To protect private applications and corporate networks, including apps in public and private clouds, datacenters and IaaS, Zero-Trust Network Access principles are applied to inbound connections to enforce least-privilege access while reducing the attack surface.
To protect remote and branch users’ access to the internet, a full security stack such as branch FWaaS or Secure Web Gateways applies application and URL filtering, data protection, and threat prevention to outbound connections.
Finally, to secure SaaS applications such as cloud email, file sharing, and collaboration tools, which are private yet hosted externally, CASB solutions ensure full SaaS visibility with zero trust access control, data security and advanced threat prevention.
While secure connections to private applications, the web and SaaS make up the security pillar of SASE (also called Security Service Edge, or SSE), the networking pillar consists of Software-Defined Wide Area Networking (SD-WAN), which ensures optimized internet and network connectivity regardless of the underlying physical networking infrastructure. SD-WAN is aimed at improving the speed and reliability of direct branch-to-internet and branch-to-cloud connections, as well as improving network performance for branch offices and sites connecting to each other.
How Does it Work?
SASE solutions are designed to integrate multiple functions into a single, easily managed solution. In fact, SASE is itself built from two distinct solutions: software-defined WAN (SD-WAN) and security service edge (SSE). Simply stated, a SASE solution offers networking and security as a single service, hosted in the cloud with a global network of points of presence (PoPs). All traffic is routed to a PoP to undergo security inspection and is then optimally routed to its destination.
Key Components of SASE
SASE is a security technology designed to reduce security complexity by converging multiple networking and security features into a single solution. Some of the key components of a SASE solution include the following:
- Zero-Trust Network Access (ZTNA): Replacing traditional remote access solutions where all traffic is backhauled over a VPN connection to an on-premises data center for security inspection, cloud-based ZTNA moves from implicit trust to explicit identity-based access controls, applied at the network, application and in-app levels, improving security, speed and the user experience.
- Secure Web Gateway (SWG): Secure internet access to non-business web applications and services leverages unified Threat Prevention solutions that include Application Control, URL Filtering, Antivirus, IPS, Anti-Bot, and Zero-Day sandboxing.
- Branch Firewall as a Service (FWaaS): As companies with multiple branch offices or retail locations connect directly to the internet and cloud using their SD-WAN infrastructure, they need a way to prevent threats from entering their networks. A cloud-based Next-Generation Firewall moves firewall functionality to the cloud for scalable, consistent security across multiple sites, delivering improvements in costs, performance and security.
- Cloud Access Security Broker (CASB): A CASB offers both in-line and API-based SaaS security with rich DLP capabilities, advanced threat prevention, zero-trust SaaS access and authorization controls, and visibility into both authorized and unauthorized SaaS usage.
- Software-Defined WAN (SD-WAN): Decouples networking logic from the underlying physical network links (e.g. internet connections delivered over MPLS, broadband or wireless links) and optimally routes site-to-internet and site-to-site network traffic to its intended destination.
- Integrated Advanced Threat Prevention: Provides protection against modern, advanced security threats by integrating technologies such as sandboxing, intrusion prevention system (IPS), phishing and malware prevention, and traffic inspection.
- Integrated Data Protection: Data loss prevention (DLP) technologies identify and block intentional or unintentional exfiltration of sensitive data according to predefined data types, e.g. payment card data, source code and customer PII.
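As an added illustration of the Integrated Data Protection component (example code written for this page, not Check Point's or any product's implementation), the snippet below classifies an outbound payload against three predefined data types named above: payment card data, customer PII and source code. The `CUST-` identifier pattern and the source-code keyword list are constructed, hypothetical policy rules; the Luhn check shows why a DLP engine validates candidate card numbers rather than matching digit runs alone.

```python
import re

# Candidate payment-card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed, hypothetical customer-ID token standing in for a "customer PII" data type.
CUSTOMER_PII = re.compile(r"\bCUST-\d{6}\b")
# Constructed heuristic for "source code": two or more language markers in one payload.
SOURCE_CODE_MARKERS = ("#include", "import ", "def ", "function ", "public class")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; separates plausible PANs from random digit runs (fewer false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(payload: str) -> set[str]:
    """Return the set of predefined data types detected in an outbound payload."""
    found = set()
    for m in CARD_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.add("payment_card")
    if CUSTOMER_PII.search(payload):
        found.add("customer_pii")
    if sum(marker in payload for marker in SOURCE_CODE_MARKERS) >= 2:
        found.add("source_code")
    return found


def dlp_verdict(payload: str, blocked_types: set[str]) -> str:
    """'block' when any detected data type is in the policy's blocked set, otherwise 'allow'."""
    return "block" if classify(payload) & blocked_types else "allow"


if __name__ == "__main__":
    # Constructed sample payloads: a well-known test PAN, a random digit run, and a code fragment.
    policy = {"payment_card", "customer_pii", "source_code"}
    for text in ("card 4111 1111 1111 1111 on file", "ticket 1234567890123456", "import os\ndef run():"):
        print(repr(text), "->", sorted(classify(text)), dlp_verdict(text, policy))
```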
Who Needs SASE?
SASE solutions are designed to meet the networking and security needs of the increasingly distributed enterprise. As companies adopt cloud technology, remote work, and mobile devices, a growing percentage of their IT infrastructure lies outside of the headquarters network. SASE solves this problem by moving security services to the network edge, through a global network of PoPs, and integrating networking capabilities into a single solution. By doing so, it enables companies to ensure that all branches and users enjoy high performance while securing access to corporate applications, SaaS and the web regardless of location or device.
Adopting a SASE framework has many advantages for today’s businesses.
- Reduced Complexity: Instead of managing multiple point products, networking and numerous security capabilities can be managed from a single service, including branch FWaaS, Secure Web Gateway, ZTNA, CASB, DLP, advanced threat prevention and SD-WAN.
- Flexibility: Delivered from the cloud and installed with your current infrastructure, a SASE architecture is platform agnostic, enabling the most flexible security framework possible. This flexibility also makes it easy for businesses to scale up their security infrastructure as they grow.
- Cost Savings: Consolidating security services brings management efficiencies, since there is no longer a need for multiple purchasing cycles or the overhead of administering disparate management consoles.
- Performance Improvements: Through a combination of optimized connectivity delivered by SD-WAN and a global network of PoPs for delivering full-stack security services, users connecting to latency-sensitive apps such as web conferencing and remote support services will see a better quality of experience (QoE).
- Improved Security: By centrally managing policies for branch offices and remote users, organizations can implement consistent security for access to private applications, SaaS and the internet. Cloud security services enable consistent security policy enforcement across branch offices, and enterprise-grade advanced threat prevention delivered as a service, such as sandboxing, closes these security gaps.
- Zero Trust: ZTNA solutions implement and enforce an organization’s zero-trust policy. Users attempting to connect to an organization’s applications and production environments are only permitted to do so if they require that access to perform their duties, with optional in-app controls available to further define what the user is authorized to do within a resource.
A SASE architecture is created by integrating multiple different technologies into a single solution.
- SASE vs. CASB: SASE integrates CASB functionality to provide secure access to SaaS applications but also includes other networking and security features.
- SASE vs. SD-WAN: SASE is built by combining SD-WAN with SSE.
- SASE vs. SWG: SASE provides SWG protection to all users regardless of location.
- SASE vs. FWaaS: FWaaS is a feature of SASE designed to protect branch locations without backhauling and reliance on legacy appliances.
- SASE vs. ZTNA: ZTNA is the secure remote access solution integrated into SASE solutions.
SASE Security Solution with Harmony Connect
SASE provides modern, distributed companies with the security that they need without compromising on network performance. By integrating security and networking functionality into a single, cloud-based solution, SASE enables companies to deploy security closer to where their users are. Learn more about the benefits of SASE and SASE adoption best practices in this ESG whitepaper.
Harmony Connect — Check Point’s SASE offering — delivers ZTNA, SWG, CASB, and FWaaS to protect users and branch offices with zero-trust access control, advanced threat prevention, and data protection. Explore the capabilities of Harmony Connect for yourself with a free demo today.