VPN's Role in SASE

In 2019, the research firm Gartner coined the term “secure access service edge” (SASE) to describe “ … network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (i.e., SDWAN) to support the dynamic secure access needs of organizations.” The idea that remote users can have secure access, no matter where they work, became especially appealing during the COVID outbreak. The rise of remote workforces due to the pandemic increased awareness faster than expected. With SASE front of mind for many enterprise network administrators and Chief Information Security Officers (CISOs), many people are asking, "What exactly is secure access service edge (SASE)?"

Edit: OpenVPN Cloud is now CloudConnexa^® — learn more here.

Read on for a high-level look at the SASE model and the role a virtual private network (VPN) plays in it.

What is SASE?

According to Gartner, SASE isn’t a single product; it’s an architecture or philosophy.

SASE combines network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (i.e., SDWAN) to support the dynamic secure access needs of organizations. These capabilities are delivered primarily as-a-service (aaS) and based upon the identity of the entity, real time context, and security/compliance policies.

A SASE architecture migrates security from data centers to the cloud, merging individual technologies into converged Security-as-a-Service. Because it's a combination of security functions, some vendors offer bundled solutions to accelerate SASE implementation that supports remote workers with internet access outside the corporate network. More often a multi-vendor approach is required because so few vendors offer every component of a SASE platform. The individual security services that create a SASE platform are: 

• Software-defined WAN (SD-WAN): SD-WAN applies software-defined networking (SDN) to large-scale wide area networking (WAN) for improved agility and app performance as well as easier management.
• Cloud Access Security Broker (CASB): Software (on-prem or cloud-based) between cloud users and cloud apps that monitors activity and enforces security policies. 
• Next-Gen Firewall (NGFW) and Firewall-as-a-Service (FWaaS): NGFW goes beyond protecting against the usual suspects — ransomware, viruses, worms, trojans, adware — by completely blocking malware before it gets into your network.
• Zero Trust Network Access (ZTNA): Creates a secure perimeter around application(s) with identity- and context-based access. Applications are concealed, reducing potential surface area for attackers.
• Secure Web Gateways (SWG): SWG platforms detect and prevent threats, unauthorized access, and malware using a digital barrier and filter between a website and end-point device. This blocks access to potentially harmful sites in addition to cyberattacks.

The Benefits of SASE

TechTarget contributor Terry Slattery writes, "A cloud-based distributed architecture, centralized management and endpoint-specific security policies …” are primary benefits of SASE. Additional points in SASE’s favor, included in the same article, are: 

• Applications can live anywhere: The distributed access of SASE lets applications live anywhere — a data center, public or private cloud, SaaS — and places security functions closer to end users. 
• Streamlined operations: With SASE the network perimeter is the endpoint, and security is applied dynamically using role-based policies. This simplifies networking and security for employees no matter where they’re working.
• Security and routing integration: SASE consolidates DNS reputation, remote browser isolation (RBI), ZTNA, data loss prevention (DLP), malware protection, CASB, NGFW, intrusion detection, intrusion prevention, and SWG.
• Lower WAN costs: SASE routing operation, similar to SD-WAN, helps reduce WAN costs by removing the need for costly MPLS and leased circuits. Those are replaced by a VPN. 
• Distributed architecture: SASE’s distributed architecture and centralized management produce efficiencies in security and network traffic. These same features have the potential to be more resilient when hit with denial-of-service (DOS) attacks, too.
• Speed: Cloud congestion and data center network latency are common problems, but SASE helps accelerate response times.

Some SASE service providers promote their product and service bundles as replacements for VPNs, but it’s important to note that a VPN is an essential component of good SASE architecture. When SASE vendors reference the end of VPNs, they’re referring to on-premise VPNs; but one of the biggest, maybe the single biggest, selling points of SASE is that it’s cloud-native. Remember, Gartner defines SASE as “a global cloud-based service with a truly converged network security stack that supports all edges (not just branch networks). ... Cloud Access Security Broker (CASB): A cloud-based security solution like SASE logically needs to provide security for cloud applications.” It’s easy to see why this appeals to companies undertaking digital transformations and migrating to the cloud.

Unlike legacy VPNs, OpenVPN’s next-gen VPN (OpenVPN Cloud) creates a private network in the cloud that’s hidden from the public internet. That’s a powerful support for any SASE architecture (and at lower cost and with less complexity!).

OpenVPN and SASE

VPNs are no longer limited to enabling remote access. SASE may be the hot new cybersecurity concept, but it’s important to keep in mind that modern VPNs are a component of SASE and, on their own, provide security capabilities such as access control. Another critical aspect of this discussion is that cloud-based, next-gen OpenVPN isn’t just a replacement for SD-WAN; it also has a number of SASE architecture components — ZTNA, firewall, intrusion detection, intrusion prevention, content filtering — built into it.  Want to see how easily OpenVPN Cloud integrates with, or even replaces, some of your other SASE applications? Register for three free connections today.