A Zero Trust Secure Access Service Edge for a Distributed Data World

You might call it ‘living on the edge.’ A growing number of organizations are moving computing out of the data center, out to the edge of the network. The various reasons for this include increasing numbers of mobile devices and remote users requiring access, expanding digital opportunities, cloud adoption, reduction of network latency and backhaul costs, and more. Making this edge computing possible are technologies such as SDN, SD-WAN and cloud access service broker (CASB) capabilities, all of which provide points of presence (POPs) where distributed workforces need them.

Traditionally, however, easy provision of good security has NOT been one of the drivers for this pivot to the network edge. Hence, many companies that have transformed their network architectures haven’t yet modernized their security architectures. They continue to indirectly route traffic to security engines (tromboning, hairpinning, backhauling), defeating the whole latency advantage and racking up in-house equipment costs. Or worse, they’re not adequately inspecting the edge traffic and payload, leaving their users, network endpoints, cloud data and internal network data exposed to increasingly sophisticated cyberattacks.

That’s all changing with the convergence of computer networking and security at the edge, something IT analyst firm Gartner dubbed the secure access service edge (SASE), pronounced “Sassy.”

The secure access service edge is an emerging solution category combining wide-area network (WAN) functions with security capabilities such as secure web gateway (SWG), cloud access security broker (CASB), firewall-as-a-service (FWaaS), and zero trust architecture (ZTA) to support a wide range of digital transformational requirements.

SASE merges edge computing’s distributed approach – bringing computation and data storage closer to the location where it is needed – along with the advanced security near or at these points of access.

Cloud Security-as-a-Service for Your Edge Computing

However, SASE isn’t a security scenario that data center-based hardware appliances are going to feasibly address. When modernizing your network, your traditional security equipment can get bypassed in your traffic’s shift to a software-defined perimeter. Alternatively, equipment deployments and reconfigurations (in your data center and remote sites) may struggle to keep up with today’s pace of secure connectivity requirements.

Your distributed workforce is accessing cloud providers for things like SaaS applications, while your branch offices and mobile workers take advantage of direct Internet access. Meanwhile, the resultant data is no longer being centrally stored on, or accessed from, the premises. More users, devices, applications, services and data are located outside of an enterprise than inside, according to Gartner. With organizations still responsible for data privacy and security of individual employees and customers, that’s a lot of scattered data to protect.

The edge requires agile management, and this is where security software and software-defined perimeters step in.

From a cybersecurity perspective, protection can now come closer to where access is needed. A software-centric SASE approach can deliver zero trust security best practices over Web gateways, cloud access points, tunnels, and the devices themselves, while eliminating inefficient hairpinning of traffic inspection to your data center or nearest branch-office hardware.

The OPAQ SASE Cloud provides more ubiquitous and local points of presence, with the zero trust architecture capabilities you need to ensure secure access, control and segmentation.

The OPAQ Zero Trust Secure Access Service Edge (SASE)

Whether it’s a branch office, remote workstation, router, or VM, all of these endpoint identities need network access. Before they connect into your private network and data, they must be identified, authenticated, and properly segmented.

OPAQ delivers a Zero Trust Secure Access Service Edge that bases decisions on the identity of the entity at the source of the connection (user, device, branch office, edge computing location, time of day, risk assessment of the user device, and the sensitivity of the data or app being accessed).

Primary components of this Zero Trust SASE architecture include:

  • User Authentication: IP spoofing, phishing, social engineering, identity theft, and bot break-ins demand a zero trust view of access. Is the device, person, or service attempting to enter the network authentic? If access is allowed, what might happen next from a security impact perspective? OPAQ checks for a number of factors including user credentials, MFA, access privileges, device certificates, and more.
  • Access Control: Access has moved out to the edge, largely outside of the reach of a perceived private enterprise network. The OPAQ Cloud keeps inspections away from your private data containers, and secures traffic and performance at the edge closer to where access and QoE is sought. Tunneling to the nearest POP, OPAQ SASE provides end-to-end encryption of each session, including over public Wi-Fi networks (cafes, airports, malls, etc.).
  • Segmentation: Ransomware and other malware seek to spread and capture data and control as they go about their damaging business. Endpoint connections are underdefended by basic on-device antivirus updates, opening the door for the latest sophisticated attacks. OPAQ continuously extends layered next-generation security across the dissolving network perimeter, reinforcing workstations, VMs and other endpoints, and then making sure that distributed endpoints don’t expose vulnerable inroads into your core network and data.
  • Device State: What are your wandering workstations connecting to? Are these devices adequately protected with antivirus, anti-malware, intrusion detection, and more? How are the devices behaving, and are they putting your network and data at risk? OPAQ device state analysis and control secures multidirectional access for your wandering workforce and stationary endpoints and what they can safely connect to.
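As an added illustration (not OPAQ’s code), here is a policy decision function that combines the factors listed above into one access decision: user credentials and MFA, access privileges, device certificate and endpoint-protection state, a device risk score, time of day, public Wi-Fi, and the sensitivity of the resource. The thresholds, the 0..100 risk scale and the 07:00–19:00 business-hours window are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class AccessRequest:
    """One connection attempt as seen at the POP (constructed sample fields)."""
    user_authenticated: bool
    mfa_passed: bool
    user_privileges: set[str]   # resource groups the identity may reach
    device_cert_valid: bool
    device_av_current: bool
    device_risk_score: int      # assumed scale: 0 (clean) .. 100 (compromised)
    on_public_wifi: bool
    hour_of_day: int            # 0..23, local time of the user
    resource_group: str
    resource_sensitivity: str   # "public" | "internal" | "confidential"

def decide_access(req: AccessRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons) with decision in {"deny", "step_up", "allow"}.

    Hard failures (identity, privilege, device identity, posture) deny outright.
    Contextual risk signals do not block on their own; they raise the bar to MFA.
    """
    blocks: list[str] = []
    if not req.user_authenticated:
        blocks.append("user not authenticated")
    elif req.resource_group not in req.user_privileges:
        blocks.append(f"no privilege for resource group {req.resource_group!r}")
    if not req.device_cert_valid:
        blocks.append("device certificate invalid or missing")
    if req.device_risk_score >= 80:           # assumed hard-deny threshold
        blocks.append(f"device risk score {req.device_risk_score} too high")
    if req.resource_sensitivity == "confidential" and not req.device_av_current:
        blocks.append("endpoint protection out of date for confidential data")
    if blocks:
        return "deny", blocks

    mfa_reasons: list[str] = []
    if req.resource_sensitivity == "confidential":
        mfa_reasons.append("confidential data")
    if req.on_public_wifi and req.resource_sensitivity != "public":
        mfa_reasons.append("public Wi-Fi")
    if not 7 <= req.hour_of_day <= 19 and req.resource_sensitivity != "public":
        mfa_reasons.append("off-hours access")
    if req.device_risk_score >= 50:           # assumed step-up threshold
        mfa_reasons.append("elevated device risk")
    if mfa_reasons and not req.mfa_passed:
        return "step_up", mfa_reasons         # challenge for MFA, then re-evaluate
    return "allow", mfa_reasons or ["baseline policy satisfied"]

if __name__ == "__main__":
    # Constructed sample: engineer on cafe Wi-Fi, no MFA yet, internal wiki.
    cafe = AccessRequest(True, False, {"engineering"}, True, True, 10, True, 14,
                         "engineering", "internal")
    print(decide_access(cafe))
```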

Transformational edge computing requires a rotating shield of SASE protection.

How Sassy (SASE) Is Your Network?

Four Steps Toward Securing Your Digital Transformation

The term SASE, pronounced ‘sassy,’ is kind of cute, isn’t it? But secure access service edge (SASE) is a serious focus for organizations seeking to protect their data in the cloud, across the Internet, and within private networks.

In its Research Note, “The Future of Network Security Is in the Cloud,” global IT research and advisory firm Gartner defined SASE as “a converged cloud-delivered secure access service edge.”

Why is this security edge so important in defending data?

Best-practice security is multi-layered: it establishes checkpoints along the way that are seamless and nonintrusive to the digital user experience, yet make it effectively difficult for malicious parties, bots included, to breach the network.

Whether you believe in the cute SASE term or not, the edge (aka your network endpoint connections) is integral to perimeter security and to protecting against threats, the spread of malware, loss of control, and massive contamination and business damage. The edge is almost always the initial point of digital infection; a vector for infiltration.

In what Gartner characterized as its early stages of adoption, SASE is being driven by digital transformation, the adoption of cloud-based services, software-as-a-service (SaaS), and mobile and distributed workforces. We have to connect to do our jobs, but along the way, we might ingest malware, which can lie dormant, waiting to spread. Spoofing the identity, looking for that next jump… We all know those unfortunate individuals on Facebook whose identities have been used to spread contagious links.

Understanding the risk that comes with digital business growth, you definitely want to filter all this traffic coming into your network, so you might run it back through your on-premises security appliances and over network resources. This eats up a lot of network bandwidth and costs more than use of the public internet, IaaS, and the cloud.

SASE enables organizations to overcome this difficult security-versus-Internet-access tradeoff; this business transformation hurdle.

SASE Business Drivers

Why get SASE in your security approach?

When the data center is the center of your network universe, it can inhibit transformational business architectures. A social, non-engineering side of your “network” wants to grow: a workforce cost-effectively using the Internet to amplify business potential, and partners and customers plugging into your network, making transactions. But amid all these new connection points, is it really your network anymore? It’s understandable to have sudden network blind spots as connections outside your visibility demand access while you try to maintain digital security.

Gartner reports, “More users, devices, applications, services and data are located outside of an enterprise than inside.”

How do you encrypt and inspect all this traffic and filter all those packets and links before you allow them into the business’s bloodstream?

Rather than hairpin traffic back through your data center, smarter and more cost-efficient network service can be achieved through software-defined networking (SDN) and SD-WAN deployments that are secured through the infusion of security-as-a-service from the cloud.

Why Evaluate OPAQ SASE?

Digital business transformation requires anywhere, all-the-time access to business IT services, many now located in the cloud.

OPAQ enables organizations to:

  1. Shift inspections out to the session layer vs. routing the sessions to software engines that have to centrally inspect and then reroute communications. Network traffic and sensitive data storage is shifting to cloud platforms vs. enterprise data centers. Why haul it all in for costly inspection when the OPAQ SASE cloud provides a safe, cost-effective barrier?
  2. Get over the business transformational hurdle of risk aversion. Use SD-WAN and MPLS backhaul offload projects as catalysts to modernize and optimize security through enterprising software-defined perimeters. Cloud-based SASE offerings heavily reduce the need to update security at the physical or software level. Network and IT staff won’t have to spend all their time setting up equipment and performing maintenance and instead can focus on business transformation, business tools, privacy requirements, as well as advanced, next-generation security schemas.
  3. Reduce network security complexity by moving to one or two third-party providers for the key components of SASE: i.e., secure web gateways, DNS, zero trust network access (ZTNA), and workstation segmentation. This favorable software portfolio reduction can reduce agent bloat and performance issues at the end-user level. OPAQ also provides the requisite peering partnerships critical for points of presence, reducing latency for performance-sensitive apps such as video, web conferencing and VoIP.
  4. Easily bolster network segmentation to avoid kill-shots as you connect with new data sources as part of digital business transformation. OPAQ protects your organization with separate secure tunnels for: A) private enterprise data access (through MFA and monitoring for sensitive data and malware) and B) always-on protection for remote employees surfing the web for business connections and while on public WiFi.

OPAQ delivers the core SASE components to protect your digital business transformation investment:

  • Secure Web Gateways
  • Firewall-as-a-service (FWaaS)
  • Leading advanced endpoint protection and segmentation
  • ZTNA (zero trust network access)
  • CASB capabilities

Enterprise data centers, which traditionally scrubbed the network of contagion, aren’t suddenly vanishing; they just aren’t the center of the universe anymore when it comes to granting secure access. To protect endpoint connections, SASE clouds can drift more flexibly and cost-effectively to secure the fluctuating perimeter.

Get secure where the user requires access with OPAQ.

The Virtual Private Network Is Dead Again? Not so fast…

Regardless of what you call it, the VPN concept remains the crux of your defensive blueprint for secure Internet access.

The virtual private network (VPN), which must have more lives than a cat, has reportedly died again, and according to some industry prognosticators and influencers, VPN is now a bad word. It’s a term to be avoided by unblinking believers of the marketing-driven sleight-of-digit and word-wizardry mesmerism claiming the VPN is no longer an important concept for security. Don’t say VPN, they tell you. Be cool and use alternatives such as software-defined perimeter and secure Internet access instead.

Okay, I’ll try to remember that, I tell myself.

Then I see the new Spider-Man movie, “Spider-Man: Far From Home,” and the VPN term comes up in dialogue between the two main characters. Mary Jane advises Peter Parker (aka Spider-Man) to download a VPN on his phone so he can’t be digitally spied on. So, the hottest new movies are treating VPNs as still relevant, and even Spider-Man is consuming a cool VPN app that he can use to protect himself when ‘far from home.’

VPN. There, I said it. It’s just a word, right? A word we should be able to continue to use to describe a discipline and extended-zone principle that means more than Vendor A’s and Vendor B’s product marketing du jour. From a sound security standpoint, VPN is not just some product you have to buy and manage. It is still an important scheme in your defensive strategy for a WAN without boundaries.

The technical definition of a VPN is a secure, often encrypted connection between a trusted device and a private network or server. With the network expanding and your mobile employees going wider into unsafe waters, do you want to stop focusing strategically on virtual private networks? A VPN is simply an extended zone of protection. You can’t just magically wave a wand and say you’re protected without extending network security policy out to endpoint devices.

Industry projections support the VPN’s immediate survival, dispelling some of this zeitgeist semantic doomsday talk, which can be misleading from an overall security perspective. As organizations expand their networks, or outsource some or all of their IP backbone, applications or services to the cloud, the VPN doesn’t disappear; it just gets more virtual, like the cloud itself.

The cloud VPN market is estimated to grow at a CAGR of over 21% by 2024, led by increasing shift toward virtual applications and the surge in demand for cloud services, according to Global Market Insights. Another report from Market Research Future puts the VPN market CAGR at 18% through the end of 2022.

So what is all this hogwash about VPN being a dirty word, a nonexistent thing, a strategy component that some vendors would have you strike from your lexicon, something to be hidden from your transformative security strategy?

Authentication: A Pain in the Protective VPN Ring

Maybe this sustained campaign to bury the VPN – or call it something else – is because the VPN carries associations in which remote user traffic is backhauled to data centers hundreds of miles away, resulting in latency and the use of expensive private lines.

Maybe it’s because traditional VPNs often hassle end-users for constant sign-ins and additional passwords, and users don’t bother using the VPN when they work on company devices, leaving the organization exposed. Although organizations strongly encourage employees to use the VPN when remote or using public networks, the majority of the time employees don’t bother. Requiring additional authentication by end-users can mean more pain, and this has emboldened some vendors to get into semantics hype, or maybe they’re attempting to skirt privacy issues. There’s no more VPN, but you’re safe, they say. Voila. Never mind the man behind the curtain.

What product marketers are actually getting at is they are replacing the traditional prompt-based authentication and authorization with less-jarring solutions under the veil of buzzwords like software-defined networking and software-defined perimeters (SDPs). We’re doing SDN and SDP, too, but for those looking to protect all traffic from the IP layer (Layer 3) and up, VPN is still a requirement.

Engaged employees want access to data and tools that empower them to get the information they need, without being pulled aside for additional verification.

Whether it’s a VPN that is always on, or the same principle through SDP, when your employees use the Internet, protection should follow them wherever they go.

Virtual private network (VPN) is a concept, a best practice, not a now-obsolete product term that some would play you for a fool by telling you to strike from your vocabulary. Virtual private networks still provide us with structure: an easy-to-grasp overall term meaning extended private network security and protection across a constantly flexing network perimeter.

Our world feels less physical… Even venerable virtual private networks are getting more virtual, more seamless and less overtly intrusive for end users. VPNs help to defend us, and in instances where they require interaction with us for additional verification, we tolerate the balance between our productivity, privacy, and enterprise security.