maxkabakov - Fotolia
SASE model drives improved cloud and work-from-home security
Find out how the Secure Access Service Edge model provides increased work-from-home security and cloud access outside of the traditional enterprise data center access model.
A significant percentage of the workforce working from home due to the pandemic won't be moving back into corporate offices when COVID-19 recedes. The result is that enterprises need a stronger work-from-home security strategy, and the SASE model can do the job.
After seeing that their teams can be effective working from home or elsewhere, Nemertes' research on the digital workplace revealed many companies see an opportunity to let go of office space and all of the associated real estate and office management expenses. To do this safely, however, businesses need to embrace a different way of thinking about security, which was already becoming urgent before the pandemic.
Nemertes completed its Next-Generation Networking 2020-21 Research Study just before the first major COVID-19-driven lockdowns. Even then, the results revealed only about 39% of enterprise WAN traffic originated and terminated inside the enterprise -- i.e., started in a branch office and ended in a data center. The rest of the enterprise WAN traffic originated or terminated outside the organization -- i.e., in a home office or a cloud service.
Just under 20% of traffic both originated and terminated outside the organization, as when a staff member working from a hotel gained access to the corporate network through a VPN only to be routed out to Microsoft 365 or another cloud application. Since the pandemic drove the broad mass movement to work from home (WFH) and accelerated many cloud migrations, that 20% probably has ballooned. The fact that so many people will never go back to the office means enterprise WAN traffic patterns will never go back to prior levels.
All security predicated on inside-to-inside traffic, therefore, needs to be reconsidered as work-from-home security or, more broadly, as security designed for work from anywhere. Enterprises need to seamlessly integrate securing the traditional scenarios and the newer outside-to-outside scenarios exemplified by WFH access to the cloud. Traditional VPNs can be difficult and expensive to scale up to the necessary numbers of sessions and volume of traffic.
SASE model shifts security focus to WFH and cloud model
The fast-emerging Secure Access Service Edge (SASE) model is focused on shifting enterprise security to a more cloudlike operating model. Instead of a small number of VPN on-ramps located in company data centers, SASE tools provide a widely distributed set of points of presence (POPs), and users authenticate to the nearest one to connect to enterprise resources in the data center or in some flavor of cloud.
Among the benefits of the SASE model, all traffic to and from the entry POP to resources in the cloud or enterprise data center are encrypted, and various other types of security technologies are layered on to monitor and protect system use, including secure web gateways and cloud firewalls. Most importantly, SASE systems provide or integrate with cloud access security brokers (CASBs) to apply enterprise policy access to enterprise systems outside the data center, especially SaaS tools that enable traffic to head straight to the cloud and bypass data centers. SASE POPs will often be in the same facilities as SaaS provider access points, so traffic will get to the SaaS solution with minimal latency.
Extend secure enterprise-managed endpoints
As the massive shift to WFH placed even more attention on securing enterprise-managed endpoints without the protections of enterprise networks, the need to reach beyond traditional SASE became clear. Specifically, while SASE provides cloud-based VPN on-ramps, enterprises need a holistic approach to protecting endpoints and both the cloud and on-premises environments from attack. This entails integrating endpoint protection and endpoint detection and response with SASE.
Furthermore, the entire environment needs comprehensive behavioral threat analytics -- often provided as part of extended detection and response (XDR) products to make the whole operation responsive to diverse and subtle threats in real time. Nemertes calls this combination of functions secure cloud access and policy enforcement (SCAPE).
SASE tools and services from vendors, including those from Cato Networks, Cisco, Fortinet and Palo Alto Networks, are all evolving toward SCAPE as enterprise embrace of integrated endpoint protection deepens and as broad-based behavioral threat analytics or XDR get more deeply integrated. Gartner defines XDR as a "unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components."
Enterprises should evaluate their own needs and preferences as they assess their options, especially with respect to how they want to combine managing security for on-premises users and private cloud resources with managing work-from-home security or, post-pandemic, from anywhere but the office.