The rise of cloud, mobility and related applications has effectively undermined the concept of perimeter-based security. That is why the Trusted Internet Connection (TIC) 3.0 initiative addresses the need for security when users, applications and data reside outside the perimeter.
The secure access service edge (SASE) security model is the next logical step. SASE pushes IT services and associated security measures from the perimeter out to the edge, delivering them through the cloud.
To learn more about SASE, we spoke with Stephen Kovac, Vice President of Global Government and Compliance at Zscaler, which operates a multitenant distributed cloud security platform. He highlighted three key benefits.
Reduced IT cost and complexity
In a traditional network environment, IT and security services operate within the data center. That was manageable when end users and IT services worked within the perimeter. But as agencies have accelerated their adoption of cloud and mobile solutions, the traditional approach has proven increasingly difficult to scale, since it requires everything to get rerouted back to the data center.
SASE changes that model by extending IT and security services to wherever end users, systems and data reside, reducing the burden on the network and the data center, and making it easy to scale as new requirements emerge.
It also reduces data center bloat. “The idea of having these big multiple stacks in the data center – and having to update and maintain that equipment – goes away, because now it’s being done in the cloud,” Kovac said.
Better user experiences
Another challenge of working in a widely distributed environment is that the user experience becomes unpredictable. In the traditional network environment, users and systems outside the data center typically rely on a virtual private network (VPN) to connect to the network securely, with variable levels of performance.
By pushing security services closer to the user or system – and by connecting users or systems directly to cloud applications and services – SASE ensures optimal bandwidth and low latency.
This model also provides a consistent experience as a user moves from one location to another. Whether that user is working out of an office in Washington, D.C., from home, or at a remote location, they will have the same experience and better performance, Kovac said.
By design, SASE integrates wide area networking and security capabilities. This ensures that all connections are inspected and secured, no matter where the user or system is or what application is being accessed. SASE also provides a zero trust network access (ZTNA) model, granting connectivity only to users or systems that are authorized to reach the requested application.
SASE is a cyber version of social distancing. By moving security services out to the edge, an agency keeps users and services from getting inside the perimeter. And by shielding the network and its IP addresses from the internet, SASE helps move agencies closer to a zero attack surface, Kovac said.
“How do you achieve that idea of no perimeter and no attack surface, but still deliver services? We have been caching and accelerating data at the edge for years. Evolution now allows us to compute and secure at the edge. That’s what SASE is,” Kovac said.