Managed SASE Archives - Aryaka The Cloud-First WAN

Cathay Takes Flight with Aryaka: A High-Flying SASE Partnership
https://www.aryaka.com/blog/cathay-aryaka-sase-partnership-flight-enhancement/
Tue, 05 Mar 2024 13:34:33 +0000


If there’s one thing we can all agree on, it’s that flying should be smooth sailing, right? But behind the scenes, there’s a lot of network and security wizardry at play, especially when it comes to keeping our favorite airlines running seamlessly. So, fasten your seat belts as we jump into why Cathay, a travel lifestyle brand that includes the Cathay Pacific airline, chose Aryaka’s Unified SASE solution to help modernize its global IT network infrastructure.

What’s the Big Deal?

Cathay is no stranger to the skies, with over 77 years of flying experience under its belt. But even seasoned pros need an upgrade now and then. By embracing Aryaka’s secure, high-functioning network, which co-exists with Cathay’s current technology, Cathay gains improved overall network performance, increased scalability, and minimized downtime, further enhancing the business and customer experiences. Additionally, fully managed services and last-mile circuits from Aryaka will provide Cathay with an end-to-end solution that simplifies its digital transformation journey.

Why Aryaka?

When Cathay went searching for the perfect partner to level up its network game, Aryaka stood out from the crowd. With its unrivaled expertise in networking, security, and observability, Aryaka was the clear choice for Cathay’s ambitious plans.

“Aryaka’s Unified SASE solution and managed services will support Cathay’s growth as network demand increases, while allowing us to remain agile and secure in the process,” said Rajeev Nair, General Manager of IT Infrastructure and Security, Cathay.

“As we continue to rebuild our business, we need a partner that could have an impact on our network and security, limit downtime and interruptions, and give us the flexibility to expand our network and bandwidth with less lead time. Aryaka provides all of that and more, and we look forward to working with them to further modernize our business for our employees and customers.”

The Sky’s the Limit

As Cathay prepares to embark on this exciting new journey, the future looks brighter than ever. With Aryaka by its side, Cathay is ready to conquer the skies and set a new standard for excellence in the airline industry.

Overcoming SASE Challenges: Dell Oro’s 2024 White Paper Unveils 4 Key Hurdles to Clear
https://www.aryaka.com/blog/overcoming-sase-challenges-dell-oro-white-paper-2024/
Thu, 04 Jan 2024 16:57:23 +0000


More and more customers are going down the SASE journey in 2024, so over the holiday period I did some reading and came across this really informative white paper. Published by Dell’Oro, it encapsulates every problem I heard from prospects and partners throughout 2023, and it highlights 4 common challenges to watch out for. Whether you are thinking about implementing SASE or are already on the journey, I would be interested to hear whether these challenges resonate with you and, more importantly, whether there are other challenges to watch out for that are not mentioned below. So, let’s review these common challenges:

Problem #1: Overemphasis on security at the expense of networking – we all agree that security is critical; it is non-negotiable. However, performance is as well, and many companies find it hard to balance both. As one layers in more security, this can come at a cost, so a foundational requirement for a successful SASE solution is a high-performance SD-WAN solution. This must come first, and the better the network solution you have, the more security you can layer in to protect your applications.

Problem #2: Lack of integration between security and networking functionality – buying best of breed is a commonly accepted approach: best-of-breed SWG, CASB, DLP, NGFW, etc. This will get you the right standalone functionality; however, stitching together solutions from different vendors will come at a cost – a people cost, a time cost, a performance cost. Integrating best-of-breed solutions costs more than you think, and most importantly, it slows you down. Integrated solutions work better – they are faster, cheaper, and they enable your business to be more agile.

Problem #3: Too much focus on the last mile – not enough focus on the middle mile and multi-cloud compute edges. The starting position is always the end user. Security for the end user is important, but so is securing the application at the cloud edge. The closer security is to the application, the less risk of someone compromising the application. Therefore, what happens in the middle mile and what happens at the cloud edge matters. Protecting only the last mile is like locking your door but keeping the windows open. Security risks are minimized when you protect all three areas equally.

Problem #4: Challenged network and security workflows – what is meant by this? Your end goal is to configure and deploy fast and to ensure policies are easily changed and maintained. Administrators want to scale fast – new employees, new locations, new business needs – and to scale up and down as the business demands. The more complex policy management is, the harder this goal is. Also, the more solutions and the more dashboards you deal with, the more complex everything is. The end result is increased complexity for administrators and operators alike.

To help make your SASE journey in 2024 simpler and more successful, I suggest we look at overcoming these 4 common challenges. Did I miss any? Are there more out there? Or do these 4 common challenges address the bulk of the challenges faced by organizations that are trying to improve their networking and security postures by implementing SASE?

Finally, this white paper has much more valuable content, so if these challenges resonate with you and you want to learn more, reach out to us. Looking forward to your thoughts and feedback.

Choosing the Unified SASE Provider: The Execution Isolation Factor
https://www.aryaka.com/blog/choosing-the-unified-sase-provider/
Mon, 02 Oct 2023 17:46:14 +0000


Shared Processes for Packet-level Security Technologies

Networking and security technologies at the packet level, such as stateful inspection firewalls, IPSEC, and load balancing, impose lower computational demands in terms of the number of CPU cycles required for each packet. Furthermore, the processing per packet is highly consistent, simplifying performance prediction.

In today’s landscape, security functions (e.g., FWaaS) are delivered as services by service providers who deploy these functions in the Cloud/Points of Presence (PoPs). To cater to multiple tenants, the underlying security technology implementations leverage a Virtual Routing and Forwarding (VRF) tenancy model. Under this model, traffic from multiple tenants traverses the same security device or container/process, effectively addressing challenges related to overlapping IP addresses among tenants. Tenant traffic is identified either through tunnel interfaces or other mechanisms, and specific configurations tailored to each tenant, such as tenant-specific security policies, are then applied accordingly.

To mitigate any potential “noisy neighbor” issues, packet rate limiting is applied at the ingress on a per-tenant basis. This strategy guarantees that the security performance of each individual tenant remains unaffected by the activities of other potentially problematic tenants. Given the consistent per-packet processing, rate limiting proves effective in ensuring equitable processing treatment for all tenants.

Another significant concern for organizations is the potential leakage of sensitive data resulting from the exploitation of vulnerabilities within shared processes or containers by malicious packets from other tenants. One argument often presented by security service providers is that the processing on a per-packet basis is straightforward, reducing the likelihood of vulnerabilities and corresponding exploitation. It is indeed true that packet-level security technologies are simpler, and this argument has some validity.

Both challenges mentioned earlier, namely the “noisy neighbor” problem and “shared resource vulnerabilities,” may not pose significant issues for packet-level security technologies that utilize shared processes. However, we believe that these challenges can be more pronounced and substantial for SASE (Secure Access Service Edge) or SSE (Secure Service Edge) security technologies.

Distinguishing SASE/SSE Security from Packet-Level Security Technologies and Challenges

SASE/SSE (Secure Access Service Edge/Secure Service Edge) security technologies transcend traditional packet-level security, offering a comprehensive suite of features:

  • Comprehensive Security Functions: SASE/SSE encompasses a wide array of security functions, including IDPS (Intrusion Detection and Prevention), DNS Security, SWG (Secure Web Gateway), ZTNA (Zero Trust Network Access), CASB (Cloud Access Security Broker) with IP/URL/Domain/File reputation firewall, access control with deep traffic-level attributes such as URI, request headers, response headers, Anti-Malware, and DLP (Data Leak Prevention). Zero Trust Networking (ZTN) in SASE/SSE is fundamental, ensuring access only upon user authentication and authorization, with granular control over application resources while considering identity and device context.
  • Deep Content Inspection: The core of SASE/SSE security lies in deep content inspection. It relies on proxies that manage client connections, initiate server connections, decrypt streams, extract relevant data from traffic, perform security functions, and prevent the transmission of malicious content.

Now, let’s delve into the execution differences between SASE/SSE and packet-level security technologies:

  • Shift from Per-Packet to Session-Based Processing: In the context of SASE/SSE, security execution no longer operates at the per-packet level but rather at the level of traffic session streams. Unlike per-packet technologies, there is variability in the number of compute cycles used in SASE/SSE security processing across tenants, for the following reasons:
    • Security functions applied to the traffic stream can vary among tenants.
    • Even when similar security functions are applied, the nature of the data being exchanged can necessitate more intensive processing. For example, consider scenarios involving Anti-Malware and DLP, which require extracting text from various file types, decompressing transferred files, untarring file collections, and more. Some tenants may transfer compressed files, resulting in extensive processing, impacting throughput and latency for other tenants. Noise generated by a particular tenant, whether due to infection or high business traffic during a significant event, can affect other tenants’ traffic performance.
  • Complex Security Processing: SASE/SSE security processing is inherently intricate, often incorporating various libraries, including third-party and open-source components. These encompass functions such as OIDC (OpenID Connect) clients, Kerberos clients, and SAMLv2 clients for authentication; complex policy engines for enforcement; SDKs from threat intelligence providers; and, for data-level security such as Anti-Malware and DLP, data extraction, JSON/XML decoding, base64 decoding, data decompression engines, and text extraction via open-source projects like Tika, among others. This complexity increases the attack surface for potential exploitation. Although SASE/SSE providers prioritize swiftly addressing vulnerabilities, a time gap may exist between exploitation and resolution. When shared processes are employed for multiple tenants, attackers can potentially exploit vulnerabilities and access sensitive information not only from the intended tenant but from all tenants whose data shares that execution context.
  • Bring your own Security Function: While SASE/SSE services offer comprehensive security features out of the box, they also provide organizations with the flexibility to introduce their custom security functions using Lua modules or WebAssembly (WASM) modules. However, in such cases, shared processes pose significant challenges, as they can potentially lead to data exfiltration from other tenants if not managed carefully. Addressing this concern becomes more complex when shared processes are employed, and there may always be potential ways to circumvent these controls.

In summary, SASE/SSE security offers a comprehensive security framework beyond packet-level security, but it introduces complexities and challenges related to variable compute usage, intricate processing, and shared resources. Maintaining robust security in such environments is critical to safeguard against performance degradation as well as data breaches and privacy violations.

Seek SASE/SSE Solutions that Offer Execution Isolation

Organizations undoubtedly value the rationale behind SASE/SSE providers employing shared processes for multiple tenants. This approach efficiently utilizes compute resources among tenants, contributing to sustainability and cost-effectiveness. Service providers can, in turn, pass on these cost savings to their customers.

However, certain industry segments are reluctant to accept the security risks associated with multi-tenancy architecture and shared processes. Some organizations may anticipate future needs for a more risk-averse approach. In such cases, organizations should seek SASE/SSE services that offer flexibility, providing options for both shared processes and dedicated processes/containers.

Dedicated execution contexts, with dedicated processes/containers for traffic processing, can effectively address the challenges outlined in the previous section:

  • Performance Isolation: Achieving deterministic performance becomes feasible without concerns about disruptive “noisy tenants.” With a dedicated execution context, it is relatively straightforward to allocate dedicated compute resources to individual tenants. One can also configure resource caps so that noisy neighbors cannot use up all the resources in the compute nodes.
  • Security Isolation: A dedicated execution context ensures that any malicious intent or insider threat attempting to exploit the SASE/SSE services of one tenant will not lead to data leakage for tenants that opt for dedicated execution contexts.
  • Worry-free ‘Bring your own security function’: A dedicated execution context ensures that Lua scripts/WASM modules are executed exclusively within dedicated processes. Consequently, if service providers enable this feature only for dedicated processes, any processing or data exfiltration challenges are confined to the tenant bringing its custom security functions, providing peace of mind for other tenants.

Anticipating Future Needs: The Importance of Confidential Computing

As we look ahead, some organizations are becoming increasingly aware of the growing importance of confidential computing. This awareness is particularly relevant in the context of TLS inspection and the handling of large amounts of sensitive data, including secrets and passwords, within SASE/SSE services. A recurring concern revolves around the possibility that personnel with access to the server infrastructure, including service provider staff, might gain unauthorized access to the memory of processes and containers. Additionally, even attackers who manage to exploit server operating systems may potentially breach the memory of these containers and processes. This concern becomes more pronounced in situations where services are available in multiple Points of Presence (POPs) across different countries with varying legal definitions and implementations.

Modern processors, such as those equipped with Intel Trust Domain Extensions (TDX), offer advanced features for trusted execution. These technologies play a crucial role in ensuring that even infrastructure administrators or attackers with elevated privileges cannot decipher the memory content, as it remains securely encrypted by the TDX hardware.

SASE/SSE providers that offer dedicated execution contexts are better positioned to provide this essential confidentiality feature compared to others. Therefore, organizations are strongly advised to consider providers that offer the flexibility of both shared processes and dedicated execution contexts. This flexibility will help future-proof their risk mitigation strategies and ensure the highest level of data security in evolving landscapes.

CTO Insights blog: The Aryaka CTO Insights blog series provides thought leadership for network, security, and SASE topics. For Aryaka product specifications refer to Aryaka Datasheets.

Forrester Total Economic Impact™ Study Attributed 113% ROI for Aryaka SD-WAN & SASE Services
https://www.aryaka.com/blog/boost-efficiency-roi-aryaka-sase-sd-wan/
Wed, 13 Sep 2023 14:43:12 +0000


Businesses’ desire for efficiency is the key motivating factor encouraging the adoption of innovative technologies. Recently, I read a stat that said two thirds of businesses cite the need to increase efficiency and productivity as a primary driver, and one third highlighted cost savings. But what if you can get both?

SASE has been the promise that can help accomplish both. It reduces the total cost of ownership by integrating the technology for network (SD-WAN) and security (SSE). But how exactly does SASE (Secure Access Service Edge) work? Where do you start, and does it require additional budget?

In a Total Economic Impact™ (TEI) study conducted by Forrester Consulting and commissioned by Aryaka with multiple Aryaka customers, Forrester examined the financial and operational impact associated with implementing Aryaka managed solutions including SD-WAN, last-mile access, middle-mile access and managed SASE.

Even for us, the results were substantial.

As a composite, the four businesses studied experienced the following key outcomes (among many others):

  • Payback on their initial investment in <6 months
  • 113% ROI and $2.48M in net present value over 3 years
  • 45% reduction in effort from NetOps to manage WAN services
  • $4.67M in total benefits (present value)

These positive impacts are attributable to a variety of factors including operational efficiency improvement, uptime improvement, sunset of existing multiprotocol label switching (MPLS), scaling acceleration with less effort, and more.

Overall, this study indicates that the rewards from adopting SD-WAN and SASE may be greater and far more within reach than many realize, when supported by the correct partner.

“Aryaka gives us an all-encompassing solution, with their own network, PoPs, managed services, SASE, etc. The other vendors had excellent technology, but they were just selling boxes.”
– Technical architect, transportation

Adoption of a SASE architecture is not an overnight undertaking. The process of converging networking with security, in an as-a-service model, requires incremental steps and deep collaboration across networking and security teams within a given organization, and with external SASE providers.

Part of what makes Aryaka’s SD-WAN and SASE offering so impactful is that it’s offered as a unified service. There is no shortage of vendors selling boxes and stitched-together options out there when it comes to SASE, but a measurable advantage can be found in our unified, all-in-one approach.

The simplicity of use with single-pane-of-glass visibility – from one singular provider – across your network and security infrastructure is a true game-changer. This unlocks substantially more time and productivity from your internal team, while making your network and business substantially more efficient.

You can find the full Forrester TEI study here

Make Security Simple: Streamline Policies in Unified SASE
Balancing Configuration and Control is critical for reducing security risks and management complexity
https://www.aryaka.com/blog/streamline-sase-security-policies/
Thu, 07 Sep 2023 11:44:00 +0000

Make Security Simple: Streamlining Security Policies in Unified SASE

The Secure Access Service Edge (SASE) service, along with its associated architecture, comprises a powerful amalgamation of multiple security components. These include a stateful inspection firewall, Intrusion Detection and Prevention System (IDPS), DNS security, DoS/DDoS protection, Secure Web Gateway (SWG), Zero Trust Network Architecture (ZTNA), Cloud Access Security Broker (CASB), and many more. These components grant administrators the ability to configure them through policies, offering a robust shield to protect an organization’s assets against threats while adhering to specific access requirements.

The Role of Policy Configuration

Policy configuration plays an indispensable role in enforcing security within the SASE framework. The repercussions of badly configured policies can range from resource threats and data leaks to unintended, overly permissive access. In today’s industry landscape, organizations grapple with two predominant approaches to security policy management:

  1. The Single Table Approach: A consolidated policy table containing a myriad of policies that span threat management and various access control scenarios across all SASE components.
  2. The Multi-Table Approach: Multiple policy tables, each addressing specific aspects such as threat protection, access control, different applications, and user groups.

Striking a Balance in Policy Management

The expectation from SASE is clear: it should offer easily manageable security policies and simplified troubleshooting procedures. Achieving this necessitates a balanced approach. One effective strategy is to choose the degree of policy compartmentalization based on the organization’s requirements. Bigger organizations may require compartmentalization with a multi-table approach, where policy table granularity is defined based on security functions, application resources, and subject (users/groups). Smaller organizations may prefer compartmentalization with a smaller number of policy tables, combining multiple types of access controls or even combining threat protection with access control. This flexible approach minimizes the number of policies requiring simultaneous management, rendering them more manageable.

However, it’s important to exercise caution to avoid excessive compartmentalization, which can introduce its own set of challenges. Administrators may find themselves navigating through multiple policy tables to identify and address issues, potentially causing delays in resolution.

Understanding the Key Requirements

Before delving deeper into the intricacies of policy management, it’s crucial to understand the specific requirements that organizations must address within the SASE framework. Key areas include:

Need for Role-Based Security Configuration Management in SASE Environments

Secure Access Service Edge (SASE) components offer comprehensive security, encompassing threat protection and access control for a wide range of resources across diverse organizations, including their workforce, partners, and guests. Within this security framework, organizations often have distinct categories of administrators responsible for different aspects of security.

For example, an organization may have one group of administrators dedicated to managing threat protection while another group focuses on access controls. Within these broad categories, it’s common for organizations to establish various administrative roles tailored to specific types of threat protection and access control. Let’s delve into some practical examples:

Threat Protection Roles:

  • Intrusion Detection and Firewall Configuration: Administrators with the “threat-protection-ngfw-role” are granted access to configure Intrusion Detection and firewall settings within the SASE environment.
  • Reputation Controls: Administrators holding the “threat-protection-reputation-role” can manage settings related to IP reputation controls, URL-based reputation controls, domain-based reputation controls, file reputation controls, as well as cloud-service and cloud-organization reputation controls.
  • Malware Protection: Administrators with the “threat-protection-malware-protection-role” have the authority to configure settings specifically pertaining to malware protection controls.

Access Control Roles:

  • SWG Configuration: Administrators designated as “access-control-Internet-role” are responsible for managing Secure Web Gateway (SWG) configurations.
  • SaaS Application-Specific Access Control: Roles like “access-control-saas1app-role” and “access-control-saasNapp-role” focus on configuring access control policies for specific applications (SaaS Service 1 and SaaS Service N), ensuring fine-grained control.
  • Enterprise Application Management: Roles such as “access-control-hostedapp1-role” and “access-control-hostedappM-role” are dedicated to handling access control configurations for enterprise-level applications, app1 and appM.

In cases where an organization uses multi-tenant applications, additional roles may be introduced to manage security configurations effectively. For instance, roles can be established to configure policies for the organization’s workforce, per-tenant workforce, and even guests. Consider an application “X” with security configurations managed by different sets of administrators:

  • Owner Workforce Security: Administrators with “access-control-hostedappX-role” and “access-control-owner-workforce-role” collaborate to manage access control configurations for application “X” for the owner’s workforce.
  • Application Tenant-Specific Workforce for Tenant A: Roles like “access-control-hostedappX-role” and “access-control-owner-tenantA-workforce-role” enable administrators to configure access control settings for tenant A’s workforce.
  • Application Tenant-Specific Workforce for Tenant B: For a multi-tenant application “X,” roles such as “access-control-hostedappX-role” and “access-control-owner-tenantB-workforce-role” facilitate the management of access control configurations for tenant B’s workforce.

Additionally, even non-multi-tenant enterprise applications may require separate administrators for different workforce segments. For instance:

  • Engineering Department: Administrators with “access-control-hostedappY-role” and “access-control-eng-role” focus on managing access control configurations for application “Y” within the engineering department.
  • Sales & Marketing: Roles like “access-control-hostedappY-role” and “access-control-sales-role” are designated for configuring access control settings for sales and marketing teams.
  • IT Department: Administrators with “access-control-hostedappY-role” and “access-control-it-role” have responsibilities for access control configurations pertaining to the IT department.

A significant advantage of role-based security configuration management is its ability to provide granular control tailored to specific responsibilities. Contrast this approach with the challenges that can arise when using a single, all-encompassing policy table:

  • Error-Prone: Multiple administrators working with the same policy table and overlapping permissions may inadvertently introduce errors when adding, deleting, or modifying policies.
  • Troubleshooting Complexity: Resolving issues within a monolithic policy table can be time-consuming and challenging.
  • Policy Overload: Consolidating all policies into a single table, covering various applications and threat protection scenarios, can lead to a cumbersome and unwieldy policy management experience, as well as potential performance challenges during policy evaluation.

In conclusion, adopting role-based security configuration management within SASE environments empowers organizations to efficiently delegate responsibilities, enhance security, and streamline policy management while avoiding the complexities associated with single-table approaches.

Working alongside Configuration Change Control Management

Organizations are increasingly embracing change control management for all configurations, including SASE configuration, to proactively detect and rectify configuration errors before they are implemented. This practice not only serves as a safeguard but also introduces a secondary layer of scrutiny, allowing a second set of eyes to review and approve configurations before they take effect.

Security policy configurations are applied directly within the traffic flow, making any errors in policies potentially disruptive to services and incurring direct financial consequences.

To cope with the inherent complexity of security policy configuration, it’s common practice to serialize changes. This means that when modifying one type of configuration, no other configuration sessions of the same type are initiated until the previous one is either applied or revoked. However, when using a single policy table that encompasses all threat and access control functions, serializing changes can introduce delays in configuration adjustments performed by other administrators.

In contrast, a multi-table approach can effectively address this scenario, allowing different administrators to concurrently work on distinct tables, thus streamlining the configuration change process.

Not all organizations share the same requirements:

SASE is typically offered as a service, and SASE providers may serve multiple organizations as customers. These organizations can vary significantly in terms of size, regulatory requirements, and the diversity of roles within their structures. Some organizations might host multiple applications, either On-Premises or in the cloud, while others may exclusively rely on services from SaaS providers, and some may incorporate a combination of both.

Furthermore, certain organizations may not have a need for various administrative roles or multiple administrative users. In scenarios where organizations have only a limited number of applications and lack the complexity of multiple administrative roles, they may find value in using fewer policy tables.

SASE is expected to be designed to offer the flexibility required to accommodate these diverse needs, including the option of using consolidated policy tables for multiple relevant security functions and applications.

Avoiding confusing configurations:

Certain SASE solutions, in their pursuit of simplification as discussed before, opt for a single, all-encompassing policy table where policies can be configured with values for various matching attributes. During traffic processing, policy selection is based on matching the values from the incoming traffic and other contextual information against the attribute values specified in the policies.

However, it’s crucial to recognize that during traffic processing, not all attributes of the traffic are readily known. For instance, in the case of stateful inspection firewalls, only a limited set of traffic values can be extracted, such as the 5-tuple information (source IP, destination IP, source port, destination port, and IP protocol). Meanwhile, for proxy-based security components like SWG, ZTNA, and CASB, the extraction of attribute values can vary and may involve distinct stages, notably the Pre-TLS inspection and Post-TLS inspection phases.

Before TLS inspection/decryption, many HTTP attributes remain unknown. It’s only after TLS decryption that additional attributes, such as access URI path, HTTP method, and request headers, become available for evaluation.

It is impractical to expect the administrators who configure security policies to keep track of which attributes are valid at each stage of packet processing while defining policies. While some security solutions claim that irrelevant attributes are not considered in policy evaluation, determining which attributes are pertinent and which are not can be challenging when inspecting complex policies.

We firmly believe that amalgamating policy tables across multiple stages into a single table creates complexity and confusion for administrators. Such an approach can be challenging to comprehend and can lead to perplexing configurations. To ensure clarity, it is advisable to create policies within a given table that include only the attributes relevant to that table, so that evaluations remain consistent and straightforward.

Optimizing Deny and Allow Policy Tables:

Certain security solutions adopt a structure where they maintain separate “Deny” and “Allow” policy tables. Within this setup, policies defined in the “Deny” list take precedence and are evaluated first. If no matching policy is found in the “Deny” table, the evaluation proceeds to the “Allow” policy table. However, this division of policies into two distinct tables can pose challenges for administrators.

We firmly advocate for a more streamlined approach, where any given policy table is presented as an ordered list of policies. In this arrangement, each policy explicitly specifies its action—whether it’s “Deny,” “Allow,” or any other desired action. During traffic processing, policy evaluation follows a logical progression from the highest priority policy to the lowest priority policy until a match is found. Once a matching policy is identified, the corresponding action is applied to the traffic. In cases where no matching policy is encountered, a default action, such as “fail open” or “fail close,” is triggered as defined by the organization’s security policy.

This approach simplifies policy management and enhances clarity for administrators by consolidating policies within a single, ordered list irrespective of the policy action values, thereby minimizing complexity and streamlining the policy evaluation process. Not separating policy tables based on action values also enables SASE solution providers to introduce new action values in the future relatively easily.

Creating Flexible and Expressive Policies:

As you’ve gathered, administrators craft policies by defining sets of values for matching attributes. Traditionally, there has been a common understanding of how policy matching operates during traffic evaluations: a policy is considered a match only when all the attribute values specified in the policy align perfectly with the values of the incoming traffic session. These values can either be extracted directly from the traffic or inferred from contextual information, such as the authenticated user context and the device context responsible for initiating the traffic. Essentially, this matching process involves an ‘AND’ operation across all attributes of the policy.

However, as security technologies have evolved, many security devices have introduced a more flexible approach, granting administrators the ability to assign multiple values to attributes. In this evolved paradigm, a match is established if the runtime context information aligns with any of the values specified for the policy attributes. In essence, the matching process now combines an ‘AND’ operation across attributes with an ‘OR’ operation across the values associated with those attributes.

Organizations stand to benefit significantly from this flexibility when creating comprehensive policies. It reduces the overall number of policies required while maintaining readability. However, these multi-value attributes are just one step in the right direction, and further enhancements are often necessary to meet organizations’ unique requirements:

Support for “NOT” Decoration: Administrators require the ability to define policy attribute values with a “NOT” decoration. For instance, it should be possible to specify a ‘source IP’ attribute value as ‘NOT 10.1.5.0/24’, indicating that the policy will match successfully when the traffic session’s source IP does not belong to the 10.1.5.0/24 subnet.

Support for Multiple Instances of an Attribute: Many traditional security devices support only one instance of a given attribute within a policy. To create comprehensive policies, the ability to include multiple instances of the same attribute within a single policy is essential. For example, an administrator may want to allow sessions from any IP address in the 10.0.0.0/8 subnet while simultaneously denying traffic sessions from the 10.1.5.0/24 subnet. This should be achievable within a single policy, perhaps by specifying ‘source IP’ values twice: “source IP == 10.0.0.0/8” and “source IP == NOT 10.1.5.0/24.” This prevents the need to create two separate policies and allows for more intuitive policy management.

Support for Decorations for String Type Values: Attributes that accept string values, such as URI paths, domain names, and many HTTP request headers, benefit from decorations like ‘exact,’ ‘starts_with,’ and ‘ends_with.’ These decorations enhance the creation of expressive policies.

Support for Regular Expression Patterns: In some cases, policies require pattern matching within traffic values. For instance, a policy may dictate that a traffic session is allowed only if a specific pattern is present anywhere in the ‘user agent’ request header value. Support for regular expression patterns is essential in such scenarios.

Support for Dynamic Attributes: While traditional attributes in policies are fixed and predefined, SASE environments sometimes require dynamic attributes. Consider request and response headers or JWT claims, where standards coexist with numerous custom headers and claims. SASE should empower administrators to create policies that accommodate custom headers and claims. For example, SASE should allow the creation of policies with the request header ‘X-custom-header’ as an attribute and the value ‘matchme.’ At traffic time, any HTTP sessions with ‘X-custom-header’ as one of the request headers and ‘matchme’ as the value should match the policy.

Support for Objects: This feature allows the creation of various types of objects with values that can be used as attribute values in policies, rather than specifying immediate values. Objects can be referenced across multiple policies, and any future value changes can be made at the object level, simplifying policy modifications and ensuring consistency.

These enhancements contribute to the creation of flexible, expressive, and efficient security policies, empowering organizations to tailor their policies to unique security needs and scenarios effectively.
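The single ordered table with per-policy actions and a default action (from the Deny and Allow discussion) together with the matching enhancements just listed, as an added example written for this page rather than Aryaka's code. Attribute names (src_ip, dst_domain, uri, header:&lt;name&gt;), the decoration names and all sample values are constructed assumptions; it also records which attribute values produced the match, the detail a session log would carry.

```python
# Added example, not Aryaka's code: one ordered policy table whose policies
# state their own action, evaluated first-match-wins with a default action.
# Matching supports OR across a condition's values, AND across conditions,
# the same attribute more than once, a NOT decoration, string decorations,
# regex, dynamic header attributes and named objects. Attribute names and
# all sample values are constructed for this example.
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cond:
    attr: str               # "src_ip", "uri", "dst_domain", "header:<name>"
    values: tuple           # OR across values; "@name" refers to a named object
    op: str = "exact"       # exact | starts_with | ends_with | regex | cidr
    negate: bool = False    # the "NOT" decoration


@dataclass(frozen=True)
class Policy:
    name: str
    conds: tuple            # AND across conditions; an attr may appear twice
    action: str             # "ALLOW", "DENY", ... stated on the policy itself


# Named objects: change the object and every policy referencing it follows.
OBJECTS = {
    "partner_domains": ("partner-a.example", "partner-b.example"),
    "lab_subnet": ("10.1.5.0/24",),
}


def expand(values):
    """Replace "@object" references with the object's current values."""
    out = []
    for v in values:
        out.extend(OBJECTS[v[1:]] if v.startswith("@") else (v,))
    return out


def value_matches(op, pattern, actual):
    if op == "cidr":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(pattern)
    if op == "exact":
        return actual == pattern
    if op == "starts_with":
        return actual.startswith(pattern)
    if op == "ends_with":
        return actual.endswith(pattern)
    if op == "regex":
        return re.search(pattern, actual) is not None
    raise ValueError(f"unknown decoration {op!r}")


def cond_matches(cond, ctx):
    actual = ctx.get(cond.attr)
    if actual is None:
        # Attribute not known at this stage (e.g. HTTP headers before TLS
        # decryption): the condition cannot be decided and never matches,
        # even when decorated with NOT.
        return False
    hit = any(value_matches(cond.op, p, actual) for p in expand(cond.values))
    return (not hit) if cond.negate else hit


def build_context(src_ip, dst_domain, uri=None, headers=None):
    """Flatten a session into attribute -> value; headers become dynamic attrs."""
    ctx = {"src_ip": src_ip, "dst_domain": dst_domain}
    if uri is not None:
        ctx["uri"] = uri
    for name, value in (headers or {}).items():
        ctx["header:" + name.lower()] = value
    return ctx


def evaluate(table, ctx, default_action="DENY"):
    """Highest-priority match wins; with no match the default action applies.
    Returns (action, policy name, attribute values that produced the match)."""
    for policy in table:
        if all(cond_matches(c, ctx) for c in policy.conds):
            evidence = {c.attr: ctx[c.attr] for c in policy.conds}
            return policy.action, policy.name, evidence
    return default_action, None, {}


# Priority order, mixed actions in one table: no separate Deny and Allow lists.
TABLE = (
    Policy("legacy-agent",
           (Cond("header:user-agent", (r"^LegacyClient/1\.",), "regex"),), "DENY"),
    # Two instances of src_ip: inside 10.0.0.0/8 but NOT the lab subnet object.
    Policy("corp-api",
           (Cond("src_ip", ("10.0.0.0/8",), "cidr"),
            Cond("src_ip", ("@lab_subnet",), "cidr", negate=True),
            Cond("uri", ("/api/",), "starts_with")), "ALLOW"),
    Policy("custom-header",
           (Cond("header:x-custom-header", ("matchme",)),), "ALLOW"),
    Policy("partners",
           (Cond("dst_domain", ("@partner_domains",), "ends_with"),), "ALLOW"),
)
```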

Enhancing Policy Integration with traffic modifications

Certain security functions necessitate modifications to traffic, with the most common use cases involving the addition, deletion, or modification of HTTP request/response headers and their values, query parameters and their values, and even the request/response body. These modifications can vary significantly based on administrators’ configurations. Often, the specific modifications depend on traffic values, such as the destination application/site service, as well as contextual information available during traffic runtime.

Rather than maintaining a separate policy table for traffic modifications, it is often more efficient to include these modification objects within the access policies themselves. This approach streamlines policy management and ensures that modifications are directly aligned with the policies governing traffic behavior.

One prominent scenario where traffic modification is essential is in the context of Cloud Access Security Broker (CASB) solutions, particularly when organizations require multi-tenancy restrictions. These restrictions often involve the addition of specific request headers and values to enforce collaboration-specific policies. Additionally, there are other instances, such as the addition of custom headers for end-to-end troubleshooting and performance analysis, where traffic modifications play a crucial role.

Consequently, organizations expect SASE solutions to support policies that seamlessly integrate with modification objects. During traffic processing, traffic modifications are executed when the matched policy is associated with the appropriate modification objects, providing a unified and efficient approach to traffic management and policy enforcement.

Enhancing Observability:

It is common practice to log every traffic session at the conclusion of the session for the purpose of observability. In cases involving substantial or “elephant” sessions, it is also customary to periodically log access information. These session logs typically contain valuable data, including traffic metadata, actions taken during the session, and details regarding the packets and bytes transferred between the client and server.

One significant advancement offered by SASE is the consolidation of security functions and the adoption of single-pass, run-to-completion architectures, resulting in a unified session log. This contrasts with non-SASE security deployments where each individual security component generates its own session log, often containing information about the policy that was matched and critical attribute values used in the matching process. Importantly, while SASE generates a single log, there is an expectation that it should not compromise on the inclusion of critical information.

When a traffic session is allowed due to multiple policy evaluations across various security functions and policy tables, the resulting log should encompass information about every policy that was matched. Moreover, if a policy matches due to the values of specific traffic or context attributes, the log should provide precise details about the attribute values that led to the policy match.

Given that organizations rely on comprehensive logs for effective observability, SASE solutions are expected to furnish thorough information in the logs, ensuring that administrators have access to the data they need to monitor and analyze network traffic effectively.

SASE Approach to Policy Management:

It’s important to recognize that not all SASE solutions are identical. Organizations should carefully assess whether a particular SASE solution aligns with their specific organizational requirements without sacrificing usability. While organizations may not initially possess all the requirements listed above, it’s only a matter of time before these requirements become increasingly relevant and essential to their operations.

Organizations having all the aforementioned requirements gain the advantage of complete flexibility in tailoring their SASE policies to their specific needs. On the other hand, organizations that do not currently have all these requirements often seek a simpler user experience while keeping an eye on introducing additional functionality as their requirements evolve. This approach allows organizations to strike a balance between their current needs and future growth, ensuring that their SASE solution remains adaptable and responsive to changing circumstances.

Unless SASE solutions provide full flexibility, customization becomes challenging. Therefore, we believe SASE solutions should provide the following core capabilities:

  1. Modular Policy Management: SASE solutions encompass multiple security functions, each with its own set of policy configurations. These configurations should include options to enable/disable the function, set a default action in case of no policy match, manage a collection of multiple policy tables, define multiple policies within each policy table, establish an ordered list of policies, and set action settings, modification objects, matching attributes, and values for each policy.
  2. Policy Chaining: To enable more specific and granular policies, SASE solutions should support policy chaining. This means allowing the arrangement of policies across multiple policy tables in a collection. For example, organizations can have separate policy tables for different applications, with the main table policies using application/domain names as matching criteria to select the appropriate policy tables. This is typically accomplished through the use of policies featuring an action called ‘Jump,’ which redirects policy evaluation to the referenced policy table. The concept of policy chaining gained popularity with Linux IPTables, and many security solutions subsequently incorporated this functionality.

The comprehensiveness of security functions within SASE can be extensive and may include:

  • NGFW (Next-Generation Firewall): Providing L3/L4 access control, DDoS protection, IP reputation, domain reputation, and Intrusion Detection and Prevention System (IDPS)
  • SWG (Secure Web Gateway): Offering TLS inspection, pre-TLS web access control, post-TLS web access control, URL reputation, file reputation, and malware protection.
  • ZTNA (Zero Trust Network Access): Similar to SWG but focused on securing hosted applications.
  • CASB (Cloud Access Security Broker): Covering cloud service reputation and cloud service access control.
  • DLP (Data Loss Prevention): Implementing access control based on Personally Identifiable Information (PII), standard confidential documents, and enterprise-specific sensitive documents.

The flexibility of policy management for each security function, along with the ability to manage policies within each function via multiple policy tables with policy chaining, is a powerful feature. Geo-distributed organizations with various regulatory requirements can particularly benefit from this flexibility.

However, smaller organizations may prefer some sort of consolidation of policy tables. In such cases, it should be possible to customize the configuration by:

  • Consolidating all pre-TLS security function configurations into a single collection of policy tables across multiple SWG/ZTNA components.
  • Consolidating all post-TLS security function configurations into another single collection of policy tables across multiple SWG/ZTNA components.
  • Retaining CASB, malware, and DLP functions as separate entities as these require complex policy definitions.
  • Opting for a single policy table within the policy table collection, thus avoiding policy chaining.

Therefore, organizations should seek SASE services that provide full flexibility while also offering custom controls to consolidate configurations for relevant security functions. This approach ensures that SASE policies are tailored to an organization’s specific needs while maintaining ease of management and scalability as requirements evolve.

Balancing User Experience with Future-Proof Flexibility

Security policy management has historically been a complex endeavor. Many products specialize in policy management for specific security appliances, resulting in a fragmented landscape. SASE addresses this complexity by consolidating multiple security appliances into a unified solution. While this consolidation offers advantages, it also introduces complexities of its own.

Traditional approaches to policy management, such as a single policy table, may seem appealing initially. However, they present numerous challenges and often fall short of meeting the requirements outlined in this article. Conversely, having an excessive number of policy engines can also lead to complexity. Striking the right balance between flexibility and simplicity is paramount.

One significant challenge in the industry is the proliferation of policies. An excessive number of policies not only degrades the user and troubleshooting experience but also carries performance implications. The multi-table approach and policy expressiveness, as described earlier, are essential strategies for reducing the volume of policies within policy tables.

SASE solutions are increasingly addressing these complexities by providing greater sophistication in policy management. It is our belief that SASE solutions will continue to evolve, implementing many of the requirements detailed in this article in the very near future. This evolution will empower organizations to strike the optimal balance between user experience, flexibility, and performance, ensuring that their security policies remain effective and adaptable in a rapidly changing threat landscape.

  • CTO Insights blog

    The Aryaka CTO Insights blog series provides thought leadership for network, security, and SASE topics. For Aryaka product specifications refer to Aryaka Datasheets.

The post Make Security Simple: Streamline Policies in Unified SASE (Balancing Configuration and Control is critical for reducing security risks and management complexity) appeared first on Aryaka.

Enhancing SaaS Security: Next-Gen ZTNA for Authentication & Authorization https://www.aryaka.com/blog/next-gen-ztna-for-authentication-authorization/ Tue, 11 Jul 2023 12:37:21 +0000


Authentication & Authorization comes in various colors

The Zero Trust Network Access (ZTNA) component of SASE is designed to provide secure inbound access to enterprise private applications. In line with the core principle of identity-based access control in Zero Trust Architecture (ZTA), ZTNA plays a vital role in authenticating users and enforcing access controls based on user types, groups, and roles on every inbound session to the Enterprise applications.

ZTNA security offers significant advantages in the following scenarios:

  • Legacy Applications: Legacy applications that lack built-in security measures are often not exposed to Work-From-Anywhere (WFA) users due to security concerns. By utilizing ZTNA to front-end these legacy applications, HTTPS termination with certificate management, authentication using protocols such as OIDC, and authorization based on context-aware access controls can be provided. This enables legacy applications to be safely accessed by WFA users over the Internet.
  • Broken Applications: Despite being developed with security in mind, some applications may not have been updated for an extended period. These applications may lack proper certificate management, with outdated or no support for uploading new certificates or auto-renewal. ZTNA can act as a security replacement for these broken applications, ensuring secure access while overcoming their security limitations.
  • New Application Architecture: Modern enterprise applications are often designed with security considerations shifted to external entities like ZTNA and service mesh technologies. This approach relieves application developers from the burden of handling HTTPS, authentication, and authorization, as security is offloaded to the front-end entity. By centralizing security management, benefits such as uniform security policy enforcement, increased productivity in application development, and simplified maintenance are achieved. Additionally, as security updates are handled externally, the frequency of patch releases aimed at addressing security issues can be significantly reduced.

Many ZTNA solutions today are good at front-ending simple Enterprise applications, but they fail to provide authentication & authorization for multi-tenant applications such as SaaS applications.

ZTNA’s Role in SaaS Applications: In the context of Software-as-a-Service (SaaS) applications, ZTNA will play a vital role in strengthening and enhancing the authentication and authorization mechanisms, in my view. SaaS applications have specific requirements, including multi-tenancy, resilience against DoS/DDoS attacks, and robust protection against authentication bypass and privilege escalation attacks. This article will delve into the features of next-generation ZTNA that can assist in offloading or enhancing the authentication and authorization processes for SaaS applications. Please note that this article will not cover other features of ZTNA, such as WAAP (Web Application and API Protection), HTTPS termination, traffic management of incoming sessions to various application instances, webification of SSH/RDP/VNC services, and making applications invisible from port scanners. Its primary focus is on the authentication and authorization aspects of ZTNA.

It’s important to note that there can be confusion between the roles of CASB (Cloud Access Security Broker) and ZTNA in the context of SaaS. The CASB component of SASE focuses on securing connections to SaaS services used by enterprises, where enterprises are consumers of SaaS and CASB services. On the other hand, ZTNA, in the context of SaaS, is designed to protect the SaaS application itself, making SaaS companies consumers of ZTNA services. This differentiation is essential to understand the distinct roles and responsibilities of CASB and ZTNA in the SASE solutions.

In a previous article about identity brokers, we explored the numerous benefits of integrating brokers into SASE solutions. The advantages discussed primarily revolved around the modularity and simplicity of design, ultimately enhancing the resilience of SASE solutions. In this article, we will delve into the pivotal role of identity brokers in supporting complex applications, particularly focusing on SaaS applications.

What are the challenges with multi-tenant applications?

ZTNA of SASE excels in providing robust support for policy-based authorization. The authorization engines within SASE offer the capability to manage multiple policy tables, with each table containing multiple policies. Each policy is composed of multiple rules and specifies the action to be taken upon a successful match. The rules themselves encompass various matching attributes, which can be classified as source and destination attributes.

Destination attributes primarily pertain to the applications’ resources being accessed, such as URIs and the methods (e.g., GET, PUT, POST, DELETE) used to interact with those resources. On the other hand, source attributes are typically associated with the subjects accessing the resources. These attributes encompass user-related attributes like name, group, role, authentication service that validated the user credentials, and other user claims. They also include device context attributes, which capture the secure posture of the devices utilized by the subject and the location of the device from which the user is accessing the resources.

However, many ZTNA solutions fall short when it comes to addressing comprehensive authentication scenarios, often limiting their capabilities to non-SaaS applications. The inclusion of an Identity Broker in SASE/SSE solutions is a progressive step towards achieving comprehensive authentication across all types of applications. While it may be argued that SaaS vendors possess the capability to handle authentication and authorization within their applications, the landscape has evolved significantly.

In today’s agile environment, SaaS providers increasingly recognize the advantages of offloading security responsibilities to external entities like SASE. By doing so, they can benefit from increased productivity and heightened confidence in their overall security posture. Furthermore, this approach allows new SaaS providers to enter the market more swiftly, as they can offload authentication and authorization to an external entity and focus primarily on their core business logic. SASE solutions can play a pivotal role in supporting these new SaaS providers.

It is our belief that SASE solutions should and will be ready to take up this challenge of providing authentication and authorization security on behalf of complex applications such as SaaS applications. The following scenario gives one representative example of a SaaS application and explores how SASE, by integrating identity brokers, can help in the delegation of authentication & authorization from the applications.

Consider this example SaaS application (hosted at app.example.com) scenario consisting of multiple API resources:

  • /app.example.com/service-admin-api/ : This API space is exclusively for application service provider administrators.
  • /app.example.com/tenants//tenant-admin-api/ : Only tenant admins can access this API space under their respective tenant.
  • /app.example.com/tenants//tenant-user-api/ : This API space is reserved for tenant users.
  • /app.example.com/tenants//public-api/ : Anyone can access this API as long as they provide valid credentials through social networking sites or other supported authentication services.
  • /app.example.com/tenants//collaboration-api/ : Only tenant partners can utilize this API.

In this scenario, let’s also assume that the IDP for the SaaS provider is example-idp.

There are two tenants: XYZ and ABC, with their respective IDP services being XYZ-idp and ABC-idp. Each tenant also has two partners, each with their own IDP service. XYZ-P1-idp and XYZ-P2-idp are IDP services of XYZ partners. ABC-P1-idp and ABC-P2-idp are IDP services of ABC partners.

Furthermore, XYZ tenant requires authentication via Google and Facebook for access to the public API space, while ABC tenant prefers authentication through LinkedIn and GitHub.

The following authorization policies are needed in ZTNA to address the above scenario:

  1. Domain = app.example.com; user-role=app-admin; authservice=example-idp; uri = /service-admin-api/* ALLOW: Allow access to any user who has successfully logged in to the example-idp service and possesses the app-admin role for all resources under the admin-api of the application with the domain app.example.com.
  2. Domain = app.example.com; user-group=admin-group; authservice=XYZ-idp; uri = /tenants/XYZ/tenant-admin-api/* ALLOW: Allow access to any user who has successfully logged in to the XYZ-idp service possessing the admin-group role for all resources under the XYZ/tenant-admin-api.
  3. Domain = app.example.com; user-role=admin-role; authservice=ABC-idp; uri = /tenants/ABC/tenant-admin-api/* ALLOW: Allow access to any user with the admin-role, authenticated with the ABC-idp service, accessing the ABC/tenant-admin-api resources.
  4. Domain = app.example.com; authservice=XYZ-idp; uri = /tenants/XYZ/tenant-user-api/*, /tenants/XYZ/collaboration-api/*, /tenants/XYZ/public-api/* ALLOW: Allow access to the resources specified in the rule for any user that was successfully authenticated with the XYZ-idp service.
  5. Domain = app.example.com; authservice=ABC-idp; uri = /tenants/ABC/tenant-user-api/*, /tenants/ABC/collaboration-api/*, /tenants/ABC/public-api/* ALLOW: Allow access to the resources specified in the rule for any user that was successfully authenticated with the ABC-idp service.
  6. Domain = app.example.com; authservice=XYZ-P1-idp; uri = /tenants/XYZ/collaboration-api/*, /tenants/XYZ/public-api/* ALLOW: Allow access to XYZ collaboration space for users authenticated with XYZ-P1-idp service.
  7. Domain = app.example.com; authservice=XYZ-P2-idp; uri = /tenants/XYZ/collaboration-api/*, /tenants/XYZ/public-api/* ALLOW: Allow access to XYZ collaboration space for users authenticated with XYZ-P2-idp service.
  8. Domain = app.example.com; authservice=ABC-P1-idp; uri = /tenants/ABC/collaboration-api/*, /tenants/ABC/public-api/* ALLOW: Allow access to ABC collaboration space for users authenticated with ABC-P1-idp service.
  9. Domain = app.example.com; authservice=ABC-P2-idp; uri = /tenants/ABC/collaboration-api/*, /tenants/ABC/public-api/* ALLOW: Allow access to ABC collaboration space for users authenticated with ABC-P2-idp service.
  10. Domain = app.example.com; authservice=google.com; uri = /tenants/XYZ/public-api/* ALLOW: Allow access to XYZ public-api space for all users authenticated with google.com.
  11. Domain = app.example.com; authservice=facebook.com; uri = /tenants/XYZ/public-api/* ALLOW: Allow access to XYZ public-api space for all users authenticated with facebook.com
  12. Domain = app.example.com; authservice=linkedin.com; uri = /tenants/ABC/public-api/* ALLOW: Allow access to ABC public-api space for all users authenticated with linkedin.com
  13. Domain = app.example.com; authservice=github.com; uri = /tenants/ABC/public-api/* ALLOW: Allow access to XYZ public-api space for all users authenticated with github.com
  14. Domain = app.example.com; DENY: Deny access to the application if none of the above rules match.
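The table above is evaluated top to bottom with the first match deciding the request, and rule 14 acting as the default deny. The following Go program is an added example that transcribes the fourteen rules into a policy table and evaluates a few requests against it; it is not Aryaka's code. The `Request`/`Rule` types, the prefix semantics given to a trailing `/*`, and the sample requests are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// Request carries the attributes the ZTNA proxy matches on: the application
// domain, the IDP the user authenticated with, the user's role and group
// claims, and the requested URI path. (Constructed for this example.)
type Request struct {
	Domain, AuthService, Role, Group, URI string
}

// Rule is one row of the policy table. Empty fields are wildcards. A URI of
// the form "/prefix/*" matches every path under that prefix (an assumption
// about the notation used above); a rule with no URIs matches any path, which
// is how the final default-deny rule is expressed.
type Rule struct {
	Domain, AuthService, Role, Group string
	URIs                             []string
	Allow                            bool
}

func uriMatches(pattern, uri string) bool {
	if strings.HasSuffix(pattern, "/*") {
		return strings.HasPrefix(uri, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == uri
}

func (r Rule) matches(q Request) bool {
	if r.Domain != "" && r.Domain != q.Domain {
		return false
	}
	if r.AuthService != "" && r.AuthService != q.AuthService {
		return false
	}
	if r.Role != "" && r.Role != q.Role {
		return false
	}
	if r.Group != "" && r.Group != q.Group {
		return false
	}
	if len(r.URIs) == 0 {
		return true // no URI constraint
	}
	for _, p := range r.URIs {
		if uriMatches(p, q.URI) {
			return true
		}
	}
	return false
}

// Evaluate walks the table in order; the first matching rule decides. It
// returns the decision and the 1-based rule number (0 when nothing matched).
func Evaluate(table []Rule, q Request) (allowed bool, ruleNo int) {
	for i, r := range table {
		if r.matches(q) {
			return r.Allow, i + 1
		}
	}
	return false, 0
}

const app = "app.example.com"

var (
	xyzShared = []string{"/tenants/XYZ/collaboration-api/*", "/tenants/XYZ/public-api/*"}
	abcShared = []string{"/tenants/ABC/collaboration-api/*", "/tenants/ABC/public-api/*"}
)

// PolicyTable transcribes rules 1-14 from the list above.
var PolicyTable = []Rule{
	{Domain: app, Role: "app-admin", AuthService: "example-idp", URIs: []string{"/service-admin-api/*"}, Allow: true},
	{Domain: app, Group: "admin-group", AuthService: "XYZ-idp", URIs: []string{"/tenants/XYZ/tenant-admin-api/*"}, Allow: true},
	{Domain: app, Role: "admin-role", AuthService: "ABC-idp", URIs: []string{"/tenants/ABC/tenant-admin-api/*"}, Allow: true},
	{Domain: app, AuthService: "XYZ-idp", URIs: append([]string{"/tenants/XYZ/tenant-user-api/*"}, xyzShared...), Allow: true},
	{Domain: app, AuthService: "ABC-idp", URIs: append([]string{"/tenants/ABC/tenant-user-api/*"}, abcShared...), Allow: true},
	{Domain: app, AuthService: "XYZ-P1-idp", URIs: xyzShared, Allow: true},
	{Domain: app, AuthService: "XYZ-P2-idp", URIs: xyzShared, Allow: true},
	{Domain: app, AuthService: "ABC-P1-idp", URIs: abcShared, Allow: true},
	{Domain: app, AuthService: "ABC-P2-idp", URIs: abcShared, Allow: true},
	{Domain: app, AuthService: "google.com", URIs: []string{"/tenants/XYZ/public-api/*"}, Allow: true},
	{Domain: app, AuthService: "facebook.com", URIs: []string{"/tenants/XYZ/public-api/*"}, Allow: true},
	{Domain: app, AuthService: "linkedin.com", URIs: []string{"/tenants/ABC/public-api/*"}, Allow: true},
	{Domain: app, AuthService: "github.com", URIs: []string{"/tenants/ABC/public-api/*"}, Allow: true},
	{Domain: app, Allow: false}, // rule 14: default deny for the application
}

func main() {
	for _, q := range []Request{
		{app, "example-idp", "app-admin", "", "/service-admin-api/users"},
		{app, "google.com", "", "", "/tenants/XYZ/public-api/feed"},
		{app, "google.com", "", "", "/tenants/ABC/public-api/feed"},
		{app, "XYZ-idp", "", "", "/tenants/XYZ/tenant-admin-api/settings"},
	} {
		ok, n := Evaluate(PolicyTable, q)
		fmt.Printf("%-12s %-40s allow=%-5v rule=%d\n", q.AuthService, q.URI, ok, n)
	}
}
```

Note how the last sample request falls through to rule 14: a user authenticated with XYZ-idp but without the admin-group membership is denied the tenant-admin-api even though rule 4 grants that IDP access elsewhere, which is the tiered-access behaviour the table is designed to produce.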

SASE solutions excel at attribute-based access control. This means that they handle authorization functionality well. However, they are not very comprehensive when it comes to authentication. In the policies above, different levels of access are granted based on the identity provider (IDP) service that users choose to authenticate with. Also, some users may deliberately want to authenticate with a specific IDP service to access resources with minimal permissions to avoid potential data exfiltration mistakes.

Role of Identity Brokers

To address such scenarios, the integrated functionality of an identity broker is required. Identity brokers serve as OIDC (OpenID Connect) providers to the SASE/SSE proxy component while acting as OIDC/SAML/LDAP clients to the upstream identity services (authentication services).

Keycloak, an open-source IAM system, is a popular choice for many. It can be configured to fulfill the role of an identity broker and is commonly used by SASE service providers and service mesh product vendors. Hence, Keycloak terminology is used here. Keycloak offers the flexibility to handle authentication for various types of applications, including multi-tenant SaaS applications.

Authentication for multi-tenant SaaS applications can be achieved using ‘identity brokers’ in the following manner:

One realm with one client for each SaaS application with modified authentication flows:

In cases where the application-tenant cannot be identified from the URL path or HTTP request headers, the SASE proxy component can have only one OIDC client to communicate with the identity broker. During user authentication, the identity broker needs to know which IDP service to authenticate the user against. Keycloak provides standard authentication flows such as the browser flow, and allows custom flows to be created and associated with Keycloak clients. SASE leverages this feature by creating authentication flows in which users are prompted to provide tenant information. Based on this information, the authentication flow can present the available identity providers for the user to select from. With this information, the broker can redirect users to the appropriate identity service.

One realm with multiple clients for each SaaS application:

If the application-tenant can be identified from the URL or HTTP request headers, the SASE proxy component can be configured to use one client for each application-tenant. In this case, standard browser flows with different sets of identity providers can be employed and associated with the corresponding client entities in Keycloak. The advantage of this approach is that the user is never prompted for the tenant name, which results in a better user experience.

In summary, these strategies empower SASE solutions to effectively handle authentication for multi-tenant SaaS applications, leveraging the capabilities of Keycloak as an identity broker.

Policy-based OIDC Client Selection

The Keycloak broker offers support for multiple realms and multiple clients within each realm. It enables standard authentication flows, the creation of custom authentication flows, and the association of these flows with clients. The Keycloak broker functionality also allows for the brokering of authentication sessions between user-side authentication mechanisms and backend (upstream) authentication services. We have previously discussed how Keycloak can prompt users to identify their application-tenant and select the identity service for authentication.

These capabilities should also be leveraged by the SASE proxy, which acts as an OIDC client (the OIDC relying party) for various customer applications, including multi-tenant applications.

The SASE proxy needs to support multiple OIDC clients. One approach is to have a set of OIDC clients for each customer, ensuring that customer-specific authentication-related configurations are isolated from others. Typically, each SASE customer’s OIDC set is associated with a realm in Keycloak.

In scenarios where a customer of the SASE proxy has multiple applications, each with its own domain name, it becomes necessary to provide isolation among multiple application administrators. In such cases, a subset of OIDC clients should be configured, with one client assigned to each application.

For many applications, a single OIDC client suffices, either because they are single-tenant applications or because the tenant cannot be identified from the traffic, as discussed earlier. However, if the tenant can be identified, one OIDC client can be configured for each application-tenant.

Due to the requirement for multiple OIDC clients, the SASE proxy should offer a mechanism for selecting the appropriate OIDC client. This is where policy-based OIDC selection becomes crucial.

A policy table with multiple policies is utilized, with each policy pointing to the corresponding OIDC client record. During the traffic flow, the SASE proxy checks whether OIDC authentication is required and then matches the customer, application domain name, and application-tenant against the policies in the table. If a match is found, the corresponding OIDC client record is used to communicate with the broker. Some implementations may have multiple policy tables, with one table dedicated to each customer, to expedite the policy matching process.

NextGen ZTNA will adapt to multi-tenant applications

ZTNA (Zero Trust Network Access) within SASE (Secure Access Service Edge) solutions plays a crucial role in securing applications. It enables the offloading of authentication and authorization tasks from applications, allowing developers to focus on their core business logic. This approach enhances productivity and bolsters overall security.

Authentication bypass and privilege escalation vulnerabilities are common in applications, as not all developers have expertise in security. Offloading security can eliminate these vulnerabilities, ensuring stronger application resiliency.

Centralizing security in a common place, such as SASE, simplifies the work of security administrators, who only need to manage a single interface for all applications.

To achieve both security and flexibility, the next generation of ZTNA within SASE solutions should address diverse application types. Many existing ZTNA solutions often struggle to support multi-tenant applications effectively. Future enhancements are expected to incorporate identity broker functionality and policy-based OIDC (OpenID Connect) client selection to cater to a wide range of application scenarios.

  • CTO Insights blog

    The Aryaka CTO Insights blog series provides thought leadership for network, security, and SASE topics. For Aryaka product specifications refer to Aryaka Datasheets.

The post Enhancing SaaS Security: Next-Gen ZTNA for Authentication & Authorization appeared first on Aryaka.

Unlocking the Potential: The Crucial Role of SWG in a SASE Architecture
https://www.aryaka.com/blog/role-of-swg-in-sase-sse-solution/ Tue, 13 Jun 2023 12:49:38 +0000

The Secure Web Gateway (SWG) plays a crucial role in the SASE/SSE solution, which aims to secure internet-bound connections. Its primary objective is to safeguard users from online threats and enforce acceptable access policies within an organization. The SWG achieves this by intercepting user traffic and employing various security engines, including access policy enforcement. Only traffic that meets organizational access policies and is considered clean is allowed to pass through.

With 95% of internet traffic now encrypted, achieving comprehensive security in SASE/SSE solutions necessitates the ability to decrypt this traffic. While most of the traffic can be decrypted using MITM (Man-In-The-Middle) TLS decryption, concerns around user privacy have emerged, particularly when users visit websites that handle personally identifiable information (PII) or banking sites. Furthermore, certain application software vendors have begun adopting certificate pinning techniques to prevent MITM TLS decryption altogether.

These developments raise questions about the security that can be applied at the SASE level while still providing value to enterprises. This is where reputation security engines are gaining momentum.

This article highlights the value of SWG for internet-bound connections by describing security engines that can be universally applied, with or without TLS decryption. It also explores security engines that operate on decrypted TLS traffic, enabling comprehensive security measures.

Generic features common to all components of SASE

As SASE Security's access control is centered around identity, authentication and authorization are fundamental functions required across all SASE components. The articles on Identity-aware SASE and Identity broker provide insights into different authentication methods and interfaces with multiple authentication services.

In addition, the proxies-in-SASE article delves into the techniques used to capture traffic flowing from users to the Internet, users to SaaS services, and users to enterprise applications. However, this article focuses primarily on the security engines of the SWG component. Note that this article also does not delve into other common features shared by all SASE components, such as centralized configuration management and observability capabilities.

Security Engines and Generic Policy evaluation

In the SASE framework, all security engines operate based on administered policies, which provide the rules and actions to govern the behavior of the system. Each security engine can consist of multiple policy tables, and each table can contain multiple policies.

A policy is comprised of an action and a set of rules. ‘Action’ determines how the system should handle the traffic session.

Rules within a policy define the conditions that must be satisfied for the policy to be considered a match. Rules consist of matching attributes and their corresponding values. If the traffic session aligns with the specified attribute values, the rule is considered a match.

Various matching attributes can be used within rules to enforce security policies effectively. Examples of these attributes include schedule (date/time range), source IP, destination IP, Protocol/Destination Port, Source Port, user claims attributes such as user email address, user group, user role, issuer, and others as specified in the JWT claims registry. Additionally, attributes such as domain name, URL, request headers and values, HTTP method, device posture, UEBA score, location of the user, domain category, domain reputation score, URL category, URL reputation score, IP security category, IP reputation score, and file reputation score can also be utilized. It’s important to note that all security engines may not support all matching attributes in their policies.

SASE evaluates traffic sessions by passing them through multiple security engines. Each security engine independently decides whether to allow the traffic session based on its configured policies. If all security engines permit the traffic session to continue, SASE allows the traffic to pass through.

The order in which SASE executes the security engines is typically predefined. However, certain SASE implementations may offer the flexibility to select the order in which the security engines are executed. This allows administrators to prioritize specific security engines or tailor the processing sequence based on their requirements.
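To make the evaluation model concrete, here is an added Go example (not Aryaka's code) of a pipeline in which each security engine owns its own policy table, decides the session on its first matching policy (falling back to the engine's default), and the session passes only if every engine in the configured order allows it. The engines, attribute names, score scale, the threat-hunter subnet and the sample sessions are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Session holds the attributes a SWG can match on before any decryption:
// endpoints, the domain and its feed-derived category/scores, and the time.
type Session struct {
	SrcIP, DstIP     netip.Addr
	Domain, Category string
	IPReputation     int // 0 (worst) .. 100 (best); constructed scale
	DomainReputation int
	When             time.Time
}

type Action int

const (
	Allow Action = iota
	Deny
)

// Policy is a set of rules (the Match predicate) plus an action.
type Policy struct {
	Name   string
	Match  func(Session) bool
	Action Action
}

// Engine owns its own policy table; first match wins, else Default applies.
type Engine struct {
	Name     string
	Policies []Policy
	Default  Action
}

func (e Engine) Decide(s Session) (Action, string) {
	for _, p := range e.Policies {
		if p.Match(s) {
			return p.Action, p.Name
		}
	}
	return e.Default, "default"
}

// Verdict records which engine and policy stopped the session, if any.
type Verdict struct {
	Allowed        bool
	Engine, Policy string
}

// Pipeline runs engines in the configured order; every engine must allow.
type Pipeline struct{ Engines []Engine }

func (pl Pipeline) Evaluate(s Session) Verdict {
	for _, e := range pl.Engines {
		if act, name := e.Decide(s); act == Deny {
			return Verdict{false, e.Name, name}
		}
	}
	return Verdict{Allowed: true}
}

// Constructed subnet of analyst sandboxes that are allowed to fetch suspicious content.
var threatHunterNet = netip.MustParsePrefix("10.9.0.0/24")

func businessHours(t time.Time) bool {
	wd := t.Weekday()
	return wd >= time.Monday && wd <= time.Friday && t.Hour() >= 9 && t.Hour() < 17
}

var (
	IPReputationEngine = Engine{Name: "ip-reputation", Default: Allow, Policies: []Policy{
		{"hunter-exception", func(s Session) bool { return threatHunterNet.Contains(s.SrcIP) }, Allow},
		{"low-ip-score", func(s Session) bool { return s.IPReputation < 20 }, Deny},
	}}
	DomainReputationEngine = Engine{Name: "domain-reputation", Default: Allow, Policies: []Policy{
		{"bad-category", func(s Session) bool { return s.Category == "malware" || s.Category == "phishing" }, Deny},
		{"low-domain-score", func(s Session) bool { return s.DomainReputation < 30 }, Deny},
	}}
	AccessControlEngine = Engine{Name: "access-control", Default: Allow, Policies: []Policy{
		{"no-gambling-in-office-hours", func(s Session) bool { return s.Category == "gambling" && businessHours(s.When) }, Deny},
	}}
	DefaultPipeline = Pipeline{[]Engine{IPReputationEngine, DomainReputationEngine, AccessControlEngine}}
)

func main() {
	mon := time.Date(2024, 3, 4, 10, 0, 0, 0, time.UTC) // a Monday, 10:00
	s := Session{SrcIP: netip.MustParseAddr("10.1.2.3"), DstIP: netip.MustParseAddr("203.0.113.10"),
		Domain: "bad.example", Category: "phishing", IPReputation: 5, DomainReputation: 3, When: mon}
	fmt.Printf("%+v\n", DefaultPipeline.Evaluate(s))
	s.SrcIP = netip.MustParseAddr("10.9.0.7") // threat hunter: IP engine allows, domain engine still denies
	fmt.Printf("%+v\n", DefaultPipeline.Evaluate(s))
}
```

The second sample shows why engines decide independently: the exception policy in the IP reputation engine lets the analyst's sandbox through that engine, but the domain reputation engine still stops the session on its own policy. Reordering `DefaultPipeline.Engines` changes only which engine is reported as the blocker, never whether the session is allowed.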

Inline Threat Intelligence Gathering

The SWG (Secure Web Gateway) component plays a crucial role in gathering inline threat intelligence. It relies on data feeds from reputable providers to acquire valuable information about different aspects, including:

  • Reputation of IP addresses, domains, URLs, files, and SaaS services: The SWG leverages threat/data intelligence feeds to assess the reputation of these entities. This information helps in identifying potentially malicious or suspicious sources, allowing the system to make informed decisions.
  • Categorization of domains, URLs, and SaaS services: By utilizing the intelligence feeds, the SWG can determine the categories to which domains, URLs, and SaaS services belong. This categorization aids in policy enforcement and enables organizations to define granular security controls based on specific categories.
  • Malware classification of content: The SWG employs the gathered threat intelligence to classify potential malware based on content analysis. By examining the characteristics of the content, the system can identify and block or quarantine malicious files or websites, preventing them from causing harm.
  • Data classification of content: The SWG also utilizes data classification intelligence feeds to classify the content of web traffic. This classification helps identify sensitive or confidential information that may be transmitted or accessed, enabling organizations to enforce data protection policies effectively.

As all internet-bound and SaaS traffic passes through the SWG, it has the ability to collect various attributes of the traffic. By leveraging threat/data intelligence feeds, the SWG can enrich these attributes with valuable threat information. This information not only facilitates policy enforcement across different security engines but also provides visibility into the threats present in the traffic flowing through the SWG. This enhanced visibility enables organizations to detect and mitigate potential security risks in real-time, ensuring a robust security posture.

Security Engines before SSL inspection

These security engines process traffic sessions before they are TLS/SSL decrypted, act on all Internet-bound HTTP traffic, and stop the traffic session if they identify any potential risk.

  • IP Reputation-based Threat Protection Security Engine: The administrators of the SWG are empowered with the capability to create policies based on specific IP categories, IP reputation scores, and other generic attributes, enabling them to establish tailored security measures. This engine offers robust protection to users who access websites known for hosting malware and phishing content. Leveraging comprehensive threat intelligence collected on destination IP addresses, the engine efficiently identifies and mitigates potential risks, safeguarding users from malicious activities. By assessing the reputation of each IP address, the security engine makes well-informed decisions on the appropriate actions to be taken in alignment with the matching policy, ensuring a proactive and dynamic security posture.
  • Domain Reputation-based Threat Protection Security Engine: The administrators of SWG possess the capability to create policies based on domain categories, domain reputation scores, and other generic attributes, allowing them to define desired security measures effectively. This engine provides comprehensive protection to users accessing websites flagged for hosting malware and phishing content. Leveraging domain threat intelligence gathered from various sources, including HTTP CONNECT host header, TLS SNI for TLS-based HTTP traffic, and host header of clear HTTP traffic, the engine evaluates policies to accurately identify and mitigate potential risks. By incorporating domain reputation data, the security engine ensures proactive defense measures, strengthening overall security posture and safeguarding users from potential threats.

The reputation-based security engines prioritize both accuracy and adaptability. These security engines offer comprehensive policy-level flexibility to empower SWG administrators with the ability to create exceptions. These exceptions are crucial for various reasons, such as addressing false positives generated by threat intelligence feeds and accommodating the deliberate need to allow traffic for local threat hunters to conduct further inspections.

When it comes to the domain reputation security engine, an important question arises regarding which domain name to utilize for gathering intelligence and enforcing reputation policies. This question arises because the domain name is present in multiple layers of the traffic. In the case of traffic flowing through the forward proxy method of the SWG, the SWG can extract the domain name from the host header of the HTTP CONNECT request and from the TLS Server Name Indication (SNI) field. Although the host header and TLS SNI values typically align, there are instances where they can differ. As a result, SWGs inherently perform two passes through this security engine by default. The first pass occurs when the SWG receives the HTTP CONNECT request, while the second pass occurs when the SWG receives the TLS ClientHello. This approach ensures that the SWG can accurately evaluate the domain reputation and enforce the corresponding policies.

However, SWGs are designed to be intelligent and efficient. If the domain names extracted from the HTTP CONNECT request and the TLS SNI field are identical, the SWG recognizes this redundancy and avoids the need for a second run of the reputation engine. This optimization helps streamline the security evaluation process and reduces unnecessary computational overhead, enabling the SWG to maintain high-performance levels while ensuring comprehensive domain reputation-based threat protection.
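The two extraction points and the second-pass optimisation can be shown in a few dozen lines. The Go program below is an added example, not Aryaka's code: it parses the host out of a CONNECT request with the standard library, pulls the server_name out of a TLS ClientHello record without any decryption, and computes the distinct list of domains the reputation engine must evaluate. The `BuildClientHello` helper fabricates a minimal ClientHello as test input; it is a constructed message, not a capture, and the function names are assumptions.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

var errShort = errors.New("truncated ClientHello")

// HostFromConnect parses a forward-proxy CONNECT request and returns the host
// the client asked to tunnel to (port stripped, lower-cased).
func HostFromConnect(raw string) (string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", err
	}
	if req.Method != http.MethodConnect {
		return "", errors.New("not a CONNECT request")
	}
	host, _, err := net.SplitHostPort(req.Host)
	if err != nil { // authority without a port
		host = req.Host
	}
	return strings.ToLower(host), nil
}

// SNIFromClientHello extracts server_name from a TLS ClientHello record; the SNI travels in clear.
func SNIFromClientHello(rec []byte) (string, error) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 {
		return "", errors.New("not a TLS ClientHello record")
	}
	p := rec[9:] // past the 5-byte record header and 4-byte handshake header
	be16 := func(b []byte) int { return int(b[0])<<8 | int(b[1]) }
	// skip drops a fixed-size field (prefix 0) or a vector with a 1- or 2-byte length prefix.
	skip := func(fixed, prefix int) bool {
		n := fixed
		if prefix == 1 && len(p) >= 1 {
			n = 1 + int(p[0])
		} else if prefix == 2 && len(p) >= 2 {
			n = 2 + be16(p)
		} else if prefix != 0 {
			return false
		}
		if len(p) < n {
			return false
		}
		p = p[n:]
		return true
	}
	if !skip(34, 0) || !skip(0, 1) || !skip(0, 2) || !skip(0, 1) { // version+random, session_id, cipher_suites, compression
		return "", errShort
	}
	if len(p) < 2 || be16(p) > len(p)-2 {
		return "", errShort
	}
	p = p[2 : 2+be16(p)] // extensions block
	for len(p) >= 4 {
		typ, l := be16(p), be16(p[2:])
		if p = p[4:]; len(p) < l {
			return "", errShort
		}
		if typ == 0 { // server_name: list length (2), name_type (1), name length (2), name
			if l < 5 || p[2] != 0 || 5+be16(p[3:]) > l {
				return "", errors.New("malformed server_name extension")
			}
			return string(p[5 : 5+be16(p[3:])]), nil
		}
		p = p[l:]
	}
	return "", errors.New("no SNI extension")
}

// BuildClientHello fabricates a minimal TLS 1.2 ClientHello carrying only an SNI extension (test input).
func BuildClientHello(host string) []byte {
	name := []byte(host)
	entry := append([]byte{0, byte(len(name) >> 8), byte(len(name))}, name...)  // host_name entry
	list := append([]byte{byte(len(entry) >> 8), byte(len(entry))}, entry...)   // server_name_list
	ext := append([]byte{0, 0, byte(len(list) >> 8), byte(len(list))}, list...) // extension type 0 + length
	hello := append([]byte{3, 3}, make([]byte, 32)...)                          // client_version + random
	hello = append(hello, 0, 0, 2, 0x13, 0x01, 1, 0)                             // no session_id, one suite, null compression
	hello = append(append(hello, byte(len(ext)>>8), byte(len(ext))), ext...)
	hs := append([]byte{1, byte(len(hello) >> 16), byte(len(hello) >> 8), byte(len(hello))}, hello...)
	return append([]byte{0x16, 3, 1, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}

// DomainsToEvaluate lists the distinct names the reputation engine must check for one
// session: the CONNECT host, then the SNI only if it differs (no second pass otherwise).
func DomainsToEvaluate(connectHost, sni string) []string {
	var out []string
	for _, d := range []string{strings.ToLower(connectHost), strings.ToLower(sni)} {
		if d != "" && (len(out) == 0 || out[0] != d) {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	host, _ := HostFromConnect("CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n")
	sni, _ := SNIFromClientHello(BuildClientHello("cdn.example.net"))
	fmt.Println("passes:", DomainsToEvaluate(host, host), DomainsToEvaluate(host, sni))
}
```

A mismatch between the CONNECT host and the SNI is exactly the case the second pass exists for, so `DomainsToEvaluate` keeps both names in that situation rather than trusting either one alone.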

Access Control Engine

In addition to reputation-based threat protection, SWGs offer robust access control capabilities, allowing administrators to provide differentiated access to users when accessing various Internet sites. This powerful security engine enables administrators to create policies based on domain categories, which are provided by reputable threat intelligence providers.

By leveraging domain categories, SWG administrators can simplify their management experience by classifying a vast number of Internet sites into a few overarching categories. This classification system enhances efficiency and ease of policy creation, ensuring that administrators can effectively define access control measures without the need for granular configuration for each individual site.

Moreover, the access control engine also provides the flexibility to specify individual domain names within the policies. This allows administrators to have fine-grained control over access to specific sites, accommodating situations where specific sites require unique access permissions or restrictions.

The flexibility of the access control engine proves particularly useful in scenarios where false positives occur in the domain categorization process. In such cases, administrators can create exceptions within the policies to override the categorization and ensure accurate access control for affected sites. This ability to handle exceptions empowers administrators to maintain a balance between stringent security measures and providing necessary access for legitimate sites that might be misclassified.

SASE TLS/SSL Inspection Engine

The SWG TLS/SSL inspection engine plays a crucial role in enabling advanced access controls and threat protection that require access to the content of TLS/SSL sessions. However, TLS inspection necessitates decrypting these sessions, which requires access to the private keys. As a Man-In-The-Middle (MITM) entity, the SWG does not have direct access to the private keys. To overcome this limitation, TLS inspection engines typically employ a technique where they mimic the server certificate using the Enterprise trusted Certificate Authority (CA).

The typical flow of steps followed by the TLS inspection engine for each new TLS session from the client is as follows:

  • Establish a TLS connection to the destination service (Internet site).
  • Retrieve the certificate presented by the destination service.
  • Mimic the content of the certificate, including its lifetime, to create a mimic certificate.
  • Sign the mimic certificate using the Enterprise trusted CA.
  • Present this mimic certificate during the TLS handshake with the client.

For this process to work seamlessly without causing security pop-ups in browsers, it is essential that the Enterprise CA certificate chain is securely onboarded in employees’ machines as a trusted CA, typically through their system management software.

To minimize computational overhead associated with key generation and signing of mimic certificates, the TLS inspection engine caches the mimic certificates and corresponding private keys, reusing them until their lifetime expires.

While TLS inspection is highly desirable for advanced threat protection and access control, enterprises may have specific cases where decryption is not allowed. These cases include privacy concerns, especially when accessing banking, financial, or healthcare sites, as well as scenarios where certificate pinning is employed. Additionally, enterprises may choose not to enable TLS inspection for content that is already checked for threats before TLS encryption occurs at the client-side, such as through browser or Office 365 extensions.

To provide flexibility in deciding whether to perform TLS decryption or not, the SWG TLS/SSL inspection engine empowers administrators to create policies. These policies can include domain category classifications, allowing administrators to bypass TLS decryption for specific categories such as financial and healthcare sites, as well as any other sites for which the enterprise is uncomfortable with decryption.

By offering policy-based control and categorization, the SWG TLS/SSL inspection engine enables enterprises to strike a balance between maintaining privacy and security while ensuring robust threat protection and advanced access controls.

SWG PKI infrastructure

SASE services are inherently multi-tenant, supporting multiple enterprises. Within this context, some enterprises may have their own Public Key Infrastructure (PKI), while others may not have any PKI in place. It is important to note that the enterprise CA certificate (used to sign the mimic certificates) should have a relatively short lifetime, typically a few days, to ensure robust security. Regular reissuance of the CA certificate is necessary to maintain a secure environment.

To ensure the security of the private key of the CA certificate within the SWG context, Certificate Signing Request (CSR) based certificate generation is preferred. Many SWGs provide their own PKI infrastructure to issue intermediate CA certificates (SWG CA certificates) to their SWG data plane instances. In cases where an enterprise does not have its own PKI infrastructure, the SWG's PKI infrastructure automatically creates the parent CA and root CA certificates on behalf of each individual enterprise.

In situations where an enterprise does have its own PKI infrastructure, the SWG’s PKI infrastructure establishes communication with the enterprise’s PKI infrastructure to obtain the parent CA certificate signed. Once the parent CA certificate is obtained, it is used to sign the SWG CA certificates, ensuring the authenticity and integrity of the certificates used for signing mimic certificates.

The PKI infrastructure is considered a critical component of the SWG as it plays a vital role in securing the private keys used for signing the mimic certificates. By effectively managing the PKI infrastructure, including the regular reissuance of CA certificates, and adhering to established security practices, SWGs can ensure the integrity and trustworthiness of the certificates used within the multi-tenant SASE service environment.
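The mimic-certificate flow described under the TLS/SSL inspection engine and the CSR-based issuance of a short-lived SWG CA described in this section fit together in one program. The Go example below is added here and is not Aryaka's code: it builds an enterprise root, issues a three-day SWG intermediate from a CSR (so the data-plane private key never leaves the instance), copies an upstream certificate's subject, SANs and validity into a mimic certificate signed by that intermediate, caches the result per upstream certificate, and finally checks that the mimic chains to the enterprise root the way an onboarded browser would verify it. All names, lifetimes and the "Internet site" certificate are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertKey pairs a certificate with the private key that controls it.
type CertKey struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func serial() *big.Int          { n, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); return n }

// certTemplate fills the fields every certificate in this example needs.
func certTemplate(subject pkix.Name, dns []string, nb, na time.Time, isCA bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku = x509.KeyUsageCertSign
	}
	return &x509.Certificate{SerialNumber: serial(), Subject: subject, DNSNames: dns, NotBefore: nb, NotAfter: na,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// sign issues tpl under parent (tpl == parent for a self-signed root) and parses the result.
func sign(tpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SelfSigned builds a root CA (the enterprise root, or the SWG PKI's own root for a tenant
// without PKI) or, with isCA=false, a stand-in for the certificate an Internet site presents.
func SelfSigned(cn string, dns []string, isCA bool, lifetime time.Duration) CertKey {
	k, now := newKey(), time.Now()
	tpl := certTemplate(pkix.Name{CommonName: cn}, dns, now.Add(-time.Hour), now.Add(lifetime), isCA)
	c, _ := sign(tpl, tpl, &k.PublicKey, k)
	return CertKey{c, k}
}

// IssueIntermediateViaCSR models the SWG data-plane CA: the instance keeps its key local and
// sends only a CSR; the parent PKI checks proof of possession and returns a short-lived CA cert.
func IssueIntermediateViaCSR(parent CertKey, cn string, lifetime time.Duration) (CertKey, error) {
	k := newKey()
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, k)
	if err != nil {
		return CertKey{}, err
	}
	csr, err := x509.ParseCertificateRequest(der) // only this leaves the data-plane instance
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return CertKey{}, err
	}
	now := time.Now()
	c, err := sign(certTemplate(csr.Subject, nil, now.Add(-time.Hour), now.Add(lifetime), true), parent.Cert, csr.PublicKey, parent.Key)
	return CertKey{c, k}, err
}

// MimicCert copies the upstream subject, SANs and validity window into a certificate signed by
// the SWG CA. cache is keyed by the upstream DER; cached reports that an unexpired entry was reused.
func MimicCert(signer CertKey, cache map[string]CertKey, upstream *x509.Certificate) (mimic CertKey, cached bool, err error) {
	if e, ok := cache[string(upstream.Raw)]; ok && time.Now().Before(e.Cert.NotAfter) {
		return e, true, nil
	}
	k := newKey()
	tpl := certTemplate(upstream.Subject, upstream.DNSNames, upstream.NotBefore, upstream.NotAfter, false)
	c, err := sign(tpl, signer.Cert, &k.PublicKey, signer.Key)
	if err != nil {
		return CertKey{}, false, err
	}
	cache[string(upstream.Raw)] = CertKey{c, k}
	return CertKey{c, k}, false, nil
}

// ChainOK is what an onboarded browser does: verify leaf for host against the enterprise root.
func ChainOK(leaf *x509.Certificate, inter, root CertKey, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.Cert)
	inters.AddCert(inter.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

func main() {
	root := SelfSigned("Enterprise Root CA (constructed)", nil, true, 30*24*time.Hour)
	swg, _ := IssueIntermediateViaCSR(root, "SWG CA pop-1 (constructed)", 3*24*time.Hour)
	site := SelfSigned("www.example.com", []string{"www.example.com"}, false, 90*24*time.Hour)
	cache := map[string]CertKey{}
	m, _, _ := MimicCert(swg, cache, site.Cert)
	_, hit, _ := MimicCert(swg, cache, site.Cert)
	fmt.Println("chain ok:", ChainOK(m.Cert, swg, root, "www.example.com"), "reused on 2nd session:", hit)
}
```

Two properties worth checking in any real deployment are visible here: the original site certificate does not verify against the enterprise root (only the mimic does), and a second session to the same site reuses the cached key and certificate instead of paying for key generation and signing again.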

Security Engines after SSL inspection

After TLS/SSL decryption, the SWG utilizes a set of security engines to process the traffic sessions and identify any potential risks. These security engines play a crucial role in ensuring comprehensive threat protection.

URL Reputation-based Threat Protection Security Engine

SWG administrators are equipped with the capability to create policies based on URL categories, URL reputation scores, and other relevant attributes, enabling them to effectively define security measures. While the domain reputation-based threat protection engine provides protection at the domain level, there are instances where it becomes necessary to perform reputation-based threat protection at the URL level. This is particularly important for websites that have sub-sections or different URLs representing specific sections of the site. While the overall domain reputation might be good, certain individual sections within the site could be compromised or pose a risk. Therefore, the URL-based reputation security engine is essential for comprehensive protection, preventing users from accessing malware-hosted or phishing websites. By considering the reputation of specific URLs, this engine enhances the accuracy of threat detection and enables proactive blocking of potentially harmful content.

As mentioned earlier in the “SWG Pre Decryption Security Engines” section, reputation scores derived from threat intelligence feeds can sometimes result in false positives. Additionally, there are cases where administrators may want to allow a traffic session to proceed for a more in-depth inspection by threat hunters. Furthermore, if comprehensive protection has already been applied at the client level, duplicating the threat protection at the gateway level may be unnecessary. To address these scenarios, the post-decryption reputation threat protection engines are also policy-driven, enabling administrators to create exception policies.

Advanced Access Control Engine

In addition to reputation-based threat protection, SWGs provide robust advanced access control capabilities, enabling administrators to enforce differentiated access to users when accessing various Internet sites. This advanced access control engine shares similarities with the previously described “Access Control Engine” in the “SWG Pre Decryption Security Engines” section. However, as it operates after TLS decryption, it offers even more sophisticated access control options based on URLs, HTTP methods, and HTTP request headers.

The advanced access control engine leverages URL categories, which provide a more accurate and granular classification of websites compared to domain categories. By utilizing URL categories, administrators can effectively define policies to regulate access based on specific URLs, allowing for fine-grained access control.

Similar to the Access Control Engine, the advanced access control engine also provides the flexibility to create exceptions, addressing scenarios where false positives occur in URL categorization. These exceptions enable administrators to override default access control policies for specific sites or content that might be misclassified or require special access permissions.

Security Engines with content inspection

Up until now, the security engines described have been focused on stopping traffic sessions when threats are detected, or access is denied. These engines operate based on initial HTTP information and request headers, allowing for the suspension of traffic until the traffic is inspected.

However, there are additional security engines that require deeper inspection of the content within HTTP sessions. These engines need access to the content in both requests and responses to effectively detect threats. Unlike the previous engines, these content inspection engines do not stop the entire traffic flow but instead halt the specific traffic the moment a threat is detected.

Some of these security engines not only require access to the entire content, but they may also need to perform further processing on the content before utilizing threat intelligence feeds to identify potential threats. For example, if a file is compressed, it needs to be uncompressed for analysis. Additionally, certain threat intelligence providers expect the extraction of text streams from different file types such as Word documents, PowerPoint presentations, OpenOffice files, Excel spreadsheets, PDFs, and more. Since these extractions and threat detections can be computationally intensive, they may introduce latency to the HTTP transactions.

To address this, many of these security engines offer two options: inline capture with threat detection and inline enforcement, or inline capture with offline threat detection. In the inline detection mode, the traffic is captured, and threat detection occurs within the HTTP session, allowing for immediate enforcement actions. In the offline detection mode, the traffic is still captured, but the text stream extraction and threat detection with threat intelligence feeds are performed outside of the HTTP session. In this mode, offending traffic is not immediately stopped, but visibility into potential threats is maintained. These two modes provide flexibility for enterprises to balance inline threat protection and user experience, allowing them to choose the approach that best suits their needs.

File Reputation-based Threat Protection Security Engine

The SWG incorporates a File Reputation-based Threat Protection Security Engine that plays a vital role in assessing the reputation of files transferred over HTTP. This engine leverages the SWG’s threat intelligence gathering functionality, which continuously analyzes the content passing through the gateway. As the traffic flows, the threat intelligence engine calculates the hash of the content, both as it is being transferred and at the end of the file, in order to determine the file’s reputation score. If necessary, the SWG performs decompression on the content before calculating the hash. Administrators are empowered with the flexibility to create policies that consider the file reputation score and dictate whether to allow or deny the traffic session based on this assessment. This security engine performs the policy evaluation and stops further transfer of the traffic once the threat is detected.
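The streaming hash, the decompression step and the "stop once the threat is known" behaviour can be demonstrated with a small Go program. It is an added example and not Aryaka's code: it forwards the body to the client while hashing the decompressed content, looks the digest up in a reputation feed at end of file, and withholds the final bytes until the verdict is known so that a blocked file never arrives complete. The hold-back of the tail is an assumed design choice for the example, and the feed, its score scale and the sample files are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// FileVerdict reports the digest the feed was queried with and how much of the body reached the client.
type FileVerdict struct {
	SHA256    string
	Score     int // feed score, 0 (worst) .. 100 (best); 50 when unknown (constructed scale)
	Delivered int // bytes forwarded to the client
	Blocked   bool
}

// holdback forwards everything except the last n bytes, released only once the verdict is known.
type holdback struct {
	dst     io.Writer
	n       int
	pending []byte
	written int
}

func (h *holdback) Write(p []byte) (int, error) {
	h.pending = append(h.pending, p...)
	if extra := len(h.pending) - h.n; extra > 0 {
		if _, err := h.dst.Write(h.pending[:extra]); err != nil {
			return 0, err
		}
		h.written += extra
		h.pending = append([]byte(nil), h.pending[extra:]...)
	}
	return len(p), nil
}

func (h *holdback) release() error {
	_, err := h.dst.Write(h.pending)
	h.written += len(h.pending)
	h.pending = nil
	return err
}

// ScanTransfer streams body to dst while hashing the (gzip-decompressed) content; at end of
// file the digest is looked up in feed and scores below threshold stop the transfer.
func ScanTransfer(body io.Reader, dst io.Writer, feed map[string]int, threshold, tail int) (FileVerdict, error) {
	hb := &holdback{dst: dst, n: tail}
	br := bufio.NewReader(io.TeeReader(body, hb)) // client sees raw bytes, hash sees content
	var content io.Reader = br
	if magic, err := br.Peek(2); err == nil && bytes.Equal(magic, []byte{0x1f, 0x8b}) {
		gz, err := gzip.NewReader(br)
		if err != nil {
			return FileVerdict{}, err
		}
		content = gz
	}
	h := sha256.New()
	if _, err := io.Copy(h, content); err != nil {
		return FileVerdict{}, err
	}
	v := FileVerdict{SHA256: hex.EncodeToString(h.Sum(nil)), Score: 50}
	if s, known := feed[v.SHA256]; known {
		v.Score = s
	}
	if v.Score < threshold {
		v.Blocked, v.Delivered = true, hb.written // tail is never released
		return v, nil
	}
	err := hb.release()
	v.Delivered = hb.written
	return v, err
}

func GzipBytes(data []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

// SampleFeed is a constructed reputation feed keyed by the SHA-256 of file content.
func SampleFeed() map[string]int {
	bad := sha256.Sum256([]byte("constructed malicious sample"))
	return map[string]int{hex.EncodeToString(bad[:]): 2}
}

func main() {
	var client bytes.Buffer
	v, err := ScanTransfer(bytes.NewReader(GzipBytes([]byte("constructed malicious sample"))), &client, SampleFeed(), 30, 16)
	fmt.Printf("blocked=%v score=%d delivered=%d err=%v\n", v.Blocked, v.Score, v.Delivered, err)
}
```

Because the hash is taken over the decompressed stream, a known-bad file is recognised whether it is transferred raw or gzip-encoded, while the bytes the client receives are the ones the server sent, untouched.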

Anti Malware Security Engine

The Anti-Malware Security Engine integrated into SWGs incorporates advanced threat intelligence and anti-malware functions to effectively detect and prevent viruses and malware from infiltrating the traffic stream and reaching user devices. This engine also plays a crucial role in preventing users from unknowingly spreading malware by actively monitoring traffic in both directions. As mentioned earlier, these security engines employ various techniques to analyze the content within local files. If necessary, the engine will uncompress files and extract the text stream, which is then subjected to thorough examination using threat intelligence anti-malware functions. The text stream is particularly important for signature-based analysis, enabling the detection of known malware strains.

SWG solutions offer flexibility to administrators, allowing them to create policies that dictate the appropriate actions to be taken upon detecting different types of malware and considering the confidence level provided by the threat intelligence provider. This ensures that responses to malware are tailored to the specific threat and risk level. Furthermore, SWGs provide the capability to create exceptions within the policies to address performance concerns, false positives, and to facilitate deeper threat inspections by threat hunters. This flexibility empowers administrators to fine-tune the security measures and strike the right balance between protection and operational efficiency.

Intrusion Detection & Prevention (IDP) Security Engine

The IDP security engine is an integral part of SWGs, designed to identify potential exploits within traffic streams. Exploiting system vulnerabilities is a common method attackers employ to gain unauthorized access, introduce rootkits, and distribute malware. These vulnerabilities can take the form of buffer/stack overflows, inadequate input validation, or misconfigurations in systems and applications. The IDP engine within SWGs can detect exploit attacks targeting client machines and identify compromised clients attempting to exploit third-party services on the Internet, preventing enterprise assets from becoming launching pads for further attacks.

The IDP engine within SWGs delivers accurate detection with fewer false positives for several reasons:

  • Access to Clear Data: The IDP engine can access traffic data that has been cleared of encryption, enabling it to effectively analyze and detect potential attacks.
  • Access to Reassembled and Re-sequenced Data: The engine can access data streams that have been reconstructed and reordered, ensuring comprehensive analysis and detection of any malicious activities.
  • Access to HTTP Protocol Extracted and Decoded Data: By receiving data that the proxy component of the SWG has already extracted and decoded, the IDP engine gains deeper visibility into the content, allowing for more effective detection of attack patterns.

The IDP engine employs various types of signatures to detect attacks, including protocol anomaly signatures, traffic anomaly signatures, and content-based signatures. Threat intelligence providers offer extensive signature databases, but loading every signature can significantly impact system performance. To address this concern, SWGs provide signature tuning capabilities based on factors such as signature applicability. For example, signatures that are not relevant to HTTP-based traffic, or those that inspect content within HTTP that has not been decrypted, can be left out. Tuning can also consider factors such as the risk impact and the confidence level of each signature, as provided by the threat intelligence provider.

SWG solutions also offer policy-based traffic selection, enabling administrators to determine which traffic should undergo IDP processing. This flexibility allows for the avoidance of redundant IDP scans on traffic that has already been scanned for attacks at the client endpoint level.
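To make the tuning and traffic-selection points concrete, here is an added Python example (illustrative code, not Aryaka's or a real signature feed): a constructed signature catalog is filtered by protocol, decryption availability, risk and confidence; flows already scanned at the endpoint are skipped; and content signatures are matched against the percent-decoded request-target that the proxy hands over, which is what the raw wire form would miss. Signature ids, flows and thresholds are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: str                 # placeholder ids, not real feed identifiers
    kind: str                # "protocol-anomaly", "traffic-anomaly" or "content"
    protocol: str            # protocol the signature was written for
    needs_decrypted: bool    # only meaningful once TLS inspection has exposed the payload
    risk: int                # 1 (low) .. 5 (critical), as rated by the feed
    confidence: int          # 0..100, as rated by the feed
    pattern: Optional[str] = None  # regex over decoded HTTP data (content signatures)


# Constructed signature feed for the example.
CATALOG = [
    Signature("SIG-0001", "content", "http", True, 4, 90, r"\.\./"),        # path traversal attempt
    Signature("SIG-0002", "content", "http", True, 3, 60, r"(?i)<script"),  # script injection attempt
    Signature("SIG-0003", "protocol-anomaly", "http", False, 2, 95),        # unknown request method
    Signature("SIG-0004", "content", "smb", True, 5, 90, r"."),             # not HTTP: never relevant here
    Signature("SIG-0005", "content", "http", True, 1, 20, r"curl"),         # low risk, low confidence
]

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT", "TRACE"}


def tune(catalog: List[Signature], tls_inspection_on: bool,
         min_risk: int, min_confidence: int) -> List[Signature]:
    """Load only the signatures that can actually fire on this SWG's traffic."""
    loaded = []
    for s in catalog:
        if s.protocol != "http":
            continue  # the SWG proxies HTTP(S); other protocols only cost CPU
        if s.needs_decrypted and not tls_inspection_on:
            continue  # would be matched against opaque ciphertext
        if s.risk < min_risk or s.confidence < min_confidence:
            continue  # below the administrator's risk/confidence floor
        loaded.append(s)
    return loaded


@dataclass
class Flow:
    client: str
    method: str
    raw_target: str          # request-target exactly as seen on the wire
    endpoint_scanned: bool   # the client's endpoint agent already ran IDP on this flow


def select_for_idp(flow: Flow, skip_endpoint_scanned: bool = True) -> bool:
    """Policy-based traffic selection: avoid a redundant scan of already-scanned flows."""
    return not (skip_endpoint_scanned and flow.endpoint_scanned)


def inspect(flow: Flow, signatures: List[Signature], use_decoded: bool = True) -> List[str]:
    """Return the sids that fire. use_decoded=False shows what the engine would miss
    without the proxy's decoded view of the request."""
    if not select_for_idp(flow):
        return []
    target = unquote(flow.raw_target) if use_decoded else flow.raw_target
    hits = []
    for s in signatures:
        if s.kind == "content" and s.pattern and re.search(s.pattern, target):
            hits.append(s.sid)
        elif s.kind == "protocol-anomaly" and flow.method not in KNOWN_METHODS:
            hits.append(s.sid)
    return hits


# Constructed flows: one percent-encoded traversal attempt, the same flow already
# scanned by an endpoint agent, and a request with an unknown method.
TRAVERSAL = Flow("10.0.0.5", "GET", "/download?file=%2e%2e%2f%2e%2e%2fconfig.ini", False)
ALREADY_SCANNED = Flow("10.0.0.6", "GET", "/download?file=%2e%2e%2f%2e%2e%2fconfig.ini", True)
ODD_METHOD = Flow("10.0.0.7", "BREW", "/index.html", False)
```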

Data Loss Prevention Security Engine

The inclusion of a Data Loss Prevention (DLP) Security Engine within SWGs has become increasingly prevalent. This engine is designed to prevent users from inadvertently transmitting or receiving confidential financial, accounting, or business-sensitive information without proper authorization. By leveraging policy-based controls and user attributes, the DLP Security Engine monitors and mitigates the risk of accidental or intentional data leaks.

To effectively perform its role, the DLP Security Engine requires access to the complete content of data transmissions. It extracts text streams, allowing it to analyze and classify the data based on its sensitivity. Data classification intelligence providers utilize the text stream to generate classification results, which encompass various attributes such as compliance labels (e.g., Personally Identifiable Information or PII), generic confidential document data (e.g., financial information), and custom-defined sensitive data.

To facilitate precise control over sensitive data, SWGs offer administrators the ability to create policies that incorporate different classification attributes and values. These policies, combined with generic matching attributes, enable administrators to define granular access controls and specify how different types of sensitive data should be handled.

Custom Security Engines (Bring Your Own Security Engine)

While SASE/SWG providers offer comprehensive security coverage, the ever-evolving threat landscape, particularly zero-day attacks, may require additional enhancements. Enterprise security teams are often proactive in their threat hunting efforts, identifying new attack patterns. They may also receive new threat patterns from other enterprise security teams through threat intelligence sharing. In both cases, these teams may want SWGs to protect their assets against these emerging threat patterns and attacks.

Although SWGs typically have well-configured IDP engines and other security engines, there are situations where the configuration systems may lack the flexibility to create rules for detecting complex threat patterns. Relying solely on SWG providers to add new software logic for these protections can be time-consuming. Additionally, the threat patterns observed by enterprises may be specific to their environment and not applicable for generic usage. In such cases, SWG vendors may be hesitant to release new software in a timely manner to address these custom requirements. Therefore, there is a need for flexibility to integrate new custom programmatic security engines developed by enterprise security departments or Managed Security Service Providers (MSSPs).

SWG solutions are expected to provide open interfaces for incorporating new security engines. Some SWGs offer the capability to add Lua scripts and WebAssembly (WASM) modules. With these capabilities, organizations can develop new security engines such as Lua scripts or WASM modules and integrate them into the SWG infrastructure. SWGs ensure that these custom engines do not interfere with other security engines and that they consume compute resources within the configured limits set by the SWG administrators.

By allowing the integration of custom programmatic security engines, SWGs empower enterprises to enhance their security posture, promptly respond to emerging threats, and protect their assets effectively. This flexibility enables organizations to leverage their in-house security expertise or collaborate with MSSPs to develop tailored security engines that address their unique security requirements.

Summary

In summary, this article has provided an overview of the security engines for secure Internet access. It is important to note that the inclusion of all security engines may vary across different SASE/SWG solutions, and new security engines may be added as new types of internet threats emerge.

SASE/SWG solutions leverage security engines such as IP Reputation-based Threat Protection, Domain Reputation-based Threat Protection, Access Control, TLS/SSL Inspection, File Reputation-based Threat Protection, Anti-Malware, Intrusion Detection & Prevention, Data Loss Prevention, and others. These security engines enhance overall security measures and provide protection against various threats when accessing the internet.

As the threat landscape continues to evolve, organizations should regularly assess their security needs and ensure that their chosen SASE solution incorporates the necessary security engines to mitigate emerging risks effectively.

  • CTO Insights blog

    The Aryaka CTO Insights blog series provides thought leadership for network, security, and SASE topics. For Aryaka product specifications refer to Aryaka Datasheets.

The post Unlocking the Potential: The Crucial Role of SWG in a SASE Architecture appeared first on Aryaka.

Unified SASE: The Solution to Frankenstein Networks
https://www.aryaka.com/blog/evolution-of-wan-networks-network-security/
Tue, 11 Apr 2023 12:35:13 +0000

The post Unified SASE: The Solution to Frankenstein Networks appeared first on Aryaka.


The evolution of WAN networks and network security has been rapid over the past 20 years. Prior to 2000, WAN networks were relatively straightforward, with private networks (such as MPLS and leased lines) combined with centralized firewalls placed at headquarters and data centers. At that time, most employees worked from the office and were tethered to a cable; there was no cloud to speak of. Remote workers were connected to a central VPN concentrator. While private networks provided a high-performance controlled experience, they were expensive. However, with the limited number of remote workers, subpar experience was not considered a significant issue. There were almost no firewalls in branch offices, and a centrally located firewall protected connections to the internet. The network and security teams were organized into separate silos and only occasionally collaborated with each other.

Over the past 25 years, a slew of new technologies has disrupted the established order, including Wi-Fi in 1997, broadband internet in 2000, WAN optimization in 2002, cloud services in 2006, cloud security in 2008, SD-WAN in 2012, and SASE (Secure Access Service Edge) in 2019. As a result, IT and security organizations have been grappling with three fundamental questions:

Question One: Where to place the breakout to the internet?

Before Wi-Fi became ubiquitous, it was common practice to route all internet traffic over the private WAN to a central location where a collection of firewalls would protect the perimeter of the enterprise. However, as Wi-Fi and cloud adoption became more widespread, backhauling massive amounts of internet traffic over expensive private links started to compromise application performance. Consequently, there has been a growing trend of placing the internet breakout in branch offices and deploying firewalls in these locations, despite the added cost and heightened security risk. Cloud security came to the rescue in 2008, providing an ideal solution for smaller offices and remote workers, allowing them to avoid on-premises firewalls and eliminate hair-pinning for remote users. For large sites and data centers, the on-premises NextGen Firewall remained in place, creating the challenge that security policies were now split between cloud and on-premises security.

Question Two: How can cheaper internet be used to slash enterprise WAN costs?

Most corporations have refrained from connecting offices directly to the internet for simplicity and security reasons. However, as Wi-Fi and cloud adoption forced the hands of IT managers and the internet was introduced to all offices, internet connectivity was increasingly seen as an opportunity to slash WAN expenses. This drove the adoption of SD-WAN, which used path steering and optimization capabilities to deliver the required application performance by using the optimal path (internet or MPLS) where required. The biggest benefit of SD-WAN was cost reduction by reducing the need for expensive (and inflexible) MPLS as much as possible by directing WAN traffic across internet circuits. Today, many companies have even eliminated MPLS altogether and replaced it with (dual) internet links. However, the internet is a best-effort technology with inconsistent latencies and without bandwidth guarantees. This has created the emerging need for enhanced internet with an uptime guarantee and more predictable latencies. Additionally, with the explosion of apps on the WAN, network managers want to eliminate any cause of subpar application performance. Also, with the increase in work-from-anywhere, it became apparent that remote workers would need to enjoy the same experience as office workers. Traditional SD-WAN solutions primarily focused on office connectivity, which often resulted in increased network complexity and higher management overhead.

Question Three: What cloud-onramp architecture best adapts to ever-changing cloud needs?

With the widespread adoption of cloud services, companies are now dealing with the challenge of managing connections between their WAN and cloud providers. This requires specific cloud-onramps that aggregate connections from multiple offices and remote users onto a single link to a specific cloud provider’s IaaS location. Cloud-onramps are costly, as each on-ramp requires specific aggregation points within a specific location. Moreover, these cloud-onramps must fit into the overall security framework of the company, which often involves a combination of on-premises firewalls and cloud security covering both the internet breakout use case and site-to-site connections.

The End Result: IT Organizations Are Stuck with Frankenstein Networks

IT organizations have been struggling to come up with simple answers to the three aforementioned questions and are now facing a complex and challenging situation. They are left with a patchwork of separate implementations for SD-WAN to connect branch offices, cloud-onramps, and security implementations for cloud and on-premises security. These different implementations often come from multiple vendors and with separate management tools, leading to a complex and cumbersome solution to manage and maintain. This “Frankenstein network” is complex and results in subpar performance, inconsistent security policies, and a lack of visibility and control, making it challenging to address issues quickly and efficiently.

Today’s Typical Frankenstein Networks

Aryaka’s SASE Solution: The End of Frankenstein Networks

The rise of Frankenstein networks has left IT organizations searching for a solution, and SASE has emerged as the answer. Aryaka’s approach to SASE begins with a high-performance network foundation, allowing for secure connections between users and applications regardless of location, all under a set of fully unified policies for networking and security. By enforcing security policies as close to users and applications as possible, whether in the cloud or on-premises, performance bottlenecks are eliminated in compliance with zero-trust principles. The network foundation must eliminate the inflexible patchwork of separate networks connecting branch offices, users, data centers, and the cloud and be delivered as a consumable cloud service, including on-premises functionality. Moreover, a flexible network infrastructure must offer three service levels to optimize WAN expenses: best-effort internet, better-than-internet, and better-than-MPLS, while completely eliminating legacy MPLS. It’s worth noting that current single-vendor SASE implementations appear to be SASE solutions at the surface level, but underneath the hood, they can still be Frankenstein networks that have not cleaned up the underlying architecture.

Aryaka’s Unified SASE on a FlexCore Foundation

The outcomes of Aryaka’s approach provide an easy-to-consume SASE solution that benefits customers by delivering a highly secure and high-performance experience for all users, applications, and workloads. This easy consumption is established by a cloud-native infrastructure consisting of deterministic control of the network underlay, combined with a single-path architecture of networking, optimization, and security functions with integrated service workflows. Agility and flexibility are the fundamental outcomes for customers, as they can now evolve their networking and security infrastructure in step with the never-ending digital transformation. Moreover, with this approach, users can quickly move, and branch offices can be relocated without constantly replacing technologies and vendors every few years as new challenges arise. Additionally, expensive cloud-onramps can be eliminated without requiring costly upgrades to the network infrastructure. Network SLAs (Service Level Agreements), ranging from best effort to guaranteed application performance, can be changed instantly based on users’ needs and the nature of applications. Aryaka’s SASE solution, with its easy consumption, agility, flexibility, and managed services, provides customers with a powerful tool to eliminate Frankenstein networks and take control of their network and security infrastructure.

SD-WAN and SASE “As-A-Service” Now Affordable to Companies of All Sizes!
https://www.aryaka.com/blog/sd-wan-and-sase-as-a-service-now-affordable-to-companies-of-all-sizes/
Tue, 28 Mar 2023 17:07:08 +0000

The post SD-WAN and SASE “As-A-Service” Now Affordable to Companies of All Sizes! appeared first on Aryaka.

Enterprises don’t need massive scale or multinational reach to benefit from our network and security managed services model

SD-WAN and SASE “As-A-Service” Now Affordable to Companies of All Sizes!

Is your enterprise one that falls in the bracket of small to medium-sized firms? Does your organization face challenges when it comes to deploying network and security services? Are affordability, performance optimization, and ease-of-use key considerations that drive your decision-making? And who can help me with these challenges?

Sound familiar? Chances are great that as a small to mid-size enterprise you’ve asked yourself these questions.

We have answers, and the solutions, with our revamped SD-WAN and SASE offerings.

You know us as a leader in Unified SASE solutions, trusted by large enterprises and Fortune 500 companies worldwide for over a decade. We now equally focus our energies on small to medium-sized enterprises (SMEs) like yours to offer you an all-in-one managed service. Our core identity lies in our ability to offer an all-encompassing SD-WAN and SASE network and security service solution, as opposed to the usual multi-vendor stitched-together solution, which is complex in its execution and just not sustainable in delivering the outcomes you need – and deserve!

Our aim is to make sure your enterprise gets the same end-to-end optimal experience that large companies get. And you won’t have to stretch your budget or compromise on the service you get.

SMEs deserve a First-class Service Delivery Experience

We understand the specific networking and security challenges that enterprises of all sizes face, and we take this understanding and actively turn it into products and services that are targeted to address those challenges.

Dennis Monner, Aryaka’s Chief Commercial Officer, when asked about the importance of having a customer-centric focus, puts it like this: “One bad experience is one too many. SMEs deserve a first-class experience equal to large enterprises and multi-national companies while meeting their budgetary needs.”

Research shows that the three main networking and security challenges that small to medium-sized companies face are limited budgets, lack of skilled IT resources, and the need for operational simplicity. These fundamentals need to be taken into consideration before their need for optimized network and security solutions can be acted upon. The search by SMEs for a vendor that offers a service covering all their needs, while also fitting what they can afford as an organization, is a difficult one. This is where we step in.

Our revamped offerings bring our highly regarded agile deployment at an affordable price range for SMEs. Our entry price begins at $150 per site/per month. Our integrated approach delivers a more comprehensive set of managed service capabilities with application optimization, network security, multi-cloud connectivity, and cloud-based observability and control, all supported by comprehensive lifecycle services management.

Aryaka’s service is tailored specifically to solve these challenges through our approach of selling network and network security as-a-service. The “as-a-service” is part of our DNA. We have done it since we started 14 years ago. We are unique in combining our technology – and where desired, select 3rd party security technology – a global backbone and integrated lifecycle services management options. Making network and security affordable, easy-to-deploy, and easy-to-consume is what we offer SMEs.

SD-WAN and SASE Solutions for SMEs

Our tailored SME solutions are easy to buy and deploy. They are guided by a focus on cost-effectiveness, resilience, and easy consumption for SMEs. The SD-WAN and SASE service we offer comes with built-in resilience and application acceleration, offering flexible network connectivity through Aryaka’s global backbone. Its cloud-based structure brings in the ease-of-use quality. As enterprises have moved to work-from-anywhere and deliver-from-everywhere since the pandemic, moving networking and security to the cloud while offering the same QoS and performance optimization is the key. And that is what we offer.

More than anything, we make sure that your organization has access to reliable and high-performing network connectivity and security and does not find the need to compromise on the best quality service.

Contact Us to find out more about our SD-WAN and SASE solutions. Use keyword “SME Solutions” in the comment section of the contact form.

Convergence is the answer
https://www.aryaka.com/blog/network-and-security-integtated-in-cloud/
Tue, 24 May 2022 12:51:17 +0000

The post Convergence is the answer appeared first on Aryaka.

The first step to recession-proof your network and security architecture

Convergence is the answer

Interest rates are rising.  US inflation is now 8.5%, its highest point in over 40 years.  The S&P 500 is teetering on the brink of a bear market.  Q1 2022 venture funding has dropped by 19%.

And all in time for budget season and your first request for 2023 IT funding.

So … what’s your plan?

Belts will be tightened

The impact of world events on the economy over the last few years has been unprecedented.  Calls for recession are now a daily occurrence across major news outlets.

“Two shocks in recent months, the war in Ukraine and the buildup of momentum in elevated U.S. and European inflation have caused us to revise down our forecast for global growth significantly,” a Deutsche Bank team led by economist David Folkerts-Landau wrote on Tuesday. “We are now projecting a recession in the U.S.…within the next two years.” [1]

The phrase “We need to tighten our belts” will surely be uttered in more than one board room this summer.  For CIOs charged with finding growth while protecting the enterprise, the question is how?  It’s not like the challenges are getting any easier.

The bad guys aren’t going away

As any CISO will tell you, the threats are not going away.  The bad guys are still out there and unfortunately getting worse.

A penetration test study from Positive Technologies found that cybercriminals can penetrate an alarming number of enterprise networks.  “In 93 percent of cases, an external attacker can breach an organization’s network perimeter and gain access to local network resources.”  Ninety-three percent! [2]

They’re not (all) coming back to the office

While threats increase, the enterprise continues to become even more distributed.  77% of remote workers say they’re more productive at home.  85% of managers believe that having remote teams will become the new norm. [3]  It’s almost a given that remote work will persist well into the future.

But not everyone will be remote.  And even those that are remote will not be remote all the time.  How do you even answer the question “How many sites do you have?” when every worker is an office of one?  And do your AWS and Azure instances count as sites?  I mean, 60% of your workload is there.

Convergence is the answer

What used to be clean is now amorphous.  Buzz phrases like ‘Digital Transformation’ and ‘Network Modernization’ are just fancy ways of saying that the IT infrastructure and organization need to evolve … and fast.

That evolution is enabled by convergence.  Call it SASE or NESaaS or whatever acronym that analysts come up with, network and security are coming together in the cloud (whether the network and security silos like it or not).

Convergence IS the answer to the question of, ‘What’s your plan?’  Convergence provides the CIO flexibility, both for innovation AND the balance sheet.  It untethers the IT team from the legacy contracts that tie them to capital-intensive expenses.  The world doesn’t work in 3-5 year cycles anymore.  Your network and security infrastructure can’t either.

Big data center costs?  Gone.  Inflexible MPLS contracts?  Bye bye.  Network and security hardware refresh?  Not anymore.

Converging the network and security into the cloud, delivered as-a-service, will become the story for CIOs needing to accomplish the impossible:  do more with less.  A smarter, more effective deployment of capital resources that is prepared for whatever craziness the world throws at it next.

Budget season?  We can help

We love talking convergence and helping IT teams rethink their network.  If you are just getting into budget season and trying to figure out how to tell a growth story while reducing the budget, give us a shout.


1. https://bit.ly/3FJ6cG4
2. https://bit.ly/38pzCwE
3. https://bit.ly/3l94og5

In the next article, we will discuss four practical recommendations where procurement and IT teams can look to reel in costs while simultaneously modernizing the network. In the meantime, check out Aryaka’s guide for IT managers on how to thrive during an economic downturn.

Top 5 Takeaways from CPEXPO 2022
https://www.aryaka.com/blog/takeaways-from-cpexpo-2022/
Thu, 21 Apr 2022 13:43:42 +0000

The post Top 5 Takeaways from CPEXPO 2022 appeared first on Aryaka.

Top 5 Takeaways from CPEXPO 2022

Like many of you in the channel, I’ve just spent a week in Vegas at the 25th anniversary Channel Partners Conference & Expo. Congratulations, Channel Partners, on 25 years. Thanks for bringing the channel community together twice a year and every day online. We agree – the best is yet to come!

Here are a few of the reasons why:

  1. The channel is back – bigger and better than ever. More than 7,400 people turned out for CPEXPO – the largest contingent in the event’s history. It’s confirmation of what many of us in the channel community already know – the channel is growing in numbers and importance to businesses in navigating complex tech decisions. The record attendance also included a greater mix of agents, VARs and MSPs. The channel convergence we’ve anticipated for more than a decade may finally be here!
  2. Network transformation is an opportunity and a challenge. Telecom agents are looking for providers to help their customers transition from MPLS-centric wide area networks to flexible software-defined WANs. At the same time, provider consolidation is narrowing their options as legacy carriers buy up disruptive competitors. Aryaka remains independent and invites partners to join our continuing campaign for cloud-first networking.
  3. Marketplaces are gaining momentum. Online marketplaces are not new; they thrive in the software world as a direct-to-customer channel for buyers that have done their digital homework. What’s happening now is that marketplaces are adding more complex services like SD-WAN (stay tuned for some big news from Aryaka). At the same time, they are embracing rather than disintermediating the traditional IT and telecom channels. Buyers get the best of both worlds – expert advisors and simplified ordering.
  4. SASE soars. Secure networking is priority one with partners and their customers, and for a good reason – network security is complex. They’re looking to simplify with integrated and managed SASE and SD-WAN. Aryaka’s 6th annual State of the WAN report backs up what we heard in conversations at CPEXPO: More than two-thirds (64%) are deploying or planning to deploy SASE over the next year. A similar number will opt for a managed SASE to help address complexity and costs.
  5. Diversity moves to center stage … literally. Diversity in gender and race was evident among the speakers and topics at CPEXPO – a welcome change for an industry long criticized for the opposite. While we’ve still a long way to go as a community, the show organizers deserve credit for leading us toward greater inclusion. For those of us at Aryaka, diversity is part of our DNA as an organization. Our global team is diverse from the home office to the corner office; two-thirds of our leadership are diverse in gender and/or race.

Those are my top five takeaways. Agree? Disagree? I’d love to hear from you! Connect with me personally on LinkedIn or email channelpartners@aryaka.com.

Aryaka Accelerate: Our Commitment to the Channel
https://www.aryaka.com/blog/accelerate-program-cpexpo-april-2022/
Fri, 08 Apr 2022 00:08:15 +0000


This year, Aryaka announced the launch of the new Aryaka Accelerate Global Partner Program and our total transition from a channel-first to a channel-led go-to-market strategy.

We built the global program on the foundation the Aryaka Channel Team set in the fall of 2021 with our sales agent program launched at CPEXPO 2021, to include partnerships of all types, including:

  • Managed services providers (MSPs)
  • Value-added resellers (VARs)
  • Cloud service providers (CSPs)
  • IT distributors
  • Marketplaces
  • Technology services brokerages (TSBs)
  • Sales Agents
  • Technology vendors

Over the past eight months since I joined Aryaka as Channel Chief, Aryaka has demonstrated our commitment to the channel and our partner community through significant investments in people, processes and technology so that our solutions align with our partners’ specific business models and how they choose to go to market.

We’re putting our money where our mouths are to drive real growth for our Aryaka Accelerate partners through our managed SD-WAN, SASE and Last Mile services.

Here’s what Aryaka Accelerate Partners can expect when they partner with us:

  • Enhanced Sales and Marketing Alignment – As a channel-led company, Aryaka works in lockstep with partners to align and supercharge sales and marketing activities, such as strategic account mapping, marketing resources, investment in co-marketing and co-selling, and all-new account-based sales and marketing programs to generate leads for qualified partners.
  • Lucrative Incentives – Aryaka offers a range of enticing sales incentives tailored to all partner types, such as commission multipliers and increased margin opportunities.
  • 3-Fold Customer Success – In addition to two levels of expert support, Aryaka provides customer success managers (CSMs) devoted to retaining and growing partners’ accounts.
  • Training and Certification – Aryaka has a self-paced, online training program for sales and technical competencies.
  • Increased Total Addressable Market (TAM) – Aryaka’s new all-in-one SD-WAN and SASE services are based on the company’s new, industry-leading FlexCore™ technology that combines Layer 2 and 3 networking, enabling partners to deliver services optimized for performance or cost. This flexibility also expands the total addressable market for Aryaka’s services to include businesses of all sizes – from global enterprises to regional small and medium businesses (SMBs).
  • Simplified Packaging and Pricing – Aryaka’s new SmartConnect EZ + SmartConnect Pro and Prime EZ solutions are easy to quote, sell and consume with “T-shirt” sized pricing and standard service tiers, speeding time to revenue for partners.
  • New Co-managed Network Option – Aryaka’s new AppAssure™ application enables VAR, MSP and white-label partners with the network visibility required to co-manage their clients’ networks, increasing their value and wallet share.
  • Last-Mile Services Revenue – Uniquely, Aryaka can offer its network-as-a-service solution with the last-mile connections included, offering partners an additional revenue opportunity.

Industry Accolades

These investments in our new Aryaka Accelerate Partner Program have paid off, with recognition as a CRN 5-Star Partner Program. This designation speaks to the innovations and resources the Aryaka Channel Team built into the new program, including real go-to-market strategy, planning and support. Unlike other providers, we aren’t expecting our partners to do all the work to bring in deals. We’re developing true partnerships.

Our team is actively engaging with our partners in a cooperative effort to acquire new business. We generate and share leads, identify target accounts, activate account-based campaigns and work side by side to close deals with our partners.

Aryaka’s channel investments were noted by Channel Futures as well. On behalf of the Aryaka channel team, I’m honored to accept the 2022 Circle of Excellence Award, which is presented to channel leaders who strategically invest in channels and provide enablement resources so that high-performance partners can create business value for their customers.

Race for the Keys to a Corvette!

To kick things into high gear, I’m super excited about our 2022 channel sales incentives, including a grand prize for our highest-performing partner. We’re giving away a 2023 Corvette to the Aryaka Accelerate partner who sells the highest total MRR in 2022.

Who’s in the lead? Check out our leaderboard.

Our Channel Team is Growing

We’ve reinforced our commitment to the channel with industry-leading depth and experience in the Aryaka Channel Team, including:

  • Rich Farbman, Vice President of Global Strategic Partnerships
  • Sarah Linford Cothran, Director of Channel Programs and Operations
  • Nicole Steele, Director of Channel Marketing and Enablement
  • Ryan Burke, Channel Sales Director, Great Lakes
  • Derek Wood, Channel Sales Director, South Central
  • Matt Thompson, Channel Sales Director, Pacific
  • Mike Wall, Channel Sales Director, North Central
  • Lou LaVigna, Channel Sales Director, Northeast
  • Mark McGarvie, Channel Sales Director, Mid Atlantic
  • J. Jensen, Channel Sales Director, Rocky Mountain
  • Heather Clemen, Channel Sales Director, Midwest
  • Ray Marfino, Channel Account Manager, West
  • Melissa Anderson, Channel Account Manager, East

I’d like to invite you to meet the team and learn more about the Aryaka Accelerate Partner Program. We’ll be at the Channel Partners Conference & Expo, April 11-14, at the Venetian Resort in Las Vegas and we’d love to chat with you about what we’ve been up to. Visit us in Meeting Room 27 or Cabanas 119, 120 and 121. Click to set up a meeting.

Got questions? Connect with me personally on LinkedIn or channelpartners@aryaka.com.
