Peggy的實驗空間: 資安｜ What is Gartner SASE (Secure Access Service Edge)

Source: Gartner

在2019年，Gartner所定義最新的市場，也是一個新的模式與商機，因應digital business與組織企業越來越複雜的動態安全存取需求(dynamic secure access needs)而生。

It's pronounced “sassy”

在進入SASE的世界前，先很快地、簡單的理解幾個相關名詞。

SD-WAN: Software-defined wide area networking
- 發生時機：企業把data與營運需要的application 往Cloud移動，傳統的WAN solution 面對此趨勢帶來的新需求而顯得不敷使用。面臨到的挑戰包含複雜度增加、有限的安全防護、持續增長中的 MPLS 成本、頻寬不夠、越來越嚴重的latency、有限的visibility...。
- 主要概念：將軟體定義網路的相關技術應用在管理廣域網路。軟體定義網路技術使用虛擬化技術，簡化資料中心的管理及維運的工作；延伸這個概念，將相關技術應用於廣域網路之上，可簡化企業對於廣域網路的控管。
SWG：Secure web gateway
- Protect Web-surfing PCs from infection and enforce company policies.
- It is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance.
- These gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype. Native or integrated data leak prevention is also increasingly included.

CASB : Cloud Access Security Brokers
- CASBs provide a central location for policy and governance concurrently across multiple cloud services for both users and devices and granular visibility into and control over user activities and sensitive data.
- 現今企業常用的Dropbox、Salesforce、Box、Office365 等SaaS 服務，分屬不同公司，且使用這些服務的企業常只有基本的帳密check，而沒有記錄更多登錄資訊，也沒有對資料的操作和傳輸進行嚴謹的記錄，形成的防護的漏洞與死角。

ZTNA: Zero Trust Network Access
- Enable secure access to internal applications based on identity, context, and policy adherence — regardless of user or application type or location.
- Zero trust network access replaces traditional technologies, which require companies to extend excessive trust to employees and partners to connect and collaborate. Security and risk management leaders should plan pilot ZTNA projects for employee/partner-facing applications.
- According to Gartner, “ZTNA improves the flexibility, agility, and scalability of application access, enabling digital businesses to thrive without exposing internal applications directly to the internet, reducing risk of attack.”

FWaaS: Firewall as a service
- refers to a cloud firewall that delivers advanced Layer 7/next-generation firewall (NGFW) capabilities, including access controls, such as URL filtering, advanced threat prevention, intrusion prevention systems (IPS) and DNS security.

有了以上基本概念，接下來看看SASE......

SASE is a new package of technologies including SD-WAN, SWG, CASB, ZTNA and FWaaS as core abilities, with the ability to identity sensitive data or malware and the ability to decrypt content at line speed, with continuous monitoring of sessions for risk and trust levels.
With SASE, security services and networking functions are run in the cloud or a security agent on the end user’s device
SASE uses a software stack in the cloud to run multiple security functions on data at once in multiple engines.
Secure access is a key element of SASE architecture.
主要有四個面向：Identity-Driven、Cloud Native、Globally Distributed and Supports All Edges.
Gartner : By 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% in late 2018
Inspecting and understanding data context will be required for applying a SASE policy

Ref:

///

根據至今的study看到的information，因為SASE 還很新，多數 Vendor 都還在設計、研發與整合的過程中，許多相關功能的細節也都還在各自解釋與演繹。

本篇SASE相關的整理，Peggy依然以容易理解為主，也歡迎來信建議與討論。

若有您轉貼需求，請來信討論。轉貼時禁止修改內容及標題且保持所有連結。禁止商業使用，請註明原文標題、連結以及作者。

Peggy的實驗空間