A new framework for network security

Keeping the modern distributed network connected

The Internet was designed as a massive, distributed network. Because of this, it is naturally resilient, allowing computers, servers, and other devices to connect and route data on an as-needed basis. When a single device (or group of devices) fails or disconnects from the Internet, it typically has a negligible impact on the way the rest of the network functions.

Despite its innate resiliency, the Internet was not built in a way that it could guarantee fast or available connections. It also lacked a framework for security, making it ill-equipped to protect devices from data snooping, malicious activity, and other cyberattacks.

As a result, traditional network infrastructure was patterned after a ‘castle-and-moat’ model, where applications and data were kept in centralized, on-premise data centers (“castles”) that could be defended from external threats with a complex configuration of hardware firewalls, DDoS appliances, and other security devices (“moats”). Authorized users gained access to the castle by way of VPNs, which functioned as the drawbridge that bridged the moat.

The castle-and-moat approach allowed organizations to protect their networks on a basic level, but it was far from perfect. There were several hurdles they had to overcome:

• Complex configuration and maintenance: On-premise security appliances proved expensive to configure and keep updated against emerging threats, forcing security teams to play catch-up as attackers found new ways to exploit vulnerabilities in existing systems.

• Performance trade-offs: Employees who needed to connect to private networks remotely often did so via VPN, despite the sluggish performance they experienced due to geographically distant servers and overcrowding.

• Security vulnerabilities: Anyone who breached the network perimeter gained unfettered access to corporate resources, making the threat of internal and external data breaches difficult to prevent.

For many enterprises, simplifying and strengthening legacy network infrastructure was a necessary but daunting task — and digital transformation made it even harder.

The cloud brings more flexibility — and more problems

The transformation of the technical landscape has made network security an increasingly arduous task. SaaS and public cloud providers allowed organizations to move their applications and data away from on-premise data centers, while smartphones and other mobile devices enabled employees to increasingly connect to networks from remote locations.

The adoption of cloud-based services helped decentralize on-premise data centers, offering organizations more flexibility and agility than ever before. However, it also meant that sensitive corporate resources no longer resided within a single “castle,” but were spread across multiple locations, making it challenging to establish a unified security perimeter.

Securing this kind of hybrid environment proved more difficult than expected. Organizations had to adopt separate security solutions for on-premise and cloud-based applications and data while ensuring that employees could securely and conveniently access network resources from any location.

As a result, organizations were forced to configure and maintain a complex patchwork of single-point security solutions, most of which were not designed to seamlessly integrate. This resulted in a number of additional challenges for security teams:

• Drain on internal resources: Protecting a hybrid environment is often a laborious and time-consuming effort for security teams. Since on-premise equipment cannot secure cloud-based applications and services, enterprises need separate security systems to safeguard all internal tools and resources, resulting in extra costs, time, and labor.

• Multiple vendors: Cloud-based network security has many moving parts — from cloud firewalls to secure web gateways (SWG), cloud access security brokers (CASB), and more — and finding one vendor that offers every security service can be challenging. For most enterprises, procuring services from multiple vendors is a necessary part of protecting a hybrid environment, though doing so can introduce additional costs and complexity.

• Security gaps: When working with multiple security providers, it can be difficult to ensure that every part of your network is fully protected — with no lingering security gaps — especially since there is no “single pane of glass” from which you can monitor and maintain your network security infrastructure. And the nature of remote work means that employees often use personal devices to connect to corporate networks, introducing additional security risks.

The castle-and-moat model that once made it relatively simple to configure, secure, and maintain corporate networks is no longer compatible with today’s distributed hybrid and cloud-based environments. This transition was happening already, but 2020 forced a rapid acceleration of this process. Employees are more distributed and remote than ever before and have become accustomed to accessing corporate resources through an array of personal devices. Companies are increasingly recognizing the necessity of accommodating employees, servers, and applications existing on the Internet instead of in the castle.

A new framework for network security

As old network security models failed to keep up with developing threats and modern-day network architecture increased in complexity, organizations have begun the shift to a new cloud-based security model: Secure Access Service Edge, or ‘SASE.’

First coined by Gartner in 2019, SASE combines software-defined wide-area networking with core network security services — including secure web gateways (SWG), cloud access security brokers (CASB), cloud firewalls (FWaaS), and zero trust network access policies (ZTNA) — and delivers them on the network edge.

Rather than depending on ineffective hardware appliances or patching together siloed security solutions, SASE offers a streamlined approach to network security. It replaces complicated backhauling with the Internet edge, allowing organizations to route, inspect, and secure traffic in a single pass. SASE takes the concept of Zero Trust security – the idea that every user of every application must be constantly authenticated – even further. Coupled with Zero Trust access policies and network-level threat protection, SASE eliminates the need for legacy VPNs, hardware firewalls, and DDoS protection appliances, allowing organizations to consolidate network security services and allowing security teams more visibility into and control over their network security configurations.

In practice, SASE implementation may vary considerably from vendor to vendor and organization to organization. Most SASE solutions, however, share several key advantages over on-premise and hybrid network security configurations:

• Vendor consolidation: Rather than juggling multiple vendors and point solutions, organizations can receive comprehensive network protection from a single SASE provider, eliminating unnecessary costs and complex configuration between services.

• A unified security perimeter: By delivering these services on the network edge — a global network of servers and devices that are geographically close to the end user — SASE allows companies to secure their applications, data, and users from any location around the world.

• Better visibility: By consolidating networking and network security services and delivering them from a single, cloud-based platform, SASE eliminates security gaps between services, gives IT and security teams greater visibility into network activity, and simplifies the cloud migration process.

SASE promises to take network security to the next level: one where siloed network and security services can be merged on a single, cloud-based platform and delivered as a service.

This approach, when implemented correctly, allows enterprises to ensure their corporate networks remain global, distributed, and consistently connected — with no lapse in security or performance.

Cloudflare introduced Cloudflare One to meet the needs of the enterprise today; a comprehensive, cloud-based network-as-a-service solution that replaces a patchwork of appliances and WAN technologies with a single network that provides security, performance, and control through one user interface. Since the network is the common denominator of all applications, by building control into the network Cloudflare One ensures consistent policies whether an application is new or legacy, run on-premise or in the cloud, and delivered from your infrastructure or a multi-tenant SaaS provider. With Cloudflare’s massive global presence, traffic is secured, routed, and filtered over an optimized backbone that uses real-time Internet intelligence to protect against the latest threats and route traffic around bad Internet weather and outages.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Key takeaways

After reading this article you will be able to understand:

• The hurdles associated with the castle-and-moat security approach

• The complexity that cloud introduces

• Key advantages to SASE

• The promise of SASE

Related resources

• Guide: Getting started with SASE

• What is SASE?

• Cloudflare One SASE platform

• 451 Research: Cloudflare One Market Insights Report