The Essential SASE for Enterprises eBook

Practical Solutions for Today’s Network Security Challenges

Achieving Flexibility, Security, and Performance in Enterprise Networks

It’s no easy task to manage a modern enterprise network. Large companies face unique challenges requiring solutions that allow them to remain agile and efficient. Without the right balance, vulnerabilities quickly emerge, creating weak spots that adversaries can exploit.

- A hybrid workforce with both remote and in-office employees introduces unique challenges to secure access
- On-premises servers provide stability for mission-critical legacy applications, but limit scalability and responsiveness to business demands
- Cloud deployments increase flexibility; however, without proper visibility, they pose significant security risks
- Essential software-as-a-service (SaaS) platforms such as Salesforce, Microsoft 365, and Google Workspace require special attention to security aspects
- Branch offices have special connectivity needs and access considerations

These diverse needs make it difficult to maintain a consistent security posture that considers the full network attack surface.

Juggling the demands of an enterprise network requires a perfect balance of security and performance. Let's take a tour through practical network security use cases enterprises face daily and explore how Secure Access Service Edge (SASE) solves these challenges for a secure, unified, and productive network environment.

Management and Visibility

Before anything else, an enterprise IT team needs management control and visibility into the network. It doesn’t matter how good your tools are: if the IT team cannot see what’s going on within the network, your organization is left vulnerable.

Most companies use a patchwork of point solutions, each meant to solve a specific need. A typical enterprise might use separate solutions for SD-WAN, VPN, and endpoint security, leading to management silos and increased vulnerability.

A unified SASE service brings the essential elements of network security into one console. If problems do arise, the increased visibility means the team is better prepared to deal with them within a single, cohesive view.

Secure Access to Cloud and On-Prem

IT administrators for the modern enterprise must support secure connections from anywhere to anywhere, worldwide. For example, a remote sales team needs to access on-prem resources with the same reliability as office employees.

SASE transforms the corporate VPN from a few clustered locations into a globally distributed network, offering robust, secure access for enterprise teams of any size.

This global reach ensures that employees experience consistent performance and security. By eliminating legacy VPN bottlenecks, SASE also improves productivity and simplifies IT management.

Application-by-Application Access Permissions

Enabling a secure connection regardless of location is only part of modern secure access. Organizations also need to ensure only authorized personnel can access company data and resources. A key part of SASE is to dole out user permissions on a per-application basis. Not per server, or data center, or region – but per application.

The idea of per-application permissions is based on the Zero Trust model where no one is assumed to be trustworthy by default. Each access request is evaluated based on identity and context such as device posture, location, and time of day.

This ensures both security and productivity: employees access the data they need, while attackers are kept from moving across your network.

SaaS Security

Software-as-a-service platforms like Salesforce, Microsoft 365, Monday.com, and Asana are an essential part of modern work but are easily identifiable targets. A SASE solution can ensure that only your workforce accesses data stored in enterprise SaaS solutions by using IP address allowlisting. This means that, even if an attacker gains credentials, they will be blocked unless they are accessing from an approved IP address managed by the SASE service, adding an extra layer of security beyond simple permissions.

Just as important, however, is visibility into how users are connecting sanctioned SaaS to other SaaS applications. Consider an employee integrating a sanctioned file-sharing SaaS with a lesser-known task management app, or integrating their Microsoft 365 account with multiple unsanctioned mail apps as shown in Fig. 1. Without IT visibility, sensitive documents could be accessed and shared without proper controls, creating a major blind spot.

In addition to access, SaaS security requires visibility into SaaS platforms. One of the primary ways to do this is inline shadow IT discovery, where the SASE solution monitors traffic to see exactly which SaaS platforms employees are using, both sanctioned and unsanctioned. This is critical since employees may be uploading company data to unsanctio