SECURE NETWORK EVOLUTION

Exploring SASE, SSE and NaaS Realities

Overview

Cloud computing, distributed ecosystems and cybersecurity are forever intertwined. When Gartner postulated the merging of networking and cybersecurity with SASE (Secure Access Service Edge) and later SSE (Secure Service Edge), it created an important architectural shift in what both suppliers and service providers offer to enterprises. Part 1 (this page) covers SASE, SSE and the services that provide them.


These three pages are developed from the article ISE published in June 2024 and a blog written for ONUG (The Open Network User Group) in mid-May 2024. They also examine the implications of adopting a security approach that removes the need for enterprise resources.

Four to five years on, the emergence of enterprise-driven NaaS (Network as a Service) brings the opportunity to empower enterprises with business-driven technologies. An important element of NaaS is the opportunity to unify not just the services offered to organizations but also the security of those services, taking the burden from enterprises. This honors their requirement to take responsibility and to self-verify the integrity of the services offered. Part 2 looks in depth at the journey to Network as a Service.

Part 3 looks at the implications of cybersecurity for both models, which is why these technologies need to be examined from a cybersecurity perspective. It also examines how the combination of NaaS, SSE and SASE serves all parties in the evolving ecosystem, one step at a time turning the world of networking upside-down.

It’s too early to be definitive, but in a later piece we will look at the intersection of cybersecurity, AI and networking for these two approaches. Overall, the purpose of these pages is to separate the marketing hype of recent network solutions from new approaches that empower enterprises rather than their suppliers. There is no intention to declare any of the approaches investigated below right or wrong. These pages draw on several decades of working in software, networking and cybersecurity.

Part 1: Uncovering SASE, SSE

Who Came Up With This Idea?

Let’s begin by applauding Gartner’s attempt to “bang the heads of the network and security people together” in their SASE (Secure Access Service Edge) blog in 2019 – curiously, since removed. By the following year it was diluted to SSE (Secure Service Edge), removing the SD-WAN element given supplier resistance and the blurring of firewall functions. Gartner’s ideas were summarized with words like “including” and “such as” for the components, none of which were uniquely defined. Undaunted, the networking, Cloud and security providers, and the analysts following them, fell and continue to fall in love with the opportunity for useful and profitable “complete solutions.” I counted more than 40 a year ago and the numbers, like the market predictions, continue to grow.

Given the momentum of analysts to define a measurable “solution,” it seems necessary to agree on what the terms actually mean. It’s tricky, since each supplier defines them differently depending upon what they think is important, what they can deliver, what customers request, and so on. The challenge is to unscramble which offering meets your organizational requirements and provides the best economic value.

Defining the two SASE “pillars” and the three components common to both SASE and SSE:

SASE CONSISTS OF NETWORK AND SECURITY ELEMENTS:

SD-WAN (Software Defined Wide Area Network): A network approach that provides application-layer connectivity “overlaying” transport of data, APIs, etc., to remote host systems (typically Cloud applications in containers).

Next-Gen Firewalls: Strangely named “Next Gen” (today’s Next Gen being tomorrow’s obsolete marketing). These consist of firewall processes at enforcement points, as opposed to a box in a data center. With functions becoming blurred by web and application software, firewalls may be relegated to the history books.

SSE COMPONENTS INCLUDED IN SASE:

CASB (Cloud Access Security Broker): Broker is an unusual networking term, but it is effectively a Zero Trust Policy Enforcement Point. Depending on function, a CASB ensures that the user’s identity is authenticated, that the policy permits the user to take the requested action at that time, and that the action is blocked and reported if and when it is out of policy. All good Zero Trust best practices.

SWG (Secure Web Gateway): Perhaps better termed Secure Gateway, since they are gateways to more than just web functions. Functions blur again here, but while firewalls have generally protected users from network-layer attacks, SWGs defend user-generated web traffic. Web application firewalls that protect web-based applications are also in this mix.

ZTNA (Zero Trust Network Access): This last one is perhaps misnamed, as it has come to mean trusted access to remote (Cloud-based) applications, as a replacement for or enhancement of a VPN, which typically connects a device or network to a remote network or system. ZTNA is a much stronger approach than a “Secure VPN,” as even the Cybersecurity and Infrastructure Security Agency found out when theirs was compromised. With ZTNA, the user gains access only to the applications and data they are authorized to access. ZTAA might have been a better name. The National Institute of Standards and Technology’s attempt at defining ZTNA as “a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications” is an example of the difficulty of attempting a definition of terms that are without formal basis.
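As an added illustration (not from the article, Gartner, NIST or any vendor), the following Python sketch models the enforcement behaviour the CASB and ZTNA paragraphs describe: the user must be authenticated, the policy must permit the requested action on that application at that time and from that device, and anything out of policy is blocked and reported. The roles, applications and policy values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool   # outcome of upstream identity-provider authentication
    device_managed: bool  # context: device posture reported by the endpoint agent
    app: str              # the application is the unit of access, not a network
    action: str           # e.g. "read", "download"
    at: datetime          # time of the request (UTC)

@dataclass(frozen=True)
class Rule:
    apps: frozenset
    actions: frozenset
    hours: range = range(0, 24)          # permitted UTC hours for this rule
    require_managed_device: bool = False

    def check(self, req):
        """Return None if this rule permits the request, else the reason it does not."""
        if req.action not in self.actions:
            return "action_not_permitted"
        if req.at.hour not in self.hours:
            return "outside_policy_hours"
        if self.require_managed_device and not req.device_managed:
            return "unmanaged_device"
        return None

# Constructed policy: which role may do what, to which application, and when.
POLICY = {
    "finance": [Rule(frozenset({"erp", "payroll"}), frozenset({"read", "download"}),
                     hours=range(7, 20), require_managed_device=True)],
    "contractor": [Rule(frozenset({"wiki"}), frozenset({"read"}))],
}
ROLES = {"alice": "finance", "bob": "contractor"}  # constructed user directory

def at(hour):
    """Helper for building a constructed request time on a fixed day."""
    return datetime(2024, 6, 3, hour, tzinfo=timezone.utc)

def decide(req, policy=POLICY, roles=ROLES, audit=None):
    """Enforcement point: return 'allow', or 'deny:<reason>' and report the denial to audit."""
    audit = [] if audit is None else audit
    reason = "unauthenticated"
    if req.authenticated:
        reason = "app_not_granted"  # default: no path to applications not granted
        for rule in policy.get(roles.get(req.user, ""), []):
            if req.app in rule.apps:
                reason = rule.check(req)
                if reason is None:
                    return "allow"
    audit.append(f"{req.at.isoformat()} DENY user={req.user} app={req.app} "
                 f"action={req.action} reason={reason}")
    return f"deny:{reason}"
```

Note that an unknown user or an application outside the granted set is refused before any connectivity is considered; that is the distinction the text draws between ZTNA and a network-level VPN.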

In summary, the many interpretations of SSE have become popular as a stepping-stone to a full secure network implementation. SASE is more popular with vendors who have added security to their existing network functions.

Curiosity – No Diagram: The confirmation that SSE and SASE are complementary functions rather than a network architecture is the lack of a diagram on this page that shows how it all fits together!

Reality Check

As you wade through the acronym soup, it would be easy to think that you are looking at the “emperor’s new clothes,” or to assume that all SASE or SSE offerings are the same or contain the same elements with a wide variety of additions. They do not. However, all is not lost. The above is important groundwork for the guidance below on how to choose vendors, integrators, or managed service providers.

The Guidance

Don’t be persuaded that you need one market solution over another. Instead, get past the product names to look at, and pay for, the networking, automation, and security functions you actually need, and understand how they are implemented. Those network functions might include consolidated automation of event notification. Security functions might include secure DNS, remote browser interfaces, protection against APTs and lateral movement, and cloud microsegmentation bundled in with the offering. Verifying the security of the software supplier’s products, services, and organization is critically important.

SASE Service

For service providers, it has become important to deliver the SASE networking and security functions as a cohesive service that can bring together a wide variety of implementations. This is an actual service, formally defined by the MEF as MEF 117.

Despite the lack of formal definition of the terms, work is also under way to certify SASE and SSE offerings. Given that there are no formal definitions of the SASE and SSE terms, as seen above, this might seem a strange idea, but it has the effect of aligning the industry on agreed core functions and will greatly assist the end users’ ability to choose well-tested and verified functions. It will also help align other formal extensions and functions being recognized, such as Identity and Access Management, Remote Browser Isolation, and many security functions such as IP port and protocol filtering, DNS filtering, Data Loss Prevention and more. These are exactly the kind of functions that help users see beyond the marketing of complete solutions.

Now let’s look at how a new iteration of Network as a Service (NaaS) might change or complement this picture. Link to Part 2.