Buyer's Guide to Unified SASE

Zero trust does not grant implicit trust to user accounts or assets based solely on their network or physical locations. Applying a zero-trust security model to secure application access allows organizations to move away from a traditional VPN tunnel that provides unrestricted remote access.

However, an effective ZTNA solution must grant access to individual applications per session based on user identity and provide continuous near-real-time device posture verification. Your ZTNA solution must also support the following core requirements:

• Explicit and granular access control per application based on user identity and continuous near-real-time device posture validation and monitoring
• Noncompliant devices and sessions blocked in near real time
• Endpoint security and vulnerability management as a part of a unified agent to simplify deployment and management
• Security inspection for application traffic and blocking malicious traffic
• All common enterprise device types, including Windows, Mac, and Chromebooks
• Support for secure access to all your corporate applications
• Universal enforcement of ZTNA policies, even when users are on the corporate network

You want to provide the same zero-trust model no matter the user’s location. This extends ZTNA beyond remote access to anywhere in the organization.

For remote users or branch locations outside the protection of the corporate perimeter, direct internet access expands the attack surface and increases related risks. To address this, the SASE solution must include enterprise-grade FWaaS with IPS and web filtering, SWG, and deep SSL inspection capabilities. It should also include advanced threat protection, including inline antivirus and sandbox capabilities, as a part of its SSE cloud-delivered service to provide consistent, secure internet access from any location.

The FWaaS must support next-gen firewall (NGFW) capabilities delivered from the cloud as a service. It must secure all connections and analyze inbound and outbound traffic without impacting user experience. FWaaS should support L7 application visibility and control, web filtering, SSL inspection, DNS security, intrusion prevention system (IPS), and advanced threat protection (ATP).

The SWG should protect internet users and devices from the most advanced web threats. It should include a broad set of capabilities for securing web traffic, including SSL-encrypted web traffic, without significant performance degradation.

SWG should support deep security inspection capabilities, including web filtering, antivirus, and file filtering, for managed and unmanaged devices using agent or agentless mode. Its web filtering capability must support predefined common web categories for URLs and web content to block access to malware, phishing sites, and inappropriate content.

The antivirus engine should detect and prevent known and previously unknown virus variants. Inline antivirus should include automated updates that protect against the latest viruses, spyware, and other content-level threats.

Sandboxing must offer high-performance security solutions utilizing artificial intelligence (AI) and machine learning (ML) technology to identify and isolate advanced threats in real time. It should also inspect files, websites, URLs, and network traffic for malicious activity, including zero-day threats, and use sandboxing technology to analyze suspicious files in a secure virtual environment.

Your solution should also include AI-powered security services for FWaaS, web filtering, DNS security, antivirus, anti-malware, sandbox, and IPS to ensure comprehensive and up-to-date protection from the latest known and zero-day threats. It is important to validate the efficacy of SWG and FWaaS components, including IPS, based on leading industry security certifications.

Given the rapid increase in SaaS adoption, organizations struggle with shadow IT and stopping data exfiltration. SSE must include the following core capabilities to provide secure SaaS access for users:

Next-generation dual-mode CASB, using both inline and out-of-band support, should provide comprehensive visibility by identifying key SaaS applications and reporting risky unsanctioned applications to overcome shadow IT challenges. Next-gen CASB should also offer granular control of applications to secure sensitive data and detect and remediate malware in applications across both managed and unmanaged devices.

A SASE solution must support a highly customizable suite of data protection capabilities that help safeguard from data-related breaches and compromises by providing a granular data protection policy engine. It should offer a broad set of DLP signatures, a customizable pattern and policy engine, and an advanced and accurate DLP content analysis engine to help achieve the best possible data security posture. It should also provide a rich set of predefined reports on DLP activities and compliance standards, such as SOX, GDPR, PCI, HIPAA, NIST, and ISO 27001.

Many SASE solutions only provide SSE capabilities or deliver lightweight SD-WAN capabilities to forward branch traffic to their SSE cloud. This leaves a gap in providing fast and secure access from branch locations.

The best SD-WAN solutions offer converged networking and security managed by one centralized management system, allowing sites to be brought on quickly without requiring networking or security experts to be on-site for installation. An effective and scalable SASE solution must offer secure SD-WAN devices at branch locations that consolidate core WAN edge networking and branch security capabilities to provide fast and secure access to the internet, SaaS, and private applications from branch locations.

• Transport independence: Secure SD-WAN supports multiple kinds of uplinks, including internet, MPLS, 4G, LTE, and 5G.
• Path control: The SD-WAN must be able to utilize active paths for bandwidth efficiency, failover, and resiliency.
• Security: SD-WAN must ensure security across each branch location, including an integrated, NGFW that offers antivirus, anti-malware, data loss prevention, IPS, IDS, sandboxing, and URL and content filtering.
• Application optimization: The SD-WAN solution must optimize applications, including video and
• voice traffic and SaaS applications. Also, it must be intelligently able to identify thousands of applications and steer them dynamically on the appropriate link.
• Encryption: SD-WAN must support the creation of an end-to-end encrypted tunnel over the broadband between headquarters and branch locations. Companies must use SD-WAN to encrypt WAN traffic and ensure it encrypts it effectively.
• Zero-touch provisioning: The solution must optimize branch SD-WAN device onboarding.
  
• Automation and orchestration: All functions must be supported by a centralized, single-pane-of-glass management system.

A SASE solution should provide flexible connectivity to locations and endpoints beyond remote user devices and branch sites. Cloud-delivered SSE capabilities are a cost-effective choice to secure thin edges to secure LAN, wireless LAN, and OT environments that may not be able to deploy a full NGFW on-premises or install clients on the endpoints.

Many enterprises deploy wireless APs to provide connectivity at remote locations (such as retail stores). These APs require the same level of security as larger branch sites to secure communications with the internet, SaaS, and private applications from within the thin edge. A SASE solution that can offer cloud-delivered SSE capabilities by integrating directly with wireless APs without deploying an NGFW or client at each endpoint provides enterprise-class security and reduces complexity and costs. In addition, the SASE solution can extend zero-touch provisioning beyond branch SD-WAN devices and offer similar capabilities for wireless APs at thin edges.

Organizations need to identify where their users are working from and where the applications they access are located. This helps ensure they pick a SASE vendor that can provide low latency and points of presence (POPs) closer to where users are located.

In addition, not all SASE vendors provide the full stack of SSE security capability at each POP. It is important to understand:

• What capabilities are provided in each SASE POP
• Any mechanisms the SASE vendor has in the POP to optimally steer traffic through their cloud network
• The SLA offered by the vendor for SSE inspection, rather than just going with the total number of POPs claimed by the vendor

There are many approaches to SASE in the market, with varying levels of functionality and integration required for SASE deployments. Enterprises must be aware of the differences to identify the right SASE solution for their needs.

Dual-vendor SASE solutions are typically based on SD-WAN and SSE functionality (ZTNA, SWG, FWaaS, CASB, DLP) from two different vendors. The enterprise networking team normally leads the selection of SD-WAN technology, while the enterprise security team typically leads the selection of the SSE functionality. While dual-vendor SASE provides the flexibility to choose different vendors for networking and security as a service, it leads to increased complexity and costs. It is not simple to deploy or operate.

Single-vendor SASE solutions offer SD-WAN and SSE capabilities, including SWG, CASB, network firewalling, and ZTNA. Such offerings use a cloud-centric architecture and are delivered by a single vendor through a common management console. Single-vendor SASE solutions are simpler to manage, more cost-effective, and easier to deploy than dual-vendor SASE solutions that attempt to combine SD-WAN and SSE capabilities from two different vendors.

Not all single-vendor SASE solutions are based on a common platform or operating system (OS), as some vendors have chosen to offer single-vendor SASE based on integrating multiple products or using third-party OEM technologies for several of their SASE components. They also often require numerous deploying client agents, which adds to complexity and costs.

SASE solutions must support digital experience monitoring (DEM) to provide end-to-end visibility. This provides IT teams with the data they need to decrease resolution times and ensure and maintain an optimal user experience.

DEM should offer insights across users and global SASE POPs and provide comprehensive visibility into the performance of common SaaS applications based on typical metrics, such as latency, jitter, packet loss, and mean opinion scores. DEM should also provide end-to-end monitoring of performance metrics, from user to common SaaS applications, and performance from each SASE POP to the SaaS applications to help troubleshoot issues and reduce mean time to resolution.

Enterprises need a SASE solution that delivers high-security efficacy to combat modern zero-day threats and support 24x7 monitoring of security threats. However, many SASE solutions are limited to threat prevention and detection of known threats based on signature-based IPS. They require additional investment in in-house security, SOC staff, and technology to maintain ongoing security monitoring.

AI-powered security enables prevention, detection, and automated response to zero-day threats. However, not all SASE vendors have the breadth of deployments nor the ability to gather the large volumes of security data needed to effectively support AI and ML for detecting zero-day threats. Enterprises should look for SASE solutions that can gather a sufficiently large breadth and volume of telemetry data to support the AI-powered functions augmenting essential SSE capabilities, such as a SWG, FWaaS, ZTNA, CASB, and DLP, to maintain protection from a wide range of security threats.

In addition, SASE solutions should integrate with existing systems to minimize investments in SOC technology and personnel to monitor and respond to security threats in near real time.

Many SASE solutions require additional third-party clients for endpoint protection, vulnerability management, DEM, ZTNA, and SSE connectivity.

This increases deployment and operational complexity as well as the TCO. Unified SASE solutions consolidate security capabilities in the cloud and at the endpoints to reduce complexity and costs.