SASE = SD-WAN + SSE is an equation that has become conspicuous in the security industry. If you aren’t a cybersecurity professional, you might mistake it for a high school advanced algebra problem or perhaps one of Einstein’s scientific formulas. But IT professionals understand at a high level that SASE, a solution that provides the hybrid workforce with consistent enterprise-grade cybersecurity no matter their location, is composed of both networking components (SD-WAN) and cloud-delivered security (SSE).
If you drill deeper, though, there’s still confusion about what SSE means and which cloud-delivered security solutions are necessary for a comprehensive SASE approach. Not understanding each element and how they work together to protect the hybrid workforce can leave your organization with an incomplete solution, management challenges, and, potentially, costly breaches.
Cloud-delivered security within SASE
Security service edge (SSE) is a cloud-delivered security solution that ties together four components: Firewall-as-a-Service (FWaaS), secure web gateway (SWG), cloud access security broker (CASB), and zero-trust network access (ZTNA). Each of these products work together to secure users, devices, and edges to applications no matter the location.
FWaaS is a one-solution-fits-all option
FWaaS allows organizations to move security inspection partially or fully to a cloud infrastructure. With security in the cloud, your solution is managed by the cloud provider, who maintains the hardware infrastructure that powers your solution. Many companies want a service-based architecture because it gives them the freedom to expand security coverage without having to provision new hardware. FWaaS is a one-solution-fits-all option, regardless of the size of the organization.
With FWaaS, an organization’s distributed sites and users are connected to a single global firewall with a unified application-aware security policy, allowing them to better scale security. FWaaS provides the functionality of next-generation firewalls (NGFWs) including web filtering and intrusion prevention systems (IPS, DNS security, file filtering, threat protection) without the high capital expenditure costs associated with an on-premises wide area network (WAN) infrastructure investment. FWaaS technology also enables high-performance secure sockets layer (SSL) inspection and advanced threat detection via the cloud. And it maintains secure connections and analyzes inbound and outbound traffic without impacting user experience.
SWG to protect against advanced web-borne cyberthreats
SWG protects against internet-borne attacks by securing user internet connections. As threats grow increasingly sophisticated, attackers are working overtime to infiltrate your network and remain hidden for as long as possible.
For complete protection against internet-borne attacks, your SWG should have the following features: intrusion prevention to block threats; DNS filtering to protect against sophisticated DNS-based threats; and sandboxing to isolate potential malicious code. Traditionally, SWG has been delivered with on-premises firewalls or dedicated proxy appliances, but with SASE, SWG is delivered as a cloud-based proxy within SSE.
CASB to secure cloud-based resources
CASB sits between users and their cloud Software-as-a-Service (SaaS) applications to enforce security policies as users access cloud-based resources. The four pillars of CASB are visibility for all cloud applications, built-in data security, advanced threat protection, and compliance based on the industry (such as HIPAA for healthcare and FINRA for financial institutions).
Specifically, CASB provides comprehensive visibility of cloud application usage, such as device and location information, to help organizations safeguard data, intellectual property, and users. It also provides cloud discovery analysis, which enables organizations to assess the risk of cloud services and decide whether to grant users access to applications. CASB solutions must include DLP tools so organizations can monitor sensitive information moving between and across their on-premises and cloud environments to prevent data leaks.
CASBs also enable organizations to protect against insider attacks from authorized users. They can create comprehensive usage patterns to use as a baseline when identifying anomalous behavior, empowering organizations to detect improper access or attempts to steal data as soon as it happens.
ZTNA safeguards connections to private resources
ZTNA solutions verify all users and devices when they attempt to access corporate applications and data. Verification continues after the user is granted access and moves through the network. Applying the ZTNA approach to application access allows organizations to quit using traditional virtual private network (VPN) tunnels that allow for unrestricted access to the entire organization’s network. Implementing ZTNA requires strong authentication capabilities, powerful network access control tools, and pervasive application access policies. For example, consider a person checking into a hotel who is provided with a keycard to access their room. This is how ZTNA works. On the other hand, VPN is more analogous to someone receiving a key that opens every room in the hotel.
The single-vendor SASE approach
SSE is a critical component of SASE, but it’s only one-half of the equation. SD-WAN is the other half, and is key because it provides efficient connectivity and optimum user-to-application experience.
Your cloud-delivered security must work seamlessly with your SD-WAN solution for a comprehensive and easy-to-manage SASE deployment. This is best achieved through a single-vendor approach because it: 1) offers integrated security across all your users, applications, and devices; 2) simplifies management by providing a single management console for all your security and networking features; 3) enhances performance by optimizing the flow of traffic between your users, applications, and the cloud, reducing latency; and 4) reduces costs by eliminating your need to manage multiple vendors and their products.
But beware of false advertising. When SASE was introduced to the market, it contained more than 20 components. To take advantage of the demand for this new solution, more than 70 vendors claimed to provide SASE while really only delivering one capability such as SD-WAN or SWG. In recent years, the definition of SASE and SSE has been streamlined to reflect converged technologies and the realities of hybrid work, but there are still many who claim to provide SASE who fall short in practice.
Some vendors have even acquired capabilities in order to say that they have single-vendor SASE while still requiring customers to use different clients and consoles to manage their solution, which undermines the benefits of a single-vendor approach.
SASE will continue to grow in popularity
SASE is still a relatively new solution, so it’s continuing to evolve and is no longer just a buzzword. It offers a more streamlined and efficient way to manage and secure network traffic, especially in the context of a hybrid workforce. A properly deployed solution protects connections to and from the internet as well as SaaS and private applications.
And to make sure no advanced threats penetrate your network, devices, or edges, the cloud-delivered security solutions within SASE need to be kept current and be upgraded to include the latest developments to protect against emerging and ever-evolving cyberthreats.
Learn more about how Fortinet’s SASE solution delivers single-vendor SASE that enables consistent security and user experience no matter where users and applications are distributed.