Grow As You Go With A Modular SASE Architecture

Motivated by their expanding hybrid workforces and an explosion in cloud-based applications, many organizations are seeking a more agile, consistent way to enforce security across their expanding network perimeters that won’t impede network performance and will still provide a seamless user experience. Enter SASE, short for Secure Access Service Edge—offering a flexible, modular network and security architecture that’s quickly moving to the top of many IT leaders’ to-do lists.

A major shift in IT infrastructure

SASE brings together Wide Area Networking (WAN) and network security functions into a single cloud-based framework that makes networks more visible, secure and easier to manage. This represents a significant evolution in IT infrastructure that is helping to bridge many of the security, management and performance gaps common in distributed enterprises.  An increasing number of network and security leaders are finding SASE’s unified approach compelling because it equips them to quickly adapt to new or unexpected scenarios—promising greater agility, productivity, security and even cost reduction.

Yet even though SASE architecture consolidates an array of security technologies into a single “service-as-a-service,” each one is still a standalone function. This modular structure means that rather than ripping and replacing their entire infrastructure, organizations are more likely to start by solving for a specific use case, such as secure remote access, and adopt additional security services based on their changing needs and priorities.

SASE Architecture: Designed For Flexibility

One of the biggest misconceptions is that SASE is a single product in a “box” that can be bought and deployed immediately when it is really a collection of individual solutions that work together. Its modular architecture makes it easy to implement the right tools to meet your needs now and add or scale components as your network and security requirements evolve. Think of it as a journey to an ideal state of security, access and end-user experience you can manage all in one place.

Right now, two types of customers are driving SASE adoption: organizations focused on defending and protecting their branch locations with SD-WAN—and work-from-anywhere businesses where employees log in from a variety of locations. Each model needs a different network and security approach.

• Branch locations: If this describes your business, then you need to manage a single online experience for your in-office users accessing resources over a corporate network behind a firewall. You may already be running SD-WAN, and if so, you’re well on the way to SASE, which integrates SD-WAN with other core services for a holistic and integrated network and security framework.
• Work-from-anywhere employees: If your business has many employees working remotely, you probably realize that routing all your traffic to your on-premises data center won’t offer the performance and security you need to support your expanding perimeter. You need security that is identity-driven rather than site-based—meaning that it uses device and location to assign access and policies. So instead of asking, “What should the security policy be for my branch office in Chicago?” you’ll ask, “What is the security policy for Jane?,” who works from multiple locations, including home, her favorite coffee shop and occasionally the branch office.

Figure 1: Network traffic flowing to a single data center for inspection

Different types of security for different types of users

As hybrid work becomes the norm rather than the exception, you need to provide different types of security for different types of applications. For example, you might want a secure web gateway (SWG) for users who need a constant connection to browser-based apps like YouTube.

On the other hand, Software-as-a-Service (SaaS) apps like Office 365 and cloud-based development environments require a cloud access security broker (CASB) and zero trust network access (ZTNA) for identity and location-specific access control.

Ultimately you want the flexibility to manage SD-WAN for your branch locations and secure users working from anywhere in a single online experience—and to do it all from a centralized location with visibility across your entire network.

A modular SASE architecture is the path forward to manage your disparate services at scale effectively, but because few networking or security providers offer a complete, single-vendor SASE solution today, many IT decision makers are taking a slightly different approach.

Secure Service Edge: The First Step On Your SASE Journey

When Gartner coined the term SASE, the idea was to pull all the network and security pieces together under one umbrella. Since then, a clear separation has emerged between SD-WAN for branch location connectivity and protection and the remote user security piece.

While the end goal is still SASE, finding a provider that can deliver every security and networking component isn’t easy, which is where Secure Service Edge (SSE) comes into play. This subset of SASE architecture is a collection of integrated, cloud-centric security capabilities that makes up half of the SASE architecture and enables secure access to websites, software-as-a-service applications, and proprietary apps.

The key components of SSE are:

• Cloud Access Security Broker (CASB)
• Secure Web Gateway (SWG)
• Firewall-as-a-Service (FWaaS)
• Zero Trust Network Access (ZTNA)

Figure 2: The connected SASE services architecture with core network and security components

It’s important to understand that SSE isn’t a replacement for SASE—SSE is merely a subset of the SASE architecture that makes it easier to get the unified security tools you want if you don’t need (or already have) SD-WAN.

Some enterprises will opt for the full SASE framework, while others will approach their journey in phases by starting with SSE and adding the SD-WAN layer if needed. Selecting an SSE solution that is part of an integrated SASE platform opens the door to future network transformation, operational simplicity and lower total cost of ownership (TCO).

Flexible, Cloud-Native SASE Powered By The Lumen Network

Whether you’re prioritizing SD-WAN or security with your SASE strategy, Lumen can help you create the ecosystem you need today, with the flexibility to scale it as your business and workforce evolve.

The Lumen Platform, with its combination of network capabilities, cloud integration, low-latency edge computing and a deep roster of security components, is uniquely positioned to deliver on the promise of SASE. Powered by the #1 peered global network, ¹ it’s an ideal foundation for Lumen® SASE Solutions, which integrate SD-WAN and network security functions to simplify, control and scale application delivery in a single cloud-based service.

Thanks to our vendor-agnostic partner ecosystem and digital purchase path, we can reduce the complexity typically associated with multi-vendor SASE solutions. With offerings from best-in-breed network and security vendors such as Fortinet and VMware, we give you the ease and flexibility to add sites, apps and users for fast, cloud-based scalability. Plus, we give you the option to manage it yourself or take advantage of our 30+ years of network management experience to handle it all for you so you can focus on running your business.

Find out how you can simplify network access, security and management with SASE solutions on the Lumen Platform.

Learn More

¹The Center for Applied Internet Data Analysis, AS Rank, August 2022.

This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue.