A True SASE Solution Requires a Cloud-First Architecture

Traditional network architectures are rapidly becoming outmoded. They were built for bygone days when applications and other corporate resources were housed in the data center—the go-to point of access for users and devices.

In today’s world, where the perimeter has dissolved, enterprises are expanding their environments to cloud platforms and software-as-a-service (SaaS) applications. As Gartner points out in its recent report, “The Future of Network Security Is in the Cloud" (registration required), just about everything you can think of is now running or stored outside the enterprise—from work applications to sensitive data and traffic, both at the main office and branches.
 

SASE comes into its own

Digital business transformation has ushered in a demand for greater agility. Companies are finding that they need to provide consistent and secure globally available access to applications and services, regardless of where users—whether employees or customers—are located or what devices they are using. The evolution of a user-centric world has brought forth a technology known as cloud-based secure access service edge (SASE, pronounced “sassy”). Gartner defines SASE as a solution that offers “comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises.”

How is a true SASE solution built?

The architecture of a true SASE solution is distributed and globally accessible. No matter where in the world users are located and no matter what applications they need to access, the SASE architecture uses intelligent methods to manage and optimize direct connections (peering) to the closest cloud applications and services. The big benefit of this approach is that it optimizes bandwidth and ensures low latency—and the result is seamless and secure connectivity that makes for a great user experience.
 

A proxy-based architecture allows you to do more

A true SASE model runs on a proxy-based architecture, which provides flexibility that is unmatched by traditional network architectures. It enables scalability and typically inspects all traffic, including encrypted traffic. The key benefits of a proxy-based architecture are less complexity and security, more comprehensive and stronger security, and increased application performance. Let’s drill down into some of the specifics:

• SSL decryption at scale is another critical capability of a SASE solution. With more than 50 percent of malware hiding in encrypted SSL traffic, this has become a major blind spot for organizations. The SASE proxy architecture inspects all encrypted traffic, at scale —with the capacity to meet all your security needs today and tomorrow.
• SASE provides zero trust network access (ZTNA). ZTNA provides precise, identity-aware access to internal applications without placing employees, contractors, and other users on the network or exposing the applications to the internet. ZTNA makes access faster and simpler, even if devices are unmanaged, and it reduces risk by eliminating the attack surface.

Getting close to the user

SASE is architected in a way that places it close to users. In a world where much of what users need to access is outside the data center, relying on a traditional network to route access requests to and from the data center can impact the user experience and productivity—not to mention that dedicated MPLS is prohibitively expensive. A SASE solution, on the other hand, relies on direct peering, which enables it to intelligently send user access requests to the applications closest in geographic location, providing a great user experience. It also optimizes direct connections (peering) to cloud applications and services, which ensures excellent performance and low latency.
 

The advantages of multi-tenancy

True cloud-native SASE architectures are usually multi-tenant, with multiple customers sharing the underlying data plane. According to Gartner, some vendors use a dedicated instance per customer, but this will limit the SASE solution’s ability to scale. The most effective SASE solutions are built from the ground up to be truly multi-tenant. The best SASE vendors have well-developed cloud infrastructures, and some have more than 100 data centers worldwide. This type of multi-tenant architecture allows users to access any of the vendor’s data centers and still stay secure while providing an environment that can scale globally and on demand for fast-growing enterprises that will soon be on their way to full cloud.
 

The big caveat

Now that you have a good idea of the SASE architecture and how it works, you’re ready to start on your journey to digital transformation. There is a caveat, however, that Gartner points out in its report. Some vendors say they have a SASE solution, but the reality is quite different. These providers use an approach that is much like a traditional network. They rely on virtual machine-based offerings running in cloud-provider infrastructures. There are several problems with this approach:

• The user experience is less than optimal because of the backhauling required from the cloud to the vendor and then on to the applications users want to access.
• This model relies on a single-tenant architecture using network-based access policies in a SASE model, which should be based on user access. This results in more complex policies that don’t translate well to SASE. It also limits scalability.
• It may use a patchwork of multiple products or services that are not truly integrated but rather cobbled together through an overlay user interface. Just as you can’t stack DVD players and call it a Netflix streaming service, you can’t move a traditional network security stack to the cloud and call it cloud security (SASE).  

Additional reading:

White paper: The Top Three Benefits of SASE

Learn how Zscaler delivers on the SASE promise.

Chris Morosco is Senior Director of Product Marketing at Zscaler.