Secure access service edge (SASE) is the recommended architecture for security and connectivity. SASE combines wide area network (WAN) technology, which provides a robust on-ramp to the cloud, with network security services in one cloud-delivered connectivity and security software stack. This allows enterprises to connect geographically diverse workforces securely while reducing network latency and performance issues.
Though SASE is a relatively new concept, it’s taking the IT world by storm, partially due to the pandemic forcing companies to adopt or improve their remote work capabilities. In addition, SASE addresses the security challenges of using WAN and SD-WAN (software-defined wide area network) technology for remote and branch office (ROBO) network management.
Let’s examine two essential SASE model use cases and discuss the benefits of integrating SASE into your enterprise network management and security strategy.
SASE model key use cases and benefits
SASE offers numerous benefits for remote and branch office security, performance, and network management, which may be why Gartner predicts that at least 40% of enterprises will have explicit plans for SASE adoption by 2024. Consider these use cases as you decide whether adopting the SASE model aligns with your business goals and network management and security requirements.
SASE use case #1: Replacing VPNs for remote work
The need to pivot to a remote workforce in 2020 has driven many organizations to prioritize SASE adoption. Enterprises have used VPNs (virtual private networks) to handle their limited work-from-home traffic, but scaling up a VPN solution with enough licenses and VPN concentrators to meet an entirely remote workforce’s increased demand can be expensive.
Additionally, not all VPN services include centralized remote management to deploy, monitor, and manage remote connections. This could be a minor issue if you only have a handful of remote employees at any given time, but a substantial logistical challenge when your entire workforce must suddenly pivot to work from home.
If you were relying on a VPN solution for all remote work, you likely found yourself overwhelmed by the need to deploy and troubleshoot hundreds or thousands of new VPN client installations, keep those connections secure without crippling your network performance, and ensure that all your enterprise and cloud applications were tested and supported for VPN access.
SASE model benefits of replacing VPNs for remote work
SASE implementations can solve a lot of these remote work challenges. Instead of creating an encrypted tunnel between each remote workstation and your primary network, like a VPN, SASE connects remote users to nearby points of presence (PoPs) to access enterprise applications and resources in the cloud or the data center.
All traffic to and from a PoP is encrypted, with other security technologies—such as secure web gateways (SWGs), remote browser isolation, and cloud firewalls—layered to monitor and protect system use. SASE provides additional security by using cloud access security brokers (CASBs) to apply enterprise access control policies to resources outside of the data center, such as Software as a Service (SaaS) tools or other cloud applications.
Despite these robust security controls, SASE still reduces network latency and improves application performance for remote workers compared to a VPN. Instead of relying on a limited number of VPN gateways to handle all your remote traffic, SASE uses a wide network of PoPs to connect remote users to the services and applications they need.
If a remote user needs to access a cloud application, a PoP can connect them directly to that service, bypassing your data centers and reducing the load on your network. In addition, many SASE providers house their PoPs in the same facilities as major SaaS providers—Microsoft 365 and Salesforce, for example—optimizing the routing paths to these applications and improving performance for remote workers.
IT teams may find SASE easier to manage than VPNs as well. One of SASE’s big selling points for engineers and security teams is reduced network complexity: SASE seeks to replace the physical and virtual VPN appliances you use for remote traffic with a single cloud-native solution. A main advantage is a better end-user experience, since traffic reaches its destination quickly without tromboning (hairpinning) through the data center, where it would compete for bandwidth and incur added latency.
This also reduces the amount of time and resources spent on updates and patching, device maintenance, and configuration management for your VPN appliances and other remote and branch network infrastructure. SASE also provides one centralized management platform to control identity management and security policies for the entire enterprise and monitor and manage remote network traffic.
Replacing VPNs with SASE for your remote workforce improves the security of your remote traffic and systems, reduces network latency, increases SaaS and cloud application performance, and simplifies remote network and security management.
SASE use case #2: Optimizing SD-WAN security and performance
Many enterprises have already jumped from VPN and traditional WAN technology to SD-WAN, or software-defined wide area networks. SD-WAN improves upon WAN technology (often using existing public and private WAN connections as a backbone or underlay network) to connect remote workers and branch offices to enterprise services and applications.
SD-WAN separates the control and management processes from the underlying WAN hardware and makes those functions available as software (hence the name “software-defined” WAN). This virtualized overlay network creates a private, encrypted WAN to connect branch locations, prioritize and route ROBO traffic, and manage and monitor network performance.
SD-WAN does present some security challenges, however. An SD-WAN implementation requires the use of firewalls, intrusion prevention, and web filtering at each branch office, which could mean installing and configuring hundreds or thousands of security appliances. Cyberattacks are becoming a more significant threat each year, reportedly costing businesses up to $4 billion in 2020, so many enterprises are looking to a security-centric solution like SASE to protect their network edge. SASE essentially combines SD-WAN functionality with network security features and bundles them together as a single solution.
SASE model benefits of optimizing SD-WAN security and performance
SASE allows teams to manage both SD-WAN traffic and security from a single pane of glass. SASE solutions roll up security features like CASB, firewall as a service (FWaaS), and zero trust network access (ZTNA) into a single cloud-native service to prevent, detect and mitigate network attacks without the need to deploy multiple security appliances and solutions for all your branch sites.
For existing SD-WAN implementations, you can layer SASE’s network security features into the WAN appliances at each branch office to provide next generation firewall, intrusion protection, analytics, and unified threat management functionality without purchasing new infrastructure. This means you can manage the security of all your branch locations without needing to install firewalls and other security appliances at each site, reducing network complexity by combining SD-WAN and security into one centrally managed solution.
Plus, since the SASE model connects remote and branch users with SaaS and cloud applications via PoPs, you won’t need to backhaul your branch office traffic through your primary network’s firewall. This means your external-to-external traffic (from branch sites to cloud services and vice versa) bypasses your primary network entirely, reducing bottlenecks and delays and improving network and application performance.
You can use SASE to integrate cloud-based security functionality like CASB, FWaaS, and ZTNA with your existing SD-WAN infrastructure, or you can use SASE’s combined security and SD-WAN service stack to upgrade a traditional WAN architecture. Either way, you’ll reduce network complexity and provide a centralized solution for managing ROBO network traffic and security, all while reducing network bottlenecks and application performance issues.
Take complete advantage of all SASE model benefits
Two of the biggest use cases driving enterprises to adopt SASE include the recent pivot to a remote, home-based workforce and the need to improve the security and management of WAN and SD-WAN technology for branch offices.
The SASE model combines SD-WAN technology with network security features into a unified, cloud-native service stack to provide enterprises with many benefits, including increased security, improved application and network performance, and simplified management for remote and branch office connections.
To realize a SASE architecture, organizations need a robust and extensible branch edge device that can be the ‘Access’ on-ramp to the cloud-delivered ‘Secure Service Edge’ (SSE).
ZPE Systems’ Nodegrid family of hardware and software is a modular, vendor-neutral solution that provides innovative features such as 4G/LTE failover to maintain business continuity, remote out-of-band management (OOBM) for greater device visibility, and zero touch provisioning (ZTP) to automate deployment. Our SR family can also be the on-ramp to SSE vendors such as Zscaler, Netskope, Acreto, or similar. Contact us for a deep-dive video demo of our solution providing the Access on-ramp for SSE to flexibly realize the SASE architecture.
ZPE Systems’ Nodegrid platform is a comprehensive branch networking solution that supports the SASE model.
To learn more about how Nodegrid’s built-in automation and ROBO management features can streamline your SASE deployment, get in touch with ZPE Systems today.