How VPNs Work with SASE

Enterprise Networking Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Digital transformation has changed the way we work. The shift to the cloud, remote work, and BYOD (bring your own device) are just some of the changes in enterprise IT. But along with greater digitization comes the risk of greater threats.

With cyberattacks increasing by leaps and bounds, enterprises are looking for a means to counter the threats. For example, technologies like VPNs (virtual private networks) encrypt company data and enable its safe passage, allowing remote workers to access the corporate data center in a safe manner.

Although VPN technology is well established, it remains popular as ever. In fact, many companies scaled up their VPN capabilities during the COVID-19 pandemic to meet the demands of their remote workforce.

Still, while there was increased VPN adoption, cases of VPN breaches were not uncommon, either. That’s why SASE (secure access service edge), a relatively new cybersecurity model, also found many takers during the health crisis.

Whether or not  SASE replaces VPNs – or if there is a possibility for both to coexist – is still to be seen. Let’s take a look at these two technologies.

Also see: Best Cloud Networking Solutions

What is a VPN?

A VPN is a private and safe way of sending data through the internet without the fear of it being intercepted en route. When a remote employee accesses business data over the public internet, there is a risk of sensitive data being unintentionally exposed to threat actors.

VPNs create an encrypted tunnel between an enterprise’s network and an employee’s device, so the data that moves through it remains secure. Once the encrypted data travels through the tunnel and reaches the organization’s endpoint, it gets decrypted with the right decryption keys.

Features of a VPN

Encryption capabilities

One of the primary aims of a VPN is to block unauthorized attempts by third parties and prevent them from accessing personal and restricted information. VPNs accomplish this by encryption, where the data is converted into cipher text. The encrypted data is accessible only to authorized users and can be read only when it is decrypted with the correct decryption keys.

Split tunneling

Split tunneling is a process that lets you select which apps to route through the VPN and which ones to send through the local network. Split tunneling is an excellent method to conserve bandwidth and prevent network outages.

No-logs policy

A no-logs policy means that VPNs do not store any information that passes through their network. This ensures that private information remains safe.

Kill switch

A kill switch is a feature in a VPN connection that automatically terminates your activity when you lose contact with your VPN connection. It prevents unauthorized users from accessing your confidential data when VPN services drop.

Also see: 7 Enterprise Networking Challenges 

Why SASE?

Traditionally, applications were deployed at a single data center, with employees accessing company servers via a virtual private network. The system works well up to a point. However, legacy VPNs start caving in when you throw in complex IT environments and diverse geographical areas into the mix.

The move to the cloud and the increased adoption of cloud services do precisely that. Add to it more attacks on the network than ever before — after all, more endpoints means a bigger attack surface — and what you have is a situation where current security technologies clearly fall short in dealing with the challenges facing modern enterprises.

What is needed is a solution that is platform-agnostic, accessible from anywhere, and adapts well to agile operations. From a cybersecurity approach, SASE fits the bill perfectly.

Michael Cade, senior global technologist at Veeam, explains this with an example.

“With a VPN, we would need a VPN connection from A (user laptop) to B (Central DC/Authentication), which would then route traffic to C (cloud-based network-attached storage share example),” Cade said. “Data would be potentially spending a long time in transit this way, and B is going to deal with the bandwidth and possibly security overhead.

“With a SASE solution, you will likely be able to still authenticate with B, but data will come directly from C back to A via a broker. Meaning your data is not in transit for as long. This will reduce bandwidth requirements at B. All in all, more secure and likely quicker for the end user accessing the data.”

Also see: Top Enterprise Networking Companies

What is SASE?

SASE is a cloud-based service model that combines network security functions, like secure web gateway (SWG), firewall as a service (FWaaS), cloud access security broker (CASB), and zero trust network access (ZTNA), and wide area network (WAN) features into a single console. This console enables devices and users to securely connect with the company’s server irrespective of where they’re located.

“It is an approach to secure connections using multiple platforms in the cloud. So, rather than just connecting to one server, it is a network perimeter,” said Volodymyr Shchegel, VP of engineering at Clario.co. “SASE is an improvement on VPNs … because of this perimeter, which allows users to securely access the cloud with less congestion and delays.

“In the age of remote work, this is essential, as the prohibitive cost of VPNs at a large scale isn’t feasible for most large companies. Cloud-based solutions are more scalable when many users need access to a network from varying distances from the workplace.”

With SASE, data is processed right at the edge, where the user is located. So, an enterprise does not need to maintain a dedicated VPN. Instead, their employees can simply connect to a SASE solution based on ZTNA with granular capabilities and access networks securely.

Also see: Best IoT Platforms for Device Management

Principal Components of SASE

SD-WAN

A software-defined wide area network (SD-WAN) is an overlay network that separates the networking services from the underlying hardware, thus removing the complexities associated with managing traditional WAN. Apart from simplified WAN management, other benefits include improved network performance, low costs, and the capacity to support high-bandwidth requirements.

Firewall as a service

FWaaS is a next-generation firewall (NGFW) cloud-native service that uses advanced techniques like intrusion prevention system (IPS) web filtering and Domain Name System (DNS) security to enforce threat prevention.

Secure web gateway

A SWG is a web security product that acts as a gatekeeper between a company and a user. By using technologies like URL filtering, sandboxing, data loss protection (DLP), and Secure Sockets Layer (SSL) inspection, it provides complete visibility into network traffic and helps thwart malicious attacks. When used in a SASE platform, SWGs filter out malicious traffic and protect users from accessing suspicious websites.

Cloud access security broker

CASB is one of the crucial pillars of a threat prevention strategy. It is a security application that identifies apps at risk in the cloud and helps organizations set stringent data protection policies.

Zero trust network access

The zero-trust policy works on the principle of least privilege, which means all users are granted only minimum rights. In this framework, users are verified and vetted before accessing an app. By continuously monitoring users and devices, ZTNA limits the radius of a data breach.

Benefits of SASE

  • SASE supports users regardless of location.
  • It does away with backhauling traffic, reducing transport costs. In the process, it also reduces latency.
  •  SASE works in all types of IT environments.
  •  IT teams have complete visibility over operations.
  • It enforces ZTNA that securely connects employees to office networks.

Does This Mean the End of VPNs?

According to Shchegel, “the ‘SASE as a replacement for VPN’ narrative mainly applies to the server-based VPNs most organizations have been using up until this point. It also assumes that all organizations can completely migrate to the cloud all at once, but in reality, most organizations will need some sort of hybrid of SASE and VPN (either as a service or onsite) until they can fully migrate to the cloud.”

Though SASE is being deployed at a fast pace, many IT and security teams are struggling to implement it in their organization. VPNs are still one of the prominent methods of providing secure access to distributed workforces. Going forth, it looks like both technologies will stick around and cater to their respective audiences.

“VPN is not going away; it’s still a solid use case for the job that needs to be done. But as we know, environments are no longer within the four walls of the data center,” said Cade. “We have services here, there, and everywhere that our users need access to.

“A VPN will get you into a central location and out to services, but security gets a little washed at that point, which is where SASE comes in, potentially again, depending on the use case and nature of the business.”

Also see: Top Zero Trust Networking Solutions 

Susnigdha Tripathy
Susnigdha Tripathy
Susnigdha Tripathy is a full-time writer and editor based in Singapore, and a regular contributor to Enterprise Networking Planet. She has over 10 years of experience writing, editing, and delivering exceptional content for a variety of international technology brands such as Virtasant, a cloud technology company, and Krista Software, a provider of intelligent automation solutions. She has also appeared in ServerWatch and other industry publications.

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.

Latest Articles

Follow Us On Social Media

Explore More