Paving the road to SASE: Aryaka and Check Point
When it comes to network security, everybody is boarding the SASE (Secure Access Service Edge) train. With very good reason, too: SASE’s architectural model is optimally suited to support the consolidated networking and security needs of all things XaaS.
Catering to cloud-first architectural needs is one of the top WAN design patterns and has been a key driver for SD-WAN adoption. Cloud architectures don’t play along with traditional WAN design rules, which routed all traffic back to the HQ or the private DC. First-generation SD-WAN solutions allowed for more flexibility by enabling local internet breakout, but that is truly just a very basic and blunt capability that does not provide real optimization. It simply passes the ball to plain public internet connectivity, with no guarantee of any improvement other than cost savings, and with the downside of unpredictable performance.
Moreover, as soon as a network architect enables local breakout into the public internet at any location, the security posture must grow in scope to thwart the new threats that come with the expanded attack surface. There are two distinct architectural approaches to address this:
- Heavy Branch: Provides state-of-the-art security in the branch itself with a next-generation firewall (NGFW). The “heavy branch” provides advanced networking and security capabilities that ideally are integrated in a single appliance at the edge, thus reducing the traditional “device sprawl.” The optimal heavy branch implementation calls for a consolidated branch CPE that leverages virtualization technology to provide both advanced networking and NGFW capabilities as VNFs (virtual network functions).
- Heavy Cloud: This model acknowledges the fact many enterprises’ application traffic has shifted to the cloud, so why not forward all traffic from the branch into a cloud security service? This just requires a very basic forwarding policy in the branch, and the cloud security service takes it from there.
An ONUG poll as recent as 2019 established that over 65% of network architects still favored a heavy branch security model, although the fact that nearly 30% favored a cloud-centric security model clearly shows a shift is under way.
However, treating the emerging security architecture challenge as a binary choice, and putting technology religion first, misses the fact that, while many enterprise architects envision a cloud-first architecture, extremely few have migrated to a cloud-only architecture. Many enterprises will always stay with a hybrid cloud model that combines public XaaS with private cloud elements. This mandates a hybrid approach to their network security architecture, too: a blended approach that mixes some advanced branch security elements with several cloud-embedded security elements.
The SASE architecture model concludes that this is best served by a “light branch” security posture combined with security services provided in the “heavy cloud.” SASE also calls for advanced networking functions such as application recognition and optimization, along with a full host of other capabilities.
Here’s the problem, though: even Gartner, the thought leadership factory that brought us the SASE concept, acknowledges that SASE will not really go mainstream for another 3-5 years. We hear the inevitable noise from many vendors claiming they have SASE now, just as AT&T Wireless has been claiming to provide 5G for over a year. I have been a loyal AT&T wireless customer for over 20 years, but their claim is just as inaccurate as those of SD-WAN vendors that claim SASE support now.
As we look at reality, the simple fact is that enterprises’ security needs right now demand the power of choice: the ability to tailor a solution to existing needs, right here and now, while retaining the ability to migrate smoothly to a SASE target architecture once that envisioned technology stack truly emerges as a converged, easy-to-manage solution that enterprises can roll out with the ease of X-as-a-Service offerings, an approach that revolutionized computing and application delivery yet still eludes the networking world.
Enterprises need the power of choice because they have very particular architectural and/or regulatory needs. Aryaka’s security strategy has always revolved around providing the power of choice:
- Branch-heavy or Cloud-heavy architecture models or a customizable combination thereof.
- Best-of-breed technology partnerships with security industry leaders.
- Offering an optional (and very popular) managed model that provides deployment simplicity and the best return on technology investment, as all advanced features are configured and maintained by Aryaka domain experts, making complex network and security solutions as easy to consume as XaaS services.
Now on to the best part: today, we are announcing our technology partnership with Check Point. With the Check Point CloudGuard family, we now have industry-leading solutions for all of the security approaches introduced above:
- CloudGuard Edge supports a branch-first security approach that runs as a virtual network function (VNF) on Aryaka’s ANAP CPE, and combines Aryaka’s advanced networking features with CloudGuard Edge’s leading NGFW capabilities.
- CloudGuard Connect provides a cloud-centric security deployment model. Aryaka’s ANAP CPE forwards traffic to the Check Point CloudGuard Connect security cloud via simple forwarding policies.
Thus, enterprises can combine Aryaka’s best-of-breed, cloud-first networking capabilities with the security architecture that best fits their needs. Real-world customers already endorse the approach, as shown in our press release.
Even better, this approach lends itself to a seamless migration from the still prevalent branch-heavy security models to light-branch/heavy-cloud models in the future, as enterprises embark on the adoption of SASE security architecture patterns.
We are very excited to collaborate with Check Point and provide enterprises with the easy-to-consume, tailored approach to network and security capabilities they require as they inevitably transform their WAN infrastructures to become Cloud-First.