16 December 2023
What would you say if improved information security in line with the Zero Trust model was brought to remote users, but with increased convenience and ease of use? This is made possible by SASE, or Secure Access Service Edge.
In my previous blog post, I wrote about modern and secure corporate networks, so this time I will focus on the cloud security component of SASE, the so-called Security Service Edge, SSE, which I will refer to by using the general term SASE in this post.
Remote access in a changing world
Today's assumption is that all work is done remotely. A traditional virtual private network, or VPN, connection opens a tunnel from the workstation to the corporate network at a network level. The path from the user's computer to the corporate network is then open to a large extent. VPNs have been in the news often in recent years, with their vulnerabilities and involvement in many serious data breaches. Installing updates is often difficult and inevitably delayed. That is why the risks of remote VPN connections have increased dramatically, while they have become increasingly difficult to manage.
VDI, or virtual desktop infrastructure, for remote users is cumbersome to use, with at least multi-factor authentication logins and screen hopping. And the security of the systems is not overwhelming either. The IT department has to maintain many different and partly overlapping systems, which increases costs and management complexity. The lack of visibility into the traffic of remote users means that the risks of remote use are also overlooked, making it agonisingly difficult to resolve user problems.
A meeting place in the cloud
With all employees and an increasing number of applications on the internet and in the cloud, it is natural for employees and businesses to meet at the edge of the cloud in the Security Service Edge, SSE. SSE is SASE's security and access management service, while SD-WAN is a software-defined wide area network service for connecting branch offices with each other. SASE includes a wide range of information security services, such as Firewall-as-a-Service (FWaaS), Secure Web Gateway (SWG) and Cloud Access Security Broker (CASB). However, the killer application of SASE is Zero Trust Network Access, ZTNA, which provides finely controlled secure access to either the corporate network and services (Secure Private Access, SPA) or the internet (Secure Internet Access, SIA).
The great thing about SASE is that there is no direct connection from the employee’s computer to the destination. The source and destination connect to the SASE cloud, where the connections are passed on to each other. First, however, the user's identity is identified and access is authenticated and authorised according to policy only to a specific resource. That is, only to one application and under certain fine-grained conditions, in accordance with the Zero Trust model.
The SASE solution hides and closes the edge of your enterprise network, whether it is in your own data centre or in the cloud. The product manufacturer will shoulder more of the responsibility for concerns about and upkeep of remote access systems as Software as a Service, SaaS, while the IT department will be responsible for defining the use policy, which is not necessarily an easy thing to do. Therefore, the company first must have a good asset management register and a centralised user directory. These are used to know what identities, devices and resources are in use and allows the use policy to group them as desired.
A versatile tool
SASE makes the use of applications and resources visible. Remote access monitoring will now be much more comprehensive, accurate and real-time. The SASE application on the user's device can report on the user experience of the applications from the user's perspective and let you know in which part of the connection and in which resources potential problems lie. It is now much easier to solve vague problems experienced by remote users, as you directly are able to see what is wrong and where in the connection chain. At best, the problem is solved before the user even notices it.
SASE's ZTNA can be used in many ways. The obvious application is the company's own employees, but another equally good use is external partners working for the company. Especially in OT environments, remote access to the production network is a big risk that can be managed and well mitigated with a ZTNA solution. All Internet access goes through the SASE cloud, where it is richly scanned and filtered, to the internet and SaaS. In addition to on terminal equipment, SASE software can usually also be installed as a gateway version for use by the entire office. This enables secure access to the internet and SaaS services from branch offices.
New opportunities
In production environments, new opportunities are opening up for businesses to use SaaS and cloud services seamlessly and securely. In office environments, it is time to ask whether there is any need for a dedicated corporate network at the office, or whether the network could be the internet, as is the case for remote work in general. Today, thanks to SASE, you can work in the same way, securely and with ease, no matter where you are.