A Quick Introduction to SASE Architecture


SASE converges both networking and security capabilities into a single-service cloud-native architecture that shifts the security focus from traffic-flow-centric to identity-centric. SASE encompasses a package of technologies that embeds security into the global fabric of the network so it is always available no matter where the user is, where the application or resource being accessed is, or what combination of transport technologies connects the user and the resource.

SASE enables ubiquitous and direct client-to-cloud security—based on user identity and context—fully integrated with optimal client-to-cloud WAN routing. This realizes a flexible and scalable network architecture that provides embedded security as well as optimal performance along the Software-Defined Perimeter (SDP) edge.

The SASE Identity Architecture
SASE – Convergence and Inversion of the Network and Security Architectures

High-level SASE Architecture


In the Gartner representation of SASE architecture, the core of SASE is comprised of:

  1. The users, devices, applications, and resources, and
  2. The identity, risks, roles, profiles, privileges and policies that govern access between them

Encircling this core is the outer SASE layer comprised of all the security and networking technologies required to securely connect core entities: the Software-Defined Perimeter (SDP). The SDP tracks the transient connections between core entities, rather than following the hard perimeters of traditional network architectures that aligned with fixed locations, geography, physical network zones, IP addressing or buildings.

Five SASE components are involved in defining and protecting the SDP: these components are engaged in a connection when needed (such as an NGFW, SWG or CASB), or are fundamental capabilities integral to the fabric of SASE (such as SD-WAN and ZTNA).

  • Secure SD-WAN
  • Secure Web gateway (SWG)
  • Cloud Access Security Broker (CASB)
  • Zero Trust Network Access (ZTNA)
  • Firewalling: NGFW and Firewall-as-a-Service (FWaaS)

SD-WAN Architecture

SD-WAN architectures enabled organizations to leverage direct internet connectivity to enable client-to-cloud workflows.


Traditional WAN Architecture

Traditional WAN architectures use the internet (if they use it at all) purely as a point-to-point connection, protected by VPN technology, between an off-prem user and the headquarters or data center location. From there, where security and policies are applied, traffic is routed to cloud destinations. This design suffers from latency and scalability deficits.

SD-WAN Architecture

SD-WAN architectures, based on Software-Defined Networking (SDN) principles, leverage the internet as a meshed backbone transport, with the data center or cloud destinations equally and directly accessible by any Work-from-Anywhere (WFA) user. This design minimizes latency and optimizes scalability, but necessitates SASE to enable security enforcement in this environment of any-to-any connections where the terms “on-prem” and “off-prem” have lost significance.

SDP Architecture

The SDP concept draws on the 2007 Defense Information Systems Agency’s (DISA) model of restricting connections to those with a need-to-know, rather than trusting everything inside the fixed perimeter of a network. In 2013, the Cloud Security Alliance’s (CSA) SDP Working Group popularized SDP to create highly secure, trusted, end-to-end networks for broad enterprise use, also incorporating:

  • Standards from the National Institute of Standards and Technology (NIST)
  • Zero Trust principles to facilitate secure access between hosts regardless of location

A fundamental attribute of an SDN architecture is the separation of control, data and management planes. This separation allows for control of both the SD-WAN and the SDP control planes in a network, which in turn allows implementation of both SD-WAN and SD-security in the same software control component.

Software Defined Perimeter Architecture

SWG Architecture

A SWG protects enterprises and users from being accessed and infected by malicious web traffic, as well as from being contaminated by hijacked websites that contain malware or viruses.

Based on the user, device, and location context, the SWG evaluates application policy and grants access only if the policy allows the request based on identity context.

Firewalls
  • Make decisions on a packet-by-packet basis
  • No termination, stream scanning only

SWGs (proxies)
  • Receive the complete request from the client before making decisions
  • Session termination, policy enforcement

CASB Architecture

A CASB provides a central location for concurrent policy and governance across multiple cloud services for both users and devices along with granular visibility into, and control over, user activities and sensitive data. There are two deployment options for CASBs, API mode and proxy mode.

API Mode
Proxy Mode

ZTNA Architecture

ZTNA underlies SDP architecture. The essence of ZTNA is to trust nothing and to authenticate every access attempt based on identity and context. ZTNA’s primary function within a SASE architecture is to authenticate users to applications using advanced context and role-based identity combined with Multifactor Authentication (MFA).
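The per-attempt decision described in the SWG and ZTNA sections above, based on identity, role, MFA and device/location context, can be sketched as a default-deny policy check. This is an added example, not Versa's code or API; the class names, fields and sample policy are hypothetical.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset        # role-based identity
    mfa_passed: bool        # result of the MFA challenge for this attempt
    device_managed: bool    # device context
    location: str           # location context (country code here)
    application: str
    # Deliberately no "source network" field: on-prem/off-prem is not an input.

@dataclass(frozen=True)
class AppPolicy:
    allowed_roles: frozenset
    allowed_locations: frozenset
    require_managed_device: bool = True

def decide(request: AccessRequest, policies: dict) -> tuple:
    """Evaluate one access attempt. Default deny: every check must pass."""
    policy = policies.get(request.application)
    if policy is None:
        return (False, "no policy for application")
    if not request.mfa_passed:
        return (False, "MFA not satisfied")
    if not request.roles & policy.allowed_roles:
        return (False, "role not entitled")
    if policy.require_managed_device and not request.device_managed:
        return (False, "unmanaged device")
    if request.location not in policy.allowed_locations:
        return (False, "location not allowed")
    return (True, "allowed")

# Constructed sample data (hypothetical, not from any real deployment).
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"}), frozenset({"US", "DE"})),
}
ALICE = AccessRequest("alice", frozenset({"finance"}), True, True, "US", "payroll")

if __name__ == "__main__":
    attempts = [
        ALICE,
        replace(ALICE, device_managed=False),  # same user, different context
        replace(ALICE, mfa_passed=False),
        replace(ALICE, application="wiki"),    # no policy defined: denied
    ]
    for attempt in attempts:
        print(attempt.user, attempt.application, decide(attempt, POLICIES))
```

The same user is allowed or denied depending only on identity and context, and an application with no policy is denied rather than implicitly trusted.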
