Get your daily dose of tech!

We Shape Your Knowledge

SASE: the new security challenge

Kirey Group

  

    Secure Access Service Edge (SASE) is a cloud-based security model designed to support the dynamic, secure access needs of today’s hybrid organizations.

    SASE is a cloud-delivered service that combines network, connectivity and security functions, offered as a service by the SASE provider.

    Conceptually, SASE integrates VPN and SD-WAN (Software-Defined Wide Area Network) capabilities with cloud native security features such as: secure Web gateways (SWG), cloud access security brokers (CASB), state-of-the-art Firewall (NGFW) and Zero Trust network access (ZTNA).

    The term SASE was first described by Gartner in a report on August 2019 called, “The Future of Network Security in the Cloud.” Gartner notes that in the SASE market trend report, "Customer demands for simplicity, scalability, flexibility, low latency, and pervasive security force convergence of the WAN edge and network security markets.”

    New call-to-action

    Why is SASE necessary?

    The traditional function of the WAN network was to connect branches or remote locations to applications hosted in the data center, ensuring connectivity with dedicated MPLS circuits that ensure reliable connectivity and an adequate level of security.

    The increasing deoloyment of Cloud and Saas (Software-as-a-Service), Iaas (Infrastructure-as-a-Service) and Paas (Platform-as-a-Service) have inverted access requirements, with more users, devices, applications, services and data located outside an enterprise than inside. This makes the WAN network inadequate, expensive and unable to guarantee the levels of dynamism, speed, performance, security and access control required by modern applications.

    Therefore, the SASE approach represents the logical evolution of security needs and technological trends and addresses to these needs, by providing network and connectivity security controls at the edge, i.e., as close as possible to the users.


    SASE convergence_senza scritte-1

    Figure 1 – CDN: content delivery network; RBI: remote browser isolation; WAAPaaS: web application and API protection as a service.

    Components

    The SASE model is based on access security, transforming the network model from "hub and spoke", where access to Internet applications and resources is Data Center-Centric, to "user centric", where access decisions are Identity-centric and applied to the endpoint. The user is identified at the time of connection and on this basis access policies are applied that are no longer bound/limited to the internal or external connection to the corporate network.

     

    traditional data centric_senza scritte-2

    Figure 2 NSP: network service provider

     

    The main components of the SASE model are:

    Software Defined WAN (SD-WAN): a technological approach that decouples network hardware from its control mechanism. It implies the possibility of creating hybrid networks (on intelligent and dynamic platforms) that allow multiple access technologies, bandwith on demand, dynamic routing and security services, integrated with each other.

    Zero Trust Network Access (ZTNA): a network security model that verifies users' identities and establishes device trust before granting them access to authorised applications. It helps organisations prevent unauthorised access, contain breaches, and limit an attacker's lateral movement on your network.

    Firewall-as-a-Service (FWaaS): a Cloud platform that makes firewall service and security services available everywhere.

    Secure Web Gateway (SWG): Web access gateway which integrates advanced security features to protect your users/workstations using Internet resources. Organizations can secure and enable corporate resources while securing and delivering their sites, applications, and APIs.

    Cloud Access Security Broker (CASB): Application for the use of Saas applications. In-line implementation for real-time control of Saas User-Application interaction, or off-line implementation based on "API telemetry" available with Saas Providers.

    sase identity centric architecture_senza scritte-1

    Figura 3AWS: Amazon Web Services; DLP: Data Loss Prevention; GCP: Google Cloud Platform; O365: Office 365; SDP: service delivery platform; UEBA: user and entity behavior analytics


    Benefits

    The SASE approach leads to the transformation of the network from the "hub and spoke" model to "user centric" model, in which access decisions are based on the identity of the user and are applied to the endpoint. The SASE provider becomes the new corporate WAN backbone, avoiding concentrating connectivity and security in the data center, avoiding both bottlenecks caused by limited bandwidth and additional latency; limitations typical of the "hub and spoke" model.
     

    The SASE security model can help your organization in several ways:

    ✔️ Optimized connectivity
    • Independence from transport mechanism and network equipment
    • Active-active hybrid connections for all network scenarios
    • Dynamic routing on all available connections
    • Uniform extension of the WAN to multi-cloud systems

    ✔️ Cost saving

    • Replace or combine the use of expensive MPLS routes with cheaper and more flexible Broadband (DSL, LTE, 4G, 5G, etc.)

    ✔️ Better User Experience

    •   Application traffic with dynamic routing to ensure better performance for critical applications

    ✔️ Maggiore sicurezza

    • Centralized Policies based on the Zero Trust model and customization
    • Real-time access monitoring and control
    • Secure traffic in Internet and Cloud connections
    • Security deployment in remote endpoints

    ✔️ Centralized and simplified application management

    • Centralized monitoring and management dashboard
    • Zero-touch provisioning on all functional components


    What are the new challenges in Security?

    In a context of growing adoption of cloud-based services, sharing information, data and files is becoming increasingly easy and frequent.
    Organisations should review threat vectors to adapt the desired safety posture:

    • Identification and control of compromised accounts: ability based on user behavioural analysis (UBA) capabilities to mitigate damage caused by misuse of the cloud by employees and compromised accounts.
    • Anti-malware automation for cloud apps: a feature that automatically scans and fixes malware infections in the user’s cloud application accounts.
    • Advanced Threat Defense: Provides an advanced level of threat protection (Advanced Threat Protection) to analyze files moving in and out of Cloud accounts.
    • Mitigation of attacks through cloud-based email: email uses the SMTP protocol, which is a different channel than most Internet access and requires specially designed threat prevention capabilities. The solution must protect against phishing attacks with Isolation (RBI) techniques and, when e-mails contain attachments or URL links, they must be scanned with anti-malware engines and analyzed in sandboxes.

    SASE and Kirey Group

    Kirey Group supports companies to ensure adequate protection of business information through the adoption of a unique, consistent and standardised approach.

    • Analysis of AS-IS Security capabilities;
    • update of the grid segregation model;
    • definition of TO-BE Security capabilities;
    • support in the definition and implementation of the Information Security Management System (SGSI) consisting of principles, rules, requirements, methodologies, controls and security measures with the aim of preserving the security of company information and assets;
    • protection, in terms of confidentiality, integrity, availability, verifiability;
    • definition of appropriate criteria, management methods and use in accordance with the rules of law and internal and external regulations;
    • IT risk reduction through appropriate accident prevention and mitigation measures, in line with the IT risk appetite defined at company level.

    Our Value

    • Specific expertise in Network and Enpoint Security, Threat Management, Data Security, IT Governance Risk and Compliance;
    • Experience in security projects;
    • Unique proposal.

    New call-to-action

    Related posts:

    Kirey Group at the Clusit Security Summit in colla...

    Kirey Group participates to the Clusit Security Summit, the event dedicated to the security of infor...

    Code in the washing machine!

    The SAST process should always be included in the context of the S-SDLC to correctly validate the co...

    Banks struggling with new payment schemes and serv...

    Preventing Money Muling activity is a historical problem for financial institutions, not only for da...