In this lesson, we're going to cover the Secure Access Secure Edge and the Security Service Edge. The Secure Access Secure Edge, or SASE, and the Security Service Edge, or SSE, frameworks are network security architectures that blend traditional network services with comprehensive security functions. SASE and SSE both mark a significant evolution from a decentralized security model into a more unified, cloud-centric approach. These days, our digital businesses have transformed beyond the boundaries of the typical corporate network and extended our services well beyond our traditional network perimeters and boundaries. To help secure these deperimeterized networks, we can utilize SASE and SSE to provide us with secure, fast and reliable access to our cloud-based network resources, no matter where our users are and what devices they're trying to use. First, let's take a look at the Secure Access Secure Edge framework, known as SASE.
Now, the Secure Access Secure Edge framework is used to consolidate numerous wide area networking and security functions into a single cloud-native service to ensure that secure and seamless access for our end users can be achieved regardless of their actual physical location. The Secure Access Secure Edge is seen as a way to address the challenges of securing and connecting users and data that are being distributed across multiple locations, like branch offices, remote workers, and mobile users, as well as into our cloud environments. A key aspect of using SASE technology is using software-defined networking, or SDN, to provide security and networking services from the cloud rather than from traditional hardware-based appliances. This allows for more flexibility, scalability, and cost efficiency than using traditional network solutions. Secure Access Secure Edge, or SASE, solutions are typically going to include a wide variety of security services, including things like firewalls, VPNs, Zero Trust Network Access, and Cloud Access Security Brokers, which are known as CASBs.
These are all going to be delivered through a common set of policy and management platforms, as well as to achieve your networking goals. SASE is going to help to address the challenges of the modern distributed enterprise, which is increasingly composed of mobile, cloud-based, and multi-cloud applications and services, as well as a large number of users and devices that are constantly growing and moving into larger and more distinct locations. SASE is going to be used to provide a more secure and efficient way of connecting all these users and their devices back to the applications and services that they want to use, regardless of the location or the type of device that they're actually going to be connecting with. Now, all of the major cloud providers, including Amazon Web Services, Microsoft Azure, and the Google Cloud Platform, do offer solutions that align with the concepts of Secure Access Secure Edge, but each one refers to them by a different name or acronym depending on the specific service or product that you're going to be referencing.
For example, in Amazon Web Services, also known as AWS, the service that most closely aligns with SASE is known as a VPC, or Virtual Private Cloud. Now, Virtual Private Cloud provides a secure and flexible network infrastructure for your applications and data, and AWS VPCs enable us to create virtual networks in the cloud and connect them to our on-premise data centers or other AWS services to achieve that SASE capability. Microsoft Azure actually has a lot of different services that align with the SASE concept, including Azure's Virtual WAN, which provides secure, global and efficient connectivity between branch offices, data centers, and Azure resources, as well as Azure ExpressRoute, which enables you to create a dedicated private connection between an Azure data center and your on-premise network infrastructure. If you happen to be using the Google Cloud Platform, they call their SASE-aligned service Google Cloud Interconnect.
Google Cloud Interconnect allows you to connect your on-premise infrastructure to the Google Cloud Platform, known as GCP, over a dedicated private connection. They also have a service known as Google Cloud VPN that allows you to securely connect your on-premise infrastructure to your virtual private cloud network through an IPsec VPN tunnel. Now, it's important to realize that these services are not exclusively SASE providers, and the definition of SASE here is not completely aligned with all the features and functionality of any single cloud service from these cloud service providers, but they do provide a lot of the aspects of SASE for you, such as having secure, flexible, and global networking capabilities by using these different services. Next, let's take a look at the Security Service Edge, also known as SSE. The Security Service Edge framework is a key subset of the Secure Access Secure Edge model that really focuses on the security services necessary to protect access between our users, devices and the cloud.
While SASE combines comprehensive WAN and security services, the Security Service Edge really only focuses on security and determining what is required to guard your data and your interactions in a cloud-centric world. The Security Service Edge is designed to address the sophisticated threat landscape that our modern organizations are facing, where traditional security perimeters are no longer in existence. In the past, security measures were centered around the corporate firewall, but with the advent of cloud computing, mobile workforces and bring-your-own-device, or BYOD, policies, those traditional boundaries in our corporate networks have pretty much dissolved. So Security Service Edge has stepped into this new era with a suite of security capabilities that are delivered as a service to ensure that no matter where the data resides or travels to, it's always under the vigilant watch of our robust security measures. SSE is focused on providing secure access to the internet, cloud services, and/or private applications.
This is typically going to be done by using technologies like Secure Web Gateways, Cloud Access Security Brokers, and Zero Trust Network Access. Now, a Secure Web Gateway, or SWG, can be used to inspect and filter unwanted software and malware from user-initiated web and internet traffic sessions. A Cloud Access Security Broker, or CASB, is used as a border device that sits between the cloud service consumer and the cloud service providers to monitor the activity and enforce the security policies. Zero Trust Network Access, or ZTNA, is designed to operate on the principle that no user or device, inside or outside of the organization's network, should be trusted by default. Now, these three technologies all converge under the Security Service Edge framework to form a security framework that's both comprehensive and adaptable.
For instance, a Secure Web Gateway can be used by an organization to ensure that when employees access the internet, they're doing so without exposing the company to a web-based threat or violating a compliance policy. A Cloud Access Security Broker, on the other hand, could be employed to monitor and control the data that's being shared with cloud applications and to provide visibility, compliance, data security, and threat protection for our users. Perhaps the most crucial, though, is going to be Zero Trust Network Access, which is redefining network security by treating every access attempt as if it originates from an untrusted network. This type of Zero Trust Network Access can be used to grant access based on the identity and context of the user or the device, and apply strict access controls and not just a perimeter-based firewall approach. This ensures that only authenticated and authorized users and devices will be able to access applications and services, in order to reduce the attack surface and mitigate the risk of internal threats.
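The default-deny decision that the ZTNA description above is getting at, written out as an added illustration (not code from the lesson or from any vendor's product); the request fields, the two application policies and the posture checks are assumptions chosen for this example:

```python
"""Default-deny ZTNA-style access decision (added illustration, not vendor code).

Every request is treated as if it came from an untrusted network: access is
granted only when identity, device posture and context all satisfy the target
application's policy. Field names and policy thresholds are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str
    authenticated: bool            # identity proven (e.g. SSO login succeeded)
    mfa: bool                      # strong second factor presented this session
    groups: set = field(default_factory=set)
    device_managed: bool = False   # enrolled in MDM/EDR
    disk_encrypted: bool = False
    os_patched: bool = False
    source_network: str = "internet"  # "corp", "branch" or "internet"


# Per-application policy: required group plus minimum posture (constructed values).
APP_POLICY = {
    "wiki":    {"group": "staff",   "mfa": False, "managed": False},
    "payroll": {"group": "finance", "mfa": True,  "managed": True},
}


def evaluate(req: AccessRequest, app: str) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Any failed check denies; an unknown app denies."""
    reasons = []
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, ["unknown application: default deny"]
    if not req.authenticated:
        reasons.append("identity not verified")
    if policy["group"] not in req.groups:
        reasons.append(f"user not in required group {policy['group']!r}")
    if policy["mfa"] and not req.mfa:
        reasons.append("MFA required for this application")
    if policy["managed"] and not (req.device_managed and req.disk_encrypted and req.os_patched):
        reasons.append("device posture insufficient (managed, encrypted, patched required)")
    # Deliberately no rule like "allow if source_network == 'corp'": being on the
    # corporate LAN grants nothing by itself, which is the point of zero trust.
    return (len(reasons) == 0), reasons


if __name__ == "__main__":
    lan_user = AccessRequest("bob", True, False, {"finance"}, True, True, True, "corp")
    print(evaluate(lan_user, "payroll"))   # denied despite being on the corporate LAN
```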
Together, all these components of the Security Service Edge can create a dynamic, scalable, and secure framework that can be applied consistently across all users regardless of their location. This enables organizations to enforce their security policies without the constraints of backhauling traffic to a central location, which in turn reduces latency and improves your users' overall experience. So remember, the Secure Access Secure Edge, or SASE, and the Security Service Edge, or SSE, frameworks are network security architectures that blend traditional network services with comprehensive security functions. The Secure Access Secure Edge framework is used to consolidate numerous wide area networking and security functions into a single cloud-native service to ensure that secure and seamless access for our end users can be achieved, regardless of their actual physical location.
The Security Service Edge framework is a key subset of the Secure Access Secure Edge model that's focused exclusively on the security services necessary to protect access between our users, devices and the cloud. While SASE combines comprehensive WAN and security services, the Security Service Edge really does focus only on security and determining what is required to guard the data and interactions inside of a cloud-centric world. As we continue to shift our enterprises and our corporate networks towards more distributed networks, these models and frameworks are going to continue to play an increasingly vital role in ensuring that security is not just an afterthought, but a foundational component inside of our network architectures.