How Security Access Service Edge (SASE) can improve the performance and security of hybrid workforces

Today’s business environments are more dispersed than ever: users access networks from point A to point B and everywhere in between.

This has left many cybersecurity teams scrambling to cover every point and user on the network and ensure gaps and silos don’t provide easy avenues for threat actors.

The expanded physical and virtual environment blurs visibility and loosens control, making it difficult to track sensitive data, comply with regulations, and retain secure profiles between office and VPN users.

To regain control in this complex landscape, more organizations are turning to security access service edge (SASE). This model seeks to reduce risk by moving security capabilities from the data center to the cloud and implementing a software-defined wide-area network (SD-WAN).

“The SASE architecture is designed to solve the problem of network performance and limited security visibility for distributed corporate business systems (infrastructure, platforms, and applications),” said Keith Thomas, Principal Architect, AT&T Cybersecurity.

“This approach provides better network performance, greater security visibility, and a better overall user experience.”

SASE defined

Gartner analysts coined the term SASE in 2019 and split it into its own Magic Quadrant in early 2022.

The firm identifies it as a “converged network” including SD-WAN, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Firewall as service (FWaaS) and data loss prevention (DLP).

“SASE supports branch office, remote worker, and secure on-premises access use cases,” according to Gartner. It is “primarily delivered as a service and enables zero-trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.”

The global SASE market stood at $665.9 million in 2020, according to an estimate by Grand View Research; the firm anticipates that it will continue to expand through 2028 at a compound annual growth rate (CAGR) of 36.4%. Another projection from Markets and Markets says the market will reach $4.1 billion by 2026, representing a CAGR of nearly 27%.

Leading companies in the evolving space include Netskope, Zscaler, Palo Alto Networks, Fortinet, Cisco, Perimeter 81, Cato Networks, and Forcepoint.

“Since many users and applications no longer live or operate on a corporate network, access and security measures cannot rely on conventional hardware devices in the corporate data center,” said Robert Arandjelovic, director of solutions strategy at Netskope. .

With SASE, instead of sending traffic to a security device, users connect to the brokering service “to securely access and use web services, applications, and data with consistent security policy enforcement,” said.

Higher Security, Less Complexity

SASE architectures, Arandjelovic said, are typically based on a single-vendor offering that offers network and security capabilities together, or a two-vendor model that integrates an SSE offering with an SD-WAN offering.

And, while each vendor varies in how they provide SASE, they generally adhere to this process:

• Users wishing to access services, applications or data will connect to the nearest SASE Point of Presence (POP) and authenticate themselves.
• Depending on where the resource resides (on a website, in an application, in a private application hosted in a data center, or in an infrastructure as a service), the SASE architecture uses the appropriate built-in service and allows the user to access authorized resources. . .
• While this is happening, SASE applies consistent threat protection and data protection controls. Ideally, these take advantage of a “one-step” approach to minimize user disruption.

The best SASE tools, Arandjelovic said, ensure “fast and ubiquitous connectivity” while adhering to the principles of zero trust and least privileged access that adjust based on risk context.

Ultimately, SASE reduces cost and complexity through consolidation, he said, allowing companies to “end the cycle of regularly making large investments in separate security appliances and services.”

Important questions to consider

There are many questions to consider when evaluating SASE tools, said Bruce Johnson, Cradlepoint’s senior manager of product marketing. Being the keys:

• Will my current infrastructure support SASE?
• Do my current IT staff have the necessary training to implement, manage, and support a SASE environment?
• Does my environment include technologies like 5G that warrant additional capabilities?

He advised that testing and troubleshooting be done in a sandbox to protect the production environment before hybrid workforce devices are set up.

As he noted, “geography becomes a lot less important” with SASE because critical services are independent of where employees and resources are located.

For example, “a company that supports a global workforce that includes hybrid workers can provide protection and network connectivity to a worker anywhere in the world.”

SASE Modular Capabilities

Arandjelovic agreed that, like many comprehensive frameworks, “SASE can seem overwhelming when you consider everything at once.”

But because it’s modular, organizations can gradually adopt it at their own pace and priorities.

The first step is to collaborate across the “IT gap,” he said, with security and infrastructure teams forming a common set of requirements. Once agreed, the next step is to identify and prioritize key projects, whether it’s securing access to web and cloud applications, modernizing VPN connectivity, or implementing data protection across the enterprise.

Organizations can then develop controls and policies, and deploy subsequent projects as needed, a process made simple by the unified SASE platform.

A thoughtful and sensible approach

In fact, many analysts recommend first implementing ZTNA and then extending its use “little by little,” said Klaus Gheri, vice president of network security at Barracuda.

This is the “most thoughtful and sensible approach” as long as organizations consider questions such as:

• Does the solution provide agents for all required platforms?
• Does it force funneling all traffic through the SASE service or allow access to other capabilities like Microsoft 365?
• Do you allow access to other apps than web apps?
• Does it allow for expansion to adopt additional features?
• Does it enable deployment of devices or sensors for IoT or industrial use cases?

Ultimately, SASE tools should be about constant security, everywhere, with a zero-trust foundation, he said.

“This ensures that all employees get secure, reliable and fast access to applications without the bottleneck of a VPN concentrator that we used to see,” he said.

“Changing an existing company’s network and security infrastructure sounds scary, and often is,” he acknowledged. “Therefore, the benefits should outweigh the risks and the efforts fairly quickly.”

Complex, but a worthwhile investment

Ultimately, business leaders need to be aware that there are many possible paths to take when deciding how and when to implement SASE, said Mary Blackowiak, senior manager of product marketing for AT&T Cybersecurity.

Some choose to get SD-WAN from their security provider, while others prefer to stack security on top of their existing network infrastructure, he noted.

Another option is to purchase the technology and outsource it to a Managed Security Service Provider (MSSP). This may be particularly attractive in light of the current skills shortage in the security industry, he noted.

Additionally, it is critical to create a roadmap of upcoming network and security transformation initiatives and begin the proof-of-concept process early.

This “can help position companies for higher productivity, less risk, and simplified management,” Blackowiak said.

The bottom line, said AT&T’s Thomas, “SASE is a complex and resource-intensive strategic initiative to execute but can ultimately be a transformative strategy and deliver cost savings to an organization.”