Increasingly, the data centre is no longer the focus of architecture planning. In many new concepts, the internet replaces a company's own WAN lines, and applications and data reside in the cloud.
In the future, more of the users, devices and data that communicate with each other will be located outside the company headquarters rather than inside it. Typical drivers are the increasing number of home office users, the rapidly growing number of OT/IoT devices and the migration to modern cloud apps. This shift results in new requirements for the IT landscape, such as encryption of data, latency-free access paths, secure verification of identity, and release of data access only after the security status has been verified. These requirements can no longer be implemented at the perimeter as usual, so it makes sense to combine the new network and security services in one service.
An important design requirement is to offer this new universal service as close to the user as possible. It is not the user who has to follow the service; the service must follow the user. Therefore, a worldwide service is set up with many dial-in nodes, each of which accepts, processes and, if desired, forwards all requests locally. It is important that the data is not first forwarded to a central location and processed there, but that this is done directly at the dial-in node (SASE edge node).
In most cases, the new service is a pure software solution that runs at a cloud provider. Service provision therefore requires no hardware appliance, whether centrally, at the edge or at the customer's branch office. This brings advantages such as high agility in throughput and security performance, and rapid provision of new security functions such as machine learning.
Currently, the SASE market is nascent, but there are already some solution providers that can demonstrate advantages over a best-of-breed approach today. We therefore recommend not committing contractually to one SASE provider, but remaining flexible in order to be able to react to possible market changes.
The core components of a SASE solution are:
- SWG - Secure Web Gateway - secures internet access via a proxy with the proven functions of session control, malware detection and URL blocking.
- CASB - Cloud Access Security Broker - controls access to SaaS cloud services such as Office365, Salesforce, Dropbox & Co. and provides granular assessment of risks.
- ZTNA - Zero Trust Network Access - the successor to the standard VPN remote access solution, in which access control takes place at the application level and not on the basis of IP addresses.
- SD-WAN - Software-defined WAN - enables central management and monitoring of the local devices at the edge that form the transition to the internet, and enables local breakout concepts, replacement of expensive MPLS lines and improved performance thanks to traffic routing and protocol optimisation.
These SASE services can optionally be extended by:
- WAF - Web Application Firewall - protects access to web services through SASE.
- API protection - protects against access to, for example, REST APIs.
- Remote Browser Isolation - sensitive workstations or exposed users can be better protected against malware in web content, thus preventing infiltration and spread of malicious code such as ransomware.
- DNS Security - granular examination of DNS traffic for anomalies or data theft.
- Sandbox - enables advanced inspection of objects for malicious code by running them in a controlled environment.
Controlware has already carried out several SASE projects together with our customers and can support them in early planning, conception, evaluation and implementation, as well as in operation or through a fully managed service.
In many cases, our SASE Strategy Workshop guarantees a smooth start by uncovering all important boundary conditions and specifications and by bringing all affected departments together at an early stage.
Are you an IT manager, CISO, security or WAN specialist, and do you want to check your WAN structure for cost savings, renew your security modules such as proxy and firewall, or make the connection of cloud applications and home office users more performant and fail-safe? Then this is exactly the right time to talk to us about SASE approaches, so that in the medium term you can also obtain your network and security services more conveniently and cheaply from a single provider and thus create, at an early stage, the platform on which all of your company's future digitalisation initiatives can be based.