SASE – Secure Access Service Edge – is increasingly important as flexible working becomes a standard aspect of corporate IT. Managing cyberthreats is steadily more difficult as the traditional network perimeter disappears.
With employees working remotely and new services being regularly deployed to the cloud, the IT security team is managing thousands of additional end points. Each node represents a potential attack surface that could be exploited to gain access to corporate resources.
SASE takes a multi-level approach to building a coherent defense strategy that protects assets in any location. Digitalizing SASE allows you to use technology to streamline and simplify security management – and to improve your defense capabilities.
There are two key aspects to digitalized SASE: Secure Web Gateways (SWG) and Next Generation Firewalls (NGFW).
Network traffic has grown exponentially as the amount of data being collected and used increased, placing burdens on internal networks. With the adoption of SaaS technologies like Office 365 and Salesforce, that pressure is also affecting external network bandwidth.
Initially, the solution was to deploy SD-WAN technology which increased speed and scalability. SD-WAN also solved many of the limitations associated with VPNs, by moving connectivity controls to the cloud to relieve pressure on the in-house data center. Now decentralized, applying SASE principles to traffic outside the network is simpler.
There is one basic problem with the default SD-WAN set-up. If a hacker manages to compromise an endpoint, they can hijack the SD-WAN connection to access protected resources. Which is where an SWG can help with your digitized SASE strategy.
Securing web traffic and applying SASE policies
A secure web gateway acts like a cloud-based proxy for network traffic between your sites, creating a new line of defense even as the old concept of the network perimeter becomes less useful. All of your users’ network traffic is routed through the SWG for analysis and comparison against your SASE configurations. Traffic passing between endpoints and corporate IT resources is carefully inspected in real-time to identify and block suspicious activity.
The SWG allows you to enforce SASE policies for resources that are hosted outside the corporate network – including the endpoints themselves. You can permit or deny access to resources and services that are not work related, which have not been approved for use, or which present an identified risk to corporate resources. The SWG offers additional, automated protections like sandboxing and deep packet inspection.
In this way, SWGs solve two of the most pressing SASE problems. First, they can be used to monitor and protect traffic that never actually passes through an ‘owned’ resource, like the data center. Second, the SWG filters traffic from endpoints that are outside the IT department’s control – like those used by remote workers. Security policies and filtering can be applied to all traffic regardless of its location.
The elastic nature of the cloud allows the SWG service to scale as demand increases, ensuring that SASE policies continue to be applied consistently. Digitalizing SASE also reduces latency and improves performance because cloud-based policies are brought closer to the user – traffic is inspected before it ever reaches critical resources on-premise or in the cloud.
Going beyond SWGs
The secure web gateway for protecting against malicious network traffic – but the SWG is not enough on its own. Your digitized SASE platform will also need to monitor and protect at the application layer – which is where the next generation firewall comes into play.
The NGF also exists in the cloud and on premises, again to filter malicious activity between endpoints and your corporate resources. Ideally deployed as an add-on to the SWG, an NGF goes beyond the traditional allow/deny rules-based traffic filtering.
To do this, the NGF has additional capabilities:
- Deep packet inspection and filtering analyzes all network traffic to detect and block suspicious or unexpected data packets that may indicate a cybersecurity threat. Unlike traditional firewalls which only check the validity of incoming and outgoing addresses, the deep packet inspection (DPI) capabilities of the NGF also assess the contents of each packet to detect malware signatures and other threats.
- Application awareness and control analyzes network traffic at layer 7 – the application layer. This allows you to better apply your digital SASE processes and block risky applications, preventing their traffic – and potential threats – from entering the network.
- Intrusion protection identifies and blocks known and unknown threats. The NGF compares packets to known threats and looks for unusual changes in traffic and protocol behavior.
The NGF is also able to accept threat intelligence data from the manufacturers. This information sharing helps to ensure that SASE provisions are always up-to-date and ready to deal with new cybersecurity threats as they emerge.
Protecting all network traffic
Digitalizing SASE means more than simply protecting your SD-WAN network however. Because of the increased sophistication of cybersecurity attacks, all incoming and outgoing traffic needs to be monitored and assessed to ensure bad actors and malicious traffic are blocked.
Choosing cloud-based SWG and NGFs simplifies and accelerates deployment because all of the underlying infrastructure is managed by the service provider. More importantly still, any traffic can be routed through the platform – not just SD-WAN connections. This flexibility allows you to apply your SASE protocols quickly and efficiently for any remote (or local user) with minimal additional set-up or configuration.
Digitalizing SASE to enhance network protections
Deploying SWG and NGFs will become increasing important as network traffic and volume continues to grow. With digitalized SASE you can apply best practice network security protections to all of your incoming and outgoing traffic, in the cloud and on-premises. SWG and NGFs will also help to reduce some of your administrative overheads, possible threat vectors and malware infections, as well as shared threat intelligence to proactively upgrade and patch systems to prevent new, previously unidentified threats from compromising your security.