Secure Access Service Edge (SASE) is a new enterprise technology category introduced by Gartner in 2019. SASE converges the functions of network and security point solutions into a unified, global cloud-native service. Because SASE has become such a hot buzzword, many vendors have slapped the term SASE onto their offerings without truly providing the upside of a SASE platform that comes from a feature-rich cloud-native solution. As a result, enterprises are now faced with the challenge of sorting through the hype to identify which vendors can meet their requirements. Our experience with implementation of various “SASE” offerings has allowed us to gain insights into the proper design and deployment of this new technology. In this article, we’ll cover background on SASE and why this technology is revolutionizing today’s corporate networks, replacing traditional VPNs in the process.
Increasingly enterprise applications run in the cloud as SaaS applications and more workloads live in public cloud IaaS platforms. In addition, in the post Covid-19 era, more and more employees work from home where they routinely access the cloud. Cloud transformation and mobility have forced businesses to rethink how they architect their access networks. But what is exactly wrong with the traditional VPNs? A typical VPN based architecture is a network-centric solution that gives users access to a network segment within the corporate network. It usually requires appliances, ACLs, and firewall policies and does not offer granular user to application mapping. As the corporate perimeter has extended to the internet, network-centric solutions, like remote access VPNs have become obsolete. Pitfalls of network-centric approaches such as traditional VPNs can be summarized in terms security, performance, agility and cost:
Security: Traditional VPNs place users in network segments, ignoring individual users needs for specific application access. They focus on network access, providing a true/false verdict on a full network access request by the users. This blindness of VPN service to users’ application needs and their lack of visibility into app-related activity greatly increases security risks. A bad actor who is able to steal someone’s VPN credentials may have carte blanche to navigate through an organization’s sensitive data, including intellectual property and customer information. The addition of multi-factor authentication has helped, but even then, the risk of lateral movement is enormous. On the other hand, SASE using the “zero trust” principles provides data controls and visibility into corporate resources. The SASE model uses a trust broker to mediate connections between a specific private application and an authorized user. It allows IT teams to begin with zero trust, but then provide connectivity based on context (identity, device etc.) Unlike VPNs, SASE delivers means of application access without network access, and the ability to mask applications from the open internet.
Performance: When enterprises subscribe to SaaS applications in the cloud, they expect to have access to multiple mirror sites, hosted on public clouds. Therefore, providing optimal performance for users entails transporting traffic from their endpoint to the nearest cloud service provider’s (CSP) point of presence. However, traditional VPN models generally rely on backhauling traffic to a centralized hub for security inspection. Today, with a significant number of business-critical applications powered by SaaS, data center-centric network infrastructure imposes considerable performance penalty on applications and degrades overall user experience.
Agility: VPN solutions are not elastic since they are rooted in “box-centric” legacy networking that is accustomed to engineering for a specific number of users and bandwidth. These solutions are hard to scale up and down with changes in traffic and number of users. To scale up such solutions, organizations need to buy new hardware, licenses and allocate Opex for installation and configuration of the new resources. Scale down function is seldom completely ignored which means organizations usually end up paying for capacity and licenses they will not use. COVID-19 pandemic will accelerate the transition to heavier reliance on gig workers. As people come and go and as projects begin and end, businesses need to scale remote access in both directions. Spinning up or down with traditional VPN solutions is time consuming and often requires a lot of hands-on IT work. A cloud-native multitenant SASE solution minimizes the manual labor and streamlines provisioning times.
Costs: As mentioned above the elasticity of a SASE solution has important cost benefits to an organization. However, with SASE the cost benefits can be seen in many other aspects of the day-to-day operation of the corporate networks. SASE reduces costs by allowing companies to use a single platform instead of multiple point products. Sourcing, provisioning, monitoring, and maintaining a variety of point solutions across an enterprise network drives up both Capex and Opex. Also, many organizations today have built up their branch or campus infrastructure to support users that are not there anymore. With users working from home and secured through SASE, IT managers can justify decommissioning of many of these devices and the scaling back of the spending on the Internet connections at these locations.
With more users, devices, applications, and data located outside of the enterprise, the existing VPN architectures are awfully falling short. SASE aims to overcome shortcomings of a typical VPN solution by delivering all the necessary networking and security technologies from the cloud and sold through an “as a service” offering.
Want to know more about SASE and its benefits for your business’s circumstances? Contact Konekti today.