SASE architecture - a blueprint for MSSPs

Managing IT security and connecting branches and remote users - in an age when more and more applications and data are moving to the cloud - requires an increasing amount of time for configuration, patching, user provisioning, etc. Securing all users wherever they are is a challenge for Managed Service Providers (MSSPs) that maintain firewalls and other elements of IT infrastructure.

MSSPs must offer a scalable and secure service that will be profitable, i.e. require the least amount of time to maintain, so that the business can focus on expanding the customer base.

It's not getting easier: for ex. vulnerabilities are being exploited as soon as disclosed, so anybody maintaining IT infrastructure and applications must react even sooner than before. As an example, see the recent vulnerability with Fortigate devices: more than a month since its discovery, most of the devices are still left unpatched in the Adriatics region, essentially allowing malicious users to deploy malware, including ransomware. This points to a deep problem with IT maintenance: it's not scalable and evidently not profitable enough to justify a level of service that is essential in today's threat landscape, such as prompt patching.

SASE (shorthand for Secure Access Service Edge) SASE stands for "Secure Access Service Edge." It is a network architecture concept that combines wide-area networking (WAN) and network security services into a unified cloud-based platform managed by the SASE vendor. That increases productivity and frees up time for the MSSP to focus on actual security and customer acquisition.

Recognizing the need for a more scalable approach, even Microsoft is belatedly re-entering the network security market with a new SASE approach.

A mature SASE solution converges three basic elements:

1. Secure Private Access - connecting locations, branches and remote users allowing access to the organization's IT infrastructure, without manually managing legacy VPN configurations. Instead, connectivity is provided with automated SD-WAN and more granular ZTNA based access to organizational resources.

2. Secure Internet Access - this is about protecting users when "surfing" online, i.e. accessing resources on the internet. The old school way is to manage firewall policies at each office location with complex URL filtering and SSL decrpytion policies. Remote users are either backhauled to an office location or managed separately. With SASE, all these management points are converged into a single pane of glass by steering all traffic to a Firewall-as-a-service (FWaaS) or Secure Web Gateway (SWG)-as-a-service solution.

3. Secure SaaS Access - increased usage of SaaS applications such as Microsoft365 or Google Workspace is also becoming a threat vector which facilitates malware deployment or data loss, but also offers opportunity to enforce security policies. Decreased visibility into what happens within, say, OneDrive or Outlook inboxes is an increasing blind spot. That's why SASE vendors are complementing the above with a Cloud Access Broker (CASB) solution that tightly integrates with popular SaaS providers' APIs.

A SASE solution delegates these functionalities to the vendor who manages the infrastructure and exposes a SaaS-like scalable and secure service. The MSSP can thus concentrate on expanding its user base, but also on the actual security and monitoring of its users' infrastructure.

FortiSASE: A comprehensive SASE solution