Shulou(Shulou.com)06/03 Report--

This article introduces the relevant knowledge of "what are the reasons why the future security architecture needs SASE". In the operation of actual cases, many people will encounter such a dilemma. Next, let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

The traditional boundary has been dispelled, how to choose the network security architecture?

Before answering this question, it is important to understand why structured frameworks are so important.

Its importance mainly comes from three main reasons:

1. It can provide a common language for enterprises to evaluate and improve their security plans.

2. It can accurately measure the level of safety risk.

3. Enable enterprises to achieve more effective communication-not only limited to the communication between IT teams, but also more effective communication and dialogue between IT team practices and other business departments and senior management teams.

At present, there are many structured frameworks, such as NIST network security framework, MITER attack framework and so on.

The concept of the structured framework of Gartner's SASE is not up to date, but the framework of SASE is the latest. In the eyes of Siddharth Deshpande, it is "the most useful framework".

So how do you decide among the many structured architectures?

First look at the NIST network security framework.

The NIST network security framework is highly sought after in the industry, mainly because it can help enterprises think about "what should be done" and achieve a tradeoff between different functions.

In terms of function, the NIST framework has two advantages: identification, protection, detection, response, recovery, etc., and help enterprises communicate with the senior management team in a more effective way.

In addition, the drawback is obvious-it just tells companies to start thinking about what to do, but not how to do it.

For example, enterprises intend to invest 60% of their security budget in "response" or "detection" activities, but do not know how to achieve this goal, which is not the original intention of the design of the NIST network security framework.

And look at the MITER attack framework.

This framework has obvious advantages, technically, it can establish threat modeling well, and can help security teams build risk roadmap very well.

However, the shortcomings can not be ignored, for example, it can not effectively communicate the effectiveness of the "security plan" and the input and budget with the senior management team, making this framework a very concrete framework at the operational and technical level, which is not conducive to organizational communication.

In the digital age, new requirements have emerged in the design of security architecture, that is, "digital business and edge computing have reverse access requirements".

What do you mean?

At present, many applications exist not only in the data center of the enterprise, but also in the internal network of the enterprise. In other words, many companies have consumers all over the world, and the traditional boundaries of "application definition" no longer exist.

In this context, because enterprises are required to return all traffic to the data center, and all deployments take the data center as a core, the traditional security architecture is difficult to work.

For example, every time an enterprise makes an "access" or "deny access" security decision, the "language" of each decision will be forwarded and rerouted back to the data center, which will cause a lot of traffic problems.

SASE: redefining network security and architecture

To solve the above problems, we need to return to the "first principle", that is, the core underlying design principle.

The "first principle" of Gartner SASE is that all traffic is no longer forced to flow back to the data center, but all security controls are distributed closest to users, applications and all consumers, and security controls are distributed through security edges.

Akamai distributes security control closest to users and applications through the SASE framework, and combines the advantages of network as a service and network security as a service through a connection framework.

"when the concept of SASE was first put forward, we found that it was very consistent with the 'first principle' and the design principle put forward by Akamai more than 20 years ago, that is, security controls are distributed all over the world, rather than using a centralized means to deal with them. This interconnected framework can make the whole framework more resilient and flexible, and can better help enterprises to achieve their security requirements." That's what Siddharth Deshpande said.

The SASE framework not only tells enterprises what to do, but also tells them how to do it, which is equivalent to combining the advantages of the two frameworks mentioned above.

Specifically, the SASE approach benefits the security plan at four levels.

1. Enable new digital business scenarios.

Through the distributed deployment of "security control", enterprises can be more convenient and more adapted to external changes, which allows enterprises to quickly adjust their security and technology policies without having to make a lot of security concessions.

During the COVID-19 epidemic last year, Akamai helped a lot of enterprises to build safe operation through SASE architecture.

Among them, an enterprise customer of Akamai has 20, 000 users and needs to move all the "localization" work to a "telecommuting" environment. Akamai completes this difficult task in two weeks and uses an edge framework to help enterprises not affect business continuity and service delivery.

The success of the company comes from the planning of the "SASE journey" before the epidemic and the thinking of "how to build a security architecture for the future".

2. Improve efficiency and reduce the complexity of security plans.

SASE framework can help many enterprises to integrate the number of security vendors well. So when choosing security vendors, enterprises will choose the vendors with the widest range of use cases and those security architecture vendors that have been proved to be effective and resilient in the past. In any case, the reduction in the number of security vendors alone has released a lot of energy for enterprises, making them more capable of engaging in higher value-added businesses in terms of bandwidth and time.

3. Designed for future threat scenarios and attacks.

In fact, no one can predict future attacks and preventive measures to be taken against future attacks. However, once the enterprise has the appropriate security architecture ready, it can respond to external risks and threats and protect its own security.

Akamai found that many enterprises were attacked by third-party malicious scripts, and sensitive data within the enterprise was stolen. So Akamai released the Page Integrity Manager solution.

It is based on a new architecture that is based on the infrastructure platform previously built in cooperation with the enterprise and does not require the re-creation of the enterprise. By building this edge architecture, enterprises can initiate new defenses on existing platforms and architectures without having to build new hardware devices or architectures.

4. Improve user experience and security.

Network security companies often face a paradox: in order to improve completeness, we need to increase security control, but this will damage the user experience. The SASE framework allows enterprises to do both-- improving both security and user experience.

SASE practice and suggestion of Akamai

Akamai's case about the SASE framework is reflected in "Zero Trust Security access".

Through "zero trust security access", Akamai helps enterprises truly deploy "cloud access" security agents to achieve consistent protection regardless of when and where their applications or users are located, and to address a wide variety of security challenges through "multi-factor authentication". In addition, Akamai can provide omni-directional protection in terms of terminal deployment security control and Web security gateway.

So in a broad sense, "trust" is not an implicit attribute, that is, enterprises can not be achieved overnight, never care about it, enterprises need to constantly evaluate, which is very similar to "zero trust".

The difference between "zero trust" and SASE is that zero trust is more targeted at a specific area of security, such as application access. On the other hand, SASE is more discussed in a broad and broader scope, and it will make recommendations on how to use the "zero trust" framework.

Another often overlooked use case is that SASE can be applied to Web, API, and security-level services. Therefore, enterprises can use SASE to deal with security risks such as DDoS attacks, API attacks or cross-site scripting attacks.

Many attackers are very clear about the IP address or domain name of the enterprise, so the protection of websites and API is also a very common use case of SASE, but often ignored.

Under the game between market demand and manufacturers, Siddharth Deshpande told Lei Feng that he could make a comprehensive trade-off for manufacturers in three dimensions.

First, the scope of the security use case. Enterprises must ensure that vendors cover a wide range of "security use cases", that is, not only for a specific security area, but also for a wider range of use cases.

Second, the resilience and accessibility of the platform. Vendors should have a range of proven resilience, whether it is the construction of platforms, frameworks, or infrastructure. You can't call this vendor a SASE vendor just because it can provide cloud services. Manufacturers should have globally distributed edge networks with proven resilience in the availability and accessibility of the entire service in order to meet the requirements.

Third, the depth of the product vision. This "vision" should be sustainable, and it should be a broad vision, both in terms of road map and planning.

This is the end of the content of "what are the reasons why the future security architecture needs SASE". Thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.