Company networks have evolved rather spectacularly in just 20 years along a couple of distinct tracks: connectivity and security.
We began the new millennium with on-premises data centers supporting servers and desktops that a technician in sneakers could service. Connectivity was relatively uncomplicated. And given a tangible network perimeter, cybersecurity evolved following the moat-and-wall principle. Locking down web gateways and erecting a robust firewall were considered the be-all and end-all.
Fast forward to the 21st Century’s third decade. Today, connectively is a convoluted mess. Company networks must support endless permutations of users and apps, both on-premises and in the Internet cloud. Security, meanwhile, has morphed into a glut of point solutions that mostly serve to highlight the myriad gaps in an ever-expanding attack surface. And threat actors continue to take full advantage.
These inefficiencies and rising exposures are not being ignored. Quite the contrary, there’s plenty of clever innovation, backed by truckloads of venture capital, seeking to help networks run smoother, while also buttoning down the attack surface. One new approach that is showing a lot of promise cropped up in late 2019. It’s called Secure Access Service Edge, or SASE, as coined by research firm Gartner.
SASE (pronounced sassy) replaces the site-centric, point-solution approach to security with a user-centric model that holds the potential to profoundly reinforce digital transformation. The beauty of SASE is that it accomplishes this not by inventing anything new, but simply by meshing mature networking and security technologies together and delivering them as a single cloud service — with all of the attendant efficiency and scalability benefits.
To get a better idea of SASE, I had the chance to visit with Elad Menahem, director of security, and Dave Greenfield, secure networking evangelist, at Cato Networks, a Tel Aviv-based startup that’s in the thick of the SASE movement. Here are the key takeaways I came away with:
The limits of SD-WAN
In order to deliver the modern digital services we’ve come to take for granted, large enterprises have come to rely on multiprotocol label switching (MPLS) as a means to handle gargantuan loads of high bandwidth traffic at the high speed. But MPLS has proven to be expensive and inflexible. And so this led to the emergence of software-defined wide-area networking, or SD-WAN.
SD-WAN arose in 2014 as a way to use software to manage traffic moving across large networks, especially to-and-from geographically dispersed branches. SD-WAN made site-to-site connectivity much more flexible and affordable for big companies. Research firm IDC says that the market for SD-WAN systems is in the midst of a five-year run of growing 30% annually — and should top $5.25 billion by 2023.
The catch is that SD-WAN has been all about connectivity, and not so much about security and privacy. For instance, SD-WAN solutions have generally lacked threat prevention capacities that CISOs today look for in cybersecurity solutions, Greenfield observes.
All networking systems and all security solutions that send and receive traffic must also inspect that traffic and apply policies to that traffic. This typically occurs in the realm of deep packet inspections (DPI.) And at present, there is a lot of redundancy in the realm of DPI.
“SD-WAN appliances and security appliances both do the same deep-packet inspections,” Menahem told me. “One layer of appliances runs inspections to make networking decisions, one runs inspections to make security decisions, and yet another layer runs inspections for acceleration.”
Solving the bigger problem
Five years ago, Cato Networks’ co-founders, CEO Shlomo Kramer and COO Gur Shatz realized the problems point-solution propagation caused enterprises. “They questioned why anyone needed to run the same deep packet inspections — and other functions — on four different point solutions,” Menachem says.
Kramer and Shatz envisioned providing a service that would function as a “global, single-pass networking and security engine in the cloud,” Greenfield added. “A packet would come into their cloud, it would get depacketized and de-encrypted, and all networking and security functions would be performed in parallel before getting resent out across the cloud.”
The co-founders were certainly well-positioned to rethink both networking and security. Kramer previously co-founded firewall pioneer Check Point Security, among several other cybersecurity companies; Shatz co-founded Incapsula, a supplier of content delivery network (CDN) systems that optimize and secure the delivery of web content. Incapsula was acquired by web application firewall vendor Imperva. Kramer and Shatz launched Cato Networks in 2015 to converge connectivity and security and make it available to enterprises as a managed cloud service. Four years later, in 2019, Gartner would define SASE as security subsector which fit what Cato had introduced to a T.
Today Cato’s SASE service sits on its own private backbone network that crosses some 60 point-of-presence (PoP) facilities the company has set up around the globe. Cato makes this resource available to manage connectivity and apply security protections.
“We’ve converged networking and security together into a cloud-native service,” Menahem says. “So, out of the box you get a seamless networking infrastructure and a seamless security infrastructure.”
SASE: An emerging solution
Cato is by no means alone in the nascent SASE market. Cisco, Palo Alto Networks, zScaler and Fortinet are just a few of the dozens of cybersecurity vendors are pushing their business models in this direction. There has been enough attention paid to this general area that Gartner formally designated SASE as a cybersecurity subsector in its August 2019 . In a more recent report, Gartner projects that by 2024 at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.
Greenfield told me that Cato’s SASE offering aligns very closely with Gartner’s characterization of a true SASE service being “cloud-native — dynamically scalable, globally accessible, typically microservices-based and multitenant.” He noted that Cato also meets Gartner’s call for support of identity-driven security practices. Notably, this very helpfully reinforces Zero Trust Network Architectures (ZTNA) and passwordless authentication, both of which have been steadily gaining wider adoption on their own.
By delivering security through a cloud service that includes ZTNA, SASE aligns well with how connectivity is rapidly shifting to the “edges” of modern business networks; not just data centers and branch offices, but increasingly, and more crucially, smartphone users joining a meeting or seeking access to company resources, on the fly, from far-flung geographies.
Empowering users to leverage the latest, niftiest mobile apps – securely and privately from anywhere – in more mission-critical than ever in the post Covid-19 era. It won’t be easy nor cheap for security vendors to pull together. As Gartner acknowledges, “The breadth of services required to fulfill the broad use cases means very few vendors will offer a complete solution in 2020, although many already deliver a broad set of capabilities. Multiple incumbent networking and network security vendors are developing new or enhancing existing cloud-delivery-based capabilities.”
This is where Cato differentiates, Greenfield says. No other SASE provider today claims to deliver a global, cloud-native platform, quite like Cato. It may be well be why the company was able to close another $130 million financing around while achieving more than $1 billion valuation.
In the post-Covid-19 era, with schools and businesses delivering more services remotely, the capacity to robustly embed security and privacy at the networking level seems more vital than ever before.
Can SASE take us there? Will SASE take root and ultimately foster resilient, agile business networks that seamlessly and securely connect users globally? SASE is in a fledgling stage. It’s going to be instructive to see which variants win in the marketplace – and how quickly and widely SASE solutions get adopted. I’ll keep watch and keep reporting.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-will-secure-access-service-edge-sase-be-the-answer-to-secure-connectivity/