Security Flashcards

(7 cards)

1
Q

Secure Access Service Edge

A

SASE allows organizations to extend users’ secure access and security policies from the network edge to the cloud edge. By following the user, SASE delivers a consistent user experience for a hybrid workforce across endpoints, WAN, cloud, and data center.

Secure access service edge, often abbreviated as SASE, is a security framework that converges software-defined wide area networking (SD-WAN) and Zero Trust security solutions into a converged cloud-delivered platform that securely connects users, systems, endpoints, and remote networks to apps and resources.

Security is based on digital identity, real-time context (location, time of day, risk/trust posture of the connecting device and application and data sensitivity), and company and regulatory compliance policies, rather than a security appliance like a firewall. A digital identity may be attached to anything from a person to a device, cloud service, application software, IoT system, or any computing system.

Clifford Grossner of IHS Markit criticizes the lack of analytics, artificial intelligence and machine learning as part of the SASE concept and the likelihood that enterprises won’t want to get all SD-WAN and security functions from a single vendor. Gartner counters that service chaining of security and SD-WAN functions from multiple vendors yields “inconsistent services, poor manageability and high latency.”[11]

IDC analyst Brandon Butler cites IDC’s position that SD-WAN will evolve to SD-Branch, defined as centralized deployment and management of virtualized SD-WAN and security functions at multiple branch office locations.

SASE is achievable in 2 ways: as service chaining or as a converged platform/service.

Service Chaining: Organizations build their SASE architecture by chaining several networking and security services from 1 or more vendors. These vendors provide application programming interfaces (APIs) that integrate the chained services.

Converged Platform/Service: A single platform (software stack/image) tightly converges and integrates both networking and security functions, and a single management console manages them. A single-pass processing architecture conducts the security and network inspection, enabling the optimal efficiency and performance of the converged services.

2
Q

Software-defined wide area network (SD-WAN)

A

A software-defined wide area network is an overlay architecture that uses routing or switching software to create virtual connections between endpoints—both physical and logical. SD-WANs provide near-unlimited paths for user traffic, which optimizes the user experience, and allows for powerful flexibility in encryption and policy management.

3
Q

Secure web gateway (SWG)

A

A secure web gateway is a web security service that filters unauthorized traffic from accessing a particular network. The goal of a SWG is to zero in on threats before they penetrate a virtual perimeter. A SWG accomplishes this by combining technologies like malicious code detection, malware elimination, and URL filtering.

4
Q

Cloud access security broker (CASB)

A

A cloud access security broker is a SaaS application that acts as a security checkpoint between on-premises networks and cloud-based applications and enforces data security policies. A CASB protects corporate data through a combination of prevention, monitoring, and mitigation techniques. It can also identify malicious behavior and warn administrators about compliance violations.

5
Q

Firewall as a service (FWaaS)

A

Firewall as a service moves firewall protection to the cloud instead of the traditional network perimeter. This enables organizations to securely connect a remote, mobile workforce to the corporate network, while still enforcing consistent security policies that reach beyond the organization’s geographic footprint.

Next Generation Firewall (NGFW) offers a subset of the security stack offered by SASE, and typically doesn’t include SD-WAN services. NGFW may be deployed on premises or as a cloud service, while SASE is a cloud architecture by definition. While SASE focuses security on WAN connections, a NGFW can be deployed anywhere including internally in the data center.

6
Q

Zero Trust Network Access (ZTNA)

A

Zero Trust Network Access is a set of consolidated, cloud-based technologies that operates on a framework in which trust is never implicit and access is granted on a need-to-know, least-privileged basis across all users, devices, and applications. In this model, all users must be authenticated, authorized, and continuously validated before being granted access to company private applications and data. ZTNA eliminates the poor user experience, operational complexities, costs, and risk of a traditional VPN.

7
Q

Centralized and unified management in SASE

A

A modern SASE platform allows IT administrators to manage SD-WAN, SWG, CASB, FWaaS, and ZTNA through centralized and unified management across networking and security. This frees IT team members to focus their energy in other more pressing areas and boosts the user experience for the organization’s hybrid workforce.
