Network edge security: SASE changes the game

Cloud-based applications and remote work have pushed corporate networking beyond the traditional perimeter to multiple edges—making traditional network edge security obsolete. See how Secure Access Service Edge (SASE) protects every user and endpoint anytime, anywhere.



As more remote workers access the network from home or public WiFi hotspots, security risks to enterprises have increased dramatically.

The traditional corporate network perimeter has evolved into three perimeters: the cloud service edge, the branch edge and the end-user edge. That’s created a need for cloud network security, branch office network security and remote network security. We’ll explore how to deliver robust security at all those endpoints.

Cybersecurity statistics indicate that there are 2,200 cyberattacks per day, with a cyberattack happening every 39 seconds, on average. In the U.S., a data breach costs an average of $9.44M.[1]

Network security in the cloud: What’s driving it?

Following a surge in remote work, organizations have become more reliant on technologies that operate outside of a traditional hub-and-spoke network structure.

From an enterprise IT perspective, the organization’s network perimeter no longer resides in a single location. It has dispersed into multiple cloud-based endpoints, branch sites and remote end users.

As a result, the intersection of networking and security has grown more complex than ever. While workplace flexibility provides new opportunities for organizations and their employees, it also poses increased security risks as remote employees log on from home or any public WiFi hotspot using a mix of personal and company devices.

What is network edge security?

Traditional network edge security relies on firewalls—installed as customer premises equipment (CPE)—that reside on the network edge. These firewalls are designed to prevent unauthorized access into or out of a network. To remain effective, they need to be manually updated with the latest security signatures to protect against next-generation malware. Firewall protection does not extend beyond the fixed network edge.

Network edge security in a traditional corporate network with services and routing functions inside the perimeter.

Traditional network edge security tends to be “data-center-centric” and dependent on physical CPE. Secure access to cloud resources is typically handled by a centralized firewall and on-premises firewalls located at each branch office.

When granting remote employees access to company resources, these networks rely on virtual private network (VPN) access. Identity management gives user permissions to the appropriate workplace systems and resources, while access to cloud resources is handled using traditional firewalls, proxies and routing controls—all based on CPE.

Edge security challenges: Why yesterday’s approach won’t cut it

“The assumptions underlying legacy WAN architectures—that most users work from branches, that almost everything lives in a central data center—no longer apply.”[3]

As a way of enabling secure, reliable access to cloud-based resources and applications, traditional WAN edge network security falls short in these areas:

Geography

With VPN connections into the data center, these networks aren’t equipped to serve a remote workforce that’s more geographically distributed. As more users try to access the network through a single VPN concentrator, the incoming traffic creates a bottleneck at the WAN edge that leads to network latency.

Security

Traditional WAN edge security models were designed to accommodate employee devices and systems that were located within a physical perimeter—assumptions that no longer hold true. In addition, enabling security at each branch site using CPE would require a multi-component security stack at each location, resulting in costly, time- and labor-intensive upgrades at each site every time updates are required.

Traffic

These networks aren’t built to scale with the increased volume of traffic that traverses public, private, hybrid and multi-cloud environments en route to its destination. T1 lines are insufficient to support the increased traffic from cloud applications—and adding T1s is prohibitively expensive compared to broadband.

Flow

Constantly routing traffic to and from data centers through a static centralized security stack—and ultimately out to the Internet—creates network congestion.

Speed

All these factors and the resulting congestion combine to hinder application performance, which affects end users’ experiences and productivity.

The difference between traditional network edge security thinking versus a Secure Access Service Edge (SASE) approach

To enable security in the cloud, at branch sites and for remote users, enterprises are turning to SASE, a layered, interwoven fabric of network and security technologies that ensures users and devices have secure cloud access to applications, data and services at any location.

In contrast to traditional network edge security, all SASE-based security functions reside in the cloud. Further, all SASE security functions are synchronized and centrally managed from a single portal, while point solutions in a legacy network aren’t integrated.

As a combination of network connectivity and Security Service Edge (SSE) features, SASE enables distributed organizations to deliver protected networking and security services consistently to branch sites and remote users, anywhere and anytime.

The core components of SASE

SASE includes five core components—four key SSE features supported by SD-WAN:

Additional security features


Data Loss Prevention (DLP)

Help ensure PCI and HIPAA regulatory compliance while protecting sensitive information.

Threat Prevention

Block malicious files, defend against advanced cyberattacks and stop the spread of ransomware.


Managed Extended Detection & Response (MXDR)

Offload the resource-intensive and skill-dependent process of detecting compromised endpoints.

End Point Protection (EPP)

Simplify management of end point security by automatically responding to events with multiple mitigation actions.

Remote Browser Isolation (RBI)

Enable users to safely browse uncategorized websites, neutralizing the dangers from malicious content.

Security as a Service API (SaaS API)

Provide secure connectivity to sanctioned third-party apps with out-of-band visibility and control.

How SASE improves security at each edge

SD-WAN

SASE leverages SD-WAN capabilities to provide cloud network security with optimized application performance, network routing, global connectivity, WAN and Internet security, cloud acceleration and remote access.

Firewall as a Service (FWaaS)

As a next-generation firewall, FWaaS eliminates the appliance form factor, making network security capabilities such as URL Filtering, Intrusion Prevention System (IPS), next generation anti-malware (NG-AM) and Managed Detection and Response (MDR) available everywhere.

Secure Web Gateway (SWG)

SWG solutions protect users against malware, phishing and other web-borne threats. SASE offers SWG protection for branch office network security at all locations and eliminates the need to maintain policies across multiple point solutions.

Zero Trust Network Access (ZTNA)

ZTNA offers a modern approach to securing application access for users, replacing legacy VPN and ensuring remote network security. It embraces a zero-trust policy, where application access dynamically adjusts based on user identity, location, device type and more.

Cloud Access Security Broker (CASB)

CASB helps enterprises adapt to and protect against the new threats that come with cloud computing, such as those that arise when connecting to IaaS and SaaS. CASB applies security policies as users access cloud-based resources to protect against cloud security risks, comply with data privacy regulations and enforce corporate security policies.

Secure all your edges with SASE from Windstream Enterprise

Together with Cato Networks, Windstream Enterprise is the first and only North American managed service provider to converge cloud-native network and security into a fully integrated SASE solution. This comprehensive architecture enables businesses to adapt to constantly shifting users, applications and work environments while keeping all application and security policies synchronized with these changing endpoints—all from a single pane of glass.



Citations

  1. 160 Cybersecurity Statistics 2024, Astra, Sanskriti Jain, February 8, 2024
  2. Andrew Lerner, “Magic Quadrant for Single-Vendor SASE”, July 3, 2024