Promoting the comprehensive upgrade of SASE services, the front line of Internet technology is catching up with the era of cloud and network security integration

As digital transformation progresses and cloud-network integration accelerates, enterprises have put forward higher requirements for network information security. How to better integrate flexible cloud-network basic capabilities with comprehensive security protection capabilities has gradually become the focus of market attention.

"At present, we have found that in addition to flexible networking needs, customers are also more concerned about security service subscription needs. They need to simplify the deployment and operation of network security capabilities, reduce Capex investment, and flexibly increase or decrease speeds. These needs are increasingly reflected in bidding projects." Xu Jie, product director of Internet Technology Frontline, talked about his observations in an interview with 51CTO.

SASE was born to respond to this expectation. It is not a synonym for a single technology, but more of a concept that integrates "network + edge cloud security". As a hot word in the field of network security in recent years, SASE has gone from being a hot concept to a cool one, and user acceptance is also increasing, and they are beginning to seek service providers to exchange relevant solutions.

Players entering the SASE market include network service providers, cloud vendors, and professional security vendors. Among them, First-line Internet Technology is emerging as a force that cannot be ignored in the multi-party competition with its cloud network security integrated delivery solution.

Why SASE?

In the past, enterprise data was stored in self-built or hosted data centers. Therefore, the design of traditional network security architecture usually took the data center as the focus of access needs, resulting in a complex architecture and latency issues.

More importantly, the current network environment and data security of enterprises are facing more uncertainties. First, as businesses are fully migrated to the cloud, the operational difficulties and security risks brought about by distributed deployment and multi-cloud architecture are also increasing simultaneously; secondly, the popularity of remote office and mobile office has broken the traditional network security boundaries; finally, the cost and efficiency problems caused by the separation of network construction and security construction have become more and more prominent, and enterprises prefer to be managed by cloud network security integrated service providers.

It is in this context that SASE emerged and has received widespread attention as a new paradigm that subverts traditional architecture.

As a concept proposed by Gartner in 2019, SASE represents a new architecture that integrates wide-area networking functions and security functions to meet the dynamic security access needs of enterprises. Later, Gartner divided a "subset" SSE (Secure Service Edge) from SASE.

Simply put, SSE is a component of SASE, focusing on the security service part, while the other half outside of SSE focuses on the network service part. Gartner predicts that by 2025, 80% of enterprises will adopt a strategy of using a single vendor's SSE platform to access networks, cloud services, and dedicated applications .

It can be seen that the development potential of SASE is unquestionable, and the demand of enterprises for network security subscription services is also driven by the times. In order to meet the ever-increasing user needs, the front line that previously focused on enterprise network services has started the upgrade path to the SASE service architecture.

Architecture upgrade: the goal is "integration, simplification, and flexibility"

Gartner once evaluated that the SASE market is constantly changing, and no supplier can provide the full combination of SASE functions. Some suppliers can provide some security as a service, but lack the SD-WAN function required by SASE. Some suppliers can provide security as a device, but they are not in the cloud-native global network and do not have the conditions to deploy SASE services on edge nodes. In general, the single capability and too few POP points have seriously restricted the implementation of SASE. The integrated integration of cloud network security is the key to promoting SASE services.

To this end, DYXnet relied on its accumulated cloud network construction resources and its self-developed SD-WAN architecture as the basic support, and redefined and upgraded its products, architecture, team building, and delivery model. Xu Jie further introduced this:

First, promote POP nodes to support SASE security service chain functions and upgrade to SASE POP , providing SASE security services such as zero-trust network access (ZTNA), firewall as a service (FWaaS), secure web gateway (SWG), data leakage prevention (DLP) and intrusion prevention (IPS). Enterprises can flexibly subscribe according to the needs of different scenarios. It is understood that DYXnet has built 200+ POP nodes in 100+ cities, and its service capabilities cover 700+ cities worldwide. At present, DYXnet has completed the upgrade of POP nodes in core cities to SASE POP.

Second, promote the integration of SD-WAN and SASE platform management capabilities , integrate various functions that support the SASE security service chain into the existing SD-WAN platform, flexibly call the configuration and status of security components through APIs, and help enterprises finely control the network and security situation through the integrated network security platform.

Third, promote the capacity upgrade of the entire service delivery team , cultivate the technical capabilities of security engineers, pass technical certification by relevant security certification agencies and security vendors, enhance the one-stop solution delivery capability of "Cloud Network Security", and ensure the delivery of SASE projects from an overall business perspective.

Fourth, upgrade from providing one-stop network solutions to providing one-stop network security solutions of "network + security planning + project implementation + post-operation response" . Build a dual operation response system of NOC (Network Operation Center) + SOC (Security Operation Center) to provide agile and efficient support and guarantee for the resolution of various network failures and security incidents.

Xu Jie said that in the process of SASE service upgrade, the first-line focus is on three points - " integration, simplification, and elasticity ."

"First, we need integration. We already have SD-WAN, so how can we integrate security service capabilities with it? Second, we need simplification. Network services can be subscribed, and security services can also be subscribed. Users no longer need to deploy and maintain them themselves. This is a reduction for users, and for service providers, it is about how to achieve unified delivery. Third, elasticity. Security services must be as elastic as network services, and customers can flexibly reduce or expand capacity during the life cycle of their contracts."

Driven by this goal, Dianxian has added "security" to its cloud network services, forming a one-stop integrated solution that integrates SSE, SD-WAN networking, and unified visual management of network and security, gradually completing the transformation from a cloud network service provider to a cloud network security service provider.

Scenario adaptation: Prescribe the right medicine for the right situation and create zero-trust protection for remote work

First Line has a clear understanding of the upgrade of its own positioning. Xu Jie mentioned that although both companies provide network security services, First Line, which has transformed into a cloud network security service provider, still has obvious differences from professional security vendors.

"Security vendors are good at security technology and security solutions, and usually sell one-time software and hardware packaged solutions. The advantage of First-line is that it provides customers with professional one-stop services . Therefore, in the future, in SASE services, First-line will cooperate with leading security vendors, integrate their security functions, and provide full life cycle services. Both parties can play to their strengths."

"Service" is the core of DYXnet SASE. In order to provide SASE services that are close to user needs, DYXnet realized from the beginning that it must be rooted in the scene, extract the most basic scene requirements, and then carry out design, research and development, and iteration.

"A large number of existing customers on the first line are networking customers. These customers usually need to access branches, headquarters/data centers, and since the outbreak, the number of remote office users has increased, and the demand for remote access has increased."

Therefore, the three basic scenarios that First-Line SASE targets are enterprise intranet security, Internet access, and remote secure access.

For intranet security from headquarters/data center to branches , enterprises can use SASE POP to flexibly build an enterprise security intranet, combine IPS to control and intercept intranet threat traffic, and combine DLP to prevent key files from being illegally copied and downloaded; for enterprise access to the Internet and SaaS services , enterprises can use SASE POP as a unified access exit to converge the attack surface and reduce the threat of intrusion and malicious attacks. Combined with SWG capabilities, it can provide dynamic classification of websites and automatically block access to websites with security threats; for decentralized remote office workers accessing the enterprise , the first-line zero trust focuses on the identity of the visitor, granting them the minimum operating permissions for the application, and through micro-isolation and dynamic identity authentication, it can achieve "close" protection of enterprise data access.

In the remote office scenario, the introduction of the zero-trust model can achieve differentiated application authorization based on different users and improve user access security control. This is because zero-trust emphasizes "never trust, always verify". However, in recent years, the issue of "zero trust" has repeatedly caused controversy, such as the cost of zero-trust transformation and whether zero trust is suspected of "over-defense".

In this regard, Xu Jie believes that the implementation of zero trust must first focus on user needs . "To implement zero trust, enterprise users need to plan the definitions of various applications and authorization policies for different users in advance to implement refined management. The security control effect will definitely be enhanced, but this requires a change in concept and takes a considerable amount of time. If a customer does not have a particularly complex application and the demands are relatively simple, insisting on implementing zero trust will lead to increased costs."

In Xu Jie's view, zero trust is more like an alternative upgrade to traditional security strategies . "It is not a completely subversive technology. Overall, zero trust is an iterative upgrade of traditional security strategies. Zero trust and traditional security strategies can be integrated and coexist. The two complement each other in terms of capabilities and jointly provide enterprises with more complete security protection."

Implementation: Creating differentiated advantages and moving towards the era of cloud, network and security integration

Looking at the domestic and international SASE market, there are many players, but the market competition pattern is still unstable. If First-line wants to stand out, creating differentiated advantages is the inevitable path. Xu Jie said that First-line will focus on the following four aspects.

First, agile delivery. "Dianxian has standard network nodes, but some customers still want nearby access points. How to sink the capabilities of the security service chain to more POPs is a question we have been considering. At present, Dianxian SASE can build SASE POPs in as fast as one hour, meeting customers' requirements for nearby security."

Second, elastic scaling. "For SASE to be a form of SaaS service, elastic scaling must be implemented. Customers do not need to wait after placing an order, and can immediately subscribe to security and network services on demand according to their own development needs, achieving the best cost investment."

Third, one-stop management. "The service we provide is to integrate the corresponding SSE functions into the SD-WAN platform, so that customers can use the first-line SD-WAN & SASE management platform to visually monitor and analyze the global network security situation and accurately deal with problems."

Fourth, refined management and control. In addition to unified configuration, the management platform must also support the orchestration of security and network policies, based on policy-driven, so that each application can obtain the best network resources and security protection support.

How to promote the implementation of SASE with differentiated advantages? Xu Jie introduced a consumer electronics customer as an example. The customer hopes to provide a unified and secure Internet exit for each branch to access the Internet and SaaS to avoid external intrusion and malicious attacks. At the same time, the customer also pays more attention to the security of data assets in the intranet, but does not want to participate too much in the deployment of security, and hopes to simplify the operation and maintenance management on the customer side. In the end, Dianxian provides customers with a unified Internet exit based on SASE POP, and enables Internet exit security subscription functions such as "firewall, intrusion detection, data leakage prevention, URL filtering, anti-virus, and anti-crawler" on demand. Overall, the customer is quite satisfied with the delivered solution. First, the security policy is based on unified cloud management, and the network security is one-stop orchestrated, which simplifies the operation and maintenance management on the customer side. Second, customers can subscribe to SASE services of different levels based on the actual business scale and traffic of each branch, and can support elastic expansion and contraction during the contract period, effectively saving costs.

DYXnet has taken a solid step on the road to building cloud-network security integration. Looking forward to the future, facing the era of cloud-network security integration, and based on the positioning of cloud-network security service provider, DYXnet has more blueprints to achieve: continue to upgrade and expand SASE service access capabilities; deepen cooperation with leading security vendors to create customized network security solutions; introduce AI functions to predict, detect, and alert network failures and security incidents, and enhance intelligent network security operations and maintenance...

“The road ahead is long and arduous, but we will reach our destination if we keep moving forward; if we keep moving forward, we will have a promising future.” To consolidate the foundation of the digital economy and promote the interconnection and innovative development of digital infrastructure, we cannot do without the joint efforts of upstream and downstream enterprises in the industry chain. Xu Jie said that DYXnet will take the launch of SASE products as an opportunity to work together with more partners and corporate users in the future to create a new win-win industry ecosystem.