SASE: An Enabler for a Secure, Reliable Employee Remote Access – Part 1
by Dominik Ogrodnik and Michał Mordawski, Solution Architects at Amartus
In the wake of the unprecedented shift to tele- and hybrid work arrangements, companies worldwide seek to secure their remote workforce and branch offices. To protect all users and devices, regardless of where they reside, they need to rethink their network security strategies. Is Secure Access Service Edge (SASE) the answer?
The past year has changed the working landscape forever. When the coronavirus pandemic struck, businesses worldwide faced an urgent need to adjust their workspace and embrace remote work almost overnight.
For many organizations that had already been in the throes of digital transformation pre-pandemic, the transition to telework went quite smoothly. But a lot of businesses were caught unawares by the lockdown. Even with a corporate VPN deployed, they couldn’t handle the strain caused by the massive traffic peaks.
Worse still, the increased demand for network resilience and extra bandwidth isn’t the only challenge today’s businesses need to address to support remote work. As cloud adoption accelerates and distributed workers connect through their own devices, new security challenges arise.
Understanding complexities of securing a remote workforce
In a common scenario, a user accesses services located in enterprise data centers and public, multi-cloud environments. While a VPN connection is usually sufficient to ensure a secure connection to the data center from the HQ or a branch location, access to multi-cloud is a different beast.
Cloud providers have baked-in security and compliance solutions, but they’re only meant to protect their own products. So who will assume responsibility for the security of data traveling back and forth to the cloud? Backhauling the traffic from a remote user through a VPN to the enterprise data center is one option; however, it’s hardly cost-optimal and adds a further layer of complexity to security management.
“Cloud providers have baked-in security and compliance solutions, but they’re only meant to protect their own services.”
In a corporate setting, real-time enforcement of cloud security policies is essential to protect the network, data, and users from violations. For these policies to be effective, they must be based on the user identity (WHO is trying to access?) and the context of the session (WHERE is the user located? WHEN is the access attempted? Is the DEVICE KNOWN/RECOGNIZED?). Granular policy enforcement and role-based access control (essential components of zero-trust network access) are also instrumental in ensuring that each user can only perform the actions they are authorized to perform.
That is the theory. In real life, however, setting up and managing the security perimeter for a distributed workforce is extremely complex. Merging it into a “security cloud” makes this task much easier for enterprise IT departments, and here’s why.
Resolving enterprise security challenges in the new normal
Without centralized security, managing identity and access control in a cloud/multi-cloud environment can be a nightmare. The plethora of users, devices, and applications can quickly become impossible to secure cost-effectively. Remote work arrangements add to the problem, exposing businesses to unforeseen threats as home-based employees access sensitive corporate data and applications in the public cloud.
In response to the growing complexity of distributed networks and multi-cloud environments, centralized cloud security has emerged. It provides an adaptable and resilient solution to securely connect remote employees to enterprise resources through customizable security policies that can be centrally enforced and orchestrated as a service. IT departments benefit from a unified security environment that is easier to manage, while remote employees access all tools and platforms they need for their job.
And how does this work in detail? Meet SASE.
What is SASE?
SASE (Secure Access Service Edge) delivers security as a cloud service to network endpoints (such as employee devices, offices, edge computing locations, etc.) instead of centralizing security functions in corporate data centers. It combines cloud-based centralized policy management with local policy enforcement and decision-making to provide simplified, scalable network security management and policy monitoring.
The term was coined by Gartner in a report which suggests that the enterprise data center is no longer the central access point for users and devices. Factors like ongoing business transformation and growing SaaS and cloud adoption call for an update in the access and resource architecture.
This may come in the shape of SASE, a new security model, primarily delivered as a cloud-based service, which converges network services (like SD-WAN) and network security services, listed below:
- Zero-Trust Network Access (ZTNA): Instead of granting access to resources based on the network (subnet) a user connects from, the service applies a least-privilege access strategy to provide complete session protection.
- Secure Web Gateway (SWG): This component prevents data leakage, blocks unauthorized behavior, and enforces policies for web access by filtering unwanted content and implementing corporate policies.
- Cloud Access Security Broker (CASB): While the SWG is responsible for outbound user traffic, the CASB secures cloud-based services, covering data loss prevention, control of collaboration and sharing, malware detection, etc.
- Firewall-as-a-Service (FWaaS): Cloud-delivered firewalls allow uniform application firewall rules to be applied across all network connections, protecting platforms, infrastructure, and apps from cyber threats.
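As an added illustration (not code from the original post or from Amartus), the following default-deny policy evaluator shows how the identity- and context-based checks described earlier (WHO, WHERE, WHEN, is the DEVICE KNOWN) combine with the ZTNA least-privilege role permissions listed above; the users, devices, countries, hours, and resources are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str       # WHO: authenticated identity
    role: str       # role assigned to the identity (RBAC)
    device_id: str  # DEVICE: identifier presented by the endpoint
    country: str    # WHERE: country resolved for the session
    hour: int       # WHEN: local hour of the request, 0-23
    resource: str   # target service, e.g. "erp", "git"
    action: str     # requested operation, e.g. "read", "write"

# Constructed sample policy data; a real deployment would pull these
# from the identity provider, device inventory and policy store.
KNOWN_DEVICES = {"alice": {"laptop-0042"}, "bob": {"laptop-0077"}}
ALLOWED_COUNTRIES = {"PL", "DE"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59
ROLE_PERMISSIONS = {
    "finance": {("erp", "read"), ("erp", "write")},
    "engineer": {("git", "read"), ("git", "write"), ("erp", "read")},
}

def evaluate(req: AccessRequest) -> tuple:
    """Return (decision, reason). Default deny: every check must pass,
    and identity/context checks run before the least-privilege check."""
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        return ("deny", "unknown device")
    if req.country not in ALLOWED_COUNTRIES:
        return ("deny", "location not allowed")
    if req.hour not in BUSINESS_HOURS:
        return ("deny", "outside business hours")
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return ("deny", "action not permitted for role")
    return ("allow", "policy satisfied")

if __name__ == "__main__":
    sample = [
        AccessRequest("alice", "finance", "laptop-0042", "PL", 10, "erp", "write"),
        AccessRequest("alice", "finance", "laptop-9999", "PL", 10, "erp", "write"),
        AccessRequest("bob", "engineer", "laptop-0077", "DE", 9, "erp", "write"),
    ]
    for req in sample:
        print(req.user, req.resource, req.action, "->", evaluate(req))
```

Every decision carries a reason string so that denials can be logged and reviewed centrally, which is the kind of unified policy monitoring the SASE model is meant to provide.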
Companies can also centralize most of the above functions in a corporate data center and let distributed employees access the intranet from their homes via VPN. The downside of the VPN strategy, however, is that it backhauls all traffic through limited resources on the data center side, which reduces availability.
SASE eliminates this problem by shifting the center of gravity from the corporate data center to the cloud edge. The SD-WAN traffic distribution and scalable networking connections make the SASE model a perfect fit for remote work scenarios.
- What are the other benefits of using SASE for securing your organization in the work-from-anywhere future?
- What are the key factors that will make SASE the right choice for your business?
- What is Amartus’ SASE-related experience?
We will answer these questions in the second part of this blog post that will be published next month.