What Your Architecture Needs To Ride the SASE Wave

The past two years have revolutionized the way we work, with companies in nearly every industry adopting the “Work from Anywhere” model. As a result, the wave of interest in Secure Access Service Edge (SASE) has never been higher as organizations look to balance security and networking requirements. The connectivity, control, security and efficiency benefits of SASE are fuelling growing interest in this new approach. As good as all this sounds, however, not all organizations are ready for it.

Implementing SASE is unlike rolling out any other technology. It requires dedicated coordination between security and networking teams, a streamlined security and networking architecture, and a fundamental understanding of the business goals and current processes. As a result, before organizations dive into SASE to realize all the benefits it offers, they must begin with an extensive assessment of their digital infrastructure to ensure they’re fully prepared to take on this new approach.

A brief look at SASE

SASE is a cloud-native technology that establishes secure networking as a critical and embedded function of the network fabric. It integrates security and networking services and delivers them flexibly across any environment, including on-premises, cloud, or hybrid environments. This innovative approach enables secure and seamless anytime access to business resources for users from anywhere.

In traditional enterprise architectures, services are often delivered to users through single-purpose point solutions such as a dedicated endpoint client or VPN. These approaches create network bottlenecks and critical security vulnerabilities in a hybrid or remote environment, because security policies and controls are enforced only on the local corporate premises, for example in data centers or cloud-native directories. Since end-user devices are completely unmonitored and unprotected by those controls, a single compromised device can expose the entire network.

On the other hand, SASE solutions enforce security controls at the end user, enabling organizations to securely connect users, devices, applications, branch offices, and IoT systems regardless of their location, and without any VPN or endpoint client needed. SASE also aggregates all security and networking controls into a unified fabric, while offering security teams a consolidated view of all network activity. This approach lets organizations establish proactive controls over all user access points and network services, whether users are remotely accessing on-premises systems or connecting to cloud applications.

Is your architecture ready for SASE?

SASE implementations aim to enable business continuity and efficiency in today’s work-from-anywhere environment. But before organizations can realize SASE’s benefits, they must ensure that their existing architecture is flexible enough to adopt this model. As a good first step, organizations should examine their network architecture. Security and IT teams must ensure their network architecture allows for flexibility and scalability. SASE offers flexibility and scalability for organizations as they grow; however, if the currently implemented technology does not allow for this, these critical SASE benefits will be choked off.

It is also mandatory that organizations have an established architecture that promotes consistent policies across all environments. All policies, including networking, security, application, user, and analytical policies, should be consistent regardless of where they are deployed, on-premises or in the cloud. Otherwise, a SASE implementation will create redundant policies that don’t fit with the integrated services, increasing management complexity.

Once consistent policies have been established, the next step is to examine how all network services are integrated within the entire architecture. Services such as Zero Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), Data Loss Prevention (DLP), VPN, Virtual Desktop Integration (VDI), sandboxes, Remote Browser Isolation (RBI), and firewalls must be able to be incorporated into one single software stack. This is an advantage of advanced SASE solutions: in addition to reducing the management complexity of security and networking services, a single-stack SASE solution delivers improved performance, agility and integration of all services.

More importantly, advanced single-stack SASE approaches establish hardware neutrality and multi-cloud capability. This ensures that all services can be deployed and accessed through any device, anytime, when the users and devices meet pre-defined policies. Another viable approach to unifying networking services and achieving hardware neutrality is leveraging a microservices design. This is an architectural approach where the application is developed as a collection of services, resulting in all services being deployed and maintained independently, on private or public clouds, and within a single application or API.

Once you’ve examined and optimized the network structure, the next important step is to look at your security architecture. SASE implementations greatly benefit from a single-pass architecture, one in which a packet (network traffic data) passes through the processing chain once for all sub-processes or features. This enables very low latency with high throughput, while keeping all security functions active.

It’s also crucial that organizations implement multi-tenant segmentation and in-line encryption within their security architectures before adopting SASE. Without in-line encryption, for example, SASE solutions cannot terminate and inspect encrypted sessions. Also, multi-tenant segmentation is important because SASE delivers security by isolating and segmenting the network traffic. SASE requires every user or tenant to have a separate operating environment, profiles, policies, privileges, and configurations. Segmenting the network enables SASE solutions to be seamlessly implemented while not losing visibility over any network components.
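To make the single-pass and multi-tenant points above concrete, here is an added illustrative inspection pipeline (example code written for this article, not any vendor's product): the packet is decoded exactly once, every security function (SWG, DLP, IDS stand-ins) reads that one decoded context under the requesting tenant's own policy profile, and the final verdict is the most restrictive one, failing closed on an unknown tenant or an erroring function. The tenant names, blocked hosts, DLP pattern and IDS signature are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

SEVERITY = {"allow": 0, "log": 1, "block": 2}  # most restrictive verdict wins

# Constructed per-tenant profiles: each tenant has its own policy, nothing shared.
TENANT_POLICY = {
    "acme":   {"blocked_hosts": {"paste.example"}, "dlp": True},
    "globex": {"blocked_hosts": set(), "dlp": False},
}

@dataclass
class Packet:
    tenant: str
    dst_host: str
    payload: bytes

@dataclass
class Context:
    pkt: Packet
    decoded: dict = field(default_factory=dict)
    decode_count: int = 0            # proves the payload is parsed only once
    verdicts: dict = field(default_factory=dict)

def decode_once(ctx):
    # The only place the payload is parsed; every function below reads ctx.decoded.
    ctx.decode_count += 1
    ctx.decoded = {"host": ctx.pkt.dst_host.lower(),
                   "text": ctx.pkt.payload.decode("utf-8", "replace")}

def swg(ctx, policy):                # Secure Web Gateway stand-in: tenant host blocklist
    return "block" if ctx.decoded["host"] in policy["blocked_hosts"] else "allow"

CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")  # constructed DLP pattern
def dlp(ctx, policy):                # Data Loss Prevention stand-in, tenant-switchable
    return "block" if policy["dlp"] and CARD_RE.search(ctx.decoded["text"]) else "allow"

def ids(ctx, policy):                # IDS stand-in: one constructed signature, log-only
    return "log" if "SIG-TEST-001" in ctx.decoded["text"] else "allow"

FUNCTIONS = {"swg": swg, "dlp": dlp, "ids": ids}

def inspect(pkt):
    """Single pass: decode once, run every function, aggregate fail-closed."""
    ctx = Context(pkt)
    policy = TENANT_POLICY.get(pkt.tenant)
    if policy is None:
        return "block", ctx          # no tenant profile: fail closed
    decode_once(ctx)
    for name, fn in FUNCTIONS.items():
        try:
            ctx.verdicts[name] = fn(ctx, policy)
        except Exception:
            ctx.verdicts[name] = "block"   # a broken function must not silently allow
    return max(ctx.verdicts.values(), key=SEVERITY.__getitem__), ctx
```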

Final steps toward SASE

The above provides a brief overview of the core components network and security architectures must have before taking on a SASE approach. Implementations can be time-intensive and even intimidating; the most feasible approach is to implement a tightly integrated SASE-enabled software operating system, rather than rolling out each service individually through different tools. Advanced SASE solutions integrate all required services within a single OS, saving organizations countless hours, costs and resources.

Finally, when looking to jump on the SASE wave, it is important for organizations to choose the right vendor. Not every SASE solution includes all the services required for a successful implementation. When choosing a vendor, organizations must ensure that the OS includes ZTNA, CASB, DLP, SWG, RBI, NGFW (next-gen firewall), IDS/IPS, malware protection, SD-WAN, and real-time analytics services. Missing any of these fundamental services will reduce the SASE benefits realized and the overall success of the implementation.