Edge

Why Secure Access Service Edge is key for a distributed workforce

Written by Daniel Blackwell, Product Manager – Network and Security at Pulsant, on using edge to transform networks. The huge shift to remote working and the increased sophistication of SaaS applications used by employees on vastly extended networks present significant security challenges. Supercharged by the pandemic, these major trends have left many businesses struggling to address the long-term security risks generated by such an expanded attack surface. The problem is that thousands of employees are now working from uncontrolled environments, frequently using their own devices, and almost certainly relying on domestic networks. Personal devices and home broadband lack the same security protocols and controls that apply to corporate devices and networks, making them more vulnerable to cyber-attacks. Internet access is often shared with other devices, while home networks either have weak passwords, or none at all, and are generally configured without encryption. All these vulnerabilities provide multiple angles of attack on a corporate network which are potentially easier to carry out than many other methods employed by criminals or activist hackers. The picture for IT chiefs is further complicated by the use of multiple cloud vendors and the steadily growing adoption of hybrid infrastructures for sound business reasons. This further compounds the vulnerabilities of an expanded surface, with multiple ingress points to access distributed business information and systems, which all need to be controlled and monitored. Removing the IT headache For IT teams these developments are problematic. Applying security policies to each employee working remotely can be complex and costly. For example, applying the same policies and controls could require deploying a firewall at each employee’s home which is expensive and generates huge management overheads. The alternative of providing each employee with a remote VPN connection back to a central office location goes against the flow of what businesses need today for increased agility and cost-effectiveness. As organisations increasingly move to decentralised services employing SaaS applications and public cloud, there is little sense in routing traffic back through an office location. The role of SASE Secure Access Service Edge (SASE) is increasingly emerging as a solution to most of these difficulties, enabling organisations to apply security policies to employees wherever they are working, using a centralised management policy. Adoption of SASE remains cautious, however, largely because there is no settled definition of what it is, nor has it been standardised, causing significant confusion about the benefits that it can bring. Depending on who you want to believe, SASE comprises all or most of the following technologies: secure web gateways (SWGs); web-filtering; cloud access security brokers (CASBs); firewall-as-a-service (FWaaS) and Zero Trust Network Access (ZTNA). Many organisations will already have some of these applications in place but not in a unified, cloud-based solution that provides genuine control, visibility and management, removing the drudgery and cost of overseeing and administering them separately. Gartner defines SASE as an extension of SD-WAN to include other network security controls and services that can be centrally managed through the same SD-WAN management plane. This covers the essential elements of network and application optimisation, access control and the vital requirement for the IT team to have full visibility. With these capabilities, troubleshooting becomes much quicker and more effective. Unfortunately, many vendors have boarded the SASE bandwagon in what are often little more than rebranding exercises. They slap the SASE label on cloud-based security solutions that are not managed by a single dashboard and still involve multiple separate products. Others claim to provide SASE even without an SD-WAN offering, while yet more offer elements of SASE but not the full product range. In the current market, there are very few vendors who provide SASE matching Gartner’s full definition. This does not mean, however, that SASE is something that organisations should disregard; instead it should be seen as more of a framework to build a solution that helps solve the security complexities introduced by modern working. Zero trust and the edge SASE is fundamentally about the application and the user. With SD-WAN, the primary purpose is to have control over the application and apply routing policies to ensure the right applications obtain the best possible path. This optimises performance for the end-user and enables organisations to upgrade or implement new applications efficiently and quickly. True SASE means applying the same principles of efficiency and agility to security controls. The application and the user are still considered, but more specifically it is about ensuring the right user has access to the right applications, but only those applications. This implementation of the zero-trust approach can even be broken down further to the right device, at the right time of day, from the right network, and access restricted to applications and web services based on the security posture of the user, device, and destination. The physical location of the SASE 'engine' should also be considered. The term cloud implies that something is located everywhere, while in the UK this typically means it is hosted in one location. By having regional points-of-presence, the enforcement of security policies is distributed closer to each user wherever they are working. Using this approach, organisations can stop employees from accessing known bad web services, regardless of location, removing the risk of downloading malicious files or applications. If malware does get through and a device is breached, access can be revoked, preventing attackers from gaining access to applications or services.   Securing the edge Genuine SASE forms a comprehensive package that combines a variety of solutions, and as organisations move towards distributed and decentralised applications, SASE and SD-WAN provide agile and flexible central controls. These are vital attributes. Remote working policies are now permanent and widespread, and before too long, SASE and SD-WAN will enable IT and security teams alike to bring security protocols closer to users. The outcome will be a highly-resilient network that optimises the edge and truly supports its users and protects them from emerging and increasingly sophisticated cyber threats — whether they are at home, on the road, in a branch office or headquarters.

The benefits of application-aware networks and its link to edge computing

By Daniel Blackwell, Pulsant The migration to hybrid working in thousands of organisations is set to have many consequences, including a surge in the use of SaaS, cloud services and distributed applications. The adoption of a mixture of office and remote working may once have looked ephemeral, but a McKinsey global survey of senior executives in large corporations found nine-in-10 intend on continuing with a combination of on-site and remote working beyond the pandemic. Businesses that had maintained connectivity and facilitated 'microtransactions' between employees through the most trying times were found by McKinsey to have sustained higher levels of productivity. Such a major change in the way that enterprises function is only made possible by the user-friendly effectiveness of today’s ever-expanding galaxy of big-name business applications, or increased adoption of collaboration tools such as Slack, Dropbox, Zapier and Trello. All these applications depend on fast, high-bandwidth networks which are resilient and available. You need to see the applications on your network As a result of this embedding of hybrid work practices, it’s now more important than ever that organisations know where applications are moving throughout their infrastructure and how best to manage and control them to deliver optimal performance. The reliance on applications is increasing pressure to ensure performance, reliability, and security. This means focusing attention on networks to avoid lacklustre performance. For network operators, this dictates a shift towards application-aware networks to provide detailed reporting and intelligence to route applications down the best path. In the digital economy, application experience can make or break a business. Yet, achieving visibility over applications isn’t easy. It often takes far too long to troubleshoot and identify the root cause of a latency or performance problem and develop a resolution. Greater visibility from an application-aware network allows businesses to understand and fix application issues faster, saving them time and the cost of traditionally complex troubleshooting processes. Security is a concern too Security is also a major concern along an extended attack surface that may include hundreds of connections to employees’ homes. Many home networks use easily guessed or default passwords or may be configured without encryption, providing a far easier avenue for an attacker to gain access to a corporate network. Applying security policies to each remote worker can be complex and expensive. For example, applying the same policies and controls could require deploying a firewall at each employee’s home which is not only costly but creates substantial management overheads. Alternatively, each employee could be provided with a remote VPN connection back to a central office location, but as organisations increasingly move to decentralised services with SaaS and public cloud, it doesn’t make sense to route traffic back through an office location. The role of SD-WAN Organisations now need to resolve these difficulties through the implementation of application-aware networks. Their primary route is through SD-WAN technology (software-defined networking in a wide area network) which gives visibility over applications and enables organisations to control and direct traffic intelligently and securely from a central location across the WAN. Unlike traditional WAN architectures which lack the central visibility and control required for distributed IT environments, SD-WAN delivers a step change for businesses, providing the agility for businesses to configure and make changes to multiple devices at the simple push of a button, saving time and increasing efficiency. Organisations can enforce their policy, based on user experience, with network priority given to the most business-critical applications so they avoid problems such as jitter, lag or brownouts. And because they can reduce the time required for configuration and trouble-shooting, businesses employing SD-WAN benefit from significant operational cost savings. Rolling out new applications becomes quicker and less costly across multiple sites. As more organisations adopt SaaS and cloud-based services, SD-WAN and application-aware networking are therefore becoming business-critical necessities. The role of the edge computing SD-WAN is the cornerstone of the application-aware network. By understanding what applications are used across the network, organisations can classify and apply appropriate application tuning to ensure optimum performance for each user. However, application-aware networking can also work alongside an edge computing strategy to drive further efficiencies. Edge computing is the confluence of cloud and physical data, which exists wherever the digital and physical world intersect, and enables data to be collected, generated, and processed close to the end-user to create new value. Whereas it would previously have been impossible to sustain high-speed data transfers necessary for applications using AI in almost all of the UK, edge data centres can now run analytics locally once models have been trained on masses of data in the public cloud. These advanced capabilities open the door to industrial IoT applications such as digital twin technologies that reshape manufacturing and logistics operations or advanced automation to transform the efficiency of manufacturing, extraction and refining processes, even in isolated sites. Edge either works independently of SD-WAN and application-aware networking or in conjunction with it to enable organisations to identify and prioritise application traffic. This has proved to be well-suited to the multi-cloud environment that many large enterprises increasingly adopt. SD-WAN in the core network of an edge platform and at the on-ramp to the public cloud will underpin high application performance for an organisation regardless of its location, overcoming any potential latency or congestion problems with the data that must be backhauled to a hyperscaler’s hub for processing. Security is significantly strengthened through monitoring and encryption between different sites. The advantages of application-aware networks have become obvious Triggered by the pandemic, the expansion of hybrid working has made the gains of application-aware networks obvious. As networks become increasingly software-defined and edge computing platforms expand and become fully operational, businesses benefiting from SD-WAN have access to far greater levels of application intelligence to improve connectivity, efficiency, and performance. They enjoy faster resolution of the network problems hindering application performance and reducing the strain placed on their workloads. By combining the operational and visibility benefits of application-aware networks and SD-WAN, with the low latency and high bandwidth of edge computing, businesses can offer new levels of customer experience and service. This becomes possible almost regardless of the strength of their network connection. They can deploy powerful new applications quickly and with full confidence in their performance and resilience. This is a major advantage, freeing almost everyone in an organisation to focus on creating value and advancing digital transformation.