Secure Access Service Edge (SASE), according to SDX Central, brings together WAN capabilities and cloud-native security functions, providing a “cloud-first” approach to WAN security. SASE network architecture has evolved in response to the growing security needs of SD-WAN services, as cloud migration and the remotely connected workforce have gained ground.
SASE Meets the Need for Stronger WAN Security
SD-WAN services evolved to focus on what is important for organizations, namely, applications and policies. Rather than working with low-level networking constructs and functions such as IP packets and access control lists (ACLs), SD-WAN services enable network administrators to focus on creating policies for the specific applications used in their business, e.g., Office365, instead of its IP address. This change of focus also simplifies setting policies per application, such as which applications to allow or block; which ones to prioritize based on business importance; and readily identifying applications by application name rather than a nondescript, obscure IP address or port number.
Since an SD-WAN service typically uses the public Internet as one or more of its WAN connections, some basic security protection is required, such as a stateful firewall that provides functionality including IP port and protocol filtering, domain name filtering, and network and port address translation (NAT/PAT). This approach no longer provides sufficient protection for users, devices and applications for three key reasons:
- Application migration to the cloud
- Users connecting from anywhere
- Accelerating volume of threats
Application Migration to the Cloud
As part of an organization’s digital transformation, applications have steadily migrated from running in an organization’s on-premises data center to running in the cloud. This means that users will no longer predominantly connect to their applications in the data center via a private network, e.g., MPLS, but will more commonly connect to the cloud via a public Internet connection. According to the Gartner 2019 report “Future of Network Security Is in the Cloud,” more workloads (applications) are running in the cloud (via infrastructure-as-a-service or IaaS) or are consumed via software-as-a-service (SaaS) than are running or consumed in the organization’s internal data center.
Users Connecting from Anywhere
Users are now connecting from anywhere rather than within the confines of an organization’s office building. The network perimeter, from which users connect, has vastly expanded due to the COVID-19 pandemic, with many users connecting from home. This perimeter has been growing for several years as more and more users connect their laptops or smartphones remotely, away from the office. Furthermore, the number of users who use their own devices, a.k.a. Bring Your Own Device (BYOD), has also significantly increased over the past several years. Such devices, which are not owned by the organization, cannot be controlled; hence, the organization cannot limit which applications can be installed. This lack of control consequently introduces cybersecurity challenges. In sum, just as users are no longer required to connect to the network from the office, organizations must adapt to support user-owned devices connecting from other locations.
Accelerating Volume of Threats
Business is booming for threat actors, as we all have seen from the successful ransomware attacks that have shut down businesses and municipalities until payments have been made. While there have been several high-profile payment card breaches over the past few years, ransomware attacks have also increased, which have an immediate effect on business continuity. Organizations need to consider such breaches much as they do in the context of recovery from a natural disaster, through disaster recovery processes already in place. Organizations should have equivalent recovery processes in place for a cybersecurity attack.
An increasing number of tools are becoming available to automate attacks, and individual people are no longer needed to create and deliver them. Cyberattacks are now frequently mounted using artificial intelligence (AI) and machine learning (ML). Threat prevention must be continuous and adaptive, to protect both against known threats and against evolving, unknown threats.
Increasing Importance of Cybersecurity
When the network perimeter was confined to an organization’s office buildings, users, devices, and applications operated within the private network, and cybersecurity was manageable. Now that the perimeter is boundless, each organization’s cybersecurity policies, architectures and frameworks must become an integral part of their network architectures and implementations. The network can no longer be designed independently from cybersecurity considerations. Furthermore, cybersecurity can no longer be considered separately from organizational processes and technologies. Cybersecurity must be woven into the fabric of an organization. Hence the importance of SASE.
What is SASE?
SASE melds the comprehensive WAN capabilities of SD-WAN with a comprehensive set of cybersecurity functions to address the migration of applications to the cloud, users working from anywhere, and the volume of threats.
Typical SD-WAN Capabilities Provided by SASE Services
SASE services utilize capabilities commonly provided by the SD-WAN services listed below.
- Over-the-top (OTT) service
- Operates over any type of underlay connectivity (WAN) service, e.g. broadband, MPLS, LTE
- Inherent High Availability
- SD-WAN services typically deployed over two or more underlay connectivity services, e.g. MPLS + Broadband
- Secure Transport of Application Flows
- SD-WAN services encrypt all IP packets in transit over underlay connectivity services
- Supports Multiple Virtual Topologies
- Can construct unique topologies based on application requirements, e.g. hub and spoke, full mesh, etc.
- Application-aware networking
- SD-WAN services enable users to focus on business applications, e.g. Office365, Zoom conferencing, or Skype calls, rather than IP packets
- Policy-based networking
- Provides intent-based policies and policy actions, e.g. allow, block, and prioritize, to determine how IP packets associated with each application are treated by the network rather than defining ACLs using low-level, obscure network constructs
- Encrypted Internet breakout to cloud-based applications and services
- Connects to public cloud services and SaaS applications via encrypted TLS (HTTPS) or IPsec VPN tunnels
- Application flow cybersecurity functions
- SD-WAN services typically provide an integral set of foundational cybersecurity functions. Such functions include:
- Stateful firewall
- Network/port address translation (NAT/PAT)
- IP Address, port number, and protocol filtering
- Domain name filtering (block known malicious domain names or quarantine those with a bad reputation)
- Security middlebox function to decrypt application flows to apply security policies and then re-encrypt
Note that some of the aforementioned cybersecurity functions are part of Secure Web Gateway (SWG) functionality, which provides protection against web-based threats. As SD-WAN services and solutions evolve to SASE, they continue to incorporate more cybersecurity functions.
Typical Cybersecurity Capabilities Provided by SASE Services
SASE services add additional cybersecurity functions to the aforementioned foundational cybersecurity functions provided by SD-WAN services.
- Security policy management
- Provides intent-based policies that define policy actions, e.g., Allow, Block, Quarantine, or Sandbox, to apply to IP packets associated with an application
- Malware detection and removal
- Identify, clean (then allow) or remove (block or quarantine) malware from application flows
- URL filtering
- Block or quarantine suspicious (or known to be malicious) URLs for a permitted domain name
- Data Loss Prevention (DLP)
- Identify and block application flows containing confidential, sensitive, privacy-related, and personally identifiable information (PII), such as social security number, driver license number, payment card number, biometric information, etc.
- Anti-phishing
- There are many types of phishing attacks, some of which may be addressed via other security function such as URL filtering, malware detection, and DLP
- A phishing attack uses social engineering to entice the user to click on a URL or submit PII via what appears to be a legitimate email
- Threat detection, prevention and response
- Using AI and machine learning, identify suspected threats based on anomalous behavioral patterns, block the threats or threat actors, and subsequently monitor and report them to a security information and event management (SIEM) system
- Note that this functionality appears under different names:
- EDR (Endpoint Detection and Response)
- NDR (Network Detection and Response)
- TDR (Threat Detection and Response)
- XDR (Extended/Cross-Layer Detection and Response)
- IDS/IPS (Intrusion Detection System/Intrusion Prevention System)
- Identity management
- Identify the users, devices and applications that want to access the network or networked resources for use by access control policies and mechanisms.
- An organization will often use several Identity Providers (IdPs) for identity management (IdM), either individually or via federated IdM. IdM may be performed internally and via external third-party IdPs.
- You must consider a federated approach to IdM to ensure security policies can be effectively managed and controlled when an organization uses multiple cloud providers
- Adaptive access control
- Ability to modify security policies that determine the amount of access a user, device, or application is granted ranging from full to partial to no access
- Continuous threat monitoring
- Continuous monitoring of application flows to identify anomalous behavior among users, devices, and applications wanting to access the network and networked resources
Note that the first six cybersecurity capabilities are commonly provided by a cloud access security broker (CASB) service and may also be provided by services using terms such as next-generation firewall (NGFW), UTM (unified threat management), and ATP (advanced threat prevention/protection). The last three functions listed are part of a Zero Trust Framework (ZTF), which provides least privilege access to users, devices and applications. Zero Trust cybersecurity functions play a key role in SASE services.
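The list above describes policies keyed by application name with actions such as Allow, Block and Quarantine, a DLP check for PII in flows, and adaptive access that grants partial access to unmanaged devices. The following is an added example, not code from the article or from any SASE product or MEF standard; the `Flow` class and the `APP_POLICY` table are hypothetical, and the PII patterns are deliberately simple.

```python
import re
from dataclasses import dataclass
# Constructed example: an application-aware, intent-based policy check with an inline
# DLP step, using the action vocabulary from the list above (allow, block, quarantine,
# prioritize). The Flow class and APP_POLICY table are hypothetical.

@dataclass
class Flow:
    user: str
    app: str                      # application name, e.g. "Office365", not IP/port
    payload: str                  # application content after the decrypting middlebox
    device_managed: bool = True   # False for BYOD devices
# Policy keyed by application name rather than by ACL entries on addresses/ports.
APP_POLICY = {"Office365": "prioritize", "Zoom": "allow", "UnknownFileShare": "block"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit number is not flagged as a card."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def dlp_findings(payload: str) -> list:
    """Labels for PII found in the flow content (SSN pattern, Luhn-valid card number)."""
    findings = []
    if SSN_RE.search(payload):
        findings.append("ssn")
    if any(luhn_valid(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(payload)):
        findings.append("payment_card")
    return findings

def evaluate(flow: Flow) -> tuple:
    """Return (action, reason) for a flow. Unknown apps are quarantined, not allowed."""
    action = APP_POLICY.get(flow.app, "quarantine")
    if action == "block":
        return action, "app policy"
    found = dlp_findings(flow.payload)
    if found:
        return "block", "dlp:" + ",".join(found)
    if not flow.device_managed and action == "prioritize":
        return "allow", "byod partial access"   # adaptive access: partial, not full
    return action, "app policy"
```

The DLP step runs only on flows the application policy does not already block, and an application absent from the policy table falls to quarantine rather than to an implicit allow.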
Cloud-Based SASE Security Services
There are many reasons to use cloud-based SASE security services versus using premises-based SASE security services.
- Easier and quicker to deploy
- Setting up a cloud-based SASE security service only requires you to do two things:
- Set up a primary and secondary IP VPN connection from your WAN router or SD-WAN Edge to the SASE security service
- Enter your SASE security service account credentials
- Simpler and more cost-effective to scale up or down
- SASE security services leverage cloud infrastructure, so you can scale up or down just like you do with other cloud-based services such as AWS EC2 cloud compute services where you can, in minutes, add or remove compute capacity
- Stop Internet-based threats before they reach you
- A cloud-based SASE service sits between you and the Internet, protecting you from Internet-based threats before they reach your site, device or application
Premises-Based versus Cloud-Based SASE Services
Since a network perimeter continually changes as users now work from anywhere, you must ensure that the WAN and cybersecurity functionality is sufficiently flexible to support this new reality. Whether a user is connecting from an office, home, airport, or hotel, they need the same level of threat prevention wherever they connect. When away from the office, users will connect via the Internet, typically using broadband, Wi-Fi, or LTE/5G cellular data services. A cloud-based service enables a common approach for these use cases.
From the office, a user may connect to the organization’s data center via a private network connection, e.g. MPLS VPN, in addition to connecting to the public Internet. For the private network, premises-based SASE cybersecurity functions are sensible and could be centralized at the data center as well as distributed at each office. However, some organizations run all of their applications in a virtual private cloud or via a cloud-based SaaS offering all connected via the Internet in which case, a cloud-based SASE cybersecurity service may be more appropriate.
Some parts of SASE service require functions to be performed on-premises, specifically where the users are located. SASE services can be provided via software installed on a personal device, or by a SASE device on premises. Below are some examples that necessitate SASE functions to be located on premises.
- If your business location uses multiple WAN connections (since the WAN connections terminate on premises)
- If you need to provide threat prevention over the private network between business locations
- If you need to protect internal networked resources from threats that could be introduced by personal devices (BYOD)
The need for on-premises SASE services will diminish as more applications migrate from on-premises servers to the cloud and more users work from anywhere and connect via the Internet.
What Makes Up a SASE Service?
SASE services currently consist of both WAN and cybersecurity functionality, as previously discussed. However, SASE services are also evolving to support LANs, Wi-Fi, and endpoints (IoT devices, laptops, smartphones, etc.).
You might ask, “Is there a minimum amount of WAN and cybersecurity functionality for something to be called a SASE service?” Unfortunately, because of the lack of an industry-accepted or standardized SASE service definition, different offerings are referred to as SASE services. For example, is the WAN connectivity aspect of the service limited to a single IP VPN? Can it support multiple underlay connectivity services, such as Dedicated Internet Access (DIA) + MPLS or broadband + LTE, over which SD-WAN virtual connections (SWVCs) operate and provide additional network resiliency? Often the aforementioned cybersecurity functionality is packaged in different service offerings. Just as it took a few years (plus MEF Forum Standardization) before SD-WAN services had a well-defined baseline set of functions, achieving a baseline for SASE services will take a few more years.
The Need for Industry Clarity around SASE
While no industry standard exists for SASE, MEF Forum is developing a new standard, “MEF W117 SASE Service Attributes and Framework,” to augment its related standards work on SD-WAN and cybersecurity. Existing MEF Forum work in this area includes the industry’s first SD-WAN service standard, “MEF 70 SD-WAN Service Attributes and Services,” “MEF W88 Application Security for SD-WAN Services”, and “MEF W118 Zero Trust Framework and Service Attributes” – the latter two being under development. These standards will play a key role in providing clarity in the marketplace.
Conclusion
Many services and products use the term SASE to define their offerings without an industry standard, and capabilities vary widely. This lack of standardization makes it more challenging to evaluate different offerings and requires that you understand the different WAN and cybersecurity functions to ensure they address your organization’s business objectives for digital transformation. Given the many SD-WAN and cybersecurity options, don’t hesitate to reach out to industry experts to obtain guidance to help you make the optimal choices for your business. For more discussion around MEF Forum’s standardization work on SD-WAN security and SASE, view this interactive Webinar, MEF and LAYER 123: SD-WAN Security & SASE on BrightTalk.