SASE – The next generation of services we need to protect the mobile workspace?

SASE …. or Secure Access Service Edge is a term coined by Gartner and is about providing the next generation of security and optimized network access for end-users.

When I first starting to read about this, my first thought was, so is this Zero-Trust? but no, it is a combination of multiple features, but Zero-Trust is a core part of the service stack.

Now depending on which vendor, you ask, they all will have different answers on what they see is a SASE service stack, but the main purpose is having a set of core security components which are tightly integrated.

  • Secure Web Gateway
  • Zero-Trust Network Access
  • Firewall as a Service
  • SD-WAN
  • Cloud App Security Broker

Many vendors also as part of the same service stack also provides other mechanisms such as EDR (Endpoint Detection and Response), Browser Isolation, Sandbox, DNS filtering and more.

Now imagine the following scenario, which we have seen become more and more common in this pandemic where much of the workforce is working at home.  You have a user working remote on a managed device and they want to access a SaaS based application or a service within your datacenter.

A typical scenario the login using some remote URL and then punch in their username and password and MFA token to validate their credentials. This has been the common way of access services when not in the office for a long time.

Some problems with this approach.

  • The end-user device might be compromised which can then be used to do data exfiltration or use it as a jumping point to get further inside the infrastructure.
  • The end-user might decide to download a large set of information from the services or application where we might not have any protection mechanisms against.

Another scenario, when users now are working from home, they do not have the same security policies in place as they would have in the office where the big fancy firewall is placed which does IPS and TLS decryption of traffic. So, when users now are bombarded with phishing attacks or redirected to malicious URLs or malicious domains.

  • We may have limited options to protect against malicious domains and URL’s that the end-users are accessing
  • Some URLs are used to redirect users to run malicious code either to exploit vulnerabilities within the browser or to do drive-by downloads.

Now regardless of what the users are doing on their devices, they can also be accessing SaaS services or cloud services which we have no idea that they are using, and for some SaaS services we have no insight/visibility into what they are doing. It can also be malicious actors accessing specific cloud services as well.

And lastly, is optimized access. With the rise of more SaaS services in means that Internet plays an increasingly important part (compared to the corporate local high-speed network) to provide efficiency to end-users) but sadly there are many lousy ISP and non-optimized network routes and also some lines might be congested which means that it will affect latency of the overall application.

Now looking back at these scenarios how would they act out with a SASE based solution?

1: End-user needs to access a service but has a compromised device. This would be handled by the Zero-Trust Network Access feature in combination with EDR or Device Posture. The EDR Service would notify the Zero-Trust Network Access provider in this regards Azure Active Directory to notify of the risk on the device and then because of the risk level would block access.

If there weren’t any security risk on the device and the end-user would want to access the SaaS application. The traffic would be redirected to a Cloud based SD-WAN Solution to provide an optimized traffic path to the Cloud Service. Since traffic is routed through a vendor, they can also provide decryption of the traffic to provide insight into the session itself and applying DLP policies (trough the Secure Web Gateway) to ensure that the user doesn’t download sensitive information.

Some vendors also provide browser isolation as well to ensure that no malicious code can be run directly on the end-user device but trough a browser service from the SASE vendor.

Also, the Cloud based Firewall should also provide insight into malicious IP’s and domains to ensure that users and not communicating or browsing to known bad sites as well. Some of the vendors provide web-based firewalls and in combination with DNS filtering as well.

Now we would also have a Cloud Access Security Broker to provide insight and security policies against SaaS service using API integrations as well. This is of course given that we have a CASB solution that can integrate with the SaaS service. Of course, the main idea is that these services live in harmony and provide visibility and analytics across the different services.

The interesting part is that most vendors are selling SASE now as a set of products. Now looking at the different vendors, the services they support and how the traffic flow works is different from vendor to vendor.

Therefore, I wanted to share some notes and experience from five different vendors (Microsoft, Citrix, VMware, Cloudflare and Checkpoint) which has different approaches on how they provide SASE services.

So, I’ll go into each of these different vendors on go into detail on how their product works and architecture.

  • Microsoft

Now unlike most ot the other vendors on this list, Microsoft does not provide a full SASE based services, since they do not have a SD-WAN capability directly for remote users. However, let’s look at how their architecture would look like.

One of their core capabilities is Azure Active Directory which provides identity-based context and Identity based risks. Also Azure Active Directory is also directly integrated into the device itself (at least for Windows 10) Azure Active Directory also have a lot of mechanisms to provide access to different services.

  • Azure AD Application Proxy (On-premises Web Applications)
  • SaaS applications that are integrated with Azure AD
  • App Proxy Session (Which are SaaS services which are integrated with Cloud App Security)

Microsoft also provides EDR and Device Management using Defender and Endpoint Management which provides device context, that also links into Azure AD.

Microsoft also has Cloud App Security as a CASB solution which has rather good integrations with different SaaS applications. This is also core of their DLP offering that Microsoft provides which now provides DLP offerings for SaaS, Office 365 and Windows 10 endpoints.

At the core of this is Conditional Access which ties risk indicators and access together. One thing that Microsoft is missing is secure web gateway capabilities to provide security mechanisms to any type of web address (regardless of if they are integrated into Azure AD or not) however Microsoft provides much of the security capabilities directly into the operating system such as application guard which can provide somewhat security mechanisms, but not directly inline. Microsoft is also missing SD-WAN capabilities but is however investing into their Virtual WAN Offering on Azure which can route traffic using the Azure Backbone, but it is not optimized for regular SaaS usage yet.

When it comes to application access, Microsoft is ramping up here and provides a lot of different ways of getting remote access

  • Microsoft Tunnel
  • Azure VWAN
  • Windows Virtual Desktop

Even if Microsoft doesn’t check all the marks on the SASE feature list, they are core in any zero-trust based solution but are lacking some when it comes to secure web gateway (and even DNS filtering) and SD-WAN capabilities.

  • Citrix

Citrix has ramped up their offerings to provide a full stack regarding SASE. While they have had some of the components before.

  • SD-WAN
  • Zero-Trust based Network Access (from and end-user perspective)
  • Firewall as a Service
  • Secure Web Gateway

Much of these capabilities have been available in their cloud-based offerings under the umbrella Citrix Cloud.

They have had little offerings in regard to CASB and DLP based offerings (outside of CVAD) They are expanding the offering into some main offerings, called Secure Internet Access (which provides SWG, CASB and DLP functionality) which seems to be bundled together with Microsoft Cloud App Security. They also have Zero-Trust network access and provide rich remote access capabilities and provide richer session analytics that can inspect what users are doing inside a remote session and act if it is not according to normal user behaviour (within Citrix Analytics for Security)

Citrix also supports integration of risk indicators from Azure Security Graph API which means that from a client security perspective you should be running something that supports Security Graph API such as Defender ATP to provide better zero-trust based access. For instance, if a device is marked with a risk within Defender ATP which then will raise the flag Security Graph API then that could prohibit the user to access a virtual desktop within Citrix.

Also looking at much of the networking stack that Citrix is building within Citrix Cloud much of it is sources upon Citrix ADC/NetScaler capabilities provided as a service.

Niek Boevink (@nboevink) | Twitter

Citrix also has Remote Browser Isolation features available as a service as part of the cloud offering (which many of the SASE vendors are providing)

One thing to take into consideration here is that if you want to provide device posture as part of access you would need to either have EDR capabilities from Microsoft.

Now ulike most SASE vendors Citrix and each VMware has services in context of virtual apps and desktops to embed that as part of the delivery and providing session analytics inside the end-user session like CASB does for SaaS based services.

  • VMware

VMware made a huge leap in the SASE ecosystem after they acquired Velocloud (which was one of the market leading vendors within the SD-WAN ecosystem) and is now also providing much of the same capabilities that Citrix is providing in terms of Secure Access, Secure Web Gateway and also Cloud Firewall based upon VMware NSX.

Secure Access Service Edge Home

That VMware is providing is based upon a partnership with Menlo Security such as their CASB solution and also their Remote Browser Isolation product. However much of the approach that VMware is building (like Citrix) is that some of the core capabilities is based upon NSX Cloud.

The approach that VMware has is much like Citrix that is coming from a VDI/Desktop approach which is then bundled together, so also VMware provides in-session risk detection in a service that VMware has that is called Workspace ONE Intelligence Risk Analytics. Another advantage that VMware has is their EDR product Carbon Black which can provide risk indicators based upon health of the overall device (like Microsoft Defender ATP)

VMware Secure Access also supports Azure AD Based integration which can also provide identity risk context as part of the overall access management and can provide SaaS based access to different services.

  • Cloudflare

So what is Cloudflare doing here? While most know them as a CDN vendor they have one of the largest and optimized networks on the planet and is focused on providing fast traffic flows to the end-users.

A short while ago Cloudflare announced a new service product called Cloudflare One which provides much of the SASE capabilities together. Cloudflare works mostly on a network level so they are dependent on partners to provide context where they are lacking capabilities so when it comes to Zero-Trust based access they can integrate Device Context from such as VMware and Microsoft. They also support a wide range of identity providers such as Azure AD to provide identity-based context.

SASE - The Cloudflare Blog

They also have something that VMware, Citrix and Microsoft is missing and that is DNS filtering, to filter away malicious domains. While Cloudflare does not provide the same SD-WAN capabilities they have announced a new service called Magic WAN (Magic WAN & Magic Firewall: secure network connectivity as a service (cloudflare.com)) which is aimed at providing intelligence traffic flow like regular SD-WAN vendors using the existing Cloudflare network.

Cloudflare also provides zero-trust based access using Cloudflare Access which ties together Identity and Device Posture with Cloudflare’s network capabilities. From an end-point perspective you can also provide secure web gateway capabilities using a service called WARP.

Cloudflare also acquired a company called S2 Systems as well for their remote browser isolation capabilities which is also something that will be available within their SASE offering soon.

While Cloudflare is still pretty new within the end-user space and providing these capabilities they have a long history in terms of network optimized services so it will be interesting to see how they will evolve here.

  • CheckPoint

Checkpoint is known for most as a network security company and has a long history within that space. From an end-user perspective they have a SASE service called Harmony Connect which provide much of the core SASE components.

Harmony Browse | Check Point Software

From an endpoint perspective CheckPoint has had Sandblast for some time (rebranded into Harmony Endpoint) that provides EDR capabilities but also acts as an agent for VPN, Secure Web Gateway as well (with URL filtering) however I have not yet seen any indication that they provide device posture against end-users to prohibit access from other device let’s say from a known user.

Checkpoint unlike the others provide SSL inspection of the traffic to detect threats inside the session (while the other have remote browser isolation) Checkpoint also has a nano agent which looks inside the browser session, for sessions that cannot be decrypted such as HTTP/2 & HTTP/3 traffic (which unlike the other vendors that are providing remote browser isolation. Checkpoint also provides Secure Web Gateway services as part of offering (which is hosted on AWS datacenters) which proxies all traffic through the gateway and to the different SaaS applications.

When looking at CheckPoint offering unlike the other vendors it is still pretty much a network-based approach, they do not have the extended SD-WAN capabilities on their own but can integrate with others there. They can also integrate with a wide range of identity providers and provide VPN-less access to end-user’s trough their Harmony product.

So which direction should I go?

After looking into all these vendors, they all have a different approach when it comes to integration and “support” in regard to the SASE ecosystem. While SASE itself provides a good set of pointers on how you should provide secure remote access to your end-users it shouldn’t be absolute since the SASE definition doesn’t take into consideration like how your end-users are working today, cost, application, and service ecosystem.

So where should I go? the way I see it there are some distinct categories of vendors here. (and don’t look to much into the categories, just my head trying to conclude on something :D)

  • VDI/Application Delivery SASE vendors – Which provides much of the SASE capablities but also integrated with app and desktop delivery (and also in-session security analytics) which are based upon Citrix and VMware. While their unified network security approach might not be on par like with Checkpoint it is getting there.
  • Network Security SASE vendor – Still much focused on Network Security and doing inspection of traffic with or without SVG where Checkpoint has its focus. Still unsure how strong they are on using device & identity posture from other Vendors and remote access is still based upon SaaS and or VPN.
  • Cloud SASE vendor – Cloudflare comes from a cloud based ecosystem and unlike the other vendors rely much more on partners to provide context to them from identity and device. Also access to services is solely based upon SaaS/Web and or generic services which they support. They have not the same strengths into Secure Web Gateway like Checkpoint but seems like they want to move into that direction.
  • Not Quite there yet SASE Vendor – Microsoft has what I belive is the most tightly integrated Security ecosystem from these vendors in terms of device and identity posture, however that means that you are locked into their ecosystem. Secondly instead of having agent solution on end-points their core capability is that they have the operating system so having that context is important. While Microsoft does not have the SD-WAN and full SWG capabilities they have a lot of strength into unified DLP engines and SaaS capabilities which is often part of any deployment regardless of which other vendors you choose to provide more capabilities.

In the end I belive that you need to understand how your end-users are working today, what kind of requirements from a security perspective and understanding the future state of your digital workspace to provide a future proof security and network based platform.

Leave a Reply

Scroll to Top