Secure access service edge (SASE) is a network architecture that combines virtual private network and software-defined wide area network (SD-WAN) capabilities with cloud security functions such as secure web gateways, cloud access security brokers, firewalls and zero trust network access (ZTNA). It allows organisations to consolidate their network and security tools via a centralised management console, providing a user-friendly security and networking tool regardless of an employee’s location. SASE leverages the scalability and connectivity of cloud technology without any hardware limitations to integrate SD-WANs with network security functions. These may include firewall-as-a-service, software-as-a-service, secure web gateways, cloud access security brokers and ZTNA. Gartner has declared SASE as a visionary secure networking model that enterprises should strive for. As businesses transition from on-premises to hybrid solutions, public cloud solutions and managed networks, it is essential for companies to evaluate the challenges and implement appropriate testing methodologies for networks.

Operational challenges

  • SASE assurance: Managed service providers (MSPs) are required to provide enterprise end-users with comprehensive service-level agreements (SLAs). However, key performance indicators (KPIs) for SASE have not been standardised like the network/infrastructure SLAs, and consequently exhibit variations depending on the specific service and application. As the SASE testing standards are in their nascent stage, it is crucial to establish a methodology for validating end-to-end SASE behaviour. This is particularly important due to the numerous proprietary SASE-based cloud-native network functions, network function virtualisation infrastructure variations and lack of purpose-built tools, which can result in expensive and time-consuming endeavours.
  • Network functions and applications assurance: In order to effectively deliver SASE end-to-end service-level management, MSPs must validate each network function deployed in the SASE edge cloud. The complexity will be exacerbated by additional proprietary network functions, as their application programming interfaces and management tools lack a standardised assurance methodology.
  • SASE service applications behaviour: When choosing cloud security controls such as next-generation firewalls, web application firewalls or secure web gateways, it is crucial to consider factors such as their footprint, scalability and robustness in various cloud environments. Validating the effectiveness of security controls is of the utmost importance, but requires specialised expertise and realistic emulation of both legitimate and malicious traffic profiles. This enables the validation of not only their effectiveness and performance, but also the ability to find the optimal balance between quality of experience (QoE) and security effectiveness.

The successful roll-out and policy configuration of SASE environments relies heavily on security ruleset validation, or the continuous assessment of security rulesets due to the ever-changing threat landscape. This process is essential to address new threats and vulnerabilities, evolving policies and changes in network configuration and inventory.

  • ZTNA: ZTNA behaviour relies on trust brokers for access based on identity, policy and context, rather than relying on network connections. MSPs should be able to validate the scalability and sustainable access request rate of zero trust architecture elements. Additionally, they need to ensure that policy criteria are continuously enforced by security controls such as next-generation firewalls and data loss prevention (DLP) for applications and data access. The lack of standardisation in ZTNA has led to the existence of proprietary products or services with differing capabilities, making it harder to compare and contrast different solution options. Consequently, these challenges necessitate diverse strategies for operationalising SASE deployments.

Testing SASE deployments

Due to the multi-domain, hybrid and distributed nature of SASE architecture, its deployment requires end-to-end validation from remote users and branches through SASE points of presence to end-application servers. SASE-managed service offerings can be connected across multiple intrusion prevention system networks and various public and private clouds. As a result, it is necessary to characterise the latency and performance profiles, including throughput and transactions per second, of these interconnected networks. This is necessary to assess whether the SASE architecture improves or hinders the overall performance and latency. Irrespective of the underlying architecture, holistic testing and assurance capabilities are essential.

By selecting appropriate SASE test traffic patterns that accurately represent network traffic and applications, organisations can effectively characterise the performance under realistic conditions, avoiding the false confidence that comes with simplistic traffic patterns offered by open-source tools. The testing of all security components within the SASE framework, such as the network underlay, cloud infrastructure services and business applications, requires the use of multiple KPIs across various technology and service levels. In these scenarios, QoE is the most appropriate unit of measurement because it directly indicates end-user satisfaction. This measure is based on performance, detection of errors, variability for secure sockets layer/transport layer security (TLS)-based services and overall transactional latency. This metric is optimal for adjusting the underlays through which application flows will be forwarded across the SASE environment. In addition, metrics such as bandwidth/throughput, concurrent users and connections, and connection rate are good baseline indicators to align infrastructure with business requirements. Continuously monitoring and baselining these metrics as part of the continuous integration/continuous delivery/continuous testing practice allows for a measured approach in operationalising the change management process.

In addition to validating realistic application traffic profile performance and QoE, there is also a need to model realistic threat vectors to validate the security efficacy of the SASE security stack. It is imperative to have access to a constantly evolving library of high-quality content that covers vulnerabilities, malware and exploits. This enables organisations to enhance their security measures and address gaps in SASE deployments while ensuring alignment with security industry frameworks such as MITRE Adversarial Tactics, Techniques and Common Knowledge. It is important to emulate hacker-like behaviour using evasion or obfuscation techniques such as cloaking threat vectors in TLS, in order to comprehensively evaluate security effectiveness. Additionally, it is crucial to assess the impact of security policies on end-user experience by simulating legitimate application traffic on a large scale while incorporating malicious threat vectors. If security controls and policies impact critical business activities, organisations will have to seek alternative methods that bypass those controls, which could severely affect their security posture. Furthermore, it is also important to evaluate the scalability of the zero-trust architecture by assessing its authentication rate for concurrent users and determining the capacity that the identity and access management system can support. Moreover, it is important to evaluate the effectiveness and impact of zero trust policies such as micro-segmentation, lateral threat movement and DLP on performance and end-user QoE.
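The following is an added example, not taken from the article or from any vendor tool: a continuous-testing gate that reduces one mixed-traffic run to security efficacy and end-user experience KPIs and compares a candidate ruleset against the recorded baseline. The record layout, the thresholds and the sample flows are constructed assumptions.

```python
# Added example. One record per emulated flow: (kind, verdict, latency in ms).
# kind is "legit" or "threat"; verdict is what the security stack decided.

def p95(values):
    """Nearest-rank 95th percentile."""
    ordered = sorted(values)
    rank = (95 * len(ordered) + 99) // 100  # ceil(0.95 * n) in integer arithmetic
    return ordered[rank - 1]

def summarise(flows):
    """Reduce one mixed-traffic run to efficacy and experience KPIs."""
    legit = [f for f in flows if f[0] == "legit"]
    threats = [f for f in flows if f[0] == "threat"]
    if not legit or not threats:
        raise ValueError("run must contain both legitimate and threat flows")
    allowed = [lat for _, verdict, lat in legit if verdict == "allow"]
    return {
        # share of emulated threat vectors the stack stopped
        "block_rate": sum(v == "block" for _, v, _ in threats) / len(threats),
        # share of legitimate transactions the stack wrongly stopped
        "false_positive_rate": sum(v == "block" for _, v, _ in legit) / len(legit),
        # latency users actually experience on transactions that got through
        "p95_latency_ms": p95(allowed) if allowed else float("inf"),
    }

def gate(baseline, current, max_fp_rate=0.01, max_latency_growth=0.10):
    """Return the reasons a ruleset change should not be promoted (empty = pass)."""
    failures = []
    if current["block_rate"] < baseline["block_rate"]:
        failures.append("security efficacy regressed")
    if current["false_positive_rate"] > max_fp_rate:
        failures.append("legitimate traffic blocked")
    if current["p95_latency_ms"] > baseline["p95_latency_ms"] * (1 + max_latency_growth):
        failures.append("p95 latency regressed")
    return failures

# Constructed sample runs: the candidate ruleset blocks every threat vector
# but also blocks 3% of legitimate flows and slows the tail of the rest.
BASELINE_RUN = ([("legit", "allow", 50)] * 90 + [("legit", "allow", 80)] * 10
                + [("threat", "block", 0)] * 19 + [("threat", "allow", 60)])
CANDIDATE_RUN = ([("legit", "allow", 55)] * 87 + [("legit", "allow", 120)] * 10
                 + [("legit", "block", 0)] * 3 + [("threat", "block", 0)] * 20)

if __name__ == "__main__":
    print(gate(summarise(BASELINE_RUN), summarise(CANDIDATE_RUN)))
```

The candidate run improves the block rate yet fails the gate on both experience checks, which is the efficacy-versus-QoE trade-off that a single security score would hide.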

SASE testing tools can dynamically scale, support real traffic and inject malware in order to assess the functionality and effectiveness of security protocols. For example, TeraVM is a fully software-based, virtualised and containerised next-generation firewall and network validation tool that runs across labs, data centres and servers (both cloud-based and on-premises environments). It identifies vulnerabilities across networks and cloud infrastructure and replicates a wide array of potential security breaches from viruses, spyware and malware, which can arise from weak bring-your-own-device policies and impersonation. This tool can additionally be deployed in a distributed and hybrid network architecture, enabling centralised control over its operations.

Future adoption trends

The outbreak of the Covid-19 pandemic in 2020 demonstrated the need for businesses to transition their network security to an outside-to-outside approach in order to effectively support the requirements of a remote workforce. SASE is regarded as the future of remote access, offering numerous advantages such as minimising the complexity of WAN functions, facilitating access from diverse entities at any location, optimising costs and resource allocation and enhancing application performance. Gartner predicted that by 2025, at least 60 per cent of enterprises will have well-designed strategies and established timelines for adopting SASE, encompassing various aspects such as user, branch and edge access. Meanwhile, the global SASE market size is projected to almost double from $5.36 billion in 2027 to $11.29 billion by 2028. Given the positive developments in this field and the continuous growth of the online solutions market, it is reasonable to expect that India will emerge as a hub for providing SASE solutions, as an increasing number of companies adopt them.