SASE replaces broad network access with granular, identity-based access to important IT resources
The shift in workforce dynamics continues to be one of the most challenging and exciting areas of IT infrastructure design, especially with respect to network security. It wasn’t too long ago that most workplace activities were centralized, but this has changed dramatically. Today, most work is conducted remotely—at least part of the time. In this new world, security plays a starring role. While corporate virtual private networks (VPNs) were the standard for securing remote access in years past, they are being replaced by zero-trust network access (ZTNA).
The ZTNA paradigm for remote access is referenced by Gartner under the Secure Access Service Edge (SASE) banner, replacing broad network access with granular, identity-based access to important IT resources. In related reports, Gartner has stated that ZTNA-enabled solutions improve flexibility, agility and scalability, letting digital ecosystems operate without exposing services directly to the internet, which reduces exposure to distributed denial-of-service attacks and other internet-facing threats.
Leveraging a cloud-native backbone, ZTNA is gaining prominence in the market for reshaping networking services, providing secure access for an expanding universe of employees, contractors and other users regardless of location. This emerging category affords policy-based, software-defined secure access from a highly configurable network fabric in which enterprise security professionals can specify the level of performance, reliability, security and cost of every network session based on identity and context.
The emergence of SASE is need-driven and timely, as there are several issues with enterprise networks today that traditional hardware-based approaches can no longer accommodate. Legacy enterprise networking, which positions the data center as the core of enterprise IT infrastructure, has become less capable of delivering the services needed in evolved computing ecosystems, particularly highly dispersed, cloud-based environments dominated by mobile technologies.
The first problem with traditional networking topologies is that they allow overly permissive remote access. Additionally, because traditional network security is limited in scope, it cannot address new internal and external security concerns or an ever-expanding range of cloud-based and mobile applications. VPNs, for example, lack security granularity and provide excessive trust. Once a remote user is authenticated by a VPN, that person is considered "trusted" and is granted access to more of the network than required, so a compromised account or device exposes far more resources to attack than the user ever needed.
The next issue with the status quo of network environments is that they require complex onboarding and management of users and resources. Because today's distributed networks require remote workers to have secure access to dozens of different servers across cloud provider instances, this means deploying, configuring and maintaining a VPN for every instance.
In addition, most of today's network environments deliver a low-quality end user experience, which impacts business productivity. Today's enterprise user expects a simple, flexible and reliable experience with a seamless connection to applications and servers. Consider, for example, the issue of concurrent access to multiple apps and cloud servers. It's not uncommon for an employee working from a remote location to require access to a manufacturing system in the data center as well as a supply chain app or CRM platform in the cloud. With a VPN, the user experiences network latency and a cumbersome process of connecting to and disconnecting from different resources, which leads to frustration and decreased productivity.
The Distributed Workforce and SASE
“In a modern cloud-centric digital business, users, devices and the networked capabilities they require secure access to are everywhere,” noted Gartner in a report titled, The Future of Network Security Is in the Cloud. “As a result, secure access services need to be everywhere as well. The data-centric model will not scale. Network gymnastics to route traffic to and from the enterprise data center make no sense when very little of what a user needs remains in the data center.”
To provide a more secure and manageable alternative to legacy networking solutions, SASE offers reduced risk, application-specific access, efficient management and a consistent end user experience. Administrators onboard each network resource to a SASE platform once and manage all policies centrally in the cloud, avoiding the need to configure and synchronize policy across different locations. Fully cloud-based SASE platforms require little setup or maintenance and operate in whichever data center or VPC the administrator has enabled access to. All intelligence and security enforcement are done in the cloud.
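To make the contrast between VPN-style network access and ZTNA-style application-specific access concrete, here is an added example. It is not code from the article or from any SASE vendor; the group names, the policy table, the `10.0.0.0/8` corporate address space and the `AccessRequest` fields are assumptions chosen for illustration. The VPN model makes one decision per tunnel (authenticated, therefore everything the tunnel routes is reachable); the ZTNA model makes one decision per application and per session, combining identity (group membership) with context (device posture, MFA), and denies anything for which no policy has been onboarded.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    """Constructed request: who is asking, from what device, for which app."""
    user: str
    groups: frozenset        # identity: directory group membership
    device_managed: bool     # context: device posture
    mfa_passed: bool         # context: authentication strength
    app: str                 # the application being requested
    dest_ip: str             # where that application lives


# --- VPN model: one authentication grants the whole routed network ----------
CORP_NETWORK = ip_network("10.0.0.0/8")   # assumed corporate address space


def vpn_decision(req: AccessRequest, authenticated: bool) -> bool:
    """A VPN decides once per tunnel: an authenticated user reaches every
    address the tunnel routes, regardless of app, group or device posture."""
    return authenticated and ip_address(req.dest_ip) in CORP_NETWORK


# --- ZTNA model: one decision per application, per session -----------------
@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_managed_device: bool = True
    require_mfa: bool = True


# Assumed per-application policies. An app with no entry is unreachable
# (default deny), which is what "onboard each resource once" buys you.
POLICIES = {
    "mes": AppPolicy(frozenset({"manufacturing"})),
    "crm": AppPolicy(frozenset({"sales", "support"}), require_managed_device=False),
    "erp": AppPolicy(frozenset({"finance"})),
}


def ztna_decision(req: AccessRequest, policies=POLICIES):
    """Evaluate identity and context against the policy for this app only.
    Returns (allowed, reason). Nothing about the network is exposed."""
    policy = policies.get(req.app)
    if policy is None:
        return False, f"deny: no policy for {req.app}"
    if not (req.groups & policy.allowed_groups):
        return False, f"deny: {req.user} not in {sorted(policy.allowed_groups)}"
    if policy.require_managed_device and not req.device_managed:
        return False, "deny: unmanaged device"
    if policy.require_mfa and not req.mfa_passed:
        return False, "deny: MFA not satisfied"
    return True, f"allow: {req.user} -> {req.app}"


def compare(req: AccessRequest):
    """(vpn_allowed, ztna_allowed) for an already-authenticated user, so the
    two models can be read side by side for the same request."""
    return vpn_decision(req, authenticated=True), ztna_decision(req)[0]


if __name__ == "__main__":
    # Constructed sessions: the same user, same VPN login, different targets.
    sales_laptop = dict(user="alice", groups=frozenset({"sales"}),
                        device_managed=False, mfa_passed=True)
    for app, ip in (("crm", "10.20.0.5"), ("mes", "10.30.0.9"), ("legacy-db", "10.40.0.1")):
        req = AccessRequest(app=app, dest_ip=ip, **sales_laptop)
        print(f"{app:10s} vpn={vpn_decision(req, True)!s:5s} ztna={ztna_decision(req)[1]}")
```

Run stand-alone, the script shows the VPN granting all three targets because they all sit inside the routed network, while ZTNA grants only the CRM app that Alice's group is entitled to, refuses the manufacturing system on group membership, and refuses the un-onboarded database outright. Raising `require_managed_device` or `require_mfa` on a policy tightens one application without touching the others, which is the per-session, per-app granularity the text describes.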
Experts who advocate an integrated secure networking strategy also position SASE as a digital business enabler because it is built for speed and agility. Proponents of SASE emphasize shifting security staff from managing security appliances to delivering policy-based security services, and engaging with network architects to plan for SASE capabilities, using software-defined WAN and MPLS offload projects as a catalyst. Consolidating on one vendor for secure web gateway (SWG), cloud access security broker (CASB), DNS, ZTNA and remote browser isolation capabilities then reduces complexity on the network security side.