How to Implement Best-in-Class SASE Architecture

To support cloud-enabled digital transformation strategies, tighter integration of SD-WAN and security architectures is top of mind for many CIOs and CISOs. That also includes cloud security and what is now known as Secure Access Service Edge (SASE): the combination of WAN edge networking capabilities with cloud-delivered security features, such as:

  • Secure Web Gateway (SWG)
  • Cloud Access Security Broker (CASB)
  • Firewall as a Service (FWaaS), and
  • Zero Trust Network Access (ZTNA) delivered in the cloud.

SASE architecture

As more applications and workloads migrate to the cloud, the role of the on-premises corporate data center has been significantly reduced, and in some cases eliminated. Furthermore, as work from anywhere becomes the norm, the defined security perimeter has essentially dissolved. A SASE architecture therefore provides a more secure and flexible way to connect users to cloud-hosted applications: application traffic is no longer backhauled through a data center on its way to the cloud. Because advanced security inspection is performed directly in the cloud, close to both the user and the application, users also get better application performance and a better quality of experience.

SASE starts from the assumption that no user or device is trusted by default, and enforces least-privilege access through a set of cloud-delivered capabilities. CASB capabilities protect sensitive data by enforcing security and data-handling policies on cloud application traffic. An SWG protects organizations from web-based threats using techniques such as URL filtering and malicious code detection. FWaaS provides next-generation firewall functionality in the cloud to inspect traffic from multiple sources. Other security features, such as Remote Browser Isolation (RBI), isolate users from the Internet by rendering web pages remotely and delivering a rebuilt page with any malicious code removed.

SD-WAN is a fundamental foundation for SASE

As the work-from-anywhere trend persists, organizations will need to continue to operate branch offices, which requires SD-WAN capabilities, and will even extend SD-WAN services to home and small offices. Meanwhile, efforts to transform to a modern SD-WAN architecture must also continue; however, they should take into account the aforementioned cloud-delivered security capabilities, now grouped under the term Security Service Edge (SSE).

The combination of advanced SD-WAN and SSE creates a SASE architecture that protects access to the web, cloud applications, cloud services, and private applications that are still hosted in the data center. SSE features may also include access control, threat protection, data security, security monitoring, and acceptable use control, enforced through both API-based (out-of-band) and inline web-proxy integration.

The key is that SSE is delivered as a cloud-based service and can be supplemented by on-premises or agent-based components such as a firewall with segmentation built into the SD-WAN software stack.

To protect Internet-connected (IoT) devices, which typically cannot host a zero-trust network access agent or VPN client, SASE must also be complemented by a zero-trust identity-based access control framework that provide dynamic segmentation.

Better Together: Advanced SD-WAN and SSE

The combination of advanced SD-WAN and SSE enables organizations to implement a comprehensive SASE architecture. As such, some security vendors have integrated basic SD-WAN capabilities into their respective offerings. However, these vendors often lack the critical capabilities of an advanced SD-WAN solution, and therefore organizations may want to consider a bifurcated approach that leverages the best of cloud security with an advanced SD-WAN.

After all, SD-WAN and SSE focus on two different but complementary goals: SD-WAN is about establishing a strong yet flexible connection, while SSE must constantly adapt to new cybersecurity threats. By acquiring an advanced SD-WAN solution from an established SD-WAN provider that is tightly integrated with the best cloud-delivered security provider, an organization can build a SASE architecture without compromising performance or security.

There are three good reasons why organizations should select advanced SD-WAN when implementing a world-class SSE service:

An advanced SD-WAN is tightly integrated with SSE. Many security vendors provide basic SD-WAN capabilities and promote an “all-in-one” SASE solution. However, these security providers may not necessarily be well integrated with other cloud security providers’ solutions. That poses potential limits, or compromises, of SD-WAN functionality or security functionality for an organization adopting a single-vendor solution.

For companies in some industries, especially heavily regulated ones, business-required security features may require multi-vendor solutions. By adopting an advanced SD-WAN that provides native, automated integrations with multiple SSE vendors, enterprises keep the freedom to choose the security service or services that meet their needs to protect their business and satisfy compliance requirements. Through automated orchestration, a two-vendor SASE architecture is just as easy to deploy and manage as a single-vendor solution.

An advanced SD-WAN intelligently directs application traffic. This includes directing traffic based on your performance and security requirements as business needs dictate. An advanced SD-WAN can identify applications in the first packet and intelligently route traffic based on security policies set by the organization. To simplify the deployment and configuration of security policies, policies are centrally defined and seamlessly pushed to each branch, allowing organizations to apply a consistent security approach across their locations.

Additionally, through API-based integrations, advanced SD-WANs can automatically configure connections to public cloud providers that offer on-ramp services such as AWS Transit Gateway and Azure Virtual WAN, with the goal of improving performance and security. In both hybrid and multi-cloud environments, this lets workloads move from one cloud provider to another without re-engineering the WAN connectivity.

Lastly, powerful SD-WANs can also accelerate application traffic to cloud applications and cloud-delivered security services by always selecting the best-performing path based on advanced network health and performance metrics (loss, latency and jitter), as well as local DNS resolution so that traffic is directed to the nearest point of presence.
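The three behaviours just described (first-packet application identification, centrally defined steering policy, and best-path selection from health metrics) are easier to reason about in code. The block below is an added illustration written for this page; it is not any vendor's SD-WAN implementation or API. The application table, the policy list, the WAN link metrics and the SLA thresholds are all constructed sample data (the address prefixes are documentation ranges), and the scoring function is an assumed weighting, not a product's actual algorithm.

```python
"""Toy SD-WAN steering engine (added example, constructed data throughout).

Models three steps a branch appliance performs on a new flow:
  1. identify the application from the first packet (dst IP/port lookup),
  2. apply a centrally defined, ordered steering policy (first match wins),
  3. pick the WAN link that meets the action's SLA and scores best.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- 1. First-packet application identification --------------------------
# Real products learn IP/port-to-application maps and snoop DNS; here the
# map is a constructed table of (network, port-or-None, app name).
APP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 443, "saas-crm"),
    (ipaddress.ip_network("198.51.100.0/24"), 443, "video-conf"),
    (ipaddress.ip_network("10.0.0.0/8"), None, "internal-app"),
]

def identify_app(dst_ip: str, dst_port: int) -> str:
    """Classify a flow on its first packet; 'unknown' if nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    for net, port, app in APP_TABLE:
        if addr in net and (port is None or port == dst_port):
            return app
    return "unknown"

# --- 2. Centrally defined steering policy --------------------------------
# Actions: "direct" = local internet breakout for trusted SaaS,
#          "sse"    = tunnel to the cloud-delivered security service,
#          "dc"     = hairpin to the data center over the SD-WAN overlay,
#          "drop".  Ordered list, first match wins, explicit default deny.
POLICY = [
    {"app": "saas-crm",     "zone": "corp",  "action": "direct"},
    {"app": "video-conf",   "zone": "corp",  "action": "direct"},
    {"app": "internal-app", "zone": "corp",  "action": "dc"},
    {"app": "unknown",      "zone": "corp",  "action": "sse"},
    {"app": "internal-app", "zone": "guest", "action": "drop"},  # guests never reach the DC
    {"app": "*",            "zone": "guest", "action": "sse"},   # everything else inspected
    {"app": "*",            "zone": "*",     "action": "drop"},  # default deny
]

def steer(app: str, zone: str) -> str:
    for rule in POLICY:
        if rule["app"] in (app, "*") and rule["zone"] in (zone, "*"):
            return rule["action"]
    return "drop"

# --- 3. Best-path selection from health metrics --------------------------
@dataclass
class Link:
    name: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float

# Constructed measurements for three WAN links at a branch.
LINKS = [
    Link("mpls",      loss_pct=0.0, latency_ms=40.0, jitter_ms=2.0),
    Link("broadband", loss_pct=0.2, latency_ms=20.0, jitter_ms=5.0),
    Link("lte",       loss_pct=3.0, latency_ms=60.0, jitter_ms=20.0),
]

# Per-action SLA thresholds (assumed values). A link breaching any threshold
# is ineligible; among eligible links the lowest weighted score wins.
SLA = {
    "direct": {"loss": 1.0, "latency": 100.0, "jitter": 30.0},
    "sse":    {"loss": 1.0, "latency": 100.0, "jitter": 30.0},
    "dc":     {"loss": 0.5, "latency": 80.0,  "jitter": 4.0},  # strict jitter for DC apps
}

def best_link(action: str, links: List[Link] = LINKS) -> Optional[str]:
    sla = SLA.get(action)
    if sla is None:
        return None
    eligible = [l for l in links
                if l.loss_pct <= sla["loss"]
                and l.latency_ms <= sla["latency"]
                and l.jitter_ms <= sla["jitter"]]
    if not eligible:
        return None  # no path meets the SLA; caller decides on fallback
    # Assumed weighting: latency + 2*jitter + 10*loss
    return min(eligible,
               key=lambda l: l.latency_ms + 2 * l.jitter_ms + 10 * l.loss_pct).name

def decide(dst_ip: str, dst_port: int, zone: str,
           links: List[Link] = LINKS) -> Tuple[str, str, Optional[str]]:
    """Full first-packet decision: (application, action, chosen link)."""
    app = identify_app(dst_ip, dst_port)
    action = steer(app, zone)
    link = best_link(action, links) if action != "drop" else None
    return app, action, link

if __name__ == "__main__":
    for flow in [("203.0.113.10", 443, "corp"), ("10.20.30.40", 8080, "corp"),
                 ("192.0.2.5", 443, "corp"), ("10.20.30.40", 8080, "guest")]:
        print(flow, "->", decide(*flow))
```

Two details carry over to real deployments: the policy is evaluated at the branch but authored once, so every site gets the same ordered rule set, and the path selector returns nothing when no link meets the SLA rather than silently degrading, which is the point at which an orchestrator would fall back to a tunnel through the SSE provider or raise an alert.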

An advanced SD-WAN incorporates essential security features required at the branch. An advanced SD-WAN includes built-in security features to protect branch offices, including unified threat management with built-in IDS/IPS and a zone-based firewall to support micro-segmentation. These features enable organizations to protect branch offices from malicious threats and to segment users, devices, and applications to meet compliance requirements. They also allow organizations to go beyond SASE by mitigating the risk posed by the sheer number of IoT devices: most IoT devices use a simple software stack that cannot host a ZTNA agent or VPN client, so they cannot be brought under the SASE access model on their own.

Therefore, a zero-trust security framework that provides micro-segmentation and identity-based access control should be adopted alongside SASE, so that a compromised device cannot spread malware laterally across the branch. In addition, integrated security features enable organizations to reduce branch appliance sprawl by replacing multiple existing security devices, reducing maintenance and overall operating costs.
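The zone-based firewall and identity-based access control described in the two paragraphs above can be shown concretely with a small policy evaluator. This is an added example written for this page, not a vendor's firewall or NAC implementation. The device-to-role mapping stands in for what a real deployment would obtain from 802.1X/RADIUS or device fingerprinting; the MAC addresses, address prefixes, zones and rules are all constructed sample data.

```python
"""Toy zone-based branch firewall with identity-driven zones (added example).

Flow: source device identity -> role -> zone; destination IP -> zone;
then an ordered zone-pair rule set with an explicit default deny.
IoT devices get exactly one permitted destination (their cloud controller)
and are denied lateral traffic to corp and to other IoT devices.
"""
import ipaddress
from typing import Optional, Set, Tuple

# Constructed identity data. A real deployment would learn the role from
# 802.1X/RADIUS or a NAC; unknown devices land in a quarantine zone.
DEVICE_ROLES = {
    "aa:bb:cc:00:00:01": "hvac-sensor",
    "aa:bb:cc:00:00:02": "ip-camera",
    "aa:bb:cc:00:00:03": "employee-laptop",
}
ROLE_ZONE = {"hvac-sensor": "iot", "ip-camera": "iot", "employee-laptop": "corp"}

def zone_of_device(mac: str) -> str:
    return ROLE_ZONE.get(DEVICE_ROLES.get(mac, ""), "quarantine")

# Destination prefixes to zones (constructed; 203.0.113.0/24 is a
# documentation range standing in for the IoT vendor's cloud controller).
DEST_ZONES = [
    (ipaddress.ip_network("10.10.0.0/16"), "corp"),
    (ipaddress.ip_network("10.20.0.0/16"), "iot"),
    (ipaddress.ip_network("203.0.113.0/24"), "iot-cloud"),
]

def zone_of_dest(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, zone in DEST_ZONES:
        if addr in net:
            return zone
    return "internet"

# Ordered rules: (src zone, dst zone, allowed ports or None for any, action).
# First match wins. "*" matches any zone.
RULES = [
    ("iot",  "iot-cloud", {443, 8883}, "allow"),  # HTTPS and MQTT over TLS only
    ("corp", "iot",       {443, 22},   "allow"),  # admins may manage devices
    ("corp", "corp",      None,        "allow"),
    ("corp", "internet",  None,        "allow"),  # goes on to SSE inspection
    ("iot",  "*",         None,        "deny"),   # no lateral or corp access
    ("*",    "*",         None,        "deny"),   # default deny (incl. quarantine)
]

def evaluate(src_mac: str, dst_ip: str, dst_port: int) -> Tuple[str, str, str]:
    """Return (action, src_zone, dst_zone) for a flow's first packet."""
    src_zone = zone_of_device(src_mac)
    dst_zone = zone_of_dest(dst_ip)
    for sz, dz, ports, action in RULES:
        if sz in (src_zone, "*") and dz in (dst_zone, "*") \
                and (ports is None or dst_port in ports):
            return action, src_zone, dst_zone
    return "deny", src_zone, dst_zone

def denied_lateral_attempts(flows) -> int:
    """Count flows denied because an IoT device targeted corp or another IoT host.

    Useful as a simple detection: a sensor that suddenly scans its neighbours
    is a strong sign of compromise.
    """
    count = 0
    for mac, ip, port in flows:
        action, sz, dz = evaluate(mac, ip, port)
        if action == "deny" and sz == "iot" and dz in ("corp", "iot"):
            count += 1
    return count

if __name__ == "__main__":
    # Constructed sample traffic, including a camera probing the LAN.
    sample = [
        ("aa:bb:cc:00:00:01", "203.0.113.7", 8883),   # sensor -> cloud MQTT
        ("aa:bb:cc:00:00:02", "10.10.5.5", 445),      # camera -> corp SMB
        ("aa:bb:cc:00:00:02", "10.20.1.9", 80),       # camera -> other IoT
        ("aa:bb:cc:00:00:03", "10.20.1.9", 443),      # laptop -> device mgmt
        ("de:ad:be:ef:00:00", "203.0.113.7", 443),    # unknown device
    ]
    for f in sample:
        print(f, "->", evaluate(*f))
    print("denied lateral attempts:", denied_lateral_attempts(sample))
```

The rule set is deliberately short: one allow per legitimate relationship, then explicit denies. That shape is what makes it auditable for compliance and what stops a compromised camera from reaching file shares or its neighbours, which is the "block the spread of malware" requirement in the text.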

At the end of the day, a robust SD-WAN is the foundational component of a SASE architecture. It provides tight integration with leading security vendors and automates policy configuration and orchestration with your cloud security services.

For organizations that cannot afford to compromise when implementing a SASE architecture, a dual-vendor approach, with WAN services from a leading SD-WAN vendor and cloud security from a leading SSE vendor, will provide the best option for continuing the digital transformation journey.
