The perimeter-less, cloud-based working environment was always inevitable, but most thought leaders scheduled this revolution for sometime around 2025. With the advent of remote work, and with the prospect that no one will quickly return to the office, it’s clear that changes to the corporate network will now become permanent.
The enterprise data center concept is rapidly becoming dated, though companies still rely on it as a sort of pass-through. Employees are supposed to use VPN to connect to the data center, which connects them to their data and applications in turn. Traditional firewalls protect the data center from malicious traffic.
What companies are quickly discovering, however, is that VPNs weren’t designed to support the entire company working from home at once. Meanwhile, traditional firewalls don’t stop attackers from taking over user endpoints or stealing their login credentials. By entrenching the data center using their customer tools, administrators create a complex edifice which requires effort to maintain—and which doesn’t fully satisfy security requirements for a new cloud era.
Introducing the Secure Access Service Edge—SASE
Although administrators would prefer that their employees use remote networks as designed, the reality is that up to one third of personnel don’t use VPNs to connect to the corporate network while working remotely. Users access their SaaS applications without using VPN, they place their sensitive data in the public cloud outside of enterprise infrastructure, and they do so on devices that administrators didn’t provide or configure.
Most users prefer working this way—as many are genuinely more productive working in this manner. Rather than clinging to the how things used to be, administrators need to extend security to their users in a way that protects them no matter where they’re located or what device they’re using.
SASE (pronounced “sassy”) is one way to get this done. Using SASE, administrators combine security technologies such as Zero Trust Network Access and Firewall as a Service (FWaaS) with network technologies such as SD-WAN. This produces a flexible network that can create secure connections between users, defended by a security implementation that’s both lightweight and powerful.
In a recent report The Future of Network Security Is in the Cloud, Gartner states, “By 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.”
>> Read Now: How to Overcome Packet Capture Challenges
in the Cloud [Free Whitepaper]
Understanding the Benefits of SASE
Under SASE, you’ll notice security is often consumed as a service and managed (at least in part) by vendors. There’s no lengthy implementation period and little physical hardware to install. Much of it is agentless and browser based. On the user side, activating powerful security tools may be as simple as navigating to a specific URL before continuing to work as normal. Meanwhile, administrators can consolidate their network and security vendors, reducing their workload in terms of maintenance and easing budgets in terms of capital expenditures.Because users no longer need to route their connectivity through the data center to access their tools—something that they resisted doing anyway—they can gain an advantage in terms of reduced latency and thus increased productivity. On a related note, there’s much less danger that your employees will reject or neglect their security tools. While up to 90% of users ignore warnings under a traditional security model, SASE runs in the background, providing unobtrusive security that’s easier to use.
Although security under SASE may be simpler, it’s no less effective. Zero Trust Network Access (ZTNA) is a collection of technologies that sternly enforces least privilege. Not only can users only access the tools and data they need to do their job, other resources on the network aren’t even visible. A logged-in malicious insider would be unable to perform reconnaissance, making it much harder for them to discover valuable information. What’s more, it’s nearly impossible for attackers to detect the corporate network from outside. Outbound-only connections and hidden IP addresses make the network’s attack surface almost invisible.
The only sticking point with ZTNA is that as mentioned, it’s not a single technology—it’s a combination of technologies, much in the same way that SASE is also a combination of technologies. There’s no single rulebook when it comes to putting these technologies together in a way that achieves maximum visibility, nor is there a single vendor that provides them.
Providing the framework for SASE Visibility within the Cloud
For SASE to work, it requires a staggering amount of visibility. Remember, we’re talking about creating a security infrastructure on users’ devices without relying on them to install traditional security tools such as firewalls and antivirus. Monitoring tools replace these solutions instead.
What this means is that monitoring tools in a SASE implementation need to be incredibly sensitive. If a user’s configuration changes, if their behavior pattern changes, if they start trying to access materials they aren't allowed to access, or if they log in from a new device, it could mean that they’re compromised. Any SASE solution needs to be sensitive enough to pick up on these changes and alert on them when necessary.
Lastly, much of a SASE implementation bypasses the enterprise data center, so it isn’t obvious how to even collect the data you need in the first place.
Garland Prisms is a cloud-native visibility solution that is designed to provide deep insights to SASE implementations and their administrators—without high costs or overhead. Garland Prisms is specifically designed for cloud deployments, virtual infrastructure, and SASE environments, letting you mirror traffic from containers, virtual machines, and any kind of cloud.
Although circumstances may have forced you to begin creating a SASE implementation far sooner than you ever planned, Garland Prisms give you the ability to fully instrument your SASE implementation as soon as you can get it up and running.
Looking to add visibility to your cloud SASE deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do!
