SD-WAN and security in one cloud strategy

A secure access service edge from one provider

What is SASE?

In 2019, Gartner coined the term Secure Access Service Edge (SASE, pronounced “sassy”) defining this new category of solutions as “converged offerings combining WAN capabilities with network security functions.” These solutions consolidate a swath of network and security capabilities into a single cloud-based service from one provider. SASE solutions typically include SD-WAN, Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), as well as features and capabilities needed in a Zero Trust network access environment.

By uniting point solutions into one cloud platform, technology silos are broken and IT complexity is replaced by visibility and ease of management. The end result is a synergy across both IT domains; under the SASE model network and security have officially come together.

Digital transformation inverts network and security service design patterns, shifting the focal point to the identity of the user and/or device — not the data center. Security and risk management leaders need a converged cloud-delivered secure access service edge to address this shift.

— Andrew Lerner, Research Vice President, Networking, Gartner

The four tenets of SASE

Supporting the need for secure access in a simplified IT infrastructure, Gartner’s SASE model centers around four key characteristics.

Cloud based

SASE solutions are delivered as a service, helping enterprises transition from hardware to software, reducing costs with multi-tenancy, and supporting a remote, distributed, and mobile workforce.

Globally distributed

SASE offerings cater to companies doing business across multiple regions or countries with a software-defined network for low-latency routing across worldwide points of presence.

Identity focused

User identities and individual devices (not the data center) are the focus for SASE, so access to identity analytics and user activity tracking capabilities are key.

Edge flexible

SASE services place emphasis on flexibility and security at the edge, where branch locations, cloud applications, and mobile and IoT devices connect.

Masergy delivers on the tenets of SASE

Security must be intrinsic to the network, and Masergy has been uniting the two IT domains into one service strategy for years. Masergy embeds security into our SD-WAN and private SD-network, meeting the key tenets of the SASE model. Plus, clients get the freedom to choose from a wide menu of other network and security services.

Key security features: Masergy’s SD-WAN solutions

  • Next-gen firewalls built into the Fortinet SD-WAN device
  • Firewalls in the cloud or on the edge—it’s your choice
  • Three tiers of bundled security services
    • Unified Threat Management (UTM): combines logging and alerting security features visible in the SD-WAN portal and also includes anti-virus, intrusion detection/prevention, web filtering, data loss prevention, and more
    • Threat Monitoring & Response: adds upon the above with 24/7 threat monitoring and incident response of UTM events throughout the IT environment
    • Managed Security Services: adds upon the above with a comprehensive list of services including analytics, cloud security, endpoint security, vulnerability scanning, and more

CASB & cloud security

CASB monitors and controls access to cloud applications and environments

Cloud Workload Protection monitors data residing in cloud-hosted environments

Office 365 security monitoring provides managed detection and response for Microsoft’s productivity apps

Secure web gateway

Cloud-based application control and content filter

Granular per-app and per-user visibility with Identity-Based WAN Analytics

Unified threat management to inspect all north/south (server-to-server) IP traffic on your WAN

Identity-based WAN analytics

Per-user statistics across all applications

User activity tracking

Real-time analytics available on-demand

Network and security analytics all in one portal

Building security analytics into the network portal has a transformational impact across both IT domains. In 2017, Masergy started doing just that. Very quickly, clients noticed greater visibility for network performance optimization and accelerated security alerting, investigation, and threat response services. With years of maturity, Masergy’s SD-WAN portal includes these security features:

  • Shadow IT Discovery: Automatically scans and identifies potential threats from cloud-based SaaS applications running on your network
  • Identity-Based WAN Analytics: Detailed per-user statistics across all applications are essential in developing a Zero Trust security strategy
  • Full network visibility for faster security investigation and response
    • East/west and north/south (server-to-server) traffic within the data center
    • Client-to-server traffic outside the data center network

Be wary of [SASE] vendors that propose to deliver services by linking a large number of features via VM service chaining, especially when the products come from a number of acquisitions or partnerships. This approach may speed time to market but will result in inconsistent services, poor manageability and high latency.

— Andrew Lerner, Research Vice President, Networking, Gartner

SASE architecture really matters

While SASE’s solution medleys are refreshing in the age of IT complexity, it’s more important than ever to avoid those that leave IT teams stymied by multiple dashboards. The degree to which the underlying SASE architecture is standardized distinguishes seamless SASE platforms from mere solution sets where vendors have cobbled together parts and pieces.

The key is to have one transparent ecosystem where all SASE capabilities share a common infrastructure for superior interoperability and visibility from edge to edge. Solution providers typically use their own private network to serve as the underlying platform, and it’s here where Masergy’s underlying network architecture stands out.

  • Standardized SD-architecture: Masergy’s global, private network is entirely software defined and built on a ubiquitous SD-architecture all around the world–at our core is a pure SD-network that we operate
  • Common infrastructure: Every newly added SD-WAN feature and application interoperates as equal partners on the same operating system
  • Transparent interoperability: One transparent ecosystem combines Masergy’s SD-network, direct cloud connections, and security-centric Fortinet hardware, which together deliver superior edge performance

Consistency across the network and security

IT leaders can’t focus on innovation when they are worried about how the network and security will work together. In fact, network and security approaches should be consistent across the two IT domains.

For instance, network segmentation and data protection strategies used inside the LAN should also be mimicked in the WAN—as one unified strategy. Masergy’s SD-WAN solutions are designed to create an enterprise-wide standard for network and security, helping companies unify IT operations and adhere to convergence best practices.

  • Consistent security policies: Solutions enforce consistent security policies across all SD-WAN devices and deliver security alert metrics all within one portal
  • Simplified segmentation and limitless virtual private networks: Easily segment network environments for more security, creating a variety of VPNs without exorbitant fees (for example, segment employee Internet access from guest WiFi)
  • Segmentation and security consistency: Map a pervasive IT security posture across your multi-tenant WAN and LAN infrastructure using a centralized security deployment—Masergy’s solutions can secure users and endpoints across multiple instances of virtual routing and forwarding (VRFs) and LAN segments

Keep exploring

Answers to your frequently asked SASE questions

Free consultation with an SD-WAN expert