT security management will be much easier.

Combination of connectivity and security

Architectures based on SASE principles will unite two principles: connectivity and security. They will need to provide secure and encrypted connections from individual employees, first to the cloud platform itself and from there to the desired cloud applications. This can be accomplished with a client-to-site VPN, site-to-site VPN or Zero Trust Network Access (ZTNA) technologies. They can also use SD-WAN technologies to ensure that the best connection path for the application is always selected when accessing cloud applications.

To ensure complete security, SASE architecture must also provide all centrally important modules, including:

• A Secure Web Gateway (SWG) to protect users from internet threats and apply safe browsing policies;

• Firewall-as-a-Service for continuous inspection of incoming and outgoing data traffic, including data decryption;

• A Cloud Access Security Broker (CASB) that monitors and records the communication between the user and the cloud application;

• Advanced Malware Detection (AMD), which tests suspicious attachments in an isolated sandbox to detect malware;

• Data Loss Prevention (DLP), which monitors and, if necessary, blocks data transactions to prevent unwanted data loss;

• Technologies for establishing and protecting connections.

To be truly innovative, any convergent network and security platform should also be controlled based on user behaviour. The cloud environments of companies should be kept as open as possible so as to allow their employees flexible access from anywhere and allow the rapid integration of partners or service providers. This openness, however, requires not only greater reliance on login credentials, but also an exact understanding of the behaviour of users who log in and an automatic reaction to risks. This is made possible by processing the behaviour models anonymously, and therefore in compliance with data protection. For example, a behaviour model may reveal that a particular user always accesses a specific cloud application from the same IP range, typically around the same time of day, and performs the same tasks and opens the same documents every time.

By constantly comparing this model with actual behaviour, possible cyber attacks can be detected – for example, when the user suddenly logs on from a completely different IP range, accesses folders they would never normally open, or tries to gain unauthorised access to files. Ideally, a behaviour-centered solution can dynamically react to user behaviour and initiate different and staggered measures depending on the type and frequency of inconsistencies. The security operator checking the data, which is completely anonymous, could then request a further two-factor authentication, continue to limit access and monitor the user's desktop, or even withdraw access rights until all inconsistencies have been investigated and clarified.
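The comparison and staggered response described above, sketched as an added example (not Forcepoint's implementation and not code from the article). The /24 grouping, the two-hour tolerance, the strike thresholds, the function names and all sample data are assumptions chosen for illustration.

```python
import hashlib, hmac, ipaddress

PSEUDONYM_KEY = b"constructed-demo-key"  # assumption: kept outside the analytics tier
# Constructed sample data: (source IP, hour of day, resource).
HISTORY = [("198.51.100.14", 9, "crm/reports"), ("198.51.100.77", 10, "crm/reports"),
           ("198.51.100.20", 9, "crm/accounts")]
EVENTS = [("198.51.100.31", 10, "crm/reports"), ("203.0.113.8", 10, "crm/reports"),
          ("203.0.113.8", 11, "hr/payroll"), ("203.0.113.8", 3, "finance/ledger")]

def pseudonym(user_id):
    """Keyed hash, so the model and the operator never handle the real identity."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:12]

class Baseline:
    """What one pseudonymous user normally does: networks, hours, resources."""
    def __init__(self, history):
        self.nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip, _, _ in history}
        self.hours = {hour for _, hour, _ in history}
        self.resources = {res for _, _, res in history}

    def inconsistencies(self, ip, hour, resource):
        found, addr = [], ipaddress.ip_address(ip)
        if not any(addr in net for net in self.nets):
            found.append("new_ip_range")
        # Circular distance, so 23:00 and 01:00 count as two hours apart.
        if min(min((hour - h) % 24, (h - hour) % 24) for h in self.hours) > 2:
            found.append("unusual_hour")
        if resource not in self.resources:
            found.append("unfamiliar_resource")
        return found

def respond(found, prior_strikes):
    """Staggered measures by type and frequency of inconsistencies."""
    strikes = prior_strikes + len(found)
    if strikes >= 4:  # assumed threshold; stays revoked until investigated
        return "revoke_pending_investigation", strikes
    if not found:
        return "allow", strikes
    if "unfamiliar_resource" in found or strikes >= 2:
        return "restrict_and_monitor", strikes
    return "step_up_2fa", strikes

def replay(user_id, history, events):
    """Score events in order; returns (pseudonym, action) pairs for the operator."""
    who, base, strikes, out = pseudonym(user_id), Baseline(history), 0, []
    for ip, hour, res in events:
        action, strikes = respond(base.inconsistencies(ip, hour, res), strikes)
        out.append((who, action))
    return out
```

Calling `replay("alice@example.test", HISTORY, EVENTS)` walks the constructed events from a normal login through to a withdrawn session, with only the pseudonym attached to each decision.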

Support hybrid architectures

The future of business applications and data lies in the cloud and the future of security therefore belongs to SASE architecture, and companies should begin to address this topic.

When relying on a partner that offers solutions based on the SASE model, there are some aspects to consider. For example, although the vendor can offer all the architectural features, if there are integrations of multiple third-party products in the platform, different cloud services may have to be connected to each other. This may consequently cause latencies and added management complexities, as different administration interfaces may be used.

The same effect occurs when the partner is a cloud-only provider with no on-premise security solutions. Companies will continue to keep applications and data in their data centers for the next few years, which will need to be protected with on-premise security tools. Hybrid security architectures will therefore be necessary, at least for the transition period. If the chosen partner is able to offer both on-premise and cloud solutions, companies will have the ability to holistically control both worlds within a centralised management console.

Finally, anyone offering a SASE architecture should provide proven technology that has a successful distribution track record; and the technology should be continually developed to ensure its quality.