Cloud-Connected Branch Security with SASE

By Brian Tokuyoshi, senior product marketing manager

Applications moving to the cloud and increased user mobility are changing the way networking and network security services must be delivered. Palo Alto Networks founder and CTO Nir Zuk believes that the future of network security is in the cloud, and has been driving this change for the past few years with Prisma Access, the industry’s most comprehensive SASE. In this ongoing series, Palo Alto Networks thought leaders explore the core tenets of an integrated, effective SASE solution, and more broadly, its implementation and implications.

As cloud usage increases across the globe, at large and small organizations alike, it is important to ensure your cloud strategy encompasses performance, connectivity and – too often overlooked – security for your branch offices and retail locations. 

Secure access service edge (SASE, pronounced sassy) is a comprehensive solution that helps organizations embrace cloud and mobility by providing network and network security services from a cloud-based, unified platform.

Traditional Branch Connectivity and Security: A Thing of the Past

Traditionally, organizations had three options to choose from to secure their branch offices and connect them to the internet.

  1. Use branch routers at each location to backhaul traffic over an MPLS connection to HQ for inspection and policy enforcement. This strategy is costly and inefficient.
  2. Utilize a VPN over a standard internet connection to connect branch offices to HQ, using a hub-and-spoke architecture as an alternative to MPLS.
  3. Utilize direct-to-internet at the branch, with a network security stack at each branch location providing security equivalent to that of a centralized perimeter firewall.

These solutions made sense when organizations were using applications solely in internal data centers, and when applications were not so bandwidth intensive. For many years, these options were considered best practices for designing wide area networks, until the cloud started to drive new requirements.

With the Onset of Cloud Comes Network Evolution

Enter the cloud. Software-as-a-service (SaaS) applications and public cloud platforms from providers like AWS, Azure and GCP provide the flexibility to meet the needs of a growing organization while reducing costs. SaaS applications have risen in popularity due to their improvements in productivity and collaboration for dispersed enterprises, while public cloud providers help to eliminate resource constraints and infrastructure costs by moving data centers to the cloud and taking over the management and services.

In light of the move to the cloud, it makes less sense to use traditional branch networking to bring traffic back to headquarters. In addition, bandwidth and performance issues arise as more cloud applications are used at the branch. Applications such as video conferencing/streaming and cloud storage applications take up a large amount of bandwidth. As a result, organizations are looking for ways to integrate a direct-to-internet connection at the branch, without introducing new security risks. 

How to Protect Branch Offices in the Cloud Era

Branch offices not only need access to applications hosted in data centers at headquarters, they also need access to the internet, SaaS apps and public cloud services. For effective branch security, organizations need to develop their network architecture in a way that optimizes access to all resources, regardless of location. A SASE security approach provides branch offices with security and visibility into all traffic, while also enabling seamless access to assets in the cloud and on-premises. By transitioning their network and network security services to a SASE solution, organizations can benefit from an enhanced user experience with fast and reliable internet connections and accurate localization, while also optimizing their ability to grow quickly and easily add offices.

Organizations must also consider the security of the applications being accessed by inspecting apps across not just web protocols, but also ports. With a SASE cloud-based security strategy, organizations have full visibility into and inspection of traffic across ports and protocols, so policies can be applied to all the traffic in the cloud. In addition, organizations can eliminate MPLS by utilizing the cloud, which also results in significant cost savings.

Palo Alto Networks is revolutionizing the way companies transform their cloud security infrastructure. Prisma Access is the industry’s most comprehensive SASE solution. It delivers the networking and security that organizations need in an architecture designed for all traffic, all applications and all users. Rather than creating single-purpose technology overlays that are normally associated with point products, Prisma Access uses a common cloud-based infrastructure to deliver security services, including advanced threat prevention, web filtering, sandboxing, DNS security, credential theft prevention, data loss prevention (DLP) and next-generation firewalling. 

Learn about how Prisma Access can help organizations confidently embrace the use of SaaS applications, rapidly develop and deploy cloud applications, connect mobile users to the cloud and improve branch security.