What is Secure Access Service Edge (SASE) ?

The CISO Perspective

13 Aug 202007:49

Summary

TLDRThis video introduces Secure Access Service Edge (SASE), a term coined by Gartner that combines multiple network and security technologies into one comprehensive solution. SASE addresses challenges of remote work and complex network infrastructures by integrating security as a service and network as a service. Key components include SD-WAN, Secure Web Gateway, Firewall as a Service, and Zero Trust Network Access, which ensure consistent security policies and optimized performance. The video discusses how SASE reduces latency, enhances security, and centralizes policy management, making it a critical approach for modern, distributed networks.

Takeaways

🔒 **Secure Access Service Edge (SASE)** is a term coined by Gartner that integrates network and security services.
🌐 **Goal of SASE** is to provide secure network services from anywhere a user connects.
🏠 **Work from Home Increase**: The demand for secure cloud access without traditional VPN bottlenecks has grown.
🛠️ **SASE Core Levels** include SD-WAN, Secure Web Gateway, Firewall as a Service, and Zero Trust Network Access.
🔄 **Recommended Levels** in SASE involve sandboxing, browser isolation, network access control, and next-gen antivirus.
📡 **Optional Levels** may include Wireless LAN and VPN services for certain customer needs.
👥 **Zero Trust Network Access** is foundational to SASE, ensuring secure access regardless of user location.
🌐 **Endpoint Client** acts as a vehicle for data, providing connectivity and zero trust access.
🔄 **SD-WAN Integration** in SASE allows for intelligent routing and security offloading.
🔒 **CASB (Cloud Access Security Broker)** is crucial for managing and securing access to cloud applications in SASE.
🔄 **Service Chaining** is a key concept where SD-WAN directs traffic to secure web gateways for inspection.

Q & A

What is Secure Access Service Edge (SASE)?
-SASE is a term coined by Gartner that combines multiple network and security technologies into a single offering, aiming to provide secure network services regardless of where the user connects from.
Why is SASE important for modern organizations?
-SASE is crucial because it addresses the challenges posed by distributed workloads and users, providing a unified security policy and reducing inefficiencies and costs caused by using multiple separate technologies. It is especially important with the rise of remote work and increased demand for secure, direct access to cloud services.
What are the three levels of SASE as outlined by Gartner?
-Gartner outlines three levels of SASE: Core, Recommended, and Optional. The Core level includes SD-WAN, Secure Web Gateway, Firewall as a Service, CASB, and Zero Trust Network Access. The Recommended level includes Sandboxing, Browser Isolation, WAF, Network Access Control, and Next-Gen Antivirus/EDR. The Optional level includes Wireless LAN and VPN for those who still need them.
How does SASE solve the latency and bottleneck issues caused by traditional VPNs?
-SASE addresses VPN-related latency and bottlenecks by distributing security inspection to regional points of presence (PoPs) instead of routing all traffic through a central location. This allows for secure, efficient access to cloud applications without the delays caused by traditional VPNs.
What is Zero Trust Network Access (ZTNA), and why is it critical to SASE?
-ZTNA is a security model where trust is never assumed based on network location. It verifies both the user’s identity and the device before granting access to specific resources. In SASE, ZTNA ensures secure access regardless of the user's location by enforcing strict access control policies.
How does SD-WAN play a role in the SASE framework?
-SD-WAN plays a critical role in SASE by enabling efficient traffic routing and service chaining security inspections. It allows organizations to optimize traffic routes while still ensuring security through features like packet duplication, forward error correction, and quality of service (QoS) prioritization.
What role does the Secure Web Gateway (SWG) play in SASE?
-In the SASE framework, SWG provides cloud-based security services, such as firewalling, web filtering, antivirus, and intrusion prevention, often acting as an SDP gateway for secure communication between users and resources. SWG ensures secure access without the need for centralized inspection points.
What advantages does SASE offer over traditional hub-and-spoke network architectures?
-SASE offers advantages over traditional hub-and-spoke networks by distributing security inspection across regional PoPs, reducing the need for large, centralized security devices, and enabling more efficient routing, reducing costs and latency for remote and cloud-based users.
What is Cloud Access Security Broker (CASB), and why is it integral to SASE?
-CASB is a security policy enforcement point that sits between cloud service consumers and providers, ensuring that cloud-based applications are accessed securely. In the SASE framework, CASB provides visibility, control, and protection for cloud services, centralizing security policies and ensuring secure access to SaaS applications.
How does SASE ensure consistent security policies across on-premise and remote environments?
-SASE provides consistent security policies by integrating Zero Trust Network Access, SD-WAN, and CASB into a unified management plane. Whether users are on-network or off-network, the same security policies are applied without gaps, ensuring seamless protection regardless of the user’s location.

Outlines

00:00

🔐 Understanding SASE (Secure Access Service Edge)

SASE, or Secure Access Service Edge, is a term coined by Gartner that merges various network and security technologies into a single solution. Its goal is to provide secure network services regardless of where the user connects. As organizations and workloads become more distributed, traditional security systems become costly and inefficient, especially with the rise of remote work. SASE addresses this by integrating security as a service with network services to offer direct cloud access without the latency issues of traditional VPNs. Gartner outlines three levels of SASE: core, recommended, and optional, encompassing technologies like SD-WAN, secure web gateways, firewall as a service, and more.

05:01

🏠 Challenges of Remote Work and Traditional Security Approaches

With the increasing shift to remote work, traditional security setups are facing challenges. Employees use SaaS applications and require access to internal resources, often through a VPN. This centralized approach causes higher latency and increased costs. Vendors like Zscaler tackle these issues by decentralizing security inspections to regional points of presence (PoPs) and integrating security directly into cloud environments. SASE aims to solve these challenges by providing secure, direct access, enabling seamless connectivity without routing everything through a central location.

🔒 Zero Trust Network Access (ZTNA) and the Role of SDP

A key component of SASE is Zero Trust Network Access (ZTNA), which allows user verification regardless of location. In a true zero-trust network, a user only accesses specific resources they are authorized for, preventing over-permissioned access. Software Defined Perimeter (SDP) is becoming the preferred technology for this model. SDP sets up secure TLS tunnels on a per-application basis and dynamically controls access. This integration ensures secure, direct access, minimizing the need for traditional VPNs and central security inspection.

🌐 How SASE Connects Users to the Cloud and Internal Networks

SASE enables users to connect securely to both cloud applications and internal networks, wherever they are located. The system uses a client to route users to the nearest inspection point for security checks before accessing resources, whether it be a SaaS application or private network. The security services, including firewalling, web filtering, and antivirus, are all performed in the cloud, eliminating the need for large, centralized security appliances. By distributing security inspections regionally, SASE optimizes both cost and performance.

📡 Merging SD-WAN and Secure Web Gateways

SASE combines the benefits of SD-WAN and secure web gateways to create a cohesive solution. When a user connects remotely, SASE authenticates them with Zero Trust Network Access (ZTNA) and uses SD-WAN to optimize traffic flow. This allows for critical features like QoS, traffic prioritization, latency reduction, and packet duplication, which are essential for voice and data applications. The system also supports service chaining, where security inspections can be offloaded to secure web gateways like Zscaler when local inspection is not available.

💻 Service Chaining and Policy Management in SASE

In SASE, service chaining allows security functions to be passed between various solutions, ensuring consistent security policies. For example, users can seamlessly switch between on-premise SD-WAN and off-network secure web gateways without changes in policy. The goal is to apply security policies uniformly, whether users are working from the office or remotely. This consistency ensures that security inspections happen regardless of location, minimizing gaps in security coverage.

☁️ The Importance of Cloud Access Security Brokers (CASB)

Cloud Access Security Brokers (CASB) play a critical role in modern SASE solutions. With most enterprises heavily using SaaS applications, CASB is essential for visibility, access control, and policy enforcement across cloud environments. A CASB integrated into a SASE solution offers centralized security management, allowing for consistent policies for both on-net and off-net users. This ensures that organizations can enforce security measures across all cloud applications and quarantine users in case of suspicious activity.

🔑 Summary: Combining Zero Trust, SD-WAN, and CASB

To summarize, SASE starts with Zero Trust Network Access (ZTNA) to authenticate and authorize users based on their identity and device. Depending on whether the user is on or off the corporate network, the system routes traffic through the nearest PoP for security inspections. SD-WAN steers traffic and provides performance optimizations, while CASB ensures visibility and control over cloud applications. This unified approach offers a seamless, secure experience for users, wherever they may be.

Mindmap

Keywords

💡Secure Access Service Edge (SASE)

SASE is a term coined by Gartner that unifies networking and security services into a cloud-native framework. It is designed to provide secure access to the internet and cloud services from anywhere. In the video, SASE is the central theme, aiming to solve the problem of secure network services for distributed users, replacing traditional VPNs with a more efficient and scalable solution.

💡Zero Trust Network Access (ZTNA)

ZTNA is a security concept centered around the idea that no automatic trust is given to any user, device, or network inside or outside an organization's perimeter. The video emphasizes ZTNA as the foundational principle of SASE, ensuring that users are authenticated and authorized to access only the resources they need, regardless of their location.

💡Software-Defined Wide Area Network (SD-WAN)

SD-WAN is a technology that abstracts the network services from the underlying hardware, allowing for centralized management and optimization of network traffic. In the context of the video, SD-WAN plays a critical role in SASE by enabling service chaining to offload security inspection to the secure web gateway when needed and making the best routing decisions for traffic.

💡Secure Web Gateway (SWG)

An SWG is a cloud-based service that provides web filtering, malware protection, and data loss prevention. The video discusses how SWGs, like Zscaler, distribute inspection engines regionally to reduce latency and handle traffic more efficiently, which is a key component of the SASE framework.

💡Firewall as a Service (FWaaS)

FWaaS refers to the delivery of firewall functionality as a cloud-based service. The video mentions FWaaS as part of the SASE core level, indicating that traditional on-premises firewalls are being replaced by cloud-based solutions that can scale and adapt to the needs of a distributed workforce.

💡Cloud Access Security Broker (CASB)

CASB is a software tool that mediates access between cloud services and internal enterprise resources. In the video, CASB is highlighted as an essential part of the SASE framework, providing visibility, policy enforcement, and security for cloud applications, which is crucial as more businesses adopt SaaS applications.

💡Service Chaining

Service chaining is a networking technique where traffic is passed through multiple services in a sequence. The video explains how SASE leverages service chaining to direct traffic to the secure web gateway for inspection, combining the benefits of SD-WAN and SWG for a comprehensive security solution.

💡Policy Enforcement

Policy enforcement refers to the implementation and monitoring of security policies across an organization's network. The video underscores the importance of consistent policy enforcement in SASE, ensuring that whether users are on or off the corporate network, the same security policies are applied.

💡Inspection Point

An inspection point is a location where network traffic is analyzed for security threats. The video describes how, in a SASE environment, inspection points are distributed across regions, allowing for local security services and reducing the reliance on a central location for all security checks.

💡Work from Home (WFH)

WFH has become a prevalent work model, especially due to the pandemic. The video discusses how SASE addresses the increased demand for secure access to cloud resources without the latency issues associated with traditional VPNs, which is a direct response to the WFH trend.

💡Distributed Workloads

Distributed workloads refer to computing tasks that are spread across multiple locations or systems. The video highlights the challenge of managing security for distributed workloads and users, which SASE aims to simplify by offering a unified approach to network and security services.

Highlights

Secure Access Service Edge (SASE) is a term coined by Gartner that combines multiple network and security technologies into a single offering.

SASE aims to provide secure network services to users wherever they are located, addressing the challenges of distributed workloads and users.

One key problem SASE addresses is the inefficiency and costliness of multiple security policies and technologies that don't integrate well.

With the increase in work-from-home users, SASE enables secure, direct access to cloud services without the bottlenecks and latency of traditional VPNs.

Gartner's SASE framework includes three levels: Core, Recommended, and Optional. Core includes SD-WAN, secure web gateway, firewall as a service, CASB, and Zero Trust Network Access.

Recommended SASE services include sandboxing, browser isolation, WAF, network access control, and next-gen antivirus/EDR.

Optional services within SASE include wireless LAN and VPN for customers that still require these legacy technologies.

Zero Trust Network Access (ZTNA) plays a crucial role in SASE by ensuring users only access specific resources based on their identity and privileges, regardless of their location.

ZTNA is supported by Software Defined Perimeter (SDP), which creates one-to-one tunnels for secure application access on a per-application basis.

SASE provides network security services like firewalling, antivirus, web filtering, and IPS in the cloud, allowing for distributed inspection rather than relying on centralized VPNs.

SASE's integration with SD-WAN allows for intelligent traffic steering, ensuring secure, optimized connectivity to both internal resources and cloud services.

Service chaining within SASE allows SD-WAN appliances to offload security inspection to secure web gateway providers like Zscaler when necessary.

The consolidation of security and network policies into a single solution is a key benefit of SASE, ensuring consistent enforcement whether users are on or off the network.

Cloud Access Security Broker (CASB) is essential within SASE for managing security policies related to SaaS applications, including access control and monitoring for suspicious behavior.

SASE solutions allow organizations to implement zero trust network access while optimizing traffic flow with SD-WAN, ensuring seamless and secure access regardless of user location.