Enabling Adoption of the Secure Access Service Edge (SASE)

As cloud deployments and remote work have been dramatically accelerated, organizations must rethink their approach to network security.



Customer Challenges

Your network and security architecture needs to evolve in order to cost-efficiently address digital transformation and migration to the cloud.

Cost and performance issues of traditional SD-WAN architecture

Traditional DIY SD-WAN approaches rely on underlay MPLS and DIA transport, forfeiting deterministic control of global network performance as well as the opportunity to optimize bandwidth cost.

Deployment and operational complexity

The multitude of architectural components in network and security, and their functional complexity, threaten to overwhelm IT departments’ capabilities. IT wants to spend more time strategizing and less time “keeping the lights on”.

Hybrid Workforce

CIOs want to roll out hybrid workplaces to let their employees be productive from any location while accessing any application with highly predictable application performance.

What is SASE?

The Secure Access Service Edge (SASE) is an emerging architecture that combines advanced networking and security functions with a cloud-first delivery model. Gartner pioneered the SASE vision with the white paper “The future of network security is in the cloud”. The key security features, including secure web gateways, cloud access security brokers, firewalls, and zero-trust network access are delivered as a cloud service by SASE vendors.

It is important to point out that, according to Gartner, no networking or security company is offering a complete SASE solution now, nor is any company likely to until 2023 or even later. Gartner’s “Hype Cycle for Network Security, 2020” currently positions SASE at the “Peak of Inflated Expectations” and only foresees it reaching the “Plateau of Productivity” in 5 to 10 years. Hence, SASE is a vision that enterprises should strive for, not implement in the immediate future, as that could entail the risk of getting caught in a transitory, incomplete solution.

SASE represents the convergence of a cloud-managed SD-WAN networking solution with cloud-delivered security, consisting of over 10 complex functional elements. Digital business transformation dictates agility, and complexity is the enemy of agility. Hence, ease of Day 0-1-2 deployment and day-to-day operations will be of paramount importance for SASE’s success.

Naturally, ensuring business continuity also remains the key priority of both the networking and security stack that comprise a SASE architecture. Since SASE relies on a cloud-centric security model, highly reliable, deterministic network performance remains key to deliver on an enterprise-class SASE architecture.

Hype cycle for network security

SASE Functional Stack

Let us provide an overview of the many functions that are consolidated in a SASE solution:

1. Network as a Service Functions

Software-Defined Wide-Area Network (SD-WAN)

SD-WAN represents the evolution of the traditional enterprise wide-area network. Its goal is to greatly simplify the management and operation of an enterprise’s WAN, which has grown increasingly complex over time and lacks the agility to keep up with emerging digital enterprise business needs.

WAN Optimization

WAN optimization includes a wide array of technologies that increase wide-area network traffic efficiency as well as performance. Among several others, technologies for WAN optimization include deduplication, wide area file services (WAFS), TCP, SMB and HTTPS proxies, media multicasting, web caching and overall bandwidth management.

2. Security as a Service Functions

Cloud-Access Security Broker (CASB)

A cloud access security broker (CASB) sits between users and cloud applications, monitoring all activity and enforcing security policies. A CASB monitors user activity, warns administrators about potentially hazardous actions, enforces compliance with security policies and prevents malware.

Next Generation Firewall (NGFW)

Next-generation firewalls (NGFW) represent the third generation of firewall technology. NGFWs combine traditional firewall functionality with new capabilities such as device filtering functions, application firewall with in-line deep packet inspection (DPI), intrusion prevention system (IPS), encrypted traffic inspection, website filtering, antivirus protection and even more functions.

Software-Defined Perimeter (SDP)

The software-defined perimeter (SDP) is a security approach developed by the Cloud Security Alliance (CSA) that controls resource access by leveraging identity. User identity and device posture are established before granting access. This prevents a variety of common attacks such as server scanning, denial of service, SQL injection, operating system and application vulnerability exploits, man-in-the-middle, etc.

Zero Trust Network Access (ZTNA)

While security technologies have grown to protect the enterprise with a growing number of functions that offer defense mechanisms against an ever-increasing number of threats, the traditional enterprise security posture is a passively defensive one. Zero Trust, on the other hand, is a security posture that prevents anything or anyone from entering the enterprise unless identity is confirmed and strict policies are applied to map access to micro-segments in the network. For additional information on Zero Trust, navigate to the dedicated Zero Trust section on this page.

Virtual Private Network (VPN)

VPN technology securely connects remote users and branch offices to enterprise resources. The tunnel connecting the user to the VPN server is encrypted. VPN users also need to authenticate with passwords and/or certificates.

Web Application Firewall (WAF)

A web application firewall inspects bi-directional web-based (HTTP) traffic and blocks any malicious activity. It represents a security policy enforcement point positioned between a web application and the client endpoint. WAFs leverage rule-based logic, parsing, and signatures to detect and prevent attacks such as cross-site scripting and SQL injection.

Data Loss Protection (DLP)

The data loss prevention function is tasked with detecting potential data breaches. DLP detects data that is transmitted in violation of information security policies.

Secure Web Gateway (SWG)

A Secure Web gateway protects Web-surfing PCs from infection and enforces company policies, filtering unwanted software/malware from user-initiated Web/Internet traffic.

Sandbox

A Sandbox provides a safe environment and separates running programs to keep system failures or software vulnerabilities from spreading. A Sandbox represents a tightly controlled set of resources for guest programs to run in.

Remote Browser Isolation (RBI)

As the name implies, RBI isolates a user's browsing activity to protect the local network and infrastructure.

User Entity Behavior Analytics (UEBA)

UEBA solutions establish behavioral patterns and then apply algorithms and statistical analysis to detect meaningful deviations from established, “normal” patterns.

Why partner with Aryaka on your SASE journey?

Aryaka’s approach to SASE combines leading network and security functionality as a cloud-first service to deliver on an architecture that is optimally tailored to the architectural and regulatory needs of any enterprise.

Enterprises also need to know that, even in the long term, no single vendor is likely to offer class-leading solutions for every functional element of a SASE architecture. Hence, combining true best-of-breed solutions is an option that is likely to deliver the best possible solution. That is clearly shown in Aryaka’s “2021 State of the WAN” report, which shows that 51% of network and security decision makers prefer best-of-breed solutions compared with only 21% that favor a single-vendor solution.

Last but not least, Aryaka’s managed SASE solution greatly simplifies implementation and operation, thus allowing enterprises to harness the benefits of a SASE architecture without being bogged down by the inherent complexities of a SASE architecture.


Network

Aryaka SmartConnect and SmartCloud services provide optimal network performance to both on-premise and cloud applications.


Security

Best-of-breed security solutions in Aryaka SmartSecure from leading technology partners allow enterprises to optimally tailor their security architecture to their particular requirements.


Operational Simplicity

Focus on your business transformation initiatives as Aryaka’s managed services model dramatically simplifies configuration, optimization and operation of your SASE solution.



Zero Trust

Zero Trust architectures are quickly becoming the gold standard as enterprises update their security postures in a cloud-first world. Zero Trust Architectures are defined by NIST in this publication.

Furthermore, Gartner defines zero trust network access (ZTNA) as “a product or service that creates an identity and context-based, logical access boundary. ZTNA verifies the identity, context and policy adherence of participants before allowing access. This removes application assets from public visibility and significantly reduces the surface area for attack.” In a nutshell, ZTNA removes excessive implicit trust that often accompanies other forms of application access.

Note that Zero Trust Network Access is just one architectural component in a Zero Trust Architecture. Building a genuine Zero Trust Architecture requires a multi-vendor solution, since no single vendor provides all elements, especially required functions such as identity and micro-segmentation.

Aryaka SmartSecure (including Private Access) provides basic building elements for Zero Trust Network Access with capabilities such as:

  • Embedded L3/L4/Application Firewall in the Private Access client
  • Least privileged access based on user ID, device posture and network location with Private Access client Zero Trust capabilities
  • Always-on user protection with network access only after user authentication
  • Zero-Touch Zero-Trust based on device certificates and authentication
  • Strict admission control policies enforcing device compliance with security policies (otherwise the user/device will be quarantined)
  • Integration with existing MFA (multifactor authentication) and OTP (one-time password) solutions
  • Ease of deployment with Aryaka’s managed service
  • Next Gen Threat Prevention capabilities for Private Access users with Harmony Connect integration
