Network Security Investment Priority #3: SASE

FireMon

Global Independent Study of 500 Senior Level Respondents Provides Clear Picture for the Future of Network Security


The Future of Network Security

This is part 4 of a 6-part series addressing The Future of Network Security findings. Read Part 1 here.

Endpoint counts have been growing for years because of cloud traffic, BYOD, and IoT, and the need to manage entirely remote workforces has added to the strain. Businesses have tried to secure their increasingly complex networks by deploying a whole menu of products meant to enforce zero trust and least privilege, such as VPNs, CASBs, SWGs, and NGFWs. But each added product brings further complexity, and, as every security professional knows, complexity spawns vulnerability. A more unified approach to zero trust security is needed, and IT leaders are now looking to secure access service edge (SASE) to secure their dynamic attack surfaces.

25% of businesses have already implemented SASE, according to the IT executives who responded to The Future of Network Security, an independent survey sponsored by FireMon, and another 63% (roughly two-thirds) said they will implement SASE within the next two years.

The Run-Up to SASE

Businesses that expected their VPNs to securely enable remote workforce productivity were disappointed last year. VPNs scale poorly, and productivity suffers when high demand erodes availability and performance.

63% of organizations will implement SASE within 2 years

Software-defined wide area networking (SD-WAN) has been growing at 40% year over year, but SD-WAN is a networking solution. It is effective at optimizing traffic in today's constantly changing environments and can manage network connections with an intent-based policy model, but as a security solution it has limitations.

Zero Trust Architecture (ZTA) is becoming the de facto security strategy in enterprises today. ZTA works by protecting individual assets inside the network and setting policies at a granular level. The result is strong security, but all those policies need to be managed. SASE addresses that problem by putting enforcement where it is needed, at the edge, close to the users and devices whose access ZTA governs.

Factors Driving SASE Adoption

IT leaders said they are implementing SASE because they need to replace legacy VPNs with Zero Trust Network Access (ZTNA), securely serve mobile workforces, and reduce the overall cost and complexity of managing security and infrastructures.

6 Top Drivers for SASE Adoption
  • Replacing legacy VPN with Zero Trust Network Access (ZTNA): 58%
  • Reducing cost/complexity: 55%
  • Enabling an increasingly mobile/distributed workforce: 53%
  • Improving user experience: 53%
  • Securing access to cloud and SaaS applications: 42%
  • Reducing the number of point security solutions: 40%

Network-centric security wasn't built to handle mobile workforces, data scattered across the hybrid cloud, or SaaS services connecting and disconnecting continuously. Attempts to shoehorn network-centric approaches into a cloud environment result in complicated policies which, in turn, lead to policy conflicts and misconfigurations.

With SASE, the policy follows the user. Rather than creating policies around resources, policies are tied to the entities that are accessing the resources, such as a user accessing an app or a device accessing a service.
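The difference between a policy keyed on the network a request arrives from and one keyed on the entity making the request, as an added example that is not taken from the FireMon report or its survey. The rule formats, the users alice and mallory, the group names, the addresses, and the finance-erp application are all invented for illustration:

```python
"""Network-centric versus identity-centric access policy.

Added example (not from the FireMon report): the rule formats, names,
addresses and applications below are invented to show how a policy tied
to the requesting entity behaves differently from one tied to the
network a request arrives from."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # identity-provider group memberships
    device_managed: bool       # device posture: enrolled and compliant
    src_ip: str                # where the request arrives from
    app: str                   # application being requested


# Network-centric rule base: first match wins, keyed on source network.
# "10.0.0.0/8" stands in for the corporate LAN and the VPN address pool.
NETWORK_RULES = [
    ("10.0.0.0/8", "finance-erp", "allow"),
    ("0.0.0.0/0", "finance-erp", "deny"),
]


def network_decision(req: AccessRequest) -> str:
    """Decide purely from the source address, as a perimeter firewall would."""
    src = ip_address(req.src_ip)
    for net, app, action in NETWORK_RULES:
        if app == req.app and src in ip_network(net):
            return action
    return "deny"


# Identity-centric rule base: keyed on who is asking and from what kind
# of device, regardless of the network the request arrives from.
IDENTITY_RULES = [
    {"app": "finance-erp", "group": "finance", "require_managed_device": True},
]


def identity_decision(req: AccessRequest) -> str:
    """Decide from user group and device posture; location is irrelevant."""
    for rule in IDENTITY_RULES:
        if rule["app"] != req.app:
            continue
        if rule["group"] not in req.groups:
            continue
        if rule["require_managed_device"] and not req.device_managed:
            continue
        return "allow"
    return "deny"


# Constructed sample requests (not real users or addresses).
SAMPLE_REQUESTS = [
    # Finance analyst on a managed laptop from a coffee-shop address.
    AccessRequest("alice", frozenset({"finance"}), True, "203.0.113.7", "finance-erp"),
    # Same analyst on a personal (unmanaged) device at home.
    AccessRequest("alice-byod", frozenset({"finance"}), False, "198.51.100.22", "finance-erp"),
    # Contractor plugged into the corporate LAN, not in the finance group.
    AccessRequest("mallory", frozenset({"contractors"}), True, "10.1.2.3", "finance-erp"),
]


def compare(requests=SAMPLE_REQUESTS) -> dict:
    """Return {user: (network_decision, identity_decision)} for each request."""
    return {r.user: (network_decision(r), identity_decision(r)) for r in requests}


if __name__ == "__main__":
    for user, (net, ident) in compare().items():
        print(f"{user:12} network-centric={net:5} identity-centric={ident}")
```

The contrast is the point of the paragraph: the network rule lets mallory in simply because the request comes from the LAN (the gap ZTNA closes), while denying alice from an untrusted network unless she first backhauls through a VPN; the identity rule follows alice wherever she is but still refuses her unmanaged device, so the policy travels with the entity rather than with the address.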


COMPONENTS OF SASE
SASE isn't a single technology but a bundle of technologies that connect software-defined perimeter (SDP) clients and service edges, whether those service edges are public, private, or hybrid clouds, on-prem datacenters, mobile users, or any other facility, device, or user. The strengths and standalone limitations of each component are listed below.

SD-WAN (software-defined wide area networking)
Strengths
  • Scalable
  • Dynamic load balancing
  • Automatic failover
  • Efficient WAN utilization
Limitations as a standalone offering
  • Only protects cloud-based apps
  • No on-site security capability
  • Susceptible to performance issues
  • May result in jitter and packet loss

ZTNA (Zero Trust Network Access)
Strengths
  • Secure remote access without depending on corporate networks
  • Granular access control
  • Supports least-privilege approach
Limitations as a standalone offering
  • Does not prevent insider attacks
  • Does not protect apps

CASB (cloud access security broker)
Strengths
  • Visibility
  • Threat protection
  • Data security
  • Compliance
Limitations as a standalone offering
  • Does not secure access from closed networks like ERP and SAP
  • No protection between cloud services
  • Requires constant policy tuning as information flows change
  • Intellectual property and other unstructured data is not easily recognized

SWG (secure web gateway)
Strengths
  • Visibility
  • Detects and prevents emerging threats
  • Integrates with existing security ecosystem
Limitations as a standalone offering
  • Most effective in environments where remote traffic is backhauled to a central location
  • Expensive and hard to manage in remote-access environments
  • Can add latency
  • Can result in insecure

NGFW (next-generation firewall)
Strengths
  • Protects apps
  • Examines packet-based threats
Limitations as a standalone offering
  • Stream-based scanning can miss malicious traffic
  • Malicious traffic can slip through in fragmented packets

Integrating SASE with Traditional Network Security

Most organizations have already implemented some combination of CASB, NGFW, and SWG, and SD-WAN implementation is rising rapidly. Pulling cloud and remote access into the infrastructure is a logical progression. By choosing a SASE platform rather than buying its components individually, enterprises will save on the costs of implementation, as well as ongoing management expenses and inefficiencies.

At this point SASE is most often adopted to replace MPLS, but it also supports remote access, cloud connectivity, and the other capabilities needed to conduct business in 2021. SASE can be implemented in phases, which eases migration and lets organizations avoid retiring security assets that have not yet fully depreciated, and it can be rolled out across the entire estate or only parts of it. Locations still running legacy firewalls can be connected to SASE over IPsec tunnels, and excess traffic can be sent to the SASE cloud for processing ("firewall bursting").
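What the branch-to-SASE IPsec tunnel mentioned above can look like on a site that runs strongSwan (or a strongSwan host behind the legacy firewall), as an added example that is not from FireMon or from any SASE vendor's documentation. The PoP hostname, addresses, certificate and identity names, LAN prefix and cipher proposals are placeholders; a real PoP publishes its own supported IKE/ESP proposals and authentication method, and those must be used instead:

```conf
# /etc/swanctl/swanctl.conf (strongSwan 5.x). Added example with
# placeholder names and addresses; replace them with the values your
# SASE provider publishes for its PoP.
connections {
    branch01-to-sase {
        version = 2                        # IKEv2 only; no IKEv1 fallback
        local_addrs  = 198.51.100.10       # branch public address (placeholder)
        remote_addrs = pop.sase.example    # SASE PoP (placeholder)
        # Certificate authentication rather than a PSK; the key lives in
        # /etc/swanctl/private and the certificate in /etc/swanctl/x509.
        local {
            auth  = pubkey
            certs = branch01.pem
            id    = branch01.corp.example
        }
        remote {
            auth = pubkey
            id   = pop.sase.example
        }
        # AEAD cipher, SHA-384 PRF, X25519 key exchange; no legacy groups.
        proposals  = aes256gcm16-prfsha384-x25519
        rekey_time = 4h
        dpd_delay  = 30s
        children {
            all-traffic {
                local_ts  = 10.50.0.0/16   # branch LAN (placeholder)
                # Full tunnel: every flow goes to the SASE edge, so the
                # legacy firewall is no longer the only inspection point.
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-x25519   # PFS on each child rekey
                start_action  = start      # bring the tunnel up at daemon start
                dpd_action    = restart    # re-establish if the PoP stops answering
            }
        }
    }
}
```

Load it with `swanctl --load-all` and confirm the child SA with `swanctl --list-sas`. Two checks worth making before going live: if the provider will only negotiate CBC ciphers or small MODP groups, treat that as a finding rather than silently matching it, and if it only supports PSK authentication, use a distinct, randomly generated secret per site rather than one shared key. A full-tunnel `remote_ts` also means the branch's internet-bound traffic now rides the tunnel, so size the uplink and MTU accordingly.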

SASE relieves costs in several ways. Most obviously, the cost of maintaining many different security products is reduced to the cost of operating SASE through one vendor. Security staff hours are also reduced because the SASE vendor is responsible for upgrading the infrastructure to protect against emerging threats.

Managing Policy across SASE and Traditional Architecture

Vendors are rushing to meet the demand for SASE. Some offerings are not true SASE solutions but a mix of VM-based datacenter products bundled with cloud technologies and relabeled as SASE. This approach still backhauls traffic from the cloud to the vendor before users reach their applications, and the productivity hit is significant. Such offerings also use a single-tenant architecture and network-based access policies, whereas true SASE is based on user access; a network-based approach yields complex policies that don't scale.

SASE provides centralized, cloud-based policy management with distributed enforcement points close to endpoints. Placing enforcement near the user reduces latency and gives a better user experience than traditional security processes.

The security team also gets a better experience: they manage one global security policy through a single console. This doesn't just relieve pressure on security staff; access to normalized data in near real time is the foundation for comprehensive visibility, which improves the security of the enterprise as a whole.

How Does FireMon Help?

With FireMon you can visualize, normalize, and manage policies across SASE platforms, SD-WAN, and FWaaS, and integrate new technologies with minimal effort and disruption. Supported technologies include Zscaler, CloudGenix, and Cisco Viptela.

Learn more today.