
The CISO Perspective 2023-02-20 09:19:54

At one point, virtual private networks (VPNs) were a valuable tool for remote workers to reach private networks and data centers. But with more and more software as a service (SaaS) and cloud-based services reachable directly over the internet, that approach no longer makes sense for modern organizations. Today’s enterprises rely on an average of roughly 1,000 SaaS applications, which are highly distributed and which users access directly from wherever they happen to be working.

Backhauling user traffic through a central location adds latency, longer round-trip times, and bottlenecks that reduce performance and raise costs, because the organization has to keep buying and scaling equipment at that choke point to keep up with SaaS demand, which is both expensive and time-consuming.

The Need For SASE (Secure Access Service Edge)

To solve this problem, Secure Access Service Edge (SASE) delivers both security and networking services from distributed points of presence (POPs). SASE vendors maintain a global footprint of POPs across multiple regions and peer with tier 1 backbone providers such as AT&T and Verizon, which gives them preferred, direct paths to nearly any point on the internet they need to reach. Users connect to the nearest POP, which applies policy and then routes them on to the SaaS application or private resource. Security is enforced wherever the user happens to connect from, whether in Europe in the morning or California in the evening.

SASE Components

SASE is not a single technology but a package of four services, brought together under one or two vendors so that access and policy for all four can be controlled from a single place. The four technologies that make up SASE are:

  1. Secure Web Gateway (SWG): SWG providers such as Zscaler and Netskope operate POPs all over the world from which users can connect. According to Gartner, a Secure Web Gateway must include URL filtering, malicious-code detection and filtering, and application identification and control. SWGs almost always include some type of firewall service as well.
  2. Cloud Access Security Broker (CASB): provides granular access control and security for SaaS applications such as Office 365 or Salesforce.
  3. Zero Trust Network Access (ZTNA): connects users to private resources in a corporate network or data center on a per-application basis, without placing them on the network itself the way a VPN does.
  4. Software-defined wide area network (SD-WAN): the WAN edge device that connects a corporate location, such as a branch or HQ, to public or private WAN providers and makes intelligent path-steering decisions. For SD-WAN vendors without built-in security, such as Silver Peak or VeloCloud, SASE integration means the edge device can offload those security services to the nearest SASE POP for inspection.
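The post says the point of bundling these services is "a single place to control access and policies". The following is an added example, not code from the original post or from any vendor named in it, that makes that idea concrete: one policy decision point that classifies each request as ZTNA (private app), CASB (sanctioned SaaS) or SWG (general web) and applies the matching control. Every catalogue, rule, user, device and URL in it is constructed for illustration; the rule names and the three-way ordering are the example's own assumptions about how such a policy might be expressed, not any product's real configuration.

```python
"""Unified access-policy evaluation across SWG, CASB and ZTNA.

Added example, not code from the original post or any vendor. All
catalogues, rules and sample requests below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# --- constructed sample catalogues (assumption: fed by the provider) ------
URL_CATEGORIES = {           # SWG category feed keyed by hostname
    "malware-c2.example": "malicious",
    "news.example": "news",
    "paste.example": "file-sharing",
}
SAAS_APPS = {                # CASB application catalogue
    "salesforce.com": "salesforce",
    "login.microsoftonline.com": "o365",
}
PRIVATE_APPS = {             # ZTNA apps reachable only through a connector
    "hr.corp.internal": {"groups": {"hr"}, "require_managed": True},
    "git.corp.internal": {"groups": {"eng"}, "require_managed": True},
}
CASB_RULES = {               # activity-level CASB controls per app
    "salesforce": {"download": {"managed_only": True}},
    "o365": {"upload": {"block_personal_tenant": True}},
}


@dataclass
class Context:
    """Who is asking, from what device, and from where (identity + posture)."""
    user: str
    groups: set
    device_managed: bool
    location: str


@dataclass
class Request:
    url: str
    activity: str = "browse"    # browse | download | upload
    tenant: str = "corporate"   # CASB instance awareness: corporate vs personal


@dataclass
class Decision:
    service: str   # which SSE service made the call: ztna | casb | swg
    action: str    # allow | deny
    reason: str


def evaluate(ctx: Context, req: Request) -> Decision:
    """Single decision point: route the request to the service that owns it."""
    host = urlparse(req.url).hostname or ""

    # 1. ZTNA: private apps are gated on identity and device posture, and the
    #    user is connected to that one app rather than to the network.
    if host in PRIVATE_APPS:
        app = PRIVATE_APPS[host]
        if app["require_managed"] and not ctx.device_managed:
            return Decision("ztna", "deny", "unmanaged device")
        if not (ctx.groups & app["groups"]):
            return Decision("ztna", "deny", "user not in an authorised group")
        return Decision("ztna", "allow", f"{ctx.user} -> {host} via connector")

    # 2. CASB: sanctioned SaaS gets activity-level, tenant-aware control.
    if host in SAAS_APPS:
        app = SAAS_APPS[host]
        rule = CASB_RULES.get(app, {}).get(req.activity)
        if rule:
            if rule.get("managed_only") and not ctx.device_managed:
                return Decision("casb", "deny",
                                f"{req.activity} on {app} requires a managed device")
            if rule.get("block_personal_tenant") and req.tenant != "corporate":
                return Decision("casb", "deny",
                                f"{req.activity} to personal {app} tenant")
        return Decision("casb", "allow", f"{req.activity} on sanctioned app {app}")

    # 3. SWG: everything else is general web traffic, judged by URL category.
    category = URL_CATEGORIES.get(host, "uncategorised")
    if category == "malicious":
        return Decision("swg", "deny", "malicious category")
    if category == "file-sharing" and req.activity == "upload":
        return Decision("swg", "deny", "upload to unsanctioned file-sharing site")
    return Decision("swg", "allow", f"category {category}")


if __name__ == "__main__":
    alice = Context("alice", {"eng"}, device_managed=True, location="eu")
    bob = Context("bob", {"hr"}, device_managed=False, location="us")
    for ctx, req in [
        (alice, Request("https://git.corp.internal/repo")),
        (bob, Request("https://hr.corp.internal/")),
        (bob, Request("https://salesforce.com/report", "download")),
        (alice, Request("https://login.microsoftonline.com/", "upload", "personal")),
        (alice, Request("http://malware-c2.example/x")),
        (alice, Request("https://news.example/")),
    ]:
        print(ctx.user, req.url, evaluate(ctx, req))
```

The ordering matters: a private hostname is matched first so it never falls through to the SWG path, and only traffic that is neither private nor a catalogued SaaS app is treated as plain web browsing. The same user context feeds all three branches, which is the "single place to control access" the post describes.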

Gartner predicts that by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption. But while this is a booming market, the consolidated vision of integrating security and networking into a single- or two-vendor solution has left some question marks.

To deliver the SASE vision, security providers such as Zscaler and Netskope teamed up with SD-WAN vendors such as VeloCloud and Viptela. But integration between traditional security and network vendors has proven difficult, and these fixed pairings leave few options for choosing best of breed on each side. If you want Zscaler’s security services with Viptela’s network services, you may not get all the integration you need. And in a post-COVID world, you may not need SD-WAN in the first place.

With the rise of remote work, organizations have faced new network-security challenges, and SASE emerged as a category in response. But because SASE bundles both security and networking components, it is not the ideal fit for every organization.

Intro to Security Service Edge (SSE)

To cater to organizations that need the security components but not the networking ones, Gartner announced a new category, Security Service Edge (SSE), in 2021. SSE includes only the security components of SASE, namely Secure Web Gateway, CASB and ZTNA, without networking components such as SD-WAN or wireless LAN.

By focusing solely on security, SSE lets an organization take a “best of breed” approach: pick the security vendor on its own merits and handle any networking integration itself. That suits organizations that do not need SD-WAN at all, or that do not need it delivered as part of a single offering. Optional security components such as DLP, sandboxing and NAC remain available in SSE, just as in SASE.

It’s worth noting that SSE vendors can still work and integrate with SD-WAN. For instance, Zscaler works with all major SD-WAN vendors available. However, the level of integration between vendors and platforms may vary.

Conclusion

Ultimately, the choice between SASE and SSE comes down to whether the organization has on-premises connectivity requirements. For organizations that are 100% remote or do not need SD-WAN integration, SSE could be the ideal solution.

In a post-COVID world, where organizations are slowly moving back to the office, SASE gives those offices a way to enforce consistent security at the WAN edge. For organizations that do not require on-premises connectivity, SSE is a viable alternative.

In conclusion, SSE is the security subset of SASE without the networking requirements. It offers a focused and flexible approach to security, allowing organizations to tailor their solutions to their specific needs. As with any security solution, it’s important to carefully evaluate and select the right one for your organization.

*** This is a Security Bloggers Network syndicated blog from The CISO Perspective authored by [email protected]. Read the original post at: https://cisoperspective.com/index.php/2023/02/20/2567/