Promoting the comprehensive upgrade of SASE services, the front line of Internet technology is chasing the era of cloud network security integration

2023.08.26

SASE represents a new architecture that integrates wide-area networking functions and security functions to meet the dynamic security access needs of enterprises

With the advancement of digital transformation and the accelerated development of cloud-network integration, enterprises have put forward higher requirements for network information security. How to better integrate flexible cloud network basic capabilities and comprehensive security protection capabilities has gradually become the focus of market attention.

"Currently, we find that customers not only have flexible networking requirements, but also pay more attention to security service subscription requirements. They need to simplify the deployment and operation and maintenance of network security capabilities, reduce Capex investment, and flexibly speed up and down. These requirements are increasingly reflected in bidding projects." Interconnection Xu Jie, director of technology front-line products, talked about his observations in an interview with 51CTO.

SASE was born to respond to this expectation. It is not a synonym for a single technology, but more of a concept that integrates "network + edge cloud security". A hot word in the field of network security in recent years, SASE has moved from hype to a calmer phase. User acceptance is increasing day by day, and users are beginning to seek out service providers to discuss related solutions.

Players entering the SASE track include network service providers, cloud vendors, and professional security vendors. Among them, the first line of Internet technology is emerging as a force that cannot be ignored in the multi-party competition by virtue of its cloud network security integrated delivery solution.

Why choose SASE

In the past, enterprise data was stored in self-built or managed data centers. Therefore, the design of traditional network security architecture usually takes the data center as the focus of access requirements, and the architecture is complex and has delay problems.

More importantly, the current network environment and data security of enterprises are facing more uncertainties. First, as business is fully migrated to the cloud, the operation and maintenance difficulty and the security risks brought about by distributed deployment and multi-cloud architecture have increased with it. Second, with the popularization of remote and mobile office work, the traditional network security boundary has been broken. Finally, the cost and efficiency problems caused by building network, cloud and security separately have become more and more prominent, and enterprises are more inclined to hand management over to integrated cloud network security service providers.

It is against this background that SASE emerged and received widespread attention as a new paradigm subverting the traditional architecture.

As a concept proposed by Gartner in 2019, SASE represents a new architecture that integrates wide-area networking functions and security functions to meet the dynamic security access requirements of enterprises. Later, Gartner carved out a "subset", SSE (Security Service Edge), from within SASE.

To put it simply, SSE is an integral part of SASE, focusing on the security service part, while the other half outside SSE focuses on the network service part. Gartner predicts that by 2025, 80% of enterprises will adopt a strategy of leveraging a single-vendor SSE platform to access networks, cloud services and purpose-built applications.

It can be seen that the development potential of SASE is beyond doubt, and the demand of enterprises for network security subscription services is also driven by the times. To meet the ever-increasing needs of users, the first line, which previously focused on enterprise network services, has started down the road of upgrading to the SASE service architecture.

Architecture upgrade: the goal is "integration, simplification, and flexibility"

Gartner has assessed that the SASE market is in constant flux and that no single vendor can offer the full portfolio of SASE capabilities. There are vendors that can offer some security-as-a-service, but lack the SD-WAN capabilities that SASE requires. Some suppliers can provide security as devices, but they do not have the conditions to deploy SASE services on edge nodes in the cloud-native global network. In general, single capabilities and too few POPs severely limit the implementation of SASE. The integration of cloud and network security is the essence of promoting SASE services.

To this end, the first line relies on the cloud network construction resources it has accumulated in the past, with its self-developed SD-WAN architecture as the basic support, and has redefined and upgraded its products, architecture, team building, and delivery models. Xu Jie gave a further introduction:

First, promote POP nodes to support the SASE security service chain function, upgrading them to SASE POP and providing SASE security services such as zero trust network access (ZTNA), firewall as a service (FWaaS), secure web gateway (SWG), data leakage prevention (DLP) and intrusion prevention (IPS). Enterprises can subscribe flexibly according to the needs of different scenarios. It is understood that the first line has built 200+ POP nodes in 100+ cities, and its service capabilities cover 700+ cities around the world. At present, the first line has completed the upgrade of POP nodes in core cities to SASE POP.

Second, promote the integration of SD-WAN and SASE platform management capabilities: integrate and support the various functions of the SASE security service chain on the existing SD-WAN platform, and flexibly call the configuration and status of security components through APIs, so that enterprises can keep fine-grained control of the network and security situation from an integrated network security platform.

Third, promote the capability upgrade of the entire service delivery team: cultivate the technical capabilities of security engineers, pass the technical certification of relevant security certification bodies and security vendors, improve the delivery capability of the "cloud network security" one-stop solution, and guarantee SASE project delivery from an overall business perspective.

Fourth, upgrade from providing a one-stop network solution to a one-stop network security solution that provides "network + security planning + project implementation + post-operation response". Build a NOC (Network Operations Center) + SOC (Security Operations Center) dual-operation response system to provide agile and efficient support for the resolution of various network failures and security incidents.

Xu Jie mentioned that in the process of the SASE service upgrade, the front line mainly focuses on three points: "integration, simplification, and flexibility".

"One is to integrate: we have SD-WAN itself, so how do we integrate security service capabilities with it on this basis; the other is to simplify: network services can be subscribed, security services can also be subscribed, and users do not need to deploy and maintain them themselves. This is a subtraction for users, and for service providers the question is how to achieve unified delivery; the third is flexibility: security services should be as flexible as network services, and customers can flexibly shrink or expand within the life cycle of their contracts."

Driven by this goal, the first line added "security" to the cloud network service, forming a one-stop integrated solution that combines SSE, SD-WAN networking, and unified visual management of network and security, and completing the transformation from a cloud network service provider to a cloud network security service provider.

Scenario Adaptation: Prescribe the right medicine to create zero trust protection for remote office

The front line has a clear understanding of this upgrade of its own positioning. Xu Jie mentioned that there is still a clear difference between the front line, which provides network security services and is transitioning to a cloud network security service provider, and professional security vendors.

"For security vendors, they are good at security technology plus security solutions, and usually sell one-off software and hardware packaged solutions. The advantage of the first line is to provide customers with professional one-stop services. Therefore, in the SASE service in the future, the first line will cooperate with leading security vendors to integrate their security functions and provide full life cycle services. Both parties will play to their respective strengths."

"Service" is the core of the first-line SASE. In order to provide SASE services close to the needs of users, the front line realized from the very beginning that it needs to take root in the scene, extract the most basic scene requirements, and then design, develop and iterate.

"A large number of existing customers on the front line are networking customers. The access needs of these customers are usually to visit branches and to visit headquarters/data centers, and since the epidemic, remote office users have increased, and the demand for remote access has increased."

Therefore, the three basic scenarios for the first-line SASE are enterprise intranet security, Internet access, and remote secure access.

For intranet security from the headquarters/data center to the branch, enterprises can quickly build a secure enterprise intranet through SASE POP, combined with IPS to control and intercept intranet threat traffic and with DLP to prevent key files from being illegally copied and downloaded. For access to the Internet and SaaS services, enterprises can use SASE POP as a unified access exit to narrow the attack surface and reduce the threat of intrusion and malicious attacks; combined with SWG capabilities, it can provide dynamic classification of websites and automatically block access to websites with security threats. For decentralized remote office workers accessing the enterprise, the front-line zero trust revolves around the identity of visitors, giving them the minimum operating authority for applications through micro-segmentation and dynamic authentication, thereby realizing "close" protection of enterprise data access.

As far as remote office scenarios are concerned, the introduction of the zero trust model can realize differentiated application authorization based on different users and improve user access security control, because zero trust emphasizes "never trust, always verify". However, in recent years, the topic of "zero trust" has repeatedly caused controversy, for example over the cost of zero trust transformation and whether zero trust amounts to "excessive defense".

In this regard, Xu Jie believes that the implementation of zero trust must first pay attention to user needs. "To implement zero trust, enterprise users need to plan various application definitions and authorization policies for different users in advance to implement refined management. The effect of security control will definitely be enhanced, but this requires a change in concept and takes considerable time. If a customer does not have a particularly complex application, and the requirements are relatively simple, insisting on implementing zero trust will lead to increased costs."

In Xu Jie's view, zero trust is more like an alternative upgrade to traditional security strategies. "It is not a technology that completely subverts the past. On the whole, zero trust is an iterative upgrade of traditional security strategies. Zero trust and traditional security strategies can be integrated and symbiotic. The two complement each other in terms of capabilities and jointly provide enterprises with more complete security protection."

Landing: Create differentiated advantages and move towards the era of cloud-network security integration

Looking at the SASE market at home and abroad, there are many entrants, but the market competition pattern is still unstable. For the front line to stand out, creating a differentiated advantage is an inevitable path. Xu Jie said that the front line will focus on the following four aspects.

First, agile delivery. "The first line has standard network nodes, but some customers still hope to have the nearest access point. How to sink the capability of the security service chain to more POP points is a problem we have been considering. At present, the first line SASE can realize the construction of SASE POP within an hour at the fastest, meeting the requirements of customers to obtain security nearby."

Second, elastic expansion and contraction. "SASE, as a form of SaaS service, must ensure that elastic scaling is implemented. Customers do not need to wait after placing an order, and can immediately subscribe to security and network services according to their own development needs to achieve optimal cost investment."

Third, one-stop management. "Our service is to integrate and support the corresponding SSE functions on the SD-WAN platform, so that customers can visually monitor and analyze the global network security situation through the front-line SD-WAN & SASE management platform, so as to accurately deal with problems."

Fourth, refined management and control. In addition to unified configuration, the management platform also supports policy-driven orchestration of security and network policies, so that each application can obtain the best support in terms of network resources and security protection.

How can the implementation of SASE with differentiated advantages be promoted? Xu Jie introduced a consumer electronics customer as an example. The customer hopes to provide branches with a unified and secure Internet exit to access the Internet and SaaS, to avoid external intrusion and malicious attacks. At the same time, the customer also pays close attention to the security of data assets on the intranet, but does not want to participate too much in the security deployment, hoping to simplify the operation and maintenance management on the customer side. In the end, the first line provided the customer with a unified Internet exit based on SASE POP, and enabled Internet exit security subscription functions such as "firewall, intrusion detection, data leakage prevention, URL filtering, anti-virus, and anti-crawler" as needed. Overall, the customer is quite satisfied with the delivered solution. First, the security policy is managed in a unified way from the cloud, and the one-stop orchestration of network security simplifies the operation and maintenance management on the customer side. Second, the customer can subscribe to different levels of SASE services based on the actual business scale and traffic of each branch, with elastic expansion and contraction supported during the contract period, effectively saving costs.

On the road to the integration of cloud and network security, the first line has taken a solid step. Looking forward to the future journey, facing the era of cloud and network security integration, and based on its positioning as a cloud and network security service provider, the front line has more blueprints to realize: continue to upgrade and expand SASE service access capabilities; deepen cooperation with leading security vendors and create customized network security solutions; introduce AI functions to predict, detect, and warn of network failures and security incidents, and enhance intelligent operation and maintenance of network security...

"The road is long and difficult, and the future is coming; if the road is not stopped, the future can be expected." Consolidating the foundation of the digital economy and promoting the interconnection and innovative development of digital infrastructure is inseparable from the joint progress of upstream and downstream enterprises in the industrial chain. Xu Jie said that the first line will take the SASE product release as an opportunity, and will work hand in hand with more partners and enterprise users in the future to create a new win-win ecosystem for the industry.