Those who are familiar with the term ‘SASE’ will probably have one common thought in mind: Did Gartner know what was coming in 2020?
It was in July 2019 when Gartner introduced the term SASE in their ‘Hype Cycle for Enterprise Networking, 2019’ report1. SASE stands for Secure Access Service Edge. It redefines corporate networking architectures with context-aware traffic management, replacing the existing, data-centric approach. At first glance, it may seem like a rearrangement and relabeling of the usual network elements, such as private links, secured endpoints, data centers, clouds, SaaS applications, traffic management and network security, to create a new perspective on how companies connect users to their IT resources.
However, on closer inspection, it quickly becomes clear that context-aware traffic management calls for a complete revision of how to define and guard the corporate network perimeter and how to manage its inside. In fact, the idea is key to addressing some gaps that were already present at the turn of the year, but which became significant overnight due to COVID-19.
Admittedly, the number of cloud and SaaS applications accessed by companies has been steadily increasing over the last decade. Enterprises have already transitioned to software-defined wide area networks (SD-WANs) to do away with unnecessary backhauling of cloud and SaaS traffic to the data center. SD-WANs provided improved network performance and optimized network resources by flexibly managing traffic policies at the branch level via a centrally managed, active control plane.
The rise of remote work
In 2020, under the onslaught of COVID-19, employees working in secured LAN and WAN networks suddenly needed to leave the office and continue working from dispersed locations. When working from home, users access the same cloud, SaaS and on-premise applications, but over home WiFi or mobile networks, using their personal devices.
Remote employees, however, are not the only users accessing enterprise IT resources through third-party networks. IoT endpoints, such as smart meters or vehicle fleets, are typically connected to third-party IoT networks. These endpoints, or the edge computing platforms to which they are connected, need access to cloud-based IoT applications that collect and analyze large volumes of data for onward distribution.
This effectively leads to an expanding number of corporate edge points on various mobile, IoT, WAN and edge computing clusters. Each of these edge points generates hundreds of authentication requests and thousands of user sessions while accessing corporate resources to complete tasks such as placing a purchase order, collaborating on a project file, entering a new customer record or, in an IoT context, delivering sensor log data.
Network as a service meets security as a service
Companies hence are looking for access control and security management over extended perimeters covering these new edge points while still requiring the network resource optimization and performance management provided by their existing SD-WANs. This is where SASE builds its value proposition. SASE addresses both these requirements, merging network performance management and network security and providing both ‘as a service’.
A SASE platform, via its SASE gateways and the branch CPEs, connects all corporate edge points, enabling secure access for remote workers, IoT devices and branch offices before routing the resulting traffic through a multitude of network functions. In a SASE gateway, a multi-tenant cloud-native software stack from a single vendor undertakes scores of network performance management functions such as load balancing, WAN acceleration, web filtering, VPN gateway and session border control, but also network security functions such as firewall as a service (FWaaS), cloud access security broker (CASB) and intrusion detection systems (IDS). When combined with adequate points of presence (PoPs), SASE provides routing via a private network for faster delivery of applications, especially for those that are business-critical or latency-sensitive.
Still, in its nascent stage, the SASE idea is yet to be fully implemented. Early players in the SASE market are already rolling out key parts of the service. This includes the release of client-less components that use specific landing pages as gateways for secure access to corporate networks. Clientless components are easy to deploy and provide companies with a ready-made solution for addressing the surge in remote connectivity following the pandemic.
DPI and context awareness
Most IT managers reassessing their company’s network performance and security will realize that the biggest selling point of SASE is the context awareness it adds to network management. Rightfully so – intelligent networking is all about making sensible decisions. Access to applications, for instance, should be based on user identity, device identity and location. For example, a company laptop accessing the corporate network through its secure LAN obviously requires less stringent security rules than an external device coming in from the local ISP. Likewise, traffic prioritization should be based on the criticality of the applications, user identity, time of day and availability of bandwidth, while the application of network security policies should be based on user identity, application risk and traffic anomalies.
Context awareness as offered by SASE is also at the heart of our network intelligence expertise enabled by deep packet inspection (DPI) technology that uses metadata inspection to identify and classify 100 % of IP traffic in real time. Our DPI engine provides rich traffic insights at the packet, application and network level, covering attributes such as origin and destination, user identity and session, protocol, type of application and application attributes such as video, text or voice, speed, bandwidth and latency. With its extensive library of frequently updated traffic signatures, R&S®PACE 2 also features some of the most advanced threat identification capabilities for detecting malware, worms, botnets, ransomware, brute force and DDoS attacks. DPI can be deployed as a stand-alone network service or embedded in network and security solutions such as IP probes and next-generation firewalls.
The real-time network intelligence provided by DPI builds the context for the underlying traffic at any PoP, enabling SASE to apply the relevant policy rules for both network performance and network security. This means that DPI provides the SASE platform with the input it requires to invoke the right mix of security functions from an array of available features such as zero trust network access (ZTNA), secure web gateway (SWG) and web API protection as a service (WAPaaS). It also means that the SASE platform is able to enforce the right traffic management policies such as prioritization of low-latency applications, implementation of CDN, NAT and WAN optimization.
With intelligence at the core of context-aware networking, we see DPI as an indispensable technology in supporting SASE. Easy to deploy on any IP network, our DPI provides SASE players who build their PoPs, platforms and gateways with real-time traffic analytics that is key to policy configuration and real-time handling of traffic.
In other words, if SASE is the crucial architecture for securing and managing the ever-expanding enterprise perimeter, DPI is the logical complement, providing real-time intelligence at every point along the way.