Conventional WAN architecture
In traditional networks, the company’s own data centre or main headquarters serves as the central hub for all data traffic. Internet or cloud connectivity is delivered through a dedicated demilitarised zone (DMZ) – a buffer zone that isolates the external network (Internet) from the internal network using strict communication rules and firewalls. All branch offices are connected to the headquarters data centre via WAN connections (MPLS/VPN) and use them to reach Internet and cloud services. This has several disadvantages: all network traffic must pass through the data centre (backhauling), which creates bottlenecks and adds latency to every branch-to-cloud flow. The usual remedy is to increase bandwidth at the hub, but this entails cost and effort.
Transformation to decentralised connectivity and cloud-based security
The great complexity of today’s networks (e.g., micro-segmentation), increasing data-traffic volumes, and distributed data sources and users require a cloud-based security architecture to manage growing cyber threats. These requirements increasingly overwhelm traditional security that is enforced only at a local perimeter.
In the age of the cloud and distributed working, companies are increasingly turning to SD-WAN architectures: Internet access no longer has to be provided via the data centre at the company’s headquarters but can instead be provided directly by the router at each location (Direct Internet Access, DIA). This significantly reduces latency and improves the user experience. Using the software-based network overlay, network properties for all company locations can be controlled and configured centrally, providing an overview of the company’s network status at all times. In this model, however, security is still implemented locally – usually in the headquarters or partially in the hardware at external locations. In addition, remote-access traffic is still routed through the data centre.
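To make the centrally configured path selection that SD-WAN performs at each branch router concrete, here is an added example (it is not code from the original page and does not correspond to any vendor’s product). It assumes a constructed policy table that maps a destination category to an ordered list of preferred link types, and it breaks SaaS and general Internet traffic out locally (DIA) while keeping internal traffic on the private WAN, falling back to the next link only when the preferred one is unhealthy. The prefixes and link names are constructed sample values.

```python
"""Constructed SD-WAN path-selection example: central policy, per-branch enforcement."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Link:
    name: str          # e.g. "broadband-1", "mpls-1" (constructed names)
    kind: str          # "dia" (local Internet break-out) or "mpls" (private WAN to HQ)
    healthy: bool      # result of the router's path probing
    latency_ms: float  # measured latency used to pick the best healthy link


@dataclass
class Site:
    name: str
    links: List[Link] = field(default_factory=list)


# Central policy pushed to every branch: destination category -> ordered link preference.
# SaaS and Internet traffic break out locally; internal traffic stays on the private WAN.
# A "dia" fallback for internal traffic assumes an overlay tunnel to HQ runs over that link.
PATH_POLICY = {
    "saas": ["dia", "mpls"],
    "internal": ["mpls", "dia"],
    "internet": ["dia"],          # never backhaul general web traffic over MPLS
}

# Constructed classification data (RFC 1918 ranges for internal, TEST-NET-3 for a SaaS range).
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]
SAAS_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def classify(dst: str) -> str:
    """Map a destination address to a policy category."""
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in INTERNAL_PREFIXES):
        return "internal"
    if any(ip in net for net in SAAS_PREFIXES):
        return "saas"
    return "internet"


def select_path(site: Site, dst: str) -> Tuple[str, Optional[str]]:
    """Return (category, link name) for a flow, or (category, None) if no usable path exists.

    Walks the centrally defined preference list and, within a link type, picks the
    lowest-latency healthy link. A flow with no permitted healthy path is dropped
    rather than silently sent over a path the policy forbids.
    """
    category = classify(dst)
    for kind in PATH_POLICY[category]:
        candidates = [link for link in site.links if link.kind == kind and link.healthy]
        if candidates:
            best = min(candidates, key=lambda link: link.latency_ms)
            return category, best.name
    return category, None


if __name__ == "__main__":
    branch = Site("branch-berlin", [Link("broadband-1", "dia", True, 12.0),
                                    Link("mpls-1", "mpls", True, 35.0)])
    for dst in ("203.0.113.10", "10.20.30.40", "198.51.100.7"):
        print(dst, select_path(branch, dst))
```

The decision logic runs on each branch router, but the policy table is the single, centrally maintained artefact, which is the property the overlay model relies on; the health flag is what lets a branch keep working when its local Internet link fails.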
Secure Service Edge (SSE) is a cloud-based security concept that focuses on protecting data, applications and users by implementing security features directly at the network access point (edge). As a comprehensive security solution, SSE provides key protective features, including:
Zero Trust Network Access (ZTNA): Application-specific access to private applications with minimal privilege allocation
Cloud Access Security Broker (CASB): Access control for cloud applications, including Data Loss Prevention (DLP)
VPN as a Service (VPNaaS): Cloud-based VPN service for secure remote working
Firewall as a Service (FWaaS): Cloud-based comprehensive threat protection
Secure Web Gateway (SWG): Content filtering, malware scanning and application control for web data traffic
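The ZTNA item above describes application-specific access with minimal privilege. The following is an added example of a small policy decision point in that style; it is not code from the original page or from any SSE product. It assumes constructed application policies, user groups and device-posture attributes, grants access to exactly one named application per request (never to a network segment), denies by default when no policy exists, and records the reasons for each decision so they can be logged.

```python
"""Constructed ZTNA-style policy decision point: per-application, least-privilege, deny by default."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]       # identity-provider group claims
    application: str             # the single private application being requested
    location: str                # "office" or "remote"
    device_managed: bool         # enrolled in device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]
    require_managed_device: bool = True
    require_patched_os: bool = True
    allowed_locations: FrozenSet[str] = frozenset({"office", "remote"})


@dataclass
class Decision:
    allow: bool
    application: str
    reasons: List[str] = field(default_factory=list)


# Constructed policies: each grants access to one application only.
POLICIES: Dict[str, AppPolicy] = {
    "hr-payroll": AppPolicy(allowed_groups=frozenset({"hr"})),
    "wiki": AppPolicy(allowed_groups=frozenset({"staff", "contractor"}),
                      require_managed_device=False, require_patched_os=False),
    "build-server": AppPolicy(allowed_groups=frozenset({"engineering"}),
                              allowed_locations=frozenset({"office"})),
}


def evaluate(req: AccessRequest, policies: Dict[str, AppPolicy] = POLICIES) -> Decision:
    """Evaluate one request against the policy for the requested application.

    Every check that fails is recorded; access is granted only when none fail.
    An application without a policy is denied (deny by default).
    """
    policy = policies.get(req.application)
    if policy is None:
        return Decision(False, req.application, ["no policy for application: deny by default"])

    reasons: List[str] = []
    if not (req.groups & policy.allowed_groups):
        reasons.append("identity: user is not in an allowed group")
    if policy.require_managed_device and not (req.device_managed and req.disk_encrypted):
        reasons.append("posture: device is unmanaged or not encrypted")
    if policy.require_patched_os and not req.os_patched:
        reasons.append("posture: OS is not patched")
    if req.location not in policy.allowed_locations:
        reasons.append("context: location not permitted for this application")

    if reasons:
        return Decision(False, req.application, reasons)
    return Decision(True, req.application, ["all checks passed"])


def audit_line(req: AccessRequest, decision: Decision) -> str:
    """Format a single log line for the SOC; one line per decision, allow and deny alike."""
    verdict = "ALLOW" if decision.allow else "DENY"
    return f"ztna user={req.user} app={decision.application} location={req.location} " \
           f"verdict={verdict} reasons=\"{'; '.join(decision.reasons)}\""


if __name__ == "__main__":
    alice = AccessRequest("alice", frozenset({"hr", "staff"}), "hr-payroll", "remote",
                          device_managed=True, disk_encrypted=True, os_patched=True)
    print(audit_line(alice, evaluate(alice)))
```

Because the decision is bound to a single application, a user who is allowed into the wiki still has no path to the payroll system; each request is evaluated on its own, and the recorded reasons make posture failures visible to the security operations team rather than silently dropping the connection.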
With SASE (Secure Access Service Edge, which combines SD-WAN connectivity with the SSE security functions above), all network and cloud access is secured – whether a user is inside or outside the corporate network.