September 22, 2024

SASE Part 1 - A Vendor-Neutral Reference

Today we are going to be diving into Secure Access Service Edge (SASE) and Security Service Edge (SSE) concepts. Hopefully this guide provides enough of an overview to de-mystify a lot of the marketing that exists in the vendor space, and gives you some ammunition to determine if the latest acronyms are a fit for YOUR organization.

Before getting started, I have to recognize that I stand on the shoulders of giants. I (and other consultants in my office) have been recommending a great write-up from Get SASE With Sarah. That article covers a lot of the basics of SASE. In this article, we are going to get into a little more detail, and with a slightly different take on the types of vendors. But I have to give credit where credit is due. Let's get started!


The Traditional Security Architecture

Before getting into the promised definitions, we need to set a bit of context. The traditional security model, i.e. everything you likely read about defending a network, was focused on defending the perimeter of the network. Things outside the network are untrusted. Things inside the network are (generally) trusted, or at least have considerably more access than anything external. To enter the network you have to pass through some type of access control and layered security services, and services or devices requiring direct public access were isolated in a DMZ, where controls were layered differently for public versus internal access. The best example of this is using a VPN to enter a corporate network, where access to internal resources is granted simply because of presence on the network. Sure, there are SOME security services being run internally, but in most real-world deployments they aren't as consistent as the academic models suggest.

Security services in this model were generally layered at the edge of the corporate network, or in a central location in a datacenter, depending on architecture. This obviously has a number of challenges depending on how many sites are in use and how traffic is routed. When services are layered at access points, it requires lots of instances of that service or of the device providing it. For a single instance of a service, it requires all traffic to be routed through that service to be effective. Although not "ideal", this generally worked as bandwidth and CPU power increased over time.

Traditional Model Downsides

This model has a number of downsides. Let's just cover a couple for a moment.

From a security standpoint, access control and most security services are generally layered at the "edge", i.e. where traffic enters or leaves the corporate network. This tends to mean that once an attacker has entered the network they start expanding to wherever they can reach, and their "dwell time" starts. Because the interior of many corporate networks was more trusted, once initial access is gained that network traversal can be accomplished much more easily.

There are also network performance concerns with this approach. Services cost money, and every instance of a new service is an additional license. To avoid additional expense, companies began shaping traffic to concentrate it and pass it through some kind of gateway layering those access or security services. The number of gateways is generally much smaller than the number of branches, so traffic ends up being "backhauled" from a branch to the datacenter, and then out to the internet. This becomes much worse for a remote user on a VPN: traffic moves from the remote worker's location through the VPN to the access point, and then immediately back out to the internet, potentially over a fairly long distance with today's workforce.

There are obviously mitigations that can be put in place to minimize these issues: multiple VPN locations, firewalls at each site, multiple connected IDS/IPS systems tied together, moving some services to the cloud, etc. All of this comes at a quantifiable cost in dollars and in increased complexity of initial configuration and maintenance.

Keep this in mind as we quickly run through the SASE/SSE backgrounds.

SASE/SSE Overview

Secure Access Service Edge (SASE)

I'm sure you can read the title of this section, but SASE stands for Secure Access Service Edge. It was created in 2019 by the research firm Gartner, both in the marketing "hype cycle" (Trough of Disillusionment, anyone?) and in a report called "The Future of Network Security Is in the Cloud". They did this because they noticed that essential business services that used to be hosted on on-prem servers were being migrated to the cloud. When adding SaaS platforms to the mix (Microsoft 365, hosted HR software, DocuSign, etc.), it gets even more difficult to layer the traditional edge or datacenter security products.

The corporate security edge started to get a bit hazy because of separate authentication for each of these services, and web traffic destined for these services wasn't designed to be inspected by traditional security architectures. So SASE became the concept of the "convergence" of network and security services.

Vendors have since grabbed onto the term to apply to their own solutions. But since Gartner giveth the category, Gartner also taketh away by defining the specific requirements to be considered a "true" SASE product:

"Secure access service edge (SASE) delivers converged network and security as a service capabilities, including SD-WAN, SWG, CASB, NGFW and zero trust network access (ZTNA). SASE supports branch office, remote worker and on-premises secure access use cases. SASE is primarily delivered as a service and enables zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies." - Gartner, 30 JAN 2023

So in the end, SASE is a category/concept of services, created by Gartner, that combines network and security services and consists of:

  • Software Defined Wide Area Network (SD-WAN)
  • Secure Web Gateway (SWG)
  • Cloud Access Security Broker (CASB)
  • Next Generation Firewall (NGFW)
  • Zero Trust Network Access (ZTNA) 

... all delivered from the cloud.

All that to mean: in the SASE concept we are changing how a user or service connects to corporate resources, and how corporate security policies are applied to that access.
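What the "zero trust access based on the identity of the device or entity, combined with real-time context" language in the Gartner definition boils down to, set beside the VPN model from the traditional section, as an added example (not code from this post, from Gartner or from any vendor). The corporate prefix, application names, group names, posture fields and the two sample requests are all constructed for the illustration:

```python
"""Perimeter (VPN) trust versus ZTNA-style per-application access decisions.

Added example for this post, not code from any SASE vendor or from Gartner.
Every name here is constructed: the corporate prefix, the applications,
the group names, the posture fields and the sample requests.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Assumed corporate address space: a VPN client on this prefix is "inside".
CORP_NET = ip_network("10.0.0.0/8")

# Assumed per-application ZTNA policy: who may reach what, on which devices,
# and how fresh their authentication has to be (minutes since last MFA).
ZTNA_POLICY = {
    "wiki":       {"groups": {"staff"},   "managed_only": False, "max_mfa_age": 720},
    "hr-portal":  {"groups": {"hr"},      "managed_only": True,  "max_mfa_age": 60},
    "finance-db": {"groups": {"finance"}, "managed_only": True,  "max_mfa_age": 15},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    src_ip: str
    app: str
    device_managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    mfa_age_minutes: int


def perimeter_decision(req: AccessRequest) -> bool:
    """Traditional model: being on the network (e.g. via VPN) is the whole check."""
    return ip_address(req.src_ip) in CORP_NET


def device_posture_ok(req: AccessRequest) -> bool:
    return req.device_managed and req.disk_encrypted and req.edr_healthy


def ztna_decision(req: AccessRequest) -> tuple:
    """Default-deny, per-application decision from identity, posture and context.
    The source address is deliberately not an input."""
    rule = ZTNA_POLICY.get(req.app)
    if rule is None:
        return False, "no policy for application"
    if not (req.groups & rule["groups"]):
        return False, "identity not entitled"
    if rule["managed_only"] and not device_posture_ok(req):
        return False, "device posture failed"
    if req.mfa_age_minutes > rule["max_mfa_age"]:
        return False, "authentication too old"
    return True, "allowed"


def reachable_apps(req: AccessRequest, model: str) -> set:
    """Which applications the requester could open under each model. This is the
    lateral-movement picture: the perimeter model is all-or-nothing."""
    result = set()
    for app in ZTNA_POLICY:
        probe = replace(req, app=app)
        allowed = perimeter_decision(probe) if model == "perimeter" else ztna_decision(probe)[0]
        if allowed:
            result.add(app)
    return result


# Constructed scenario 1: phished credentials used from an unmanaged laptop that
# has been connected to the VPN. Inside the perimeter, so the old model trusts it.
ATTACKER = AccessRequest(
    user="alice", groups=frozenset({"staff", "finance"}), src_ip="10.20.30.40",
    app="finance-db", device_managed=False, disk_encrypted=False,
    edr_healthy=False, mfa_age_minutes=5,
)

# Constructed scenario 2: an HR employee on a managed, healthy laptop at a cafe,
# with no VPN, who completed MFA half an hour ago.
REMOTE_HR = AccessRequest(
    user="bob", groups=frozenset({"staff", "hr"}), src_ip="203.0.113.25",
    app="hr-portal", device_managed=True, disk_encrypted=True,
    edr_healthy=True, mfa_age_minutes=30,
)

if __name__ == "__main__":
    for req in (ATTACKER, REMOTE_HR):
        print(req.user, "perimeter:", sorted(reachable_apps(req, "perimeter")),
              "ztna:", sorted(reachable_apps(req, "ztna")), ztna_decision(req))
```

The thing to notice is the inputs. The perimeter check consults nothing but the source address, so a stolen credential on the VPN reaches every application and the "dwell time" problem from the earlier section begins. The ZTNA check never looks at the address at all; it decides per application from entitlement, device posture and authentication freshness, so the same stolen credential on an unmanaged host gets the wiki and nothing else, while the legitimate remote worker gets their applications without being hairpinned through a VPN first.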

Security Service Edge (SSE)

Then the pandemic hit. Companies who would never have considered how to do remote access now had to come up with a solution. For those that had a corporate network, SASE was a framework that could be applied. But some organizations had no need for SD-WAN because they had no need for prioritized WAN at branches. These orgs still wanted to enforce more granular security controls over cloud or SaaS services, and for that we need ANOTHER CATEGORY. That became apparent in 2021, when Gartner created another category called Security Service Edge, which consists of all the security services of SASE and none of the SD-WAN network access.

So Security Service Edge (SSE) is a category/concept of services, created by Gartner, that combines only the security services and consists of:

  • Secure Web Gateway (SWG)
  • Cloud Access Security Broker (CASB)
  • Next Generation Firewall (NGFW)
  • Zero Trust Network Access (ZTNA) 

... still delivered from the cloud.

What does this mean? When you have successfully moved all on-prem services to the cloud or to SaaS applications and most of your users are remote, there is little need to use SD-WAN to steer traffic. Applying only security policies in the cloud, close to the end user, removes a lot of complexity. This concept is waaaaay more helpful for businesses that need fine-grained control for remote workers but have no SD-WAN requirement.

Why Should I Care?

"So if those are the definitions, why should I care?" - You, probably

Now you are asking the right question! Both SASE and SSE are concepts or frameworks created by Gartner to illustrate the possible combinations of network and security services. But just like all cybersecurity or IT products, they should be taken with a critical eye to ensure you NEED the full combination of services. There are very valid problems that SASE and SSE can solve, but they are NOT one-size-fits-all.

Advantages of SASE

SASE and SSE offer a number of advantages, and which ones apply depends on what you are migrating from.

  1. SD-WAN can give you advantages similar to MPLS networks at a fraction of the cost, and with far more flexibility. SD-WAN allows you to route traffic based on priority or connection type. Examples: sending all VoIP traffic over a dedicated circuit, routing specific application traffic over a private connection to the datacenter, or failing critical traffic over to a 5G backup circuit during an outage.
  2. Consolidate point solutions: reduces the number of vendors and capabilities you manage internally, a big advantage for small teams.
  3. Scalability: easy application of policies across the organization makes integrating new sites much easier than configuring SD-WAN and firewalls using traditional methods.
  4. Removing traditional IT routing challenges: things don't live in the datacenter anymore; applications, users, and devices are all dispersed. SASE can apply universal controls without backhauling all traffic or hairpinning it all the way into the corporate network.
  5. Better user experience: SASE can give better performance and a unified security experience no matter where users are.
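The steering behaviour in item 1 (VoIP on a dedicated circuit, datacenter traffic on a private path, critical traffic failing over to a cellular backup), as an added example that is not code from this post or from any SD-WAN product. The link names, the per-class SLA thresholds and path preferences, and the branch telemetry snapshots are all constructed for the illustration:

```python
"""Application-aware WAN path selection with SLA checks and failover.

Added example for the SD-WAN steering described in the post; it is not code
from any SD-WAN product. Link names, SLA thresholds, path preferences and the
link telemetry below are all constructed for the illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Link:
    name: str
    kind: str          # "mpls", "broadband" or "lte"
    up: bool
    latency_ms: float
    loss_pct: float
    jitter_ms: float


# Assumed steering policy per traffic class: ordered link preference plus the
# SLA a link must meet to carry that class. Traffic for the private datacenter
# ("erp") is never allowed onto the LTE backup in this policy.
STEERING_POLICY = {
    "voip": {"prefer": ["mpls", "broadband", "lte"], "max_latency": 150, "max_loss": 1.0, "max_jitter": 30},
    "erp":  {"prefer": ["mpls", "broadband"],        "max_latency": 300, "max_loss": 2.0, "max_jitter": 100},
    "saas": {"prefer": ["broadband", "mpls", "lte"], "max_latency": 500, "max_loss": 5.0, "max_jitter": 200},
}


def meets_sla(link: Link, policy: dict) -> bool:
    return (link.up
            and link.latency_ms <= policy["max_latency"]
            and link.loss_pct <= policy["max_loss"]
            and link.jitter_ms <= policy["max_jitter"])


def select_path(traffic_class: str, links: list) -> tuple:
    """Return (link name or None, state). State is 'ok' when the first link in
    preference order meets the SLA, 'degraded' when no permitted link meets it
    and the best one that is up is used anyway, or 'blackout' when none is up."""
    policy = STEERING_POLICY[traffic_class]
    ranked = [link for kind in policy["prefer"] for link in links if link.kind == kind]
    for link in ranked:
        if meets_sla(link, policy):
            return link.name, "ok"
    for link in ranked:
        if link.up:
            return link.name, "degraded"
    return None, "blackout"


# Constructed branch telemetry: a healthy MPLS circuit, broadband and an LTE backup.
HEALTHY = [
    Link("mpls-1", "mpls", True, 20, 0.0, 2),
    Link("bb-1", "broadband", True, 35, 0.2, 8),
    Link("lte-1", "lte", True, 80, 0.8, 25),
]


def brownout(links: list, name: str, loss_pct: float) -> list:
    """Telemetry variant: the named link stays up but starts dropping packets."""
    return [replace(link, loss_pct=loss_pct) if link.name == name else link for link in links]


def outage(links: list, *names: str) -> list:
    """Telemetry variant: the named links are down."""
    return [replace(link, up=False) if link.name in names else link for link in links]


def steering_table(links: list) -> dict:
    """Per-class decision for one telemetry snapshot, the way a branch device
    would recompute it on every probe cycle."""
    return {cls: select_path(cls, links) for cls in STEERING_POLICY}


if __name__ == "__main__":
    for label, snapshot in [("healthy", HEALTHY),
                            ("mpls brownout", brownout(HEALTHY, "mpls-1", 3.0)),
                            ("mpls+broadband outage", outage(HEALTHY, "mpls-1", "bb-1"))]:
        print(label, steering_table(snapshot))
```

Two details carry the security and operations point. A brownout (link up, packet loss above the class threshold) moves VoIP off MPLS before users notice, which a static route would never do. And the policy, not the outage, decides what may use the cellular backup: the datacenter-bound class blacks out rather than silently riding a circuit it was never cleared for, which is the kind of decision you want written once and applied at every branch.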

Types of SASE/SSE Vendors

When considering vendors in the SASE/SSE space, they break down into two categories: single-vendor/all-in-one and multi-vendor/combination providers.

Single Vendor

Single-vendor SASE providers are exactly what it sounds like: a single vendor leveraging its own technology to provide all aspects of the SASE or SSE concepts. Single-vendor offerings have a number of advantages, namely that all the technologies are actually designed to work together and there will be a consolidated management portal.

It's important to note that a "true" single vendor can just be a marketing ploy, as a lot of the big vendors have acquired smaller companies and integrated them into their offerings (CloudGenix, for example, which became Palo Alto Networks' Prisma SD-WAN). Also, just because it is single-vendor doesn't mean pricing is as consolidated as the offering. Anyone else tried to price out hardware, maintenance, and full SASE services for varying site sizes in Prisma lately? It sounds like I'm picking on Palo Alto here, but the struggle is real across the board.

Multi-Vendor

This category is the opposite of single-vendor (duh): a vendor combines multiple capabilities (from other vendors) into one managed offering. The advantage here is that you can get multiple "best in breed" point solutions from a single provider, who will also generally manage those services for you. The disadvantage CAN be that these services were not designed to work together, so the quality of the vendor managing them for you becomes important.

A Different Way To Approach The Vendor Discussion

After working with all kinds of different organizations, I've found that the biggest differentiator here isn't single- vs multi-vendor. There is definitely a decision to make between those, but it can be analyzed using a list of the pros/cons of each individual vendor (and their non-core features!). Instead, the most common differentiator is between managed and unmanaged offerings. There is some grey area about where that transition is, but once you get the basic concepts it becomes easier to work through.

Self-Managed/Point Solution Approach

Some organizations prefer to keep the full install, configuration, and maintenance of all their services in-house through a self-managed offering. Think of the big firewall vendors offering SASE/SSE cloud services that the IT or security team installs and maintains. The actual cloud offerings may or may not be managed by the organization (running on virtualized servers or serverless functions), but the hardware and its services definitely are. The advantage of this approach is that the organization is solely responsible for its performance. The downside of this approach is that the organization is solely responsible for its performance.

Another difficulty with this approach (among many) is that deployment is complicated. Billing, communication with the vendor(s), configuration (not just rules for the firewall but overall device configuration), combining capabilities with other services, maintenance, and depreciation of equipment are all challenges in this model. All the traditional disadvantages of self-managed infrastructure apply.

Co-managed or Fully Managed Vendors

This category covers vendors who focus on delivering SASE capability and manage the underlying infrastructure, or give access for co-management. These vendors usually manage the cloud infrastructure and have a single portal to manage configuration across the enterprise. The biggest strength of this approach is offloading the resource maintenance to the provider. One initial concern with this approach is cost, but after working with many different clients considering all the aspects of running their own infrastructure.

When Should SASE Be Considered?

Nobody does digital transformation because it's fun. I recommend using some kind of trigger point to drive the bigger change:

  • Upgrading firewalls: If you need to upgrade or replace firewalls, SASE becomes a really good option instead. By pushing firewalls to the cloud you gain an easier-to-configure central interface, as well as the ability to stand up new sites more easily. Firewall replacement becomes a lot easier when all your policies are written once and universally applied.
  • Updating/implementing SD-WAN: If you are already discussing SD-WAN, you can gain a lot more security protection for very little extra work. Once a business is onboarded, enabling additional services can be as easy as switching them on in the portal. The SASE service does the rest.
  • Migrating business apps to the cloud: As you move more business apps from on-prem to the cloud (or integrate more SaaS apps), SASE starts making a lot more sense with ZTNA and the other traffic-inspection capabilities.
  • Remote worker increase: If your organization is trying to secure more remote workers, SASE and SSE are a much better option than traditional architectures.
  • Increased security: If your business needs more security controls, SASE should definitely be part of the comparison.
  • Small IT/Security teams: If you are trying to do more with fewer people, SASE will likely give you more control and easier administration across your network than traditional methods.
  • Large M&A/Carve-Out: Large business transformations can really reap the benefit of increased control and time saved across an entire project.

A Note On Implementation

Timing in IT transformation can be a significant challenge. Contract renewals are never timed together. The good news is that SASE can be easily phased (remember the scaling advantage above?). Phasing can be by capability, or by site. I have had customers implement a phased firewall replacement as contracts expire, and then apply more security services over subsequent quarters. I've also had clients roll out a vendor's full security suite at their HQ location, and then onboard branches over time. The possibilities are endless!

Not Done Yet!

I hope this has been helpful for those looking for a more in-depth background than traditional articles. This is part one of a three-part SASE series, and next up we will be diving further into the core capabilities. Be sure to subscribe for notifications on additional articles!

Adrian Tilston