Pushing Security to the Edge

It’s a fairly simple equation. The rise in remote workers generates a rise in traffic on corporate networks from different locations, which in turn generates the need to rethink network security strategies.

Enter “Secure Access Service Edge” (SASE), a security design methodology and networking model proposed by the analyst and research firm Gartner. SASE provides security – as a service – to reinforce and enhance corporate networks where each location or endpoint connects to cloud applications and the public internet.

It’s security performed at the edge of your network, essentially where you meet the internet – and it’s gaining traction.

 

Gartner reports that by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption.

 

With the rapid rise of hybrid/remote work, network security teams are re-evaluating every aspect of their operations to ensure any endpoint has the same level of security as on-site networks.

Increasingly, organizations are moving away from legacy corporate networks based on dedicated private links. They are opting instead for software-based technologies, like a software-defined wide area network (SD-WAN), which uses the public internet to direct and manage network traffic.

 

Navigating New Traffic Patterns

In a traditional corporate network, remote users and branch sites connect to resources at or through the main corporate data center, where security devices enforce corporate policy and check for malicious activity. Until recently, there was a much smaller number of overall remote users, so using corporate bandwidth to secure someone working from a coffee shop or from home had little impact.

As the number of remote users grows, and the resources the users need to access are increasingly hosted in public cloud environments, this model becomes less and less efficient.

With the majority of an organization’s users frequently off-site, corporate security teams are now tasked with having to “over-build” their corporate internet connection and scrubbing capabilities. Also, home networks are getting better and stronger. It’s not uncommon for remote workers to have as much bandwidth as a corporate facility. You can do the math: 1,000 users working from home, each on a one-gig internet connection, means a company needs to have a 1,000-gig internet connection at the office just to keep traffic moving.

Then there’s the need to build in redundancy in case the corporate data center goes down. If that happens, the consequence of having a single point of failure through which all traffic has to pass is that users at home are either no longer secured or can’t get to the internet.

That presents two choices: either don’t send traffic to the data center (don’t secure it) or send it to the data center, constrict the bandwidth, and potentially create a single point of failure bottleneck.

 

Where Secure Access Service Edge (SASE) Comes Into Its Own

SASE in many ways rearchitects the traditional corporate Virtual Private Network (VPN).

Using multiple internet connections to provide service to a new network location at the edge makes a methodology like SASE a logical option. Security at the edge is a much more effective alternative. The fact it’s decentralized gives people more options for managing their own networks and unique security requirements.

A SASE model transfers many security capabilities to a distributed network of scrubbing centers, with high-performance links to the public cloud.  This has the effect of removing both the performance and availability challenges presented by the traditional “backhauling” of all traffic to the corporate data center.

 

When Is SASE the Right Choice?

A SASE approach can fit any company of any size in any market, but it’s best suited to organizations with a more hybrid workforce, and to those that have already adopted more cloud-delivered services (SaaS, IaaS, PaaS, etc.).

Whether or not an organization chooses to implement it – like with any new policy – also depends on their technical debt.

For example, banking and financial institutions – with the exception of a few that are cloud forward – still run traditional legacy, big iron hardware in a data center. They have legacy equipment and applications written a while back as well as earlier-generation programming languages.

Many still have a huge amount of on-premises infrastructure that generally makes SASE less beneficial for them. Their data centers have millions of dollars’ worth of equipment that hasn’t fully depreciated. Even if their applications aren’t cloud-friendly, it makes little sense to throw it all away and start from scratch.

However, for a start-up with little or no existing infrastructure, or an established company with a significant amount of public cloud adoption, SASE starts to make sense. If they already use several SaaS services that ensure seamless working – even if the corporate data center experiences downtime – then SASE is a policy to consider.

 

Looking Ahead

Like any new policy, an effective SASE rollout hinges on each organization’s structure, current security profile, level of risk tolerance and user needs. User expectations also must be a consideration, in terms of how employees envision their ideal working conditions.

According to Gallup, during the height of the pandemic, as many as 70% of remote-capable employees worked exclusively from home in May 2020. As of February 2022 most remote-capable employees continued to work from home at least part of the time, but the mix evened a bit – 42% had a hybrid schedule, and 39% worked entirely from home.

Numbers can be interpreted in any way and no one knows what the future of work will look like. But statistics like these do signal one certainty: remote, or at least hybrid, work models are likely here to stay.

That puts new approaches like SASE at the top of any security team’s agenda, as enterprises of all sizes wrestle with planning for long-term success and adapting to the future workplace.

 


Ron Frederick is senior director of enterprise security solutions at Kudelski Security. His background as a developer, a systems engineer, a network engineer, and a security architect informs three key guiding principles he applies to his work: Focus on practical designs that favor simplicity and ease of operation; understand that different parts of an organization have different needs and priorities; and always start with the priorities and needs of the business.
