In this guest blog post, Stefan Schachinger, Senior Product Manager at Barracuda Networks, explores the many advantages available in a single deployment thanks to Secure Access Service Edge (SASE) architecture.
Modern business challenges cannot be overstated. On top of the traditional pressures like cost management and changing regulatory environments, companies now must fight off threats like ransomware, which can enter the network through insecure email, web applications, and remote desktop connections, as well as any other available threat vector.
Barracuda research shows the most common method of attack varies by industry. Web applications are the most common infection point for consumer services, and network traffic leads the way for media, leisure, and entertainment companies. Email is the most common entry point in other industries, but the numbers vary widely. All these threat vectors must be protected without disrupting business operations.
The promises of digital transformation and the public cloud bring challenges of their own. Will your software-as-a-service (SaaS) applications work as well as their on-premises counterparts? Are the laptops and smartphones used by your remote workers compromised with malware that puts your business at risk? Is it safe to give your vendors virtual private network (VPN) access to your Internet of Things (IoT) devices for maintenance purposes?
It can be difficult to find the right mix of security and connectivity solutions that properly fit your current environment and will scale elegantly with your needs.
Reality of the hybrid company
Branch offices and off-premises work assignments are not new, but the pandemic-driven dispersion seen in the last few years is unprecedented. Companies were quick to move their workers into home offices, but by doing so they created or revealed unexpected security and performance gaps in their business networks. The United States Cybersecurity & Infrastructure Security Agency (CISA) reported a 127 percent increase in exposed remote desktop protocol (RDP) endpoints. These endpoints, along with unsecured virtual private network (VPN) connections, were quickly exploited in a global wave of cybercrime in pursuit of big ransoms, vaccine research, and anything else that may be of value. The remote workforce became a new national security issue, which increased the urgency to quickly secure businesses during quarantine.
Offices are bustling with employees again, but the post-quarantine workforce and business environment brought even more new challenges. Some workloads have moved to the cloud, some remain in datacenters, and a significant number of employees continue to work from home offices. Internal communications and data have moved to SaaS applications like Microsoft 365, putting sensitive information beyond the protection of “castle and moat.” The well-defined network perimeter has evolved into a fluid edge that must be secured with defenses that go wherever the company goes.
Traditional wide-area-network (WAN) and software-defined WAN (SD-WAN) solutions are not built for this type of hybridity. Most business traffic is now web-based traffic, and workers need secure internet access (SIA) regardless of their location. Companies must continue pursuing primary business goals while managing business costs and ensuring worker productivity. The adoption of Secure SD-WAN grew rapidly because of this scenario.
Secure SD-WAN is a new type of connectivity that provides cost-savings and network agility beyond site-to-site connectivity. Multiple offices, SaaS applications, public cloud workloads, and IoT devices can be securely connected without routing traffic through a firewall in a data center or branch office.
Secure SD-WAN was included in the cloud-native Secure Access Service Edge (SASE) architecture in 2019.
What is SASE?
SASE (pronounced “sassy”) combines software-based networking with network security and provides multiple benefits over traditional security and connectivity solutions. It delivers dynamic and secure access to company resources for any type of edge device, including branch offices, mobile devices, IoT systems, and edge computing locations, based on user identity and real-time characteristics.
Here’s a simplified look at the networking and security components in the SASE model:
The network security, web security, secure connectivity, and other components of a SASE platform were once deployed as separate products. SASE brings these components into a single platform and enables them to be deployed as features. Barracuda SecureEdge is a unified SASE platform that works seamlessly with the other solutions in our portfolio.
The SASE advantage
A SASE deployment provides a single, integrated service that allows network administrators to apply security and connectivity capabilities as needed. Unlike collections of WANs and security point solutions, SASE is an elegant, scalable, and agile approach that delivers many benefits:
Network complexity and deployment costs are reduced. The entire technology stack is consolidated into a single service, with centralized management through a single pane of glass. The service-oriented consumption model of Microsoft Azure makes a SASE deployment through the Azure Marketplace even more cost efficient. Overall, the combination of SASE and Azure can reduce the total cost of ownership (TCO) and increase the return on investment (ROI) of the deployment.
IoT devices and other hardware can be preconfigured by the SASE administrator for true zero-touch deployment at any location. This reduces the risk of misconfigurations and inconsistencies and makes the deployment less prone to human error. Zero-touch deployment also makes it easier to scale the infrastructure up or down as needed because there’s no need for specialized manual intervention. This fits perfectly with the Azure consumption model.
Network and application performance is improved for all users. SASE provides last-mile optimization, application prioritization, and connection redundancy or failover. Streamlining delivery through a SASE service improves the performance and reliability of any combination of user, site, and cloud connectivity. These improvements can have a significant impact on latency-sensitive applications.
Zero Trust Network Access (ZTNA) provides seamless and consistent session protection. This is true for cloud, SaaS, and on-premises resources. Zero Trust authentication is founded on the principle of “never trust, always verify.” While a VPN relies on a credential set to establish trust, Zero Trust relies on credentials, device, time, and other parameters configured by administrators. These parameters are verified each time the user requests something on the network. Zero Trust also establishes and enforces the principle of least privilege, which is a best practice that greatly improves network security.
ZTNA combined with other SASE components like firewall-as-a-service (FWaaS) and secure web gateway (SWG) addresses the security gaps revealed during the pandemic lockdown. Administrators can replace datacenter authentication and policy enforcement with ZTNA and FWaaS. Web traffic is secured through the SWG, where advanced threat protection and SSL inspection are applied. DNS-based filtering on the endpoint can reject known bad traffic (pirate sites), accept known good traffic (Microsoft 365), and direct unknown traffic to the SWG. All of this can be done for the user with a single SASE deployment.
SASE on Azure leverages the Azure Virtual WAN for backbone connectivity between corporate locations. This provides greater accessibility and improved performance, especially in large-scale or international deployments.
Managed service providers (MSPs) can create efficient and secure services for their customers through a SASE deployment. The customers benefit from the end-user advantages of SASE, while the MSP benefits from the reduced complexity and simplified management. The advantages and business use cases grow exponentially with each component that is added to the platform. A full SASE deployment can fully protect a client that might have otherwise been beyond the MSP’s ability to support.
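The DNS-based endpoint filtering described in the benefits above (reject known bad, accept known good, direct unknown traffic to the SWG) can be sketched as follows. This is an added example, not Barracuda SecureEdge code; the domain lists and the names `classify`, `KNOWN_BAD` and `KNOWN_GOOD` are constructed for illustration.

```python
# Added illustration: three-way DNS triage on the endpoint.
# All domains and list contents are constructed placeholders.
from enum import Enum


class Verdict(Enum):
    REJECT = "reject"        # known bad: refused on the endpoint
    ACCEPT = "accept"        # known good: resolved and sent direct
    FORWARD_TO_SWG = "swg"   # unknown: inspected by the secure web gateway


# Constructed sample policy (not real vendor lists).
KNOWN_BAD = {"pirate-site.example", "tracker.office.example"}
KNOWN_GOOD = {"office.example", "sharepoint.example"}


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing root dot: 'A.Example.' -> 'a.example'."""
    return qname.strip().rstrip(".").lower()


def suffixes(name: str):
    """Yield the name and each parent domain, split on label boundaries only."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify(qname: str) -> Verdict:
    candidates = set(suffixes(normalize(qname)))
    # Deny is checked first, so a blocked subdomain of an allowed zone
    # stays blocked.
    if candidates & KNOWN_BAD:
        return Verdict.REJECT
    # Matching whole labels means 'notoffice.example' and
    # 'office.example.attacker.test' do not inherit the allow entry.
    if candidates & KNOWN_GOOD:
        return Verdict.ACCEPT
    # Anything not on either list is neither trusted nor dropped.
    return Verdict.FORWARD_TO_SWG
```

Matching on whole labels rather than substrings is what keeps a lookalike name from being treated as known good.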
With Barracuda SecureEdge on Microsoft Azure, you can realize all the benefits of enterprise-grade SASE right from the Azure Marketplace.
Barracuda SecureEdge on Microsoft Azure
Barracuda SecureEdge is a cloud-first SASE platform based on proven Barracuda connectivity and security solutions. It is the latest step of many in our journey with Microsoft and was developed in cooperation with its engineers to ensure the best possible integration with Microsoft Azure. This integration provides customers with a powerful SASE platform, Azure Virtual WAN connectivity, and Azure Marketplace billing.
Customers who have existing Barracuda solutions in place can use these alongside a Barracuda SecureEdge deployment. There is no need to replace an existing device with a SASE component. Barracuda has decades of experience developing security, connectivity, and data protection solutions that are centrally managed through a web-based portal. Our award-winning support can help companies configure their network with SASE and our other solutions as desired.
Barracuda SecureEdge on Microsoft Azure can be deployed in three simple steps:
Barracuda SecureEdge connects users, sites, and things to any application and workload.