September 17, 2021
How SASE Can Improve Security
With data and workloads spread among remote users and cloud services, a decentralized approach can help organizations manage threats.
The secure access service edge (SASE) approach to cybersecurity plays a crucial role in protecting today’s distributed information systems. This evolving security strategy recognizes that organizations now have users working from home, on the road and in other remote locations. Those same users are no longer just accessing information stored in safeguarded corporate data centers but are probably using a variety of cloud-based services to meet their business objectives. In this environment, it’s no longer necessary or prudent to route all remote user traffic through a centralized data center.
SASE technology enables remote work and the use of cloud-based services by shifting the point of security policy enforcement away from the corporate network and applying it wherever users are located. End-user devices and other security tools understand and enforce the organization’s security policies consistently, regardless of the device’s physical location or network connectivity. This allows technology teams to sleep soundly, knowing that remote users are subject to the same security requirements as those who use devices on a corporate network.
SASE technology also simplifies branch-to-central and branch-to-branch network connectivity over highly sophisticated and comprehensive WAN technologies. It pairs that connectivity with enhanced cloud-delivered network security functions, such as secure web gateway, cloud access security broker (CASB), data loss prevention (DLP), Firewall as a Service and zero-trust network access, to support the dynamic secure access needs of digital transformation.
THE ACCELERATED MOVE TO THE CLOUD
A move to the cloud offers multiple benefits but shouldn't be made without considering new security implications.
In a remote work, cloud-first world, a data center approach is difficult to enforce, increases the burden on the data center and results in poor network performance and decreased user satisfaction.
The accelerated move to the cloud has complicated the deployment of sound security policies. Decisions about cloud computing were often made rapidly, and security concerns often were not carefully vetted.
What Is Secure Access Service Edge (SASE)?
SASE combines many existing security technologies with WAN technology to provide users a secure network connection wherever they are. Think of SASE as delivering a secure network connection as a cloud-based service without requiring a connection back to an organization’s own data center.
The COVID-19 pandemic has permanently altered how organizations work, accelerating workplace trends that were already gaining momentum in many industries. Chief among these: the growing adoption of cloud computing solutions and an increased reliance on remote work.
SASE allows cybersecurity teams to apply controls to end-user devices making use of cloud services, simultaneously delivering a better experience for users and protecting the organization’s data from compromise. Organizations adopting a SASE strategy may more effectively use their firewalls, malware protection solutions and other tools.
This shift from centralized applications to the cloud helped drive an increase in the number of remote workers and the amount of time they spend working outside of the office. Employees now demand access to corporate data and use of the same applications they would have if they were in the office.
SASE AND ZERO TRUST
SASE plays a crucial role in enforcing zero-trust policies by providing identity-based remote network access. It works with other security technologies to limit network access to authorized users and then restricts those users to carrying out activities that fit within their security profiles.
Ransomware and phishing attacks continue to plague organizations, and the attacks are growing in sophistication and number. Organizations adopting a SASE strategy will find that this approach supplements existing technologies with additional tools designed to combat modern threats.
SASE and the Fight Against Ransomware
Ransomware attacks continue to cripple organizations across industries. High-profile attacks against Colonial Pipeline and JBS Foods in 2021 made major headlines, but hundreds of other firms fall victim to these attacks every month. The attacks start when a cybercriminal gains an initial foothold on a network and installs malicious code that crawls the network and encrypts data, preventing its legitimate use. The attackers then demand large payments in virtually untraceable cryptocurrency transactions before providing the victim with the means to decrypt the data and restore access.
SASE solutions play an important role in safeguarding networks against ransomware attacks by protecting data that flows over communication channels between an endpoint and resources that are connected to the internet. For example, a SASE solution can detect and block the download of a malicious payload to a client device while also preventing a client from connecting to known ransomware and bot command-and-control servers.
Effective SASE deployments build on a variety of tools and capabilities to create a layered approach to security. They bundle many different security services and capabilities and deliver them to endpoint devices through the cloud, protecting the organization’s data and systems from a wide range of security threats. This requires that organizations build out a comprehensive set of security components and then supplement them with a strong network capability to deploy those services to remote users.
Organizations adopting a SASE strategy should begin with an inventory of their existing cybersecurity controls. They have probably already deployed many of the core technologies that make SASE possible and may leverage those components in their SASE programs with some reconfiguration or upgrades. While some organizations may need to acquire new solutions to fill the gaps in their current cybersecurity program, it’s likely they can begin with the technologies they have and then add capabilities as their SASE program evolves.
Securing Your Distributed Environment with SASE
Working with existing technologies, a SASE strategy can leverage newer technologies to make a disparate environment more secure.
SECURE WEB GATEWAY (WEB PROXY)
Many modern threats gain their initial foothold on endpoints by deceiving end users into visiting malicious websites and downloading content that compromises the security of their systems. Secure web gateway technology seeks to mitigate these threats by inspecting end-user web activity and applying a consistent set of security policies to enforce safe browsing habits at the endpoint.
CLOUD-DELIVERED OUTBOUND FIREWALL
While secure web gateways play a crucial role in protecting users from malicious network traffic, it’s important to remember that not all network traffic uses the web. Cloud-delivered outbound firewalls provide a robust filtering service for other ports and protocols, protecting the organization with the ability to write context-specific rules for the types of network activity permitted from different endpoints.
INTRUSION PREVENTION SYSTEMS
Intrusion prevention systems provide another layer of network security, analyzing traffic to and from endpoints for signs of malicious activity that might escape the notice of a firewall or secure web gateway. IPS platforms combine signature detection techniques that look for known patterns of malicious activity with behavioral analysis technology that watches for activity deviating from normal baselines.
DNS SECURITY AND CONTROL
The Domain Name System (DNS) serves as a crucial backbone of the internet, allowing systems to determine the correct IP addresses associated with each domain name. SASE solutions incorporate DNS security tools that leverage this centralized lookup server to enforce security policies. SASE endpoints receive DNS service through a trusted, secure DNS server as part of their cloud-delivered bundle of network services.
CLOUD ACCESS SECURITY BROKER
The proliferation of cloud services makes it extremely difficult for cybersecurity teams to stay on top of the many consoles and tools used to manage those security configurations. Cloud access security brokers provide a unified platform where administrators can centrally configure policies for cloud service use.
COMMON CASB APPROACHES
One common CASB solution is the proxy-based (inline) approach, which monitors and controls traffic between an endpoint and a Software as a Service system by proxying the HTTP/HTTPS connection. In another approach, the CASB solution reaches into each of the cloud services used by the organization via its application programming interface and configures the cloud service to enforce the organization’s policy.
DATA LOSS PREVENTION
DLP platforms focus on protecting data from compromise by monitoring outbound network traffic for potentially unauthorized exfiltration of sensitive information. They then step in and block transmissions that would violate security policies, preventing data from being irretrievably lost. Network-based DLP solutions may be delivered as part of a bundle of cloud security services provided over an end user’s network connection.
REMOTE BROWSER ISOLATION
In a remote browser isolation (RBI) deployment, users see a familiar web browsing interface and can navigate to any website that meets the organization’s security policy. However, the user’s computer doesn’t run the browser and never interacts directly with the remote website. Instead, the user controls a web browser installed on the RBI platform.
The security components of a SASE deployment play a vital role in protecting users and devices from cybersecurity risks. However, these are effective only if they are delivered to endpoints as a bundled set of security services. The network components of a SASE deployment offer this delivery service.
VPN as a Service
This approach replaces traditional VPNs with a bundled service that uses VPN encryption to protect network traffic to and from endpoints.
Software-defined wide area networking rests at the heart of an organization’s SASE deployment. SD-WAN allows remote offices to access the internet directly.
Circuit Aggregation and Consolidation
SD-WAN and direct internet access help organizations dramatically reduce their connectivity costs by aggregating and consolidating communication circuits.
Strategies for Effective SASE Deployment
As organizations consider the future of SASE deployments, they should also rethink both their security posture and their network connectivity model. Changing to a decentralized enforcement of centralized security policies marks a major paradigm shift, but it comes with the significant benefits of reduced network costs and improved security posture. With the right planning, SASE initiatives can deliver tremendous business value.
SASE deployments differ from other security projects that organizations undertake.
CLOUD-BASED NATURE OF SASE
The cloud-based nature of SASE components allows organizations to make only minimal capital expenditures because there isn’t much hardware to purchase. This approach also dramatically reduces the risk of sizing and scaling the security components of a SASE deployment. Cloud-based SASE components can simply scale with the business, expanding and contracting to meet changing requirements. SD-WAN connectivity is perhaps the only area of a SASE deployment that requires careful sizing prior to selection.
The service-based nature of SASE solutions gives organizations significant flexibility over traditional tools. Organizations can avoid “big bang” upgrade and migration projects that cause service outages, instead opting for small, controlled pilot testing of new technology with isolated test groups. Once they’re confident that the technology works properly, rolling it out to the entire organization is often as simple as flipping a switch. This approach improves the user experience and limits the negative impact of changes.
AUTOMATED SECURITY OPTIONS
SASE solutions fit nicely into organizations’ efforts to automate their security operations. Application programming interfaces offered by SASE component providers enable the direct integration of SASE tools with security orchestration, automation and response platforms. This allows both internet-based tools and on-premises security devices to play a role in the organization’s automated responses to changing cybersecurity circumstances. By working cooperatively with other security tools, SASE components provide IT teams and security leaders with both enhanced visibility into their current security posture and rapid response capabilities when things go wrong.
Robert Herriage, a solution architect team lead for secure access service edge and enterprise networking at CDW
Philip McClure, an experienced information technology professional in security, network and systems administration at both staff and management levels in the government, higher education, healthcare, manufacturing, financial services and technology sectors
Pete Schepers, who has been with CDW for more than 10 years and has worked in professional services roles and most recently as an enterprise solution architect
Jack Wang, a principal solution architect for CDW’s SASE practice, focusing on solution design and developing strategic relationships with customers to guide them in their decision-making