By Nir Zuk, Palo Alto Networks founder and CTO
Applications moving to the cloud and increased user mobility are changing the way networking and network security services must be delivered. The future of network security is in the cloud, and this new model is known as a “secure access service edge,” or SASE (pronounced “sassy”). Palo Alto Networks founder and CTO Nir Zuk has been driving this change for the past few years with the Prisma Access product, the industry’s most comprehensive SASE. Here, Nir explains why SASE is the logical evolution for network security. This is the first in an ongoing series in which Palo Alto Networks thought leaders explore the core tenets of an integrated, effective SASE solution, and more broadly, its implementation and implications.
In a cloud-driven world, security needs to be unified, consistent and delivered from the cloud that it’s chartered to protect. This statement transcends my entire career in security, which has required constant evolution to keep up with changes in technology and secure users, applications and data. That focus remains. However, when it comes to the future of network security and the coming convergence, the legacy point-product approach is no longer effective.
Nearly 25 years ago, I was the principal developer of the industry’s first stateful inspection firewall. Those were the early days of the internet, and back then the prominent firewall technology was stateless access control lists (ACLs). ACLs were not able to deal with the emergence of stateful applications, such as internet audio and video applications (or even good old FTP), so a new approach was clearly necessary. An attempt at using proxy technology proved futile, as proxies were too slow and had the tendency to break many of these applications. Stateful inspection proved to be both useful and secure, which is why it has since dominated the network security market.
Almost 15 years ago, it became apparent that the explosion in the number of internet applications was challenging stateful inspection, so taking a new approach was again necessary. Early attempts at responding to the challenge with proxy technology emerged (for the second time!). However, they failed once more due to the proxy’s inherent poor performance and its inability to inspect all types of network traffic. I felt I had to fix the firewall again, which led me to start Palo Alto Networks and build a replacement for stateful inspection – the App-ID-based Next-Generation Firewall – which today is, by far, the leading firewall in the market.
Today we are witnessing yet another change in applications that is driving yet another change to network security. This time, applications are moving from corporate data centers to the cloud – both SaaS and public cloud. Cloud adoption is challenging firewall architecture again and requires me to respond. And yes, the early attempts at solving this challenge rely on a proxy, and they are failing for the same reasons they did before.
It’s time to fix network security. Again.
Over time, organizations have typically assembled quite a few network security infrastructures. There is infrastructure for securing branch offices, where traffic is typically backhauled over an IP-VPN (think MPLS) network back to corporate headquarters or data centers, and internet traffic is routed from there through the organization’s network security stack. Then there is the network security infrastructure for allowing remote access into the corporate data center.
As applications move to the cloud, the old method of forcing all branch, user and partner traffic back through the corporate headquarters or data centers no longer makes sense. It makes much more sense to deliver the same network security stack from the cloud, such that traffic destined for the cloud does not have to hit corporate networks, and less traffic needs to go to corporate data centers.
By delivering network security from the cloud, you can protect users, applications and data, regardless of where they are.
SASE: A More Secure Everywhere
Gartner has proposed a new model for networking and network security in the cloud, known as the “secure access service edge,” or SASE, pronounced “sassy.” In Gartner’s words:
“The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises.”
Effectively, Gartner asserts SASE is able to meet the demands of cloud and mobile environments, addressing the challenges with traditional network and security architectures.
I agree with this concept, and in my mind, it’s relatively simple. SASE is the convergence of different access and network security methods into one cohesive platform. Perhaps most importantly, however, this cohesive platform must ensure a seamless user experience. It must be built on a high-performance global network, which is beyond the capability of most smaller vendors. SASE demands a level of integration that’s unprecedented in the security industry. It’s unlike other approaches in the fragmented security industry, which has extremely low barriers to entry.
The cybersecurity industry has worked hard to convince customers that they need to work with dozens of vendors and use dozens of point products and technologies. Yet the future of network security is in the cloud, and security vendors must evolve in order to effectively secure customers anywhere and everywhere.
At Palo Alto Networks, we foresaw this shift and built a compelling SASE solution. Prisma Access delivers the networking and network security that organizations need in a SASE architecture designed for all traffic, all applications and all users.
To learn more about SASE, read Gartner’s paper: The Future of Network Security Is in the Cloud.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner, The Future of Network Security Is in the Cloud, Neil MacDonald, Lawrence Orans, Joe Skorupa, 30 August 2019.