17 Apr Doctor Jonathan Cartu Says – Network Security Should Follow Network Users to the Edge
The use of enterprise networks is evolving as network users and endpoints (including cloud-hosted resources) move off of the corporate LAN. This creates challenges for networking and security teams that must protect data and devices that are no longer connected to the corporate LAN.
As these users and endpoints move to the network “edge”, security needs to move to the network edge as well. This requires a new approach, since the traditional approach of deploying point security solutions does not scale well when an organization must deploy, monitor, and manage the same stack at many locations. Secure Access Service Edge (SASE) is designed to solve this problem. As corporate networks grow and evolve, ensuring that security evolves with them requires an understanding of what SASE is and how it can be applied to meet the needs of enterprise network users.
The Evolution of the Enterprise Network
In the past, company networks were largely composed of devices connected to the enterprise LAN. An organization had a number of user workstations and servers, all behind the enterprise firewall and perimeter defenses.
Over time, this has changed. The first shift was from desktops to laptops. This let employees move around within the office or take work home with them, but it also created new threats: an employee working from an untrusted, insecure network could be infected with malware and carry that infection past the company’s perimeter defenses into the internal network. This change forced a shift from purely network-focused cybersecurity to also deploying security on the endpoints themselves, such as antivirus.
Now, companies are facing another shift in the use of enterprise networks and devices. Organizations are increasingly leveraging mobile devices, the Internet of Things (IoT), and cloud computing for business purposes. Mobile devices let employees work flexibly and productively, IoT devices enable centralized monitoring and management of equipment deployed at offsite locations, and cloud computing offers scalable, flexible, and affordable data storage and processing.
Network Users at the Edge Require Security at the Edge
The growing use of mobile, IoT, and the cloud creates new networking and security challenges for organizations. Unlike desktop workstations and servers, these devices are often connected to untrusted wireless or mobile networks. With the growth of 5G, the share of business traffic carried over networks outside of the organization’s control is only likely to increase.
This evolution of the enterprise network requires a new approach to security. In the past, an organization could deploy cybersecurity defenses at the network perimeter to scan all traffic entering and leaving the corporate network. While perimeter inspection could not identify and block every threat, which is why internal defenses are still needed, it was effective against the majority of them.
As users move off of the corporate LAN and connect over the public internet, this approach is no longer effective. Traffic that originates or terminates within the corporate network can easily be scanned by perimeter-based defenses, but the percentage of business traffic that does so is dwindling. Increased usage of Software as a Service (SaaS) and other cloud-based applications makes it logical for remote users to connect directly to the cloud. Forcing that traffic to hairpin through the enterprise network for monitoring and security inspection, only to leave again for the cloud, can have an unacceptable impact on latency (the “trombone effect”).
SASE Provides Security at the Network Edge
As network users move off of the corporate LAN, network security needs to do so as well. By leveraging the global reach of cloud computing, SASE enables organizations to deploy distributed security where their users are.
The traditional approach to security is deploying an array of point solutions at the network perimeter. This typically includes a next-generation firewall (NGFW), a secure web gateway (SWG), and a secure email gateway (SEG) at the minimum. This approach does not translate well to the cloud, where network administrators would need to deploy, configure, monitor, and maintain that same stack at many different locations.
SASE addresses this by integrating an organization’s traditional security functions into a single, cloud-delivered platform rather than a set of separate appliances. This simplifies deployment and management, since there is no need to configure separate products to interoperate via application programming interfaces (APIs), and it can also improve performance, because the security functions are designed to work as a whole rather than as a chain of independent inspection points.
SASE also meets the needs of network users by moving security to the network edge. Rather than forgoing security entirely or routing traffic through the enterprise network at a dramatic cost in latency, SASE has remote users connect to a nearby point of presence (PoP), which performs security inspection and then routes the traffic on to its destination over an optimized path. With high-performance, secure links between PoPs, SASE may even offer better performance than routing traffic over the (unreliable) public Internet. The benefit depends on a PoP actually being close to the user, so PoP coverage in the regions where users and their applications sit is a key factor when evaluating a SASE provider.
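The trombone effect described above, and the PoP-based alternative, can be made concrete with a small propagation-delay model. This is an added example written for this page, not code from the original post or from any SASE vendor. It assumes fiber propagation of roughly 200,000 km/s, a rule-of-thumb 1.5x route inflation over the great-circle distance, and a few constructed, approximate site coordinates; processing and queuing delay are ignored, so the numbers are a lower bound on real round-trip times.

```python
import math

# Assumed propagation speed in optical fiber (about 2/3 of c), in km/s.
FIBER_KM_PER_S = 200_000.0
# Real fiber paths are longer than the great-circle distance; 1.5x is an
# assumed rule-of-thumb inflation factor, not a measured value.
ROUTE_INFLATION = 1.5

# Constructed, approximate (latitude, longitude) pairs for illustration only.
SITES = {
    "user_singapore": (1.35, 103.82),   # remote worker
    "hq_frankfurt":   (50.11, 8.68),    # corporate data centre with the perimeter stack
    "pop_singapore":  (1.29, 103.85),   # hypothetical SASE PoP near the user
    "saas_singapore": (1.30, 103.80),   # SaaS application hosted in the same region
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def path_km(path):
    """Sum of great-circle hops along a list of site names, with route inflation."""
    hops = zip(path, path[1:])
    return ROUTE_INFLATION * sum(haversine_km(SITES[x], SITES[y]) for x, y in hops)


def rtt_ms(path):
    """Propagation-only round-trip time in ms for traffic that follows `path`."""
    one_way_s = path_km(path) / FIBER_KM_PER_S
    return 2 * one_way_s * 1000.0


def compare(user, hq, pop, saas):
    """RTT for the three ways a remote user's SaaS traffic can be handled."""
    return {
        # Backhaul through the corporate perimeter and back out (the trombone).
        "backhaul_via_hq": rtt_ms([user, hq, saas]),
        # Inspect at a nearby PoP, then on to the application.
        "inspect_at_pop": rtt_ms([user, pop, saas]),
        # Straight to the application with no inspection at all.
        "direct_uninspected": rtt_ms([user, saas]),
    }


if __name__ == "__main__":
    result = compare("user_singapore", "hq_frankfurt", "pop_singapore", "saas_singapore")
    for label, ms in result.items():
        print(f"{label:>20}: {ms:7.1f} ms RTT")
```

Running it shows the backhauled path costing on the order of 300 ms of pure propagation delay, while inspecting at a PoP in the same city adds well under a millisecond over the uninspected direct path. The model is deliberately simple; its point is that the penalty comes from geography, so an inspection point only avoids the trombone when it sits near the user and, ideally, near the application as well.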
Taking the Next Step in Network Evolution
Enterprise network users have already moved off of the corporate LAN. New technologies, such as mobile, IoT, and the cloud, carry business traffic over less trusted networks and sit at the network “edge” rather than on the enterprise LAN. Keeping remote workers both productive and secure requires organizations to deploy their security at the network edge as well. SASE makes this possible by integrating networking and security functionality and using cloud computing as the platform on which that security is delivered.