Making Sense of Multicloud Network Security


By: R. Scott Raynovich

(This blog series is sponsored by Megaport.)

In the first part of our multicloud series, we explained why neutral, third-party network services would be one of the keys to helping organizations build multicloud services -- including saving on cloud costs. But these new multicloud networking services would not be possible without high levels of security – which is why cloud-based networking and network as a service (NaaS) are being combined with Secure Access Service Edge (SASE) technology to give enterprises a wide range of networking and security services that can be consumed from the cloud.

First, let’s take a look at where SASE came from and how it relates to cloud networking. SASE evolved from the software-defined wide-area networking (SD-WAN) market, which made it easier for customers to connect branches or remote offices to data centers and cloud-based applications using cloud-based orchestration and secure overlays. In many cases, SD-WAN could also be used to leverage multiple connection types including the internet, LTE, or broadband to reduce the cost or back up traditional private circuits such as multiprotocol label switching (MPLS).

Just as SD-WAN enabled network managers to more quickly connect offices, data centers, or remote offices using software-based secure overlays, SASE brought even more security services to market -- enabling customers to integrate cloud-based security services or even on-prem security functions with their SD-WAN network orchestration.

What Does SASE Mean for Multicloud?

You might ask: Why is this important – and what does it mean for cloud networking or multicloud?

Cloud and software-orchestrated networking is much more nimble and enables customers to build secure, flexible networks on demand. As an example, an organization might be taxed with supplying hundreds or thousands of employees looking for access to cloud applications or enterprise resources – and not have the time or resources to install the hardware and software to set up private connections. With the proliferation of third-party cloud infrastructure NaaS, organizations can spin up networks on demand. They can also use existing SASE services to build security directly into these NaaS connections, instantly creating secure, multicloud networks.

Years ago, organizations wouldn’t have trusted a third-party service or even the internet to carry their traffic. But with advances in SASE, which combines security and networking services using a zero-trust model, all traffic can be encrypted and confidently connected to any cloud service using a virtual overlay.

Here is an example of how SASE is helping networking and security professionals deal with the changing dynamics of the networking environment:

  • Cyber professionals and chief information security officers (CISOs) must now shift their focus to protecting access to public networks, remote connectivity, and applications inside the cloud, rather than access to private networks and data centers.
  • Branch offices are looking to refresh their access technology – largely architected for the client/server and WAN world – to be equipped to process and defend threats in many new attack vectors, including mobile, the cloud, and the internet.
  • WFH and hybrid work have put new demands on organizations that must architect their networks and security for a mobile workforce that might be working anywhere.

For cybersecurity professionals, SASE has provided an answer. Whether at the world’s leading telcos or cloud hyperscalers – or at the enterprises they serve -- they need to focus on bringing faster and more secure multicloud networking services to customers.

SASE does this by providing an integration of security services which can be deployed with NaaS at the same time. Here is a list of some of the functions delivered with SASE: advanced threat protection (ATP), cloud access security broker (CASB), data loss prevention (DLP), firewall as a service (FWaaS), intrusion detection system/intrusion prevention system (IDS/IPS), next-generation firewall (NGFW), software-defined wide-area networking (SD-WAN), secure web gateway (SWG), unified threat management (UTM), zero trust network access (ZTNA).

SASE Use Cases Evolve

Another way to think of SASE is as a best-of-breed approach to networking and security to address many different networking scenarios, including connecting hybrid workers, branches, or multiple cloud services.

Below are some of the new use cases and targeted applications of SASE products:

Hybrid workforce access. VPN augmentation or replacement to provide better scalability, management, and security for hybrid or remote work.

Compliance. This will be an important benefit to many early adopters who are driven by COVID-19-related changes to remote-work policies. Security policies can be tailored to geographies, specific industry regulations, and generalized privacy needs, such as data disclosure restrictions and anonymization.

Multitenancy for managed services. As a software- and cloud-based platform, SASE is naturally suited to multitenancy. The economics of multitenancy will remain extremely attractive. Cloud providers that can spread costs over multiple customers can have extremely competitive cost structures. The degree to which a SASE solution utilizes hardware will be one consideration when looking at bundled solutions. A chief appeal of SASE is also the low latency and scalability that is inherent in creating a stack of network security capabilities that can be invoked using a “single pass” architecture that runs multiple policy engines in parallel rather than as a series of discrete inspections.

Security for edge Internet of Things (IoT) applications. As is discussed throughout this report, SASE is an important component of enabling organizations to fully embrace network transformation. Increasingly, SASE engagements will be driven by adoption of 5G and IoT.

ZTNA/software-defined perimeter (SDP) adoption. This market is currently driven by VPN augmentation or replacement, which is a key target of SASE. Zero trust network architecture (ZTNA)/software defined perimeter (SDP) products and services reduce the attack surface of assets by limiting access to and visibility of resources. For example, ZTNA/SDP solutions provide application-level, instead of network-level connections to applications, and by using a trust broker, many organizations can reduce the threats posted by direct Internet connections.

CASB functionality. Cloud access security brokers (CASBs) control access to cloud applications by managing security policy enforcement requirements. They can manage single sign-on, authentication and authorization, device profiling, encryption, and audit and logging. CASBs can also support data loss prevention (DLP) and anti-malware capabilities. Specific use cases include uncovering shadow, cloud-based IT and identifying account takeovers. As described in the section on M&A activity, the CASB functionality is being rapidly subsumed by SASE vendors and is likely to go away as a standalone market in the future.

MPLS replacement. The software-defined wide-area network (SD-WAN) market has expanded into cloud security and SASE. The first high-value use case for SD-WAN was using software and cloud services to secure private IP and internet circuits as an adequate replacement for more expensive MPLS services, which turned out to be a hit with enterprises, fueling its growth.

These are just a few of the key use cases that have been bundled into the SASE value proposition.

NaaS and SASE Together: Secure Networks on Demand

The great thing about the combination of SASE and NaaS is that when integrated, they can bring the customer a full slate of security and network services to connect to cloud services or infrastructure.

For example, a customer might not have the resources or the connectivity to build global connectivity to dozens of branch offices around the world. Or they might want to enable hybrid workers or any employee to securely connect to a number of cloud services using NaaS – from anywhere – without having to deploy their own infrastructure.

An example of this is Megaport Virtual Edge (MVE), Megaport’s Network Function Virtualization (NFV) hosting service developed to allow customers to spin up virtual networking devices on demand. Through the company’s partnerships with Cisco and Fortinet, for example, customers can use MVE with both Cisco SD-WAN and Fortinet Secure SD-WAN for a full suite of SD-WAN and SASE functions, building their own secure, high-performance virtual networks.

When NaaS providers partner with SASE providers to offer a variety of secure NaaS services on demand, organizations can connect safely to any network, to any cloud, anywhere in the world.