SASE Architecture

What is a Secure Access Service Edge (SASE) Architecture?

The modern enterprise likely has more users, devices, applications, services, and data outside of its network perimeter than inside. This means that the traditional perimeter-focused security architecture is no longer effective.

To address the needs of the modern enterprise, Gartner has defined the SASE architecture. This architecture is designed to meet an organization’s networking and security needs in a single solution.

• Optimized Network Routing: Distributed users and services mean that the topology of the corporate Wide Area Network (WAN) has become more complex. A high Quality of Experience (QoE) requires dynamic and optimized path selection for network traffic using software-defined policies.
• Security as a Service: Security centralized at an organization’s physical sites increases network latency for off-site traffic. Security needs to be deployed at the cloud edge as a service, rather than onsite at the perimeter of the headquarters’ network. A geographically distributed network architecture provides a distributed mobile workforce with better access to cloud applications.
• Secure Access: As security services are consolidated and delivered as a cloud service, zero trust principles with strong multi-factor access management can be applied throughout a session. Efficiencies are achieved by unifying management and inspection. Decryption, inspection and encryption happens once reducing latency.

Balancing the needs for network performance and security requires a network and security architecture with these features. As shown in the image below, SASE incorporates a number of different network and security features.

This functionality can be classified into three categories: cloud-hosted security, zero-trust network access principles, and network services.

#1. Cloud-Based Security Components

As security moves to the network edge, security solutions traditionally deployed at the network perimeter must relocate to the cloud. SASE architecture provides cloud-native options for core security functionality, including:

• Firewall as a Service (FWaaS): A firewall is the foundation of an organization’s network security architecture. With SASE, a firewall can be deployed as a cloud-based service to provide security with minimal impact on network performance.
• Secure Web Gateway (SWG): Both on-site and remote users need to be protected from Web-based threats. A SWG enforces corporate cybersecurity policies and inspects and filters malicious Internet traffic.
• Cloud Access Security Broker (CASB): CASB is a Software-as-a-Service (SaaS) security and access control solution. It helps to monitor and secure access to cloud-based applications, such as Office 365.

#2. ZTNA Components

A zero-trust security policy is designed to limit a user’s permissions and access on a network to the minimum required for their job role. This limits the probability and impact of a security incident.

Zero-trust network access (ZTNA) solutions – also known as a software-defined perimeter (SDP) – enforces a zero-trust security model. This is accomplished by implementing:

• Strong Authentication: With a zero-trust architecture, access and permissions are based upon a user’s role within an organization and verification of the device. Identity-based security requires strong user authentication protected using multi-factor authentication (MFA) and device compliance solutions.
• Authorization and Access Control: Once a user’s identity has been proven, a ZTNA solution should determine the validity of any future requests. This requires comparing a request to role-based access controls (RBAC) and allowing or denying access on a case-by-case basis.
• Continuous Session Monitoring: Zero-trust security is designed to minimize risk, which requires continuous session monitoring. This ongoing monitoring enables risk calculations and trust levels to be updated as needed based upon observed behavior.

#3. Network Services Components

In addition to providing security for the corporate WAN, SASE is also designed to optimize network performance for the distributed organization. It accomplishes this by integrating software-defined WAN (SD-WAN) functionality and securing mobile and temporary users.

SD-WAN is deployed as a network of SD-WAN appliances, either physical or in the cloud. All traffic flowing over the corporate WAN is routed from its entry point to the SD-WAN appliance closest to its destination based upon application and business intent. The use of SD-WAN as part of SASE provides a number of advantages:

• Optimized Path Selection: Network outages, bandwidth limits, and congestion can all increase network latency. SD-WAN uses performance monitoring and intelligent route selection to maximize network performance.
• Application-based Routing: Remote and mobile corporate users also require secure connectivity to corporate resources when not in an office. In addition contractors may need access from devices that are not managed. With a Secure Remote Access solution, both client and clientless devices can have secure access to the SASE network and, from there, to the desired resource.

Value of a SASE Architecture

As corporate networks evolve, network and security architectures must evolve with them. SASE is designed to provide both security and optimized network performance in a single solution. By moving security and network routing functionality to the network edge, SASE minimizes the impact of security on user experience while maintaining a high level of security.

Check Point’s Harmony SASE enables organizations to deploy network and security functionality that meets their needs. To learn more about how Harmony SASE works and see it in action, request a demo.