Secure access service edge (SASE) has become an important part of enterprise networking and security. But what is SASE? We took a deep dive into SASE by speaking with Anand Oswal, Senior Vice President and General Manager at Palo Alto Networks. In this exclusive interview, he explains SASE and shares best practices for securing enterprise resources in today's cloud-enabled world.
What is SASE? (with Palo Alto Networks)
SVP and General Manager
Palo Alto Networks
The conversation includes these topics:
- What is SASE?
- The five parts of SASE
- How does SASE enable business agility?
- What are the hardware and software requirements for SASE?
- SASE and zero trust security models
- SASE and multi-Cloud computing
- SASE and SD-WAN solutions
- How to deploy SASE?
- Advice on SASE for CIOs
Anand Oswal serves as Senior Vice President and General Manager at cyber security leader Palo Alto Networks where he leads the company’s Firewall as a Platform efforts. He holds more than 60 U.S. patents.
Anand Oswal: SASE is basically networking and security coming together as a massively-distributed Cloud service.
Michael Krigsman: We're speaking with Anand Oswal from Palo Alto Networks about SASE, which brings together networking and security. Hey, Anand. How are you today?
Anand Oswal: I've been great, Michael. How are you?
What is SASE?
Michael Krigsman: Good. Anand, we hear this term SASE all the time. What does it mean?
Anand Oswal: SASE is Secure Access Service Edge. But before I tell you what is SASE, let me just rewind the clock a little bit.
If you rewind the clock 20 years ago, security was mainly bolted onto networking products like a router. That solved certain problems from a layer 3 perspective. But soon, as more and more complexity was added to the network and applications, that layer 3 router wasn't enough.
Then we had a next-generation firewall. That's intrusion detection and prevention. But then we also had point products to solve particular security use cases.
We had URL filtering appliances. We had appliances that did sandboxing for malware. And so, now we had this proliferation of these point products along with a next-generation firewall.
This led to more and more complexity for our enterprises. What we really need is a platform approach, a single platform that can secure all users accessing any application and any data sitting anywhere.
SASE is really networking and security coming together as a unified, massively-scalable Cloud service. That's what SASE means in a very simplistic manner. Consuming networking and security as a service, ensuring optimal and best user experience for any user accessing any application on any data sitting anywhere or any network.
Michael Krigsman: It sounds like it's tailor-made for our hybrid working, work from home, work from anywhere environment.
Anand Oswal: If you think about the last 24 months or so in the pandemic, the two things that have accelerated the most are, of course, remote work—we're all working remotely or in a hybrid fashion now—and applications accelerating to the Cloud. These two are massive transformations that have happened in a very accelerated pace.
With SASE, we're ensuring that organizations can scale. Organizations can have more agility. They can consume both networking and security as a Cloud-delivered service. They can have consistent, best-in-class networking and security with optimal user experience.
Michael Krigsman: How does SASE deliver or create these kinds of benefits?
Anand Oswal: What SASE allows us to do is have both networking and security delivered as a service (very simplified) so organizations can focus on what they do best and consume this service. At the same time, they have an optimal user experience. So, if I'm in the home, I'm in the branch office, or I'm on the go in a café shop, I have the same optimized user experience and the highest level of security experience.
The five parts of SASE
Michael Krigsman: Anand, what are the components of SASE?
Anand Oswal: SASE was coined by Gartner in 2019. SASE has five key constructs: next-generation SD-WAN, zero-trust network access, secure Web gateway, firewall as a service, and Cloud Access Security Broker. All of these five components come together seamlessly delivered as a unified Cloud service that is massively scalable.
Michael Krigsman: Are there any risks associated with this type of convergence, bringing these pieces together?
Anand Oswal: There are only advantages with this in terms of the way organizations can accelerate their transformation, accelerate network transformation, accelerate Cloud transformation, and accelerate the transformation of a hybrid workforce because users are everywhere.
Applications today are no longer only in your data center. They're in your data center, but they're in the Cloud. They're in multiple public clouds. They're SaaS applications.
Users, we are everywhere. If you think about it, in the past when you were home accessing applications remotely, sometimes you weren't able to access a certain set of applications. That can no longer happen today when the workforce is hybrid and remote. You want to access all the applications from any location and have the best user experience.
You want the security administrator to understand exactly what's happening. Who is accessing this application? Do I have the right permissions? Am I accessing the right data? Where is the data residing? Do you have the right compliance, are regulatory conditions met, et cetera?
How does SASE enable business agility?
Michael Krigsman: Can you give us an example from any particular industry to illustrate how SASE supports business agility?
Anand Oswal: We have a large healthcare organization, 100,000+ workers. As you know, in the pandemic, everybody was working remotely. At the same time, you did have doctors and nurses in the hospitals.
How do you ensure that you have new processes, for example, for the check-in of patients? Having doctors talking to patients remotely, ensuring that you can still have continuity.
We worked with a large fast-food chain restaurant that now had to change some of their practices. From users pointing to what they want in the food, they're able to use them through an app, deliver them seamlessly, and transform their business.
We have large professional organizations with over a quarter of a million users overnight working remotely and ensuring that they're able to manage all their applications, all their users, and had the right level of visibility and granular controls for the entire organization.
Numerous such examples across every single vertical.
Michael Krigsman: Given these examples, how does SASE make all of this possible, especially in contrast to the way security and networking was handled in the past?
Anand Oswal: The key construct here is that when you consume things from the Cloud as a service, you're able to scale at an extremely rapid pace. Many of our customers had to go from partial hybrid or no hybrid workers in the past, overnight, to 100% of their workforce working remotely with a light on our SASE solution to ensure that they have networking and security delivered to the user as a service.
They're able to get all the users up and running. They're able to have their businesses continue to operate the way they have, to ensure that the applications get data as secure. It enabled all their workers to be productive, to have secure access to applications, to data, and be productive.
Michael Krigsman: What about the timeframe to deploy? If you have a SASE environment, what kind of time is required to make the configuration changes that are necessary if you have something like a pandemic and, suddenly, the workforce needs to change in some significant way?
Anand Oswal: We had some of our customers, overnight, move from a small number of remote workers to close to a quarter of a million remote workers over a weekend. When you consume some things from the Cloud-as-a-Service, when you have a scalable service like we have at Prisma SASE, you're able to accelerate the pace at which you can move.
Michael Krigsman: That's a big part of it then is the speed of being able to make changes.
Anand Oswal: Deploying this service at a very fast pace, which is easy for us to deploy. At the same time, having all the levels of monitoring, visibility, and control that you want to do on an ongoing basis for your users, for your applications, for your data to ensure they're all secure.
What are the hardware and software requirements for SASE?
Michael Krigsman: Anand, you've been describing (at a high level) what SASE is, what it does, the benefits. Can you drill down a little bit and tell us about the components? What kind of hardware or software needs to be in place in order to implement SASE?
Anand Oswal: If you think of SASE, I talked about SASE as basically networking and security coming together as a massively-distributed Cloud service. You can think of it in three different aspects.
- The first aspect is securing remote workers.
- Then you can think of SASE for branches. There you will always have an SD-WAN appliance because you will have an appliance connecting to some service in the Cloud. You also have that appliance providing some level of security for east-west traffic, what we call a zone-based firewall.
- Third is that we'll have components of digital experience management. What I mean by that is how do you ensure that, from the user to the application, and every single segment of the network, you had the right visibility into what's happening.
Michael Krigsman: It's the flexibility and the agility that's the common thread here when you bring together security and networking.
Anand Oswal: Also, the consistency. You want to make sure that you have consistent security, the best security, but consistent security.
SASE and zero trust security models
Michael Krigsman: Let's talk for a second about zero trust security. Where does that fit in?
Anand Oswal: Zero trust assumes that you have no notion of implied trust for the user, for the application, and the data. We talked about the fact that you need four key constructs for zero trust.
- Ensuring that you understand who the user is and authenticate the user, dual-factor authentication through some identity mechanism.
- You understand the device they're accessing it from. Is it the right device? Does that device have malware?
- Then you want to ensure, can you access the application or data? Do you have permission to access that application or data and what you can do with that data?
- The fourth is the transaction. When you're sending data, does it have malware? And do that on a continuous basis.
With SASE, when you're bringing networking and security together, we need to ensure that is done in a zero-trust fashion, which means that there is no notion of implied trust. I'm ensuring that I have the best access to the network. I'm ensuring that I have all components of security. The firewall as a service, zero-trust network access, secure Web gateway: all of those constructs are available for SASE.
SASE and multi-Cloud computing
Michael Krigsman: Now, what about multi-Cloud scenarios?
Anand Oswal: We are living in a true multi-Cloud environment. Eighty to eighty-five percent of all organizations have applications in more than one Cloud. That's just the reality, right? That's why when I talked about SASE connecting users to applications in the private data center, in multiple clouds, or SaaS applications.
Those users are also everywhere. We want to ensure that we're able to seamlessly connect these, any users to any applications over any network securely. At the same time, you want to have consistent security and consistent user experience no matter where you are.
SASE and SD-WAN solutions
Michael Krigsman: Now, if we can shift slightly and talk about networking dimensions and SD-WAN (software-defined wide area networks), which you've referred to quite a number of times.
Anand Oswal: The first versions of SD-WAN were mainly built (if you think about it) from the perspective of you had your leased lines or MPLS lines, you had broadband, and many organizations made decisions for cost arbitrage.
What we are seeing today are customers augmenting broadband to MPLS. But more important drivers for SD-WAN is Cloud transformation, is network transformation, is optimal user experience because you want to access the application in the best possible path from where you are.
If you're in the branch, you want to access the application directly from that branch. You don't want to go from the branch to the headquarters and data center, from there to the application sitting in the public Cloud or SaaS applications or a local data center. You want to optimize the optimal path for that.
That's where you get the whole notion of next-generation SD-WAN, which is not packet-based. It's based on layer 7 constructs. You have application awareness baked into that. At the same time, you have all notions of application and user monitoring available.
How to deploy SASE?
Michael Krigsman: Let's talk about the implementation of SASE and the migration from an existing network and an existing security environment.
Anand Oswal: There are many ways to transform your network to a complete SASE network. Different organizations have taken different approaches to it.
In the pandemic, you have many organizations who move through a completely remote work environment. All organized moved. Many of them optimized for having security for their remote workers from home with our offering from SASE, which enabled them to have an agent on their end device accessing applications in the Cloud, full security provided to us through our offerings of Prisma SASE.
At the same time, now, as the pandemic is trying to ease, we have many organizations opening up their branches. When they start doing network transformation, it's happening from their SD-WAN appliance, connecting it directly to our offering in the Cloud for a complete SASE solution, bringing the SD-WAN constructs and our constructs around Cloud-delivered security together.
Then organizations are layering in notions of digital experience management to ensure that they have the right level of monitoring capabilities, the right level of insights, the right level of analytics, ensuring that the bits and bytes of data on the network are converted to information. That information into insights leads to outcomes for them. So, they're ensuring that they're able to add that capability to have a complete end-to-end SASE offering.
Michael Krigsman: Is SASE a pure technology solution or does an organization need to make process changes along the way?
Anand Oswal: SASE is bringing together networking and security as a massively-distributed Cloud service, which also means that, in many organizations, networking and security could be different personnel, different departments, which requires coordination, which requires them to bring people together to ensure that they are having the right outcomes for the organization. Absolutely, that's happening as well.
Michael Krigsman: In some respects then this SASE environment is going to be simpler to operate than all of these disparate systems.
Anand Oswal: Absolutely. SASE will be a very simplified offering given that you are bringing networking and security together, operating as a Cloud service. It's massively scalable so, as you expand your organization, as you add new branches or new sites, you can easily scale that notion.
Second, you can ensure that you have consistent security. You don't need to worry about having disjointed security practices, different for branches, for different users, et cetera.
Third, you're able to ensure that you have all notions of digital experience management, which means from user to application, end-to-end. You have insights, visibility, and automated remediation for the entire network.
Advice on SASE for CIOs
Michael Krigsman: Anand, what advice do you have for CIOs, network folks, or security folks who are listening and they want to adopt SASE? How do they go about it?
Anand Oswal: First and foremost, to keep in mind is that networking and security are coming together faster than ever before.
The second is that you have two massive transformations happening in the industry. One is a hybrid workforce and the second is applications moving to the Cloud, to multiple clouds, to SaaS applications. At the same time, there's an application in the data center, so we're truly living in a multi-Cloud world.
We want to optimize any user accessing any application and data over any network. We want to make sure that it is secure, the best in class security, you have consistent security no matter where you are or who you are. You start with ensuring that all your remote workers are on the SASE umbrella, if I may call it, ensuring that they have the best in class security consumed as a service (networking and security), optimized digital experience management.
Then you start transformation on your branch environments as you are going with SD-WAN and Cloud-delivered security. Again, add the layers of digital experience management to ensure you have visibility, monitoring, and insights.
When all of this comes together, you have an end-to-end SASE network, which means your remote workers, people in café shops, people at home, people in the branches, all of them have consistent, best-in-class, Cloud-delivered networking and security.
Michael Krigsman: What are some of the pitfalls that companies may fall into or the risks that they should avoid, again, as they're going through this process?
Anand Oswal: The biggest risk that organizations have is having disjointed security solutions. I mean that you have a security solution when your users are in the branch or in the headquarters accessing applications in the data center and the Cloud. You have a different, disjointed security offering when you're having the same for accessing applications in the Cloud. You have a third different solution if you're accessing it remotely from home when accessing applications in the Cloud or then applications in the data center.
You want to have a unified offering, and that's why a platform approach is so important.
Michael Krigsman: Anand, as we finish up, where is all of this going? In other words, what are your customers telling you that they want?
Anand Oswal: Every single customer I talk to is accelerating their transformation to the Cloud. At the same time, it's a journey for them.
Not every single application that they have is sitting in the Cloud. There are still applications in the data center, and there are still applications in multiple clouds (like you said before). Then you have SaaS applications.
At the same time, everybody realizes that the future of workforce is hybrid. We'll have people at home. We'll have people in the office.
You want to have optimal, best-in-class security with no notion of implied trust. You want to have optimal and best user experience no matter where you are. And you want to have secure access to all your applications, to all the data no matter where they reside. That is key in terms of how CIOs are thinking about it today.
Michael Krigsman: SASE is the foundation for the way we're working today, the way everybody is working today.
Anand Oswal: SASE will help them ensure that any user (no matter where they are), any application can be accessed securely over any network. Then you layer in all the constructs of having visibility, monitoring, insights, all through a single dashboard for all of networking and security.
Michael Krigsman: Anand Oswal, thank you so much for teaching us about SASE today.
Anand Oswal: Thank you, Michael.
Published Date: Nov 15, 2021
Author: Michael Krigsman
Episode ID: 731