Deciphering SASE, Unified SASE and Universal SASE

What is SASE?
SASE (Secure Access Service Edge) is a term defined by Gartner. Neither network security functions nor SD-WAN are new to the industry; what SASE changes is that it delivers them as a cloud service. Simply put, SASE combines SD-WAN and network security functions and delivers them as a cloud service.

SD-WAN providers deliver deterministic & reliable connectivity to Enterprises that have multiple offices in different locations, via geo-distributed PoP infrastructure. SD-WAN services also provide VPN-based secure remote access to connect WFH (Work-From-Home) and roaming users to the Enterprise networks. Many SD-WAN services also include basic security components such as Firewall & NAT.

Combining SD-WAN with threat protection functions (Next Generation Firewall, Anti-Malware, URL filtering, and Data Loss Prevention) that protect various Enterprise assets provides multiple benefits to Enterprises. Benefits include less complex network infrastructure, faster bring-up and tear-down as Enterprise sites, cloud services, SaaS services, and the distributed workforce change, and faster scale-out as the load on Enterprise applications increases. Enterprise administrators also get a single pane of glass for policy management & observability. Distributed enforcement points for networking & security provide a consistent & deterministic experience to users & applications wherever they are.

What does SASE constitute?
The below picture provides a consolidated view of SASE. The SASE service sits between client entities and Enterprise application/data assets. Clients can be human users, devices, and programs, and they can be anywhere. With digital transformation, Enterprise applications & data are no longer limited to Enterprise On-Prem locations and Colos. Enterprises are deploying applications in multiple regions and multiple clouds for resiliency, redundancy, low latency, and regulatory reasons. Enterprises are also increasingly using SaaS services, which are likewise deployed in multiple locations. Because both clients and services can be anywhere, the SASE service is also delivered as a distributed service, with a common management plane.

The main components of SASE are:

SD-WAN: SD-WAN provides secure, optimized, deterministic, reliable connectivity among offices and data centers via multiple PoPs with central management. SD-WAN services are becoming smarter. They are no longer limited to basic MPLS-replacement features; they also provide user & application-aware routing/QoS, SaaS acceleration via intelligent routing, WAN optimization & caching for low-latency access to redundant data, and even basic security services such as NAT, Firewall and VPN.

Next-Generation Firewall (NGFW): NGFW is a foundational security technology for any type of access. It normally provides NAT, stateful inspection and IDS/IPS (Intrusion Detection and Prevention System) services. To address Zero Trust requirements, the NGFW in a SASE architecture is expected to support identity-aware access functionality.

Zero Trust Network Access (ZTNA): ZTNA functionality protects Enterprise applications and their associated data. SD-WAN services have basic ZTNA functionality via VPN & stateful inspection firewall, but that is not sufficient to call it ZTNA in a SASE architecture. ZTNA functionality includes identity-aware application access, granular user role-based access to applications to address the “least privilege access” principle, traffic engineering across multiple instances of an application in clouds & data centers, privileged access management for critical services, and more. Differentiated ZTNA frameworks are augmented with WAF (Web Application Firewall), API security, DLP (Data Loss Prevention) and Anti-Malware functionality, both for threat protection and to stop data exfiltration attempts.

Cloud Access Security Broker (CASB): CASB functionality protects Enterprise data in SaaS services by ensuring that genuine users are accessing only the allowed resources. More importantly, it provides visibility into the users and the resources being accessed. CASBs also help in stopping access to unsanctioned SaaS sites. Because inline CASBs sit in the traffic path, they can also identify shadow IT access and detect data leaks between corporate accounts and personal accounts. Some SaaS vendors don’t recommend inline security. To address the security requirements of Enterprises for these SaaS services, API-level CASBs are expected to be present in the SASE solution. API-level CASBs work with SaaS provider APIs to automate privileges and to scan content for malware and data (sensitive, PII) leaks.

Secure Web Gateway (SWG): SWG functionality protects Enterprise client assets while they access the Internet. It stops users from visiting bad sites that host malware and social engineering sites that steal passwords. It also stops users from downloading or uploading malware content. SWG does this by including URL malware filtering and Anti-malware functions. SWG also offers an identity-based URL filtering feature to provide differentiated access to Internet services based on user group/role.

Unified SASE
True convergence of multiple security functions and SD-WAN is crucial for Enterprises to get the full benefits of SASE. SASE solutions started as a loose coupling of multiple security functions delivered on SD-WAN infrastructure. Though Enterprises see one vendor for all functions of SASE, this disaggregated solution approach (“Disaggregated SASE”) has a few challenges:

  • Multiple policy configuration dashboards: This can lead to repetitive configuration and a steep learning curve, and hence to configuration errors.
  • Multiple observability stacks: Lack of end-to-end observability and correlation can lead to missed incidents and slow incident response.
  • Performance challenges with proxy chaining: Multiple proxies in the traffic path can lead to multiple TCP/TLS terminations, multiple authentications, and multiple hops. That can result in higher latency and lower throughput, impacting the user experience.
  • Performance challenges with multiple PoPs: When security functions and SD-WAN run in different PoPs, traffic can hop from PoP to PoP, and the added latency causes user experience problems.

Unified SASE is the term associated with providers who address the above challenges. Unified SASE enables:

  • True single pane of glass for both configuration and observability
  • Common network/service/application/user objects across SD-WAN functions and security functions.
  • A given traffic session going through only one PoP for SD-WAN functions and security functions.
  • Inspection of TLS traffic only once.
  • Single-pass architecture for a given session across SD-WAN and security functions.
  • Reduced attack surface on the SASE itself

Enterprises thereby benefit from better user experience, reduced costs, and higher trust.

It is also important to understand that SASE providers may not be able to develop all security functions on their own. Technology partnerships are key, as some vendors specialize in a few security functions. It is the job of SASE providers to build a comprehensive solution, with deep technical collaboration with partners, to realize the ‘Unified SASE’ vision.

Universal SASE
The ‘edge’ part of SASE is a set of PoP locations of a SASE provider, or a set of multiple PoPs/Clouds belonging to the various security function providers of the SASE. It is a distributed architecture: PoPs are distributed across the globe, and the SASE functions deployed in each PoP make SASE distributed.

Having said that, the way SASE is delivered today does not cover all traffic sessions well. It covers traffic flows that go over the WAN between clients and Internet & Enterprise resources very well. Consider the following traffic flows, which SASE providers do not address well:

  • Traffic sessions when both client entities and application service entities are in the same data center/VPC.
  • Traffic sessions across microservices within a Kubernetes cluster.
  • Cross VPC traffic flows that go over cloud provider WAN services.
  • Traffic sessions from 5G Mobile users and Edge applications.

For these flows, network automation & security enforcement is either expected to be taken care of by other mechanisms, or the traffic is hairpinned to SASE PoPs. In the first case, uniformity is lost, and in the second case, there could be user experience challenges.

Hence the requirement for Universal SASE. SASE service shall not be restricted to PoP locations only. Enterprises would expect common networking and security services for all traffic sessions in a uniform way. Universal SASE needs to enable a cloud-native distributed data plane with a cloud-delivered management and observability platform.

Summary
The SASE journey started in 2019. Though ‘first-generation’ SASE started as loosely coupled SD-WAN and security functions, the journey would lead to unified and universal SASE to realize a true zero trust architecture for Enterprises that have a distributed workforce and distributed application deployments.

We at Aryaka are on this journey. Talk to us if you would like to know more.

About the author

Srini Addepalli
Srini Addepalli is a security and Edge computing expert with 25+ years of experience. Srini has multiple patents in networking and security technologies. He holds a BE (Hons) degree in Electrical and Electronics Engineering from BITS, Pilani in India.