The cloud’s knight in shining armour

SASE integrates SD-WAN and cloud-delivered security, ensuring unified cybersecurity with SSE components for efficient, cost-effective, and scalable protection

If you aren’t a cybersecurity professional, you might mistake Secure Access Service Edge (SASE) for an advanced algebra problem or perhaps a scientific formula. But IT professionals understand that at a high level, SASE is a solution that provides the hybrid workforce with consistent enterprise-grade cybersecurity no matter their location and is composed of both networking components, Software-Defined Wide Area Network (SD-WAN) as well as cloud-delivered security (SSE).

If drilled deeper though, the confusion about what SSE means and which cloud-delivered security solutions are necessary for a comprehensive SASE approach is still there. Not understanding each element and how they work together to protect the hybrid workforce can leave the organisation with an incomplete solution, management challenges, and, potentially, costly breaches.

SASE offers a more streamlined and efficient way to manage and secure network traffic, especially in the context of a hybrid workforce.

SSE is a cloud-delivered security solution that ties together the four components namely, Firewall-as-a-Service (FWaaS), secure web gateway (SWG), cloud access security broker (CASB), and zero-trust network access (ZTNA). Each of these products work together to secure users, devices, and edges to applications, no matter the location.

FWaaS: ONE SOLUTION FOR ALL

FWaaS allows organisations to move security inspection partially or fully to a cloud infrastructure. With security in the cloud, their solution is managed by the cloud provider, who maintains the hardware infrastructure that powers their solution. Many companies want a service-based architecture because it gives them the freedom to expand security coverage without having to provide new hardware. FWaaS is a one-solution-fits-all option, regardless of the size of the organisation.

With FWaaS, an organisation’s distributed sites and users are connected to a single global firewall with a unified application-aware security policy, allowing them to better scale security. FwaaS provides the functionality of next-generation firewalls (NGFWs) including web filtering and intrusion prevention systems, such as IPS, DNS security, file filtering, and threat protection without the high capital expenditure costs associated with an on-premises wide area network (WAN) infrastructure investment. FwaaS technology also enables high-performance secure sockets layer (SSL) inspection and advanced threat detection via the cloud. It also maintains secure connections and analyses inbound and outbound traffic without impacting user experience.

SWG: PROTECTING AGAINST CYBERTHREATS

SWG protects against internet-borne attacks by securing user internet connections. As threats grow increasingly sophisticated, attackers are working overtime to infiltrate the network and remain hidden for as long as possible.

For complete protection against internet-borne attacks, the SWG should have the following features: intrusion prevention to block threats, DNS filtering to protect against sophisticated DNS-based threats, and sandboxing to isolate potential malicious code. Traditionally, SWG has been delivered with on-premises firewalls or dedicated proxy appliances, but with SASE, SWG is delivered as a cloud-based proxy within the SSE.

CASB sits between users and their cloud Software-as-a-Service applications to enforce security policies as users access cloud-based resources.

CASB: SECURING CLOUD-BASED RESOURCES

CASB sits between users and their cloud Software-as-a-Service (SaaS) applications to enforce security policies as users access cloud-based resources. The four pillars of CASB are visibility for all cloud applications, built-in data security, advanced threat protection, and compliance based on the industry.

Specifically, CASB provides a comprehensive visibility of cloud application usage, such as device and location information, to help organisations safeguard data, intellectual property, and users. It also provides cloud discovery analysis, which enables organisations to assess the risk of cloud services and decide whether to grant users access to applications. CASB solutions must include DLP tools so organisations can monitor sensitive information moving between and across their on-premises and cloud environments to prevent data leaks.

CASBs also enables organisations to protect themselves against insider attacks from authorised users. They can create comprehensive usage patterns to use as a baseline when identifying anomalous behaviour, empowering organisations to detect improper access or attempts to steal data as soon as it happens.

ZTNA: SAFEGUARDING PRIVATE RESOURCES

ZTNA solutions verifies all users and devices when they attempt to access corporate applications and data. Verification continues after the user is granted access and moves through the network. Applying the ZTNA approach to application access allows organisations to quit using traditional virtual private network (VPN) tunnels, which allows unrestricted access to the entire organisation’s network.

Implementing ZTNA requires strong authentication capabilities, powerful network access control tools, and pervasive application access policies. For example, consider a person checking into a hotel who is provided with a keycard to access their room. This is how ZTNA works. On the other hand, a VPN is more analogous to someone receiving a key that opens every room in the hotel.

SINGLE-VENDOR SASE APPROACH

SSE is a critical component of SASE, but it’s only one-half of the equation. SD-WAN is the other half and is key because it provides efficient connectivity and optimum user-to-application experience.

The cloud-delivered security must work seamlessly with the SD-WAN solution for a comprehensive and easy-to-manage SASE deployment. This is best achieved through a single-vendor approach because it can offer integrated security across all users, applications, and devices. It also helps simplify management by providing a single management console for all the security and networking features, while enhancing performance by optimising the flow of traffic between the users, applications, and the cloud, reducing latency. The approach also helps in reducing costs by eliminating the need to manage multiple vendors and their products.

SASE is still a relatively new solution, so it’s continuing to evolve and is no longer just a buzzword. It offers a more streamlined and efficient way to manage and secure network traffic, especially in the context of a hybrid workforce. A properly deployed solution protects connections to and from the internet as well as SaaS and private applications.

And to make sure no advanced threats penetrate the network, devices, or edges, the cloud-delivered security solutions within SASE need to be kept current and be upgraded to include the latest developments to protect against emerging and ever-evolving cyberthreats.

By Vivek Srivastava

The author is the Country Manager for India and SAARC region at Fortinet.

feedbackvnd@cybermedia.co.in