Secure access service edge (SASE) is a network architecture that combines virtual private network and software-defined wide area network (SD-WAN) capabilities with cloud security functions such as secure web gateways, cloud access security brokers, firewalls and zero trust network access (ZTNA). It allows organisations to consolidate their network and security tools via a centralised management console, providing a user-friendly security and networking tool regardless of an employee’s location. SASE leverages the scalability and connectivity of cloud technology without any hardware limitations to integrate SD-WANs with network security functions. These may include firewall-as-a-service, software-as-a-service, secure web gateways, cloud access security brokers and ZTNA. Gartner has declared SASE as a visionary secure networking model that enterprises should strive for. As businesses transition from on-premises to hybrid solutions, public cloud solutions and managed networks, it is essential for companies to evaluate the challenges and implement appropriate testing methodologies for networks.
Operational challenges
- SASE assurance: Managed service providers (MSPs) are required to provide enterprise end-users with comprehensive service-level agreements (SLAs). However, key performance indicators (KPIs) for SASE have not been standardised like the network/infrastructure SLAs, and consequently exhibit variations depending on the specific service and application. As the SASE testing standards are in their nascent stage, it is crucial to establish a methodology for validating end-to-end SASE behaviour. This is particularly important due to the numerous proprietary SASE-based cloud-native network functions, network function virtualisation infrastructure variations and lack of purpose-built tools, which can result in expensive and time-consuming endeavours.
- Network functions and applications assurance: In order to effectively deliver SASE end-to-end service-level management, MSPs must validate each network function deployed in the SASE edge cloud. The complexity will be exacerbated by additional proprietary network functions, as these application programming interface and management tools lack a standardised assurance methodology.
- SASE service applications behaviour: When choosing cloud security controls such as next-generation firewalls, web application firewalls or secure web gateways, it is crucial to consider factors such as their footprint, scalability and robustness in various cloud environments. Validating the effectiveness of security controls is of the utmost importance, but requires specialised expertise and realistic emulation of both legitimate and malicious traffic profiles. This enables the validation of not only their effectiveness and performance, but also the ability to find the optimal balance between quality of experience (QoE) and security effectiveness.
The successful roll-out and policy configuration of SASE environments relies heavily on security ruleset validation, or the continuous assessment of security rulesets due to the ever-changing threat landscape. This process is essential to address new threats and vulnerabilities, evolving policies and changes in network configuration and inventory.
- ZTNA: ZTNA behaviour relies on trust brokers for access based on identity, policy and context, rather than relying on network connections. MSPs should be able to validate the scalability and sustainable access request rate of zero trust architecture elements. Additionally, they need to ensure that policy criteria are continuously enforced by security controls such as next-generation firewalls and data loss prevention (DLP) for applications and data access. The lack of standardisation in ZTNA has led to the existence of proprietary products or services with differing capabilities, making it harder to compare and contrast different solution options. Consequently, these challenges necessitate diverse strategies for operationalising SASE deployments.
Testing SASE deployments
Due to the multi-domain, hybrid and distributed nature of SASE architecture, its deployment requires end-to-end validation from remote users and branches through SASE points of presence to end-application servers. SASE-managed service offerings can be connected across multiple intrusion prevention system networks and various public and private clouds. As a result, it is necessary to characterise the latency and performance profiles, including throughput and transactions per second, of these interconnected networks. This is necessary to assess whether the SASE architecture improves or hinders the overall performance and latency. Irrespective of the underlying architecture, holistic testing and assurance capabilities are essential.
By selecting appropriate SASE test traffic patterns that accurately represent network traffic and applications, organisations can effectively characterise the performance under realistic conditions, avoiding the false confidence that comes with simplistic traffic patterns offered by open-source tools. The testing of all security components within the SASE framework such as the network underlay, cloud infrastructure services and business applications, requires the use of multiple KPIs across various technology and service levels. In these scenarios, QoE is the most appropriate unit of measurement because it directly indicates end-user satisfaction. This system is based on performance, detection of errors, variability for secure sockets layer/ transport layer security (TLS)-based services and overall transactional latency. This metric is optimal for adjusting the underlays through which application flows will forward across the SASE environment. In addition, metrics such as bandwidth/ throughput, concurrent users and connections, and connection and rate are good baseline indicators to align infrastructure with business requirements. Continuously monitoring and baselining these metrics as part of the continuous integration/continuous delivery/continuous testing practice allows for a measured approach in operationalising the change management process.
In addition to validating realistic application traffic profile performance and QoE, there is also a need for realistic model threat vectors to validate the security efficacy of the SASE security stack. It is imperative to have access to a constantly evolving library of high-quality content that covers vulnerabilities, malware and exploits. This enables organisations to enhance their security measures and address gaps in SASE deployments while ensuring alignment with security industry frameworks such as MITRE Adversarial Tactics Techniques and Common Knowledge. It is important to emulate hacker-like behaviour using evasion or obfuscation techniques such as cloaking threat vectors in TLS, in order to comprehensively evaluate security effectiveness. Additionally, it is crucial to assess the impact of security policies on end-user experience by simulating legitimate application traffic on a large scale by incorporating malicious threat vectors. If security controls and policies impact critical business activities, organisations will have to seek alternative methods to bypass controls that could severely affect their security posture. Furthermore, it is also important to evaluate the scalability of the zero-trust architecture by assessing its authentication rate for concurrent users and determining the capacity that the identity and access management system can support. Moreover, it is important to evaluate the effectiveness and impact of zero trust policies such as micro-segmentation, lateral threat movement and DLP on performance and end-user QoE.
SASE testing tools can dynamically scale, support real traffic and inject malware in order to assess the functionality and effectiveness of security protocols. For example, TeraVM is a fully software-based, virtualised and containerised next-generation firewall and network validation tool that runs across labs, data centres and servers (both cloud-based and on-premises environments). It identifies vulnerabilities across networks and cloud infrastructure and replicates a wide array of potential security breaches from viruses, spyware, and malware, which can arise from weak bring-your-own-device policies and impersonation. This tool is additionally deployed in a distributed and hybrid network architecture, enabling centralised central control over its operations.
Future adoption trends
The outbreak of the Covid-19 pandemic in 2020 demonstrated the need for businesses to transition their network security to an outside-to-outside approach in order to effectively support the requirements of a remote workforce. SASE is regarded as the future of remote access, offering numerous advantages such as minimising the complexity of WAN functions, facilitating access from diverse entities at any location, optimising costs and resource allocation and enhancing application performance. Gartner predicted that by 2025, at least 60 per cent of enterprises will have well-designed strategies and established timelines for adopting SASE, encompassing various aspects such as user, branch and edge access. Meanwhile, the global SASE market size is projected to almost double from $5.36 billion in 2027 to $11.29 billion by 2028. Given the positive developments in this field and the continuous growth of the online solutions market, it is reasonable to expect that India will emerge as a hub for providing SASE solutions, as an increasing number of companies adopt them.