 / Unified Security Guide / Chapter 3: Secure Access Service Edge

Fortunately, the path towards modernizing your networking and security architecture is flexible, as technologies like cloud-delivered security, software-defined wide-area networks (SD-WAN), zero-trust network access (ZTNA), and more are converging into one unified solution: Secure Access Service Edge (SASE).

Created and defined by Gartner as a way to support the dynamic secure access needs of modern organizations. A SASE architecture makes it easier for you to configure, manage and scale networking and security policies across your entire workforce with better visibility and consistent user experience.

If you’re considering evolving your enterprise networking and security infrastructure to a Secure Access Service Edge architecture, this guide is here to help. Below, we will break down the key components that make up a full SASE stack, as well as how you can easily implement a SASE architecture with a unified solution.

SASE: A new approach to enterprise networking and security

Today’s employees need a fast, reliable, and secure application experience no matter where they are located or what device they are using. Successfully delivering these digital services requires IT teams to become nimble and agile, rather than wasting time managing disjointed or complicated networking and security solutions.

Fortunately, Secure Access Service Edge allows IT teams to implement a consolidated networking and security architecture that breaks down operational silos in IT and meets the needs of modern workforces. While cloud-delivered security can help mitigate challenges with traditional networking security architectures that backhaul software-as-a-service (SaaS) and general internet traffic through a data center, SASE’s consolidated framework moves security closer to users and apps, allowing you to provide employees with a secure, consistent application experience no matter where they are located.

Through SASE’s integration of technology like software-defined wide-area network (SD-WAN), your organization can also remove unpredictable performance of internet connectivity. This means that if internet performance varies across your network, application performance will remain consistent. A SASE architecture also allows IT to consistently enforce security policies for all users through globally distributed points of presence (PoP) that deliver a full stack of security capabilities. This keeps your organization safeguarded against unauthorized access and threats from the internet, like zero-day attacks, malware attacks and ransomware.

Components of a SASE architecture

Defined by Gartner, a comprehensive SASE architecture includes:

SD-WAN

SD-WAN is a virtual WAN architecture that virtualizes and bonds any combination of network transport types, such as multiprotocol label switching (MPLS), broadband internet, cellular, and satellite. Centrally managed from the cloud, SD-WAN dynamically routes traffic based on current network conditions and organizational policies to ensure application accessibility and performance is never sacrificed.

SD-WAN simplifies network and security administration and streamlines the setup of branch offices through integrated network and security policy management and zero-touch provisioning—or automatic device configuration that frees up your IT team for more pressing tasks. With SD-WAN, it’s easy to modernize legacy infrastructure architectures that consist of edge routers and point security solutions.

Top enterprise benefits of SD-WAN

An SD-WAN provides your end users with a better application experience and offers comprehensive security policy controls that are designed to ensure your network is “cloud-ready.” Additionally, an SD-WAN can replace MPLS or work alongside it while adding broadband and 4G/LTE access. Simply put, the benefits of SD-WAN include:

Secure web gateway (SWG)

An SWG is a cybersecurity solution that sits between the user and the internet to protect access to internet and SaaS applications. Using URL filtering, application control, and anti-malware security capabilities, SWGs filter out unwanted software or malware as a user browses the web—all the while enforcing corporate policies to meet regulatory compliance.

For example, a SWG can use URL filtering to block access to web pages and web categories—such as gambling websites or dark web marketplaces—that are deemed unsafe or against your organization's policies. If a user manages to gain access to a high-risk digital location, today’s comprehensive SWGs can provide malware protection to inspect malicious files and prevent downloads.

Many of today’s SWGs also provide internet access control for applications and browsers. This means that if your organization knows Windows 7 has vulnerabilities and is not a recommended operating system for your end users, your IT team can enforce that no Windows 7 devices are allowed to access web and SaaS applications. Native or integrated data loss prevention (DLP) is also increasingly included with modern SWGs.

Cloud access security broker (CASB)

CASBs are on-premises or cloud-based security policy enforcement points that are placed in line between users and applications (such as with Secure Internet Access) or in an out-of-band fashion through API integrations with applications (such as with Microsoft Cloud Application Service).

In both scenarios, CASBs focus on controlling SaaS app usage through four key methods:

Zero-trust network access (ZTNA)

ZTNA is a security architecture that enforces adaptive access with the principle of least privilege (PoLP) for designated users who are utilizing approved applications. With a ZTNA framework, you can create a digital identity-based perimeter that continuously verifies users and devices in real time using parameters such as location and what time of day it is. Additionally, a zero-trust architecture prohibits lateral movement throughout the network, provides a more efficient user experience, and offers more robust and simplified security controls compared to traditional VPNs.

Firewall-as-a-service (FWaaS)

FWaaS enables you to allow or restrict bidirectional traffic into your network based on IP addresses, ports, and protocols on a per-packet basis. For example, these firewalls could be used for packet filtering to block all File Transfer Protocol (FTP) traffic into your network if it is deemed an insecure protocol by your IT team. Firewalls could also be used to block traffic coming from IP addresses in particular countries or regions.

Modern Next Generation Firewalls (NGFWs), however, add application intelligence and malware signature analysis to boost their security capabilities even further. They can also monitor the “state” of communication, which is also known as a stateful inspection. This ensures that when you connect to a web server and that server must respond to you, your stateful firewall already has the proper access open and ready for the responding connection. When the connection ends, that access opening is closed.

A common use-case would be for your enterprise IT teams to use NGFWs with a FWaaS provider to block Microsoft’s ActiveX controls and peer-to-peer applications, both of which have often been identified as risky by IT teams.

With FWaaS integration, you can deploy security controls like:

• Anomaly-based threat detection
• Sandboxing
• Location-based filtering
• Malware protection software
• Intrusion detection and prevention systems (IDS and IPS)

Data loss prevention (DLP)

DLP solutions focus on protecting sensitive data-in-motion—such as such as credit card numbers, social security numbers, birthdates, physical addresses, and email addresses—from careless or malicious insiders or malware. This is done by analyzing data streams to identify pre-defined patterns or exact data matches.

For example, a credit card number may feature 15 digits, but any 15-digit string of characters is not always a credit card number. A DLP solution performs a calculation called a “checksum” to ensure credit card numbers match a recognized pattern used by multiple credit card brands.

During this checksum, the DLP solution also searches for keywords date values that could include the credit card expiration date. Robust DLP solutions also provide behavioral analytics that identify malicious insider behavior via event analysis, which could include database access at atypical hours.

Cloud sandbox

To protect against threats hidden in files being downloaded from the internet, a cloud sandbox establishes a secure environment that allows you to open suspicious files or run untrusted programs without affecting other applications in your network. You can utilize this secure environment at any time to inspect a file, program, or code that you suspect to be malware or a zero-day threat while ensuring it remains isolated from a device and your enterprise network apps.

Remote browser isolation

Unrestricted access to the internet using a browser can expose your organization to browser-based attacks. Remote browser isolation allows you to move browsing activity from a user’s device to a remote server that’s located in the cloud or on-premises in your enterprise network. This process makes it possible to prevent browser-based attacks on your network and lowers your vulnerability for a breach of infection, as data from compromised websites is not transmitted to user devices.

How to implement a SASE architecture

Establishing a full secure access service edge architecture for your enterprise can feel overwhelming, especially if you are already deploying disjointed networking and security solutions from multiple vendors. Today, 78 percent of organizations use more than 50 different cybersecurity tools, and adding even more to that number can create significant roadblocks. This includes attempting to manage and optimize siloed systems and converging these systems to create a single risk rating.

When you partner with a single vendor that offers a unified, ready-to-deploy SASE service, you can easily implement a comprehensive SASE architecture that:

• Improves your IT department’s agility to respond to business needs
• Provides deeper integrations across your current networking and security framework to simplify policy management
• Offers single-pane-of-glass management that makes it easier to troubleshoot problems
• Is designed with a single-pass architecture to maintain performance as your business grows
• Incorporates privacy and data segregation to keep your customers and users intellectual property safe
• Streamlines licensing and procurement so you can quickly add new functionality
• Includes SASE architecture implementation, training, and tech support to help break down IT silos and reduce challenges to adoption

Implement a unified SASE architecture with Citrix

Transforming your networking and security framework starts with Citrix’s unified secure access service edge solution. With our SASE architecture in place, you can modernize your IT infrastructure and ensure your workforce has uniform and secure access to all applications no matter their location or device.