With the accelerated development of enterprise digital transformation, cloud computing has gradually become a hard requirement. Under the general trend of cloud-network integration, more and more enterprises hope to find efficient and flexible networking solutions to quickly connect headquarters and branches and use cloud computing, laying a solid foundation for digital transformation. In this context, SD-WAN has become one of the wide area network technologies that have attracted much attention in recent years. At the same time, the spread of multiple interconnection scenarios and of hybrid online and offline office models has increased the digital security threats faced by enterprises. In addition to networking capabilities, how to build a comprehensive security protection system has also become a challenge that all industries must face. The integration of SD-WAN and the SASE security architecture has begun to attract attention.

At the 5th SD-WAN & SASE Summit held recently, Xiong Xuetao, Director of the Network Products Division of Interconnect Technology, shared with the guests the technological innovations and industry practices of First-Line in cloud network security integrated services. What is the overall development trend of SD-WAN? How do you view the relationship between SD-WAN and SASE? How does SASE solve the pain points of industry users? How will Dianxian promote professional services integrating cloud, network and security in the future? After the meeting, 51CTO interviewed Xiong Xuetao and fully discussed the above topics.

MPLS VPN or SD-WAN? That’s not the question

For a long time, MPLS VPN has been the preferred networking choice for enterprise organizations. However, since the emergence of SD-WAN, especially with the continuous improvement of the quality and bandwidth of the last mile of the Internet, more enterprises have begun to face the choice of "MPLS VPN or SD-WAN".
Now, as SD-WAN technology gradually matures, its advantages in network control are fully demonstrated, and user recognition has also increased significantly. Xiong Xuetao believes: "Currently, SD-WAN has entered a mature stage of development and has a high penetration rate in enterprises. In recent years, its annual compound growth rate is also considerable, and it continues to lead the enterprise networking service market. As the demand for enterprises to go to the cloud continues to grow and remote office scenarios continue to emerge, the application of SD-WAN will become more and more extensive, helping enterprises to achieve efficient interconnection and cloud migration. As a result, SD-WAN will usher in faster development in the future."

Regarding the debate between MPLS VPN and SD-WAN, Xiong Xuetao believes that the two are not mutually exclusive. Both have their own strengths. MPLS VPN has reliable data packet transmission capabilities and can be used to connect headquarters with large data centers. SD-WAN offers fast activation, cost savings, and agile cloud migration, which can meet the needs of enterprises to quickly expand branch stores and manage them in a unified way. Enterprises need to weigh, according to their own situation, whether to choose SD-WAN or MPLS VPN, or to reasonably combine the two.

Xiong Xuetao explained that DYXnet started with MPLS VPN and is also one of the first network service providers in China to launch SD-WAN services. It currently serves more than 6,000 domestic and foreign companies, providing MPLS VPN+SD-WAN hybrid networking solutions. Relying on 200+ POP node resources in 100+ cities, it provides one-stop networking services for multiple scenarios such as corporate headquarters-branch-cloud-IDC. The two complement each other to fully meet the diverse needs of corporate digital transformation.
The evolution of cloud-network-security integration: SASE=SD-WAN+SSE

Although SD-WAN is becoming the darling of the enterprise networking service field, in practice it is difficult to solve users' existing pain points by relying on networking capability alone. Xiong Xuetao pointed out that more and more enterprises hope that integrated networking and security can meet their transformation needs in one stop. The emergence of SASE has, to a certain extent, provided a new solution to this problem. According to Gartner's definition, SASE (Secure Access Service Edge) is an emerging product that integrates wide-area networking functions and network security functions to provide subscribable security services for enterprise digital transformation and upgrading.

"SD-WAN did not emphasize security at the beginning of its development. However, with the continuous extension of enterprise network boundaries, the increasing complexity of IT architecture, and the increasing threat of network attacks, users' demand for security has gradually increased. Today, the definition of SASE is relatively clear. SASE is the integration of SD-WAN and SSE (Security Service Edge) functions, which itself is a combination of network + edge cloud security."

In summary, first of all, SASE is a further evolution of SD-WAN network capabilities and a renewed innovation for edge cloud networks. Furthermore, SD-WAN networks are the cornerstone of the implementation and development of the SASE architecture. Widely distributed SD-WAN POP nodes provide the foundation for evolving into edge cloud native security SASE POP points. The diversified digital application scenarios of enterprises require SASE's security protection on demand. In the deep integration of the two, SASE integrates SD-WAN and network security access into the edge cloud network service infrastructure, realizing a security architecture that can adapt to the current enterprise network traffic model.
Xiong Xuetao said: "The main purpose of SASE now is to deliver network and security services to enterprises in a one-stop manner. This is why SD-WAN vendors pay special attention to the evolution of SASE. As enterprise needs become more and more comprehensive, an integrated solution is needed to solve all problems as much as possible. If you only focus on networking without security, you will not be able to meet new requirements."

Based on this understanding, Dianxian has created a one-stop cloud network security integration solution, promoted the SD-WAN integrated SASE security architecture, and provided enterprise-level security services at the POP node closest to the enterprise; created an integrated management platform for SD-WAN and SASE to help enterprises visually manage networks and security; and promoted the integration of SD-WAN networks with Dianxian OCD edge clouds and public clouds to help enterprises quickly access multiple clouds and build a hybrid cloud architecture.

The essence of SASE: Dynamically reconstructing the logical security boundaries of the enterprise

By its definition, SASE includes SWG (secure web gateway), CASB (cloud access security broker), FWaaS (firewall as a service), ZTNA (zero trust network access), and so on. Its functions cover almost all scenarios of enterprise networking. Xiong Xuetao said: "If you look closely at the details of SASE, you will find that its original intention is to cover all security challenges with comprehensive protection capabilities. Of course, not all companies need all of its functions. For example, for secure access to remote offices, you only need to subscribe to zero trust services." In Xiong Xuetao's opinion, customers who have used cloud services will be more receptive to SASE services because it has the same characteristics as cloud applications: on-demand subscription and elastic expansion and contraction.
Specifically, SASE is deployed on the edge cloud, so when customers need to add a security capability, they do not need to add any hardware; they can subscribe directly and use it out of the box.

So how does SASE work? Xiong Xuetao used the application scenario of ZTNA zero-trust network access to explain it. Take a manufacturing company as an example. The company has factories in China and Southeast Asian countries. Business personnel who travel frequently access the company's private cloud from multiple network environments, such as the Internet and 4G/5G, to view design drawings, call OA systems, and so on. In terms of security, the company hopes that factories and business personnel can access key corporate resources and applications in a secure manner. The ZTNA solution of DYXnet SASE conducts a series of systematic security monitoring and restrictions on factories and mobile office personnel from before to after access, keeping customers' key resources and applications secure and under control. In specific scenarios, it is manifested as:
Xiong Xuetao concluded that with the SASE architecture, the enterprise boundary is no longer a location, but a set of dynamically created, policy-based secure access service edges. Relying on centralized orchestration and decentralized execution of security policies, SASE provides the required security guarantees for complex scenarios such as remote office, multi-cloud, and hybrid cloud around each edge cloud network POP point to prevent security threat blind spots. At the same time, enterprises can use a unified control platform to perform global centralized management and threat analysis of the network, and thus respond to and handle security issues more accurately and agilely. So overall, SASE is a very complete security solution.

Vision: Accelerate cloud-network integration and build a computing power network

SASE is still an emerging concept, but Xiong Xuetao believes that the integration of SD-WAN and SASE is bound to be the general trend. The emergence of the SASE concept not only pushes network service providers to pay attention to the evolution of security capabilities, but also encourages security service providers to start building their own network capabilities. Xiong Xuetao said, "Dianxian hopes to further develop its security capabilities based on its own network capabilities and provide customers with simple and comprehensive services. Simple means lightweight, easy to activate, and easy to operate and maintain. Comprehensive means that Dianxian hopes to be as comprehensive as possible and have the opportunity to cover more scenarios and functions. Dianxian's vision is to become a comprehensive solution service provider of 'network + cloud + security + computing power'."

In the future, the overall evolution strategy of DYXnet is, first, to pursue the continuous extension and improvement of SD-WAN networking capabilities.
Second, based on the network capabilities and cloud-network integration capabilities accumulated over more than 20 years, the edge network POP will be fully upgraded to SASE POP to provide network + security solutions. Third, keep up with the trend of computing network construction and development, and continuously explore the integration of SD-WAN + SASE + computing power.

Final Thoughts

According to Gartner's forecast, by 2024, the SASE market size will climb from US$1.9 billion in 2019 to US$11 billion. The SASE track will inevitably see competition among traditional IT vendors, cloud vendors, security vendors and other forces. First-line's continuous exploration and practice of the integration of SD-WAN and SASE is a microcosm of vendors' efforts to position themselves and lay the foundation for the computing network era under this general trend. It remains to be seen how it will upgrade across dimensions such as products, resources, and services to help enterprises quickly obtain high-quality network + security + computing services.