The Components of SASE
SASE converges both networking and security capabilities into a single-service cloud-native model, and includes several distinct components.
SASE is more than a single technology; it is an entire package of technologies that embeds security into the global fabric of the network so it is always available no matter where the user is, where the application or resource being accessed is, or what combination of transport technologies connects the user and the resource.
Software-defined WAN (SD-WAN)
Secure SD-WAN technology forms the foundation of a SASE solution by enabling optimal performance and intelligent routing in a client-to-cloud network architecture. Key capabilities include:
- Secure traffic on-ramp and off-ramp
- Multicloud connectivity
- Embedded UTM security features
- Leveraging internet-based backbones
- Traffic routing from anywhere
- DIA, direct cloud access, and intelligent traffic steering
- Path selection to optimize consistent user experience
- Inline encryption
- Advanced routing and dynamic path selection
- Application-awareness and traffic classification
- Globally distributed gateways
- Latency optimization
- Self-remediating network capabilities
A cloud-based Next-Generation Firewall (NGFW) is a scalable, application-aware software solution allowing enterprises to eliminate the challenges of legacy appliance-based solutions, offering a full set of UTM features. A NGFW solution goes beyond a stateful firewall by offering features such as advanced threat protection, web and network visibility, threat intelligence, and access control. At the minimum, organizations should expect the following for their NGFW deployment:
- User and application access control
- Intrusion detection and prevention
- Advanced malware detection
- Threat and network intelligence
- Automation and orchestration
An SWG guards WFA users and devices against internet-sourced threats by protecting a web-surfing user device from being infected by unwanted software or malware and by enforcing corporate and regulatory policy compliance. An SWG includes:
- Enforcement of internet security and compliance policies
- Filtering malicious internet traffic with UTM capabilities such as URL Filtering, antivirus, anti-malware, IDS/IPS, zero-day attack prevention, phishing protection and more
- Application identification and control capabilities
- Data Loss/Leakage Prevention (DLP) capabilities
- Remote Browser Isolation (RBI) to scan user sessions for risk, allowing users to safely navigate today’s menacing threat landscape. Risky websites are rendered on remote browsers, while sanitized pages (mostly as image files) are rendered on the user browser. RBI allows anonymous browsing and risk-free open access to internet sites.
SWGs can be implemented as on-premises hardware, virtual appliances, cloud-based services, or in hybrid mode as combined on-premises and cloud.
Cloud Access Security Broker (CASB)
A CASB offers products and services to address security deficits in an organization’s use of cloud services. It fills the need to secure cloud services that users are increasingly adopting, and in the growing deployment of direct cloud-to-cloud access. A CASB provides a central location for concurrent policy and governance across multiple cloud services for both users and devices along with granular visibility into, and control over, user activities and sensitive data.
A CASB delivers five critical security capabilities:
- Cloud application discovery
- Data security
- Adaptive access control
- Malware detection
- User and Entity Behavior Analytics (UEBA) which offers policy enforcement based on unusual behavioral patterns of traffic to/from cloud services
CASBs can be either on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to inject enterprise security policies as the cloud-based data or applications are accessed.
ZTNA is a framework of technologies working together, based on the premise that nothing is trusted: not users, devices, data, workloads, locations or the network. ZTNA’s primary function within a SASE solution is to authenticate users to applications. Advanced context and role-based identity, combined with Multifactor Authentication (MFA), are essential for securing access for users and devices, for both on and off-network access.
There are two general models of a ZTNA implementation:
A software agent installed on the device sends its security context and credentials to an SDP controller for authentication. This model is suitable for managed devices.
An SDP (or ZTNA) connector installed along with the application establishes and maintains an outbound connection to the cloud provider. Users are challenged to authenticate to the provider to access protected applications. This model is suitable for unmanaged devices as no special software is required on the end device.