Most organizations’ security setup is no longer fit for purpose. If that sounds too extreme, then at the very least it’s fair to say that anyone starting from scratch in most organizations would probably not design the security architecture in the way that it is currently implemented. Instead, they would probably design something which looks a lot like a Secure Access Service Edge (SASE) architecture.
That’s because most enterprises have a centralized security function, with security hardware running in the data center guarding the perimeter of the corporate network and monitoring the traffic flowing in and out of it. And that’s fine for organizations that are largely centralized, with users accessing data and applications over the corporate WAN. They may have branch offices, but these will either consume security services offered by the data center, or they may have their own branch office security appliance as well.
That model also has to absorb the huge number of people who are now working remotely because of the coronavirus pandemic, many of whom may continue to do so indefinitely. These users may spend most of their time in cloud applications, yet they still have to connect to their organization’s data center over a VPN so that their traffic can pass through the security stack before it reaches the cloud services they actually want.
Meanwhile, the proportion of branch-office traffic that is ultimately destined for the internet rather than the corporate data center has risen from around 20% to over 80%, according to Juniper Networks. Backhauling that traffic to the data center so it can pass through the security stack is suboptimal for several reasons:
- It pushes a huge volume of traffic across the WAN between branch offices and the data center when it could break out to the internet locally, which drives up WAN bandwidth costs.
- Some traffic does not need the full security stack. Microsoft, for example, publishes an “Optimize” category of Office 365 endpoints that it recommends sending directly rather than through inspection proxies; hairpinning that traffic over the WAN wastes capacity, although it should still be subject to identity and CASB policy.
- Hairpinning adds latency to every round trip, so a centralized security function degrades the performance of cloud applications as well as loading the WAN.
What is SASE?
Before discussing transitioning to a SASE architecture, it’s worth mentioning what is meant by the term, which was coined by Gartner in 2019. Essentially it’s an architecture that converges wide-area networking (SD-WAN) with cloud-delivered security services, including secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA) and firewall-as-a-service (FWaaS), and delivers them from points of presence at the cloud edge, close to the user, rather than from the corporate data center.
Why Transition to a SASE Architecture?
One of the biggest benefits of a SASE architecture is that security services are available where they are needed, not only at a single chosen point (the data center). That means branch office and remote workers accessing services in the cloud can have their traffic inspected and policy applied as it travels to and from those services, without a detour through the corporate data center first. That has important implications for latency, which matters most for real-time applications such as Zoom video conferencing.
Another important benefit is that, as a cloud-based service, SASE security can be scaled elastically, in the same way that compute and storage can be scaled in the cloud using services offered by the likes of AWS or Microsoft’s Azure.
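To make the steering logic behind the definition above and the “security where it is needed” benefit concrete, here is a toy policy decision point that behaves the way a SASE edge would: private applications are brokered per-app by ZTNA with a device-posture check, sanctioned SaaS breaks out directly under CASB policy, and everything else goes through a secure web gateway at the edge. This is an added example written for this page, not code from the article or from any SASE vendor; the data-center prefixes, internal domain, SaaS list, URL categories and rule ordering are all constructed assumptions standing in for a real product’s policy and reputation feeds.

```python
"""Toy SASE-style policy decision point (added example; hypothetical data and rules)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed: prefixes and domain that still live in the corporate data center.
DATACENTER_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
INTERNAL_DOMAIN = ".corp.example"
# Constructed: sanctioned SaaS hosts sent direct from the edge (CASB policy only,
# no full content inspection), in the spirit of Microsoft's "Optimize" endpoints.
SANCTIONED_SAAS = {"outlook.office365.com", "teams.microsoft.com", "zoom.us"}
# Constructed: URL categories the secure web gateway blocks outright.
BLOCKED_CATEGORIES = {"malware", "phishing"}
# Constructed lookup standing in for a vendor URL-reputation feed.
URL_CATEGORY = {"evil.example": "malware", "news.example": "news",
                "drive.google.com": "storage"}


@dataclass
class Flow:
    user: str
    device_managed: bool   # device posture: enrolled and compliant?
    src_site: str          # "branch", "remote" or "hq"
    dst_host: str          # FQDN or literal IP
    dst_port: int


@dataclass
class Decision:
    action: str            # "allow" or "deny"
    path: str              # "direct" (local breakout) or "ztna-broker" (private app)
    services: list = field(default_factory=list)  # edge services applied to the flow
    reason: str = ""


def is_datacenter(host: str) -> bool:
    """True if the destination is a private app that would otherwise be backhauled."""
    try:
        ip = ip_address(host)
    except ValueError:           # not an IP literal: fall back to the internal domain
        return host.endswith(INTERNAL_DOMAIN)
    return any(ip in net for net in DATACENTER_NETS)


def decide(flow: Flow) -> Decision:
    """Steer one flow the way a SASE edge would: inspect at the nearest PoP and
    broker private apps individually instead of dropping users onto the LAN."""
    # 1. Private apps: ZTNA brokers per-application access and refuses unmanaged
    #    devices regardless of who the user is (identity alone is not enough).
    if is_datacenter(flow.dst_host):
        if not flow.device_managed:
            return Decision("deny", "ztna-broker", ["ztna"],
                            "private app requires a managed, compliant device")
        return Decision("allow", "ztna-broker", ["ztna", "fwaas"],
                        "private app brokered per-application")
    # 2. Sanctioned SaaS: local breakout; CASB enforces tenant and DLP policy,
    #    but latency-sensitive traffic skips full TLS inspection.
    if flow.dst_host in SANCTIONED_SAAS:
        return Decision("allow", "direct", ["casb"],
                        "sanctioned SaaS, direct breakout from the edge")
    # 3. Everything else: SWG category filtering plus FWaaS at the edge.
    category = URL_CATEGORY.get(flow.dst_host, "uncategorized")
    if category in BLOCKED_CATEGORIES:
        return Decision("deny", "direct", ["swg"], f"blocked category: {category}")
    services = ["swg", "fwaas"]
    if category == "storage":
        services.append("casb")  # shadow-IT / upload DLP on unsanctioned storage
    return Decision("allow", "direct", services, f"web traffic, category {category}")


def route_all(flows):
    return [decide(f) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows from a branch and from remote workers.
    sample = [
        Flow("alice", True, "branch", "teams.microsoft.com", 443),
        Flow("bob", False, "remote", "10.20.30.40", 1433),
        Flow("carol", True, "remote", "evil.example", 443),
        Flow("dave", True, "branch", "drive.google.com", 443),
    ]
    for f, d in zip(sample, route_all(sample)):
        print(f"{f.user:6} -> {f.dst_host:22} {d.action:5} via {d.path:12} "
              f"{d.services} ({d.reason})")
```

Note that nothing in the toy ever sends a flow to the data center merely to be inspected: inspection happens at the edge, and the only traffic that reaches private infrastructure is traffic whose destination actually lives there, and then only per application after an identity and posture check. Rule order matters; the private-app check comes first so that an internal host can never be treated as ordinary web traffic.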
Lower cost, less complex
A SASE architecture is also likely to cost less than a traditional security setup. It is consumed as a subscription rather than bought as hardware, and because capacity can be scaled up and down as an organization’s needs change over time, enterprises don’t have to pay to maintain infrastructure sized for a peak they rarely reach.
There’s a fourth important benefit which is often overlooked, and that’s simplicity: a SASE architecture makes security far easier to manage and maintain. That’s in part because there is no need for IT staff to spend time applying updates and patches to appliances, install new hardware, or replace it from time to time. There is also no need for staff to manage equipment at branch offices either remotely or by making site visits.
It’s also easier to manage and configure a SASE architecture because the whole SASE security stack can be managed as a single cloud-based application. This may be possible to a greater or lesser extent with existing data-center based solutions, but it’s doubtful if this can ever be as integrated as is the case with a SASE solution.
There’s one final and very compelling reason to consider transitioning to a SASE architecture, and that’s related to the complexity of the many modern cyber threats. Managing security, spotting threats, distinguishing between suspicious and legitimate traffic, understanding security logs, and preventing or stopping cyber attacks are tasks that are almost too much for a human — or a team of humans — to cope with. For that reason it’s likely that in the future many security systems will have to use machine learning (ML) and artificial intelligence (AI) to keep up.
The good news is that a SASE architecture is an ideal foundation on which to build a network secured with the help of AI and ML, because the traffic logs and telemetry from every site and every remote user land in one place in the cloud, where cloud-based analytics systems can process them. The practical caveat is that the same centralization puts a great deal of sensitive traffic metadata in the provider’s hands, so data residency, log retention and the provider’s own access controls deserve the same scrutiny as the security services themselves.
Time to Transition
For all of these reasons, the time has come for many organizations to consider a transition to SASE — or some cloud-based security architecture that is very close to it. If they don’t, they risk being left with a security setup which, in a world of cloud applications and remote workers, really isn’t fit for purpose any more.