Implement a SASE Architecture at Your Own Pace in Three Steps

Change can be daunting; many organizations don’t know where to start to transform their network and security architectures—Aruba can help.

istock 863497390

Organizations have often relied on multiple vendors to connect and secure their branch offices. Through a Do-It-Yourself (DIY) approach, they may have installed a number of disparate WAN edge appliances including routers, firewalls, and WAN optimization devices. As a result, network installations are often complex and difficult to manage. These installations are no longer optimized for the digital era. The network security perimeter is dissolving as more and more applications and workloads are hosted in the cloud and more employees connect from anywhere. However, organizations sometimes don’t know where to start to transform their network and security architectures. They may also be tied to multi-year contracts that prevent them from moving their current architecture to a cloud-first SASE architecture.

Organizations should take these simple steps to transform their network and security architectures to implement a secure access service edge (SASE) at their own pace.

Step #1: Implement SD-WAN between headquarters and branch offices

While SD-WAN adoption continues to accelerate, some organizations still rely on traditional, rigid, and expensive MPLS lines to connect their branch offices. But MPLS doesn’t provide the flexibility and the security required to directly access applications hosted in the cloud. Indeed, with most enterprise applications moving to the cloud, corporate data centers are no longer the hub of all network traffic. To deliver the highest cloud application performance, organizations should now steer the traffic directly across the internet instead of backhauling the traffic to the corporate data center.

An SD-WAN provides flexibility and reduces complexity by virtualizing the network. It can flexibly combine multiple WAN transport services including MPLS, broadband internet and 5G/LTE. Connections can also be configured based on business needs.

By leveraging an advanced SD-WAN using public internet services, organizations can easily spin up new branches and benefit from performance equal to or even better than private lines thanks to forward error correction that can rebuild packets lost in transmit and packet order correction to reorder packets delivered out-of-order across multiple lines.

Additionally, with centralized orchestration, application QoS configurations and security policies are automatically pushed to branches with zero-touch provisioning, requiring no human intervention. New branch offices can thus be set up quickly and easily, and policy changes can be automatically distributed to hundreds or thousands of branches in minutes while minimizing errors. Firewall, routers, and WAN optimization devices can now be replaced by a single SD-WAN device, simplifying the network and operations.

Step #2: Automatically incorporate best-in-class cloud security capabilities with a natively integrated SD-WAN solution

The SASE model describes many security components including Secure Web Gateway (SWG), Firewall as a Service, Cloud Access Security Broker (CASB), Zero-Trust Network Access (ZTNA), antivirus, Data Loss Prevention (DLP), sandboxing, and more.

When transitioning to a SASE architecture, enterprises must consider incorporating the best-in-class cloud security capabilities that will better protect the organization rather than an all-in-one solution that may not support equal protection against all types of threats.

As an initial phase, SD-WAN solutions simply integrate into your existing network without requiring any major infrastructure change and let you keep your existing firewalls and routers. Then, as you subscribe to new cloud-security services, an advanced SD-WAN solution can provide a native integration with these services. This integration is seamless as SD-WAN solutions automate the ‘onboarding’ of cloud security by configuring the secure tunnels (connections) to cloud security enforcement points, and intelligently steer application traffic. With intelligent steering, organizations can build security policies that backhaul data center-hosted application traffic to the headquarters, send trusted cloud application traffic, such as Office 365 or UCaaS traffic, directly to the internet, or send all other internet-bound traffic to a cloud-delivered security service, for further security inspection.

SD-WAN solutions must also include firewall capabilities to protect the branch from incoming threats. Leading SD-WAN solutions include stateful zone-based firewall and intrusion protection capabilities, paving the way to retire existing legacy branch firewalls.

Step #3: Beyond SASE: Securing IoT devices and traffic

In the post-COVID era, the complexity of the network has significantly increased with resources spreading across data centers, as well as the growing number of IOT devices, making it even more difficult to securely protect organizations from cyberattacks.

Indeed, IDC predicts that there will be 55.7 billion connected devices worldwide by 2025, and data generated from connected IoT devices to be 73.1 zettabytes (ZB), a three-fold increase from 18.3 ZB in 2019.

IOT use cases are diverse, ranging from automotive, video surveillance, smart metering, HVAC controls, healthcare, point of sale terminals, and more. These devices often lack authentication systems, and it is usually not possible to install a security agent on them. Thus, they are less secure than other computing devices. They expose organizations to increasing threats because they often share the same network paths that other enterprise application traffic traverses.

With a zero-trust policy approach, organizations assume that no device can be trusted by default. Network segmentation is essential to allow the user or device to only access certain areas of the network consistent with their role to prevent an attack from spreading across the network and hitting critical applications as well as limiting user or device access to digital resources only in accordance with business requirements.

It is critical to provide a unified approach towards zero-trust across the wireless LAN, wired LAN, and SD-WAN. Advanced unified network solutions offer role-based access policies to implement zero-trust policies based on full 802.1X and multi-factor authentication for user devices. By implementing dynamic segmentation, devices are automatically assigned the proper access control policy and the network traffic is segmented based on user or device type as well as context.

Through zero-trust capabilities, and native integration with cloud security providers, Aruba helps organizations to move to a SASE architecture at their own pace.

  • Aruba EdgeConnect provides industry-leading SD-WAN capabilities to optimize and simplify the WAN edge.
  • It automates orchestration to best-of-breed cloud security solutions by automatically establishing IPsec tunnels and intelligently steering the traffic based on the identification of the first packet.
  • It includes a stateful zone-based firewall and centrally manages the orchestration of security policies.
  • Coupled with Aruba ClearPass user/device and role based access control, EdgeConnect participates in enforcing consistent zero-trust edge to cloud security policies across the wired or wireless infrastructure, in-branch or on-campus networks, across the WAN and to the data center and cloud, all thanks to Aruba’s dynamic segmentation capabilities that protect users and IOT devices.

Related Resources

HPE (Aruba and Silver Peak) named a Leader 4 years in a row in 2021 Gartner Magic Quadrant for WAN Edge Infrastructure - Get the Report.


Copyright © 2021 IDG Communications, Inc.