Secure Access Service Edge: A Paradigm Shift

The network and network security world is, like every other technology area, going through its digital revolution. The traditional vision of “inside the firewall” and “outside the firewall” has been shattered: the Internet has become the network of the extended enterprise.

Secure Access Service Edge: Trends Leading to a Paradigm Shift

The first trend is the move from a “network-centric” architecture to a “user-centric” and “application-centric” one. On the one hand, the cloud and the decentralization of servers and applications across disparate clouds; on the other hand, the mobility and decentralization of terminals (“devices”, “endpoints”) and of users who work “anywhere” (in the office, at home, on the move, at a service provider’s premises, etc.).

The second is the general trend towards virtualization and “software-defined everything”. In one sentence: network access is becoming a cloud service. We are moving from a physical architecture to a logical one, in which the physical devices (there are still some left!) are controlled by a centralized software layer that configures and reconfigures devices and networks far more dynamically. This is what the term “infrastructure as code” refers to, and it is nothing more than DevOps applied to SDNs (Software-Defined Networks).

This fragmentation of the network into software services brings with it a new set of hybrid secure access technologies and services, hosted partly in datacenters operated by the enterprise and partly in datacenters operated by cloud service providers. These new technologies and secure access services are referred to as “Secure Access Service Edge”, or “SASE”, which is pronounced “sassy”! Application workloads now run either in the Cloud or on the user’s terminal, and that is where governance and security rules and policies must be deployed and enforced. Meanwhile, the network that makes them interact and interoperate becomes a set of services made available in the Cloud.

The word “edge” could be translated as “terminal”: we contact the nearest “edge”, and the “edges” are connected to each other in a network or in interconnected networks. The “edge” is the “point of presence”, the closest point of connection: it is no longer the company’s firewall, but the interconnection and access service.

Obviously, the basic technology underlying SASE is first and foremost a network technology, and a “software-defined” one. But this “software” or “virtual” network is complemented by access and security technologies that depend on the use cases.

Access Technologies for Different Use Cases

“Zero-Trust Network Access” (“ZTNA”) is the term used for remote access “through the network” to enterprise applications. It is the core technology for teleworking: providing secure access from anywhere to desktops or enterprise applications.

There are two complementary and necessary technologies.

  • “Protection” technologies, which “keep the bad guys out”: for applications, we use the term “Web Application Firewall” (“WAF”).
  • “Access” technologies, which “allow the good guys in”: this is the purpose of “ZTNA”.
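The two roles above can be made concrete as two separate stages in front of an application: a protection stage that rejects obviously hostile requests, and an access stage that grants entry per application on the basis of identity, device posture and MFA rather than network location. The code below is an added illustration written for this page, not Systancia's or any product's code; the policy table, the block patterns, the `Request` fields and the function names are all hypothetical.

```python
"""Added illustration: WAF-style protection ("keep the bad guys out") followed by
ZTNA-style per-application authorization ("let the good guys in").
All names, policies and patterns are hypothetical."""
from dataclasses import dataclass
import re


@dataclass
class Request:
    user: str
    groups: frozenset          # group memberships asserted by the identity provider
    device_compliant: bool     # posture claim from the endpoint agent (EDR running, disk encrypted, ...)
    mfa: bool                  # whether the session was opened with multi-factor authentication
    app: str                   # target application; ZTNA grants access per application, never "the network"
    path: str
    body: str = ""


# Hypothetical per-application policy. Anything not listed is denied by default.
APP_POLICY = {
    "hr-portal": {"groups": {"hr"}, "require_mfa": True, "require_compliant_device": True},
    "wiki": {"groups": {"staff", "hr"}, "require_mfa": False, "require_compliant_device": False},
}

# Constructed signatures for the protection stage; a real WAF uses a far richer ruleset.
BLOCK_PATTERNS = [re.compile(p, re.I) for p in (r"<script\b", r"\.\./", r"\bunion\s+select\b")]


def protection_stage(req):
    """WAF-style check: reject requests whose path or body match a hostile pattern."""
    for pat in BLOCK_PATTERNS:
        if pat.search(req.path) or pat.search(req.body):
            return False, f"blocked by protection rule {pat.pattern!r}"
    return True, "clean"


def access_stage(req):
    """ZTNA-style check: entitlement, MFA and device posture evaluated for this application only."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application: default deny"
    if not (req.groups & policy["groups"]):
        return False, "user not entitled to this application"
    if policy["require_mfa"] and not req.mfa:
        return False, "MFA required"
    if policy["require_compliant_device"] and not req.device_compliant:
        return False, "device posture not compliant"
    return True, "allowed"


def decide(req):
    """Protection runs first so hostile traffic never reaches the access logic; both must pass."""
    ok, why = protection_stage(req)
    if not ok:
        return "deny", why
    ok, why = access_stage(req)
    return ("allow" if ok else "deny"), why


if __name__ == "__main__":
    # Constructed requests: an entitled HR user, then a staff member trying the same application.
    print(decide(Request("alice", frozenset({"hr"}), True, True, "hr-portal", "/payslips")))
    print(decide(Request("bob", frozenset({"staff"}), True, True, "hr-portal", "/payslips")))
```

The order matters: the protection stage sees every request, including ones from fully entitled users, while the access stage never sees a request the protection stage rejected. Unknown applications and missing entitlements fall through to deny, which is the zero-trust default.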

A “Cloud Access Security Broker” (“CASB”) handles “network” access to SaaS applications and cloud services. A CASB often plays both roles: “protection” (preventing the use of unsanctioned, “wild” SaaS applications or cloud services, and thus preventing “shadow IT”) and “access” (allowing the use of sanctioned SaaS applications or cloud services). Some ZTNA solutions cover the “access” part of a CASB, for example for regulatory compliance reasons, by forcing traffic through the company’s datacenter, which can then, for instance, encrypt the application flow to SaaS applications or cloud services.

For inter-site access, the service is known as a “Secure Web Gateway” (“SWG”). It avoids building a dedicated network between a company’s different locations and provides access between those locations via a cloud service on the Internet.

Security Technologies for Different Use Cases

Remote display technologies are better known for properties other than their security properties, but they make a real contribution to the security and protection of terminals (“devices”, “endpoints”): they deliver only an image of the interface, which, unlike a browser running on the workstation for example, is not vulnerable to malware. These can be application or desktop virtualization technologies (“VDI”, “Virtual Desktop Infrastructure”) or web browser virtualization technologies (“RBI”, “Remote Browser Isolation”).

Fraud detection technologies based on “User Behavior Analytics” form a second family. For example, by analyzing how a user handles the mouse and keyboard, the user’s behavioral fingerprint can be computed. A fingerprint computed during the session can then be compared with the expected one, to detect whether the person behind the terminal is still the user who passed authentication. On the same principle, behavioral analysis of other data is the most advanced means of fraud detection. These technologies naturally rely on Artificial Intelligence (essentially Machine Learning).

As a specialist in application virtualization (by remote display), access management and Artificial Intelligence, Systancia is at the heart of these technological innovations and a player in “SASE”, ready to support you through these major transformations. The current crisis is further accelerating the need for, and adoption of, these emerging technologies, particularly for secure remote access to the information system by employees or service providers working from home.
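To show what “comparing a computed fingerprint with an expected one” looks like in practice, here is a small keystroke-dynamics check: an enrolment profile is built from dwell and flight times, and a live session is scored by how many standard deviations its timings sit from that profile. This is an added example written for this page, not Systancia's or any product's code; the timing samples are constructed, and the feature set, the z-score distance and the `2.5` threshold are hypothetical stand-ins for the learned models a real UBA engine would use.

```python
"""Keystroke-dynamics continuous-authentication check, in the spirit of the UBA approach above.
Added illustration: constructed sample data, hypothetical feature set and threshold."""
from statistics import mean, pstdev

# Constructed enrolment data: how long each key was held (dwell) and the gap between one
# key-up and the next key-down (flight), in milliseconds. Real profiles are built from
# thousands of events; ten values each keep the example readable.
ENROLMENT_DWELL_MS = [95, 102, 88, 110, 97, 105, 91, 99, 108, 94]
ENROLMENT_FLIGHT_MS = [140, 155, 132, 160, 148, 151, 137, 158, 145, 150]


def behavioral_print(dwell_ms, flight_ms):
    """Reduce a batch of timings to a small feature vector (the 'behavioral fingerprint')."""
    return {
        "dwell_mean": mean(dwell_ms),
        "dwell_sd": pstdev(dwell_ms),
        "flight_mean": mean(flight_ms),
        "flight_sd": pstdev(flight_ms),
    }


def z_distance(expected, observed):
    """Average absolute z-score of the observed means against the enrolled profile.
    The enrolled spread is the yardstick; the floor avoids division by zero for a user
    whose enrolment timings were perfectly regular."""
    zd = abs(observed["dwell_mean"] - expected["dwell_mean"]) / max(expected["dwell_sd"], 1e-9)
    zf = abs(observed["flight_mean"] - expected["flight_mean"]) / max(expected["flight_sd"], 1e-9)
    return (zd + zf) / 2


def check_session(expected, session_dwell_ms, session_flight_ms, threshold=2.5):
    """Compare the live session's fingerprint with the expected one.
    Returns (still_same_user, distance). The threshold is hypothetical: in practice it is
    tuned on enrolment data to balance false alarms against missed session takeovers."""
    observed = behavioral_print(session_dwell_ms, session_flight_ms)
    distance = z_distance(expected, observed)
    return distance <= threshold, distance


if __name__ == "__main__":
    profile = behavioral_print(ENROLMENT_DWELL_MS, ENROLMENT_FLIGHT_MS)
    # Constructed live sessions: first the enrolled user, then a much slower typist.
    print(check_session(profile, [100, 92, 106, 97, 103], [150, 143, 156, 147, 152]))
    print(check_session(profile, [160, 172, 155, 168, 165], [240, 255, 248, 262, 250]))
```

The point of the design is that the decision is continuous rather than one-off: the check can be re-run on each new batch of keystrokes during the session, so a terminal left unlocked and used by someone else drifts away from the enrolled profile even though the original authentication succeeded. A real deployment would add more features (digraph timings, mouse velocity and curvature) and a learned model in place of the fixed z-score rule.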