Businesses are constantly evolving, and their technology needs to evolve with them. As a result of digital transformation initiatives and the need to support expanding customer bases, most organizations have traded in the corporate local area network (LAN), consisting of servers and workstations connected directly to the enterprise network, for a global wide area network (WAN) that includes multiple sites’ LANs, an expanding remote workforce, and growing cloud infrastructure.
Over time, the ways that organizations use their WANs has changed dramatically. With these changes come new solutions for optimizing the performance and security of these sprawling networks. As telework becomes more widespread, legacy WAN security solutions, such as virtual private networks (VPNs), are incapable of providing the level of performance and security that companies require.
Secure access service edge (SASE) represents the latest stage in the evolution of the corporate WAN. An understanding of what SASE is and how it improves upon previous WAN security solutions is essential as organizations explore options for correcting the deficiencies of legacy VPN-based infrastructure.
The Legacy Virtual Private Network
VPNs are the most common and widely accepted solution for implementing a secure WAN. VPNs enable secure point-to-point connectivity by creating an encrypted tunnel between a VPN endpoint and a VPN client or another endpoint. This enables organizations to securely link the local area networks (LANs) of multiple sites or connect a remote worker to the corporate network.
While VPNs are the most common solution for creating a WAN, they are not an ideal one. The point-to-point nature of VPN connections means that the complexity of a VPN network grows exponentially with the number of sites.
Additionally, VPNs provide only limited security guarantees to the organization. They are designed to provide a user experience similar to that of being directly connected to the network where the VPN endpoint is located. If the organization has not implemented internal network security, such as network segmentation or zero-trust security, a malicious insider or compromised endpoint connected to an enterprise network via VPN can provide complete access to the enterprise network.
Improving Security with Zero-Trust Network Access
In the past, many organizations have relied upon a perimeter-based security model. Under this model, anything within the network perimeter is considered “trusted” while anything outside the perimeter is “untrusted”.
VPNs are designed to enable organizations to continue applying this model despite the fact that “trusted” teleworkers operate outside of the network perimeter. However, the growing popularity of the zero-trust security model has prompted the growth of new WAN security solutions.
Zero-trust network access (ZTNA) and software defined perimeters (SDPs) are two names for the next stage in the evolution of WAN security. Rather than applying security controls at the network perimeter, ZTNA and SDP are designed to enforce security at the application level.
Through the use of micro-segmentation, ZTNA provides external users with access to a particular application rather than access to the network as a whole. This enables an organization to enforce least privilege, where users receive access only to the applications they need to perform their job roles, and hold the minimum possible permissions within those applications. This application-focused approach to security also allows ZTNA to collect much more granular information about users than VPNs, enabling more targeted threat detection and response.
Additionally, ZTNA uses an “inside out” access model, where internal IP addresses are not publicly exposed. Unlike VPNs, which expose VPN endpoints as potential targets of attack, ZTNA does not broadcast any information outside of the network. This enables ZTNA to limit the information available to (potentially malicious) external users about an organization’s network infrastructure and the applications that it contains.
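The difference between the VPN access model described above and ZTNA's application-level, least-privilege model can be made concrete with a small policy comparison. The following is an added example, not code from the original article or from any SASE/ZTNA product; the application inventory, roles, and the `Session` fields are constructed for illustration.

```python
"""Toy comparison of perimeter (VPN-style) access versus ZTNA-style,
application-level access. Constructed example, not from any product."""
from dataclasses import dataclass

APPS = {"payroll", "git", "wiki", "db-admin"}  # constructed app inventory


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    on_corp_network: bool   # True once a VPN tunnel is up
    device_compliant: bool  # e.g. disk encryption on, EDR agent running


# Role -> applications that role legitimately needs (constructed policy)
ZTNA_POLICY = {
    "engineer": {"git", "wiki"},
    "hr": {"payroll", "wiki"},
    "dba": {"db-admin", "wiki"},
}


def perimeter_access(s: Session) -> set[str]:
    """Perimeter model: anything inside the network edge is trusted.
    A VPN places the endpoint 'inside', so it can reach every app."""
    return set(APPS) if s.on_corp_network else set()


def ztna_access(s: Session) -> set[str]:
    """ZTNA model: access is granted per user and per application,
    default deny. Network location grants nothing by itself."""
    if not s.device_compliant:
        return set()  # posture check fails -> no application access
    return ZTNA_POLICY.get(s.role, set()) & APPS


def exposure_reduction(s: Session) -> int:
    """Applications the perimeter model exposes that ZTNA would not:
    the extra blast radius of a compromised endpoint on the VPN."""
    return len(perimeter_access(s) - ztna_access(s))


if __name__ == "__main__":
    # Constructed scenario: an engineer's laptop, connected over VPN,
    # has been compromised and no longer passes the posture check.
    victim = Session("alice", "engineer", on_corp_network=True,
                     device_compliant=False)
    print("perimeter:", sorted(perimeter_access(victim)))
    print("ztna:     ", sorted(ztna_access(victim)))
    print("extra apps reachable via VPN:", exposure_reduction(victim))
```

The same `Session` with a compliant device and a non-VPN source shows the other half of the argument: ZTNA still grants the engineer `git` and `wiki`, while the perimeter model grants nothing because location, not identity, is what it checks.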
Despite its many advantages over VPNs, ZTNA is not a perfect solution. ZTNA is designed primarily as a security solution and does not address networking concerns, such as scalability and performance. As a result, ZTNA must be combined with other solutions to implement a functional and secure WAN.
Integrating Networking and Security with Secure Access Service Edge
SASE is designed to address the limitations of both VPNs and ZTNA. It provides full networking and security integration in a solution capable of scaling to meet the needs of the business. The concept of networking and security integration is not a new one. Secure software-defined WAN (SD-WAN) solutions are appliances designed to provide both optimal routing of network traffic over multiple transport media and an integrated security stack including solutions such as a next-generation firewall (NGFW) and secure web gateway (SWG). Despite these advantages, SD-WAN is limited by the fact that it is often reliant upon physical appliances.
SASE solves this issue by hosting secure SD-WAN solutions natively in the cloud. By defining cloud-based SASE points of presence (PoPs) and connecting them with dedicated, high performance network links, SASE provides the reliability, scalability, and performance guarantees required by the modern business. Since each PoP contains integrated network routing and security functionality, SASE moves security to the network edge, minimizing the latency and performance impacts associated with providing full visibility and security inspection of all of an organization’s WAN traffic.
Building Security for the Modern Business
As businesses grow and evolve, their network requirements change as well. Over time, legacy solutions for implementing secure WANs have proven incapable of meeting business needs. The state of the art in WAN security is constantly evolving, and, according to Gartner, “the future of network security is in the cloud”.