How do you compare SASE network security across vendors?
Comparing SASE network security requires evaluation of how each vendor offers configuration, out of the box policies and ongoing support including real-time threat analysis. While the term SASE (Secure Access Service Edge) has been adopted by the industry to describe the framework to secure Wide Area Network services, the feature-set and deployment options vary when comparing SD WAN vendors.
The Software WAN marketplace is offering differing capability across the SASE concept with some choosing to integrate with security vendors, providers and integrators and others building SASE architecture into their end to end proposition.
With the above in mind, there is a need to research how each SASE solution will fit into your business and WAN architecture. While there is clarity on what SASE is and why the concept is required, SD WAN and Security vendors will and are offering their own specific feature-set within the framework.
The goal of most IT teams is to deliver a SASE security service with network (I.e. secure SD WAN) in one holistic fabric. The SD WAN vendor marketplace offers varying capability which the Enterprise must align against specific needs and requirements.
Why do we need the SASE concept?
Gartner created their paper which is titled 'The future of network security is in the cloud' to recognise how every business is adopting cloud working methodologies. We've written about how the new WAN edge is actually 'mobile users' with traffic originating from almost anywhere on a global basis. With the flexibility offered by public Cloud SaaS services, there needs to be a recognised out of the box standard to deal with security. I appreciate that an out of the box deployment may appear a little blasé when discussing network security but the reference is more defining the need to offer a base feature-set.
SD WAN attempts to make SASE cloud security deployments simple by allowing IT teams to essentially turn on the network security architecture features required which include both a base level of configuration but also access to recommended policies. SASE moves WAN capabilities to the next level of sophisticated solutions for the cloud computing world.
The SASE business outcome should be to implement verification of the user followed by trust. Prior to the SASE framework, traditional Firewall security verified the user without too much thought to live security threats. Although Next Generation Firewall services have advanced, SASE describes the full feature-set needed for the Enterprise to operate in the cloud with associated threats. NGFW as a concept was not intended to fully support cloud based adoption due to scalability issues associated with multiple connections from cloud applications.
Which SASE components do you need to compare?
When comparing SASE, Netify recommends gaining clarity on four main aspects:
1. Feature-set - does the SD WAN vendor offer a built-in feature set or do they partner with a security specialist? If your prospective SD WAN vendor is offering SASE partnership integration, careful thought must be given to resiliency.
2. Management - SASE should be managed centrally allowing for easy definition of places, unified incident management, control of access, cloud API integration and any policies which cover acceptable use based on the profile of your business or organisation.
3. Real time threat analysis process - Gartner states that SASE leaders must offer security which adapts to risk and trust. The SASE framework which encompasses these elements are CARTA (Continuous Adaptive Risk and Trust Assessment). The adaptive nature of SASE means that policies are provided based on user profile for overall access together with ongoing real-time analysis of global security threats.
4. Support - the vendor should control the complete SASE stack with the ability to support every aspect of the solution in a DIY, co-managed or fully managed capacity.
The majority of SASE provider solutions will be delivered with SD WAN services which may include WAN acceleration, cloud path selection and quality of service to further consolidate a single Enterprise proposition. Regardless of your deployment architecture, the SASE component should be well placed to meet the demands of the following attributes:
- Global capability - SD WAN SASE vendors will offer either private backbone or public gateway PoP access. Where solutions do not offer backbone or public gateway, the vendor will typically opt to partner with a specialist SASE provider, Zscaler is a good example. The global aspect reflects the need for SASE to exist on a global basis rather than backhauling traffic to on-site Firewalls or specific Data Centre locations which does not meet the demands of cloud working and cloud resources.
- CNaC (Cloud Native Architecture) - as with our previous writing surrounding CNaC, the Gartner frameworks should be delivered as turnkey solutions where CPE is involved. In other words, the vendor should control the complete technology stack to offer effective support. The alternative is to deploy discreet security and networking devices. Where vendors do integrate a SASE security service into their solution, the service offering should be completely transparent by connecting elements via API access.
- Identity - SASE revolves around user identify with real-time analysis of traffic origin type and random samples of data to look for patterns.
Security as a Service under the SASE framework must be based on an Enterprise network design which offers dynamic inspection of traffic across users from wherever they are located. The objective is to detect any malware which may even be within an encrypted traffic flow across multiple layers from the app type, the domain name and the actual URL. In addition, the security must be fully SASE cloud accessed with aspects such as DNS security and control with the capability to inspect SSL traffic across mobile users, branch office locations and the HQ.
And, with all aspects discussed in this article, management and visibility should be simple to access offering complete control and out of the box deployment where required.
Proxy based secure web gateway - inspection of web requests including company policy restrictions.
URL filtering - immediately ban URLs based on both company policy and live up to date database threats.
SSL interception - ability to look at SSL packets to establish whether threats are encrypted.
Advanced threat protection - real time analysis of traffic with AI learning and constant analysis of customer traffic to identify patterns.
DDOS/WAF as a service - designed to protect web based application by examining the traffic between the app and Internet.
DNS security - transition from using static name servers to globally based DNS which helps to absorb attacks but also to avoid DNS forgery.
CASB (Cloud Access Security Broker) - SASE is actually contained within the SASE framework although the term was discussed by Gartner from 2015 to date. CASB recognises the transition from the centralised site Firewall with on-site apps to the security model Cloud based SaaS applications.
FWaaS - Firewall as a Service delivers next generation Firewall security (NGFW) with layer 7 Inspection, URL filtering, threat and intrusion protection and security using DNS (Domain Name Server).
ZTNA (Zero Trust Network Access) - ZTNA describes how the cloud enabled Enterprise must never trust traffic (zero trust model) but always verify. This may include segmenting networks with layer 7 threat analysis.