Palo Alto Networks Blog, 6 July 2024
The Next Generation of Network Security Is Cloud-Delivered

 

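The rise of cloud computing and increasing user mobility are changing the way networking and network security services are delivered. SASE (secure access service edge) has emerged as a new network security model: it moves network security functions from traditional on-premises deployments to the cloud and provides unified, consistent security. This article covers the origins, development and advantages of SASE, and how Palo Alto Networks delivers a comprehensive SASE solution through its Prisma Access product.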

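📡 **Background and necessity of SASE:** Traditional network security architectures face many challenges in the cloud era, such as applications migrating to the cloud and increased user mobility, and traditional point-product solutions struggle to meet them. SASE emerged to solve these problems: it consolidates network security functions into a unified platform delivered from the cloud, to better protect users, applications and data. The emergence of SASE is a major change in the network security field; it will change traditional network security architecture and push the network security industry toward the cloud.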

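💻 **Key characteristics of SASE:** SASE is a comprehensive security solution that consolidates network security functions and WAN capabilities into a unified platform to meet the changing secure access needs of digital enterprises. Its key characteristics include:

* **Unified platform:** SASE consolidates different access and network security methods into one unified platform, simplifying network security management and improving security.
* **Cloud delivery:** SASE is delivered from the cloud, which lets it adapt better to cloud environments and offers more flexible deployment.
* **High-performance network:** SASE needs to be built on high-performance global network infrastructure to ensure access speed and stability for users.
* **Seamless user experience:** SASE needs to provide a seamless user experience so that users can reach the resources they need without friction.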

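📢 **Palo Alto Networks' SASE solution:** Palo Alto Networks is a leader in the SASE field, and its Prisma Access product provides a comprehensive SASE solution that helps enterprises build secure cloud networks. The advantages of Prisma Access include:

* **Cloud-based secure access:** Prisma Access gives users secure cloud access, so they can safely reach the resources they need wherever they are.
* **Comprehensive network security functions:** Prisma Access provides comprehensive network security functions, including firewall, intrusion detection and prevention, malware protection and data loss prevention.
* **Flexible deployment:** Prisma Access can be deployed flexibly across a variety of cloud environments to meet different business needs.
* **Scalability:** Prisma Access scales easily to meet growing business needs.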

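📃 **Outlook for SASE:** SASE is the future direction of network security and will continue to push the network security industry toward the cloud. In the future, SASE will become more intelligent, automated and personalized to better meet enterprises' changing security needs.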

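📑 **Significance of SASE:** The emergence of SASE marks a major change in the network security industry; it will give enterprises network security solutions that are more secure, more flexible and more convenient. The success of SASE will push the network security industry toward the cloud and provide strong support for enterprises' digital transformation.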

By Nir Zuk, Palo Alto Networks founder and CTO

Applications moving to the cloud and increased user mobility are changing the way networking and network security services must be delivered. The future of network security is in the cloud, and this new model is known as a “secure access service edge,” or SASE (pronounced “sassy”). Palo Alto Networks founder and CTO Nir Zuk has been driving this change for the past few years with the Prisma Access product, the industry’s most comprehensive SASE. Here, Nir explains why SASE is the logical evolution for network security. This is the first in an ongoing series in which Palo Alto Networks thought leaders explore the core tenets of an integrated, effective SASE solution, and more broadly, its implementation and implications.

In a cloud-driven world, security needs to be unified, consistent and delivered from the cloud that it’s chartered to protect. This statement transcends my entire career in security, which has required constant evolution to keep up with changes in technology and secure users, applications and data. That focus remains. However, when it comes to the future of network security and the coming convergence, the legacy point-product approach is no longer effective. 

Nearly 25 years ago, I was the principal developer of the industry’s first stateful inspection firewall. Those were the early days of the internet, and back then the prominent firewall technology was stateless access control lists (ACLs). ACLs were not able to deal with the emergence of stateful applications, such as internet audio and video applications (or even good old FTP), so a new approach was clearly necessary. An attempt at using proxy technology proved futile, as proxies were too slow and had the tendency to break many of these applications. Stateful inspection proved to be both useful and secure, which is why it has since dominated the network security market. 

Almost 15 years ago, it became apparent that the explosion in the number of internet applications was challenging stateful inspection, so taking a new approach was again necessary. Early attempts at responding to the challenge with proxy technology emerged (for the second time!). However, they failed once more due to the proxy’s inherent poor performance and its inability to inspect all types of network traffic. I felt I had to fix the firewall again, which led me to start Palo Alto Networks and build a replacement for stateful inspection – the App-ID-based Next-Generation Firewall – which today is, by far, the leading firewall in the market.

Today we are witnessing yet another change in applications that is driving yet another change to network security. This time, applications are moving from corporate data centers to the cloud – both SaaS and public cloud. Cloud adoption is challenging firewall architecture again and requires me to respond. And yes, early attempts at solving the challenge are happening with a proxy, which are failing for the same reasons they did before.

It’s time to fix network security. Again.

Over time, organizations have typically assembled quite a few network security infrastructures. There is infrastructure for securing branch offices, where traffic is typically backhauled over an IP-VPN (think MPLS) network back to corporate headquarters or data centers, and internet traffic is routed from there through the organization’s network security stack. Then there is the network security infrastructure for allowing remote access into the corporate data center. 

As applications move to the cloud, the old method of forcing all branch, user and partner traffic back through the corporate headquarters or data centers no longer makes sense. It makes much more sense to deliver the same network security stack from the cloud, such that traffic destined for the cloud does not have to hit corporate networks, and less traffic needs to go to corporate data centers.

By delivering network security from the cloud, you can protect users, applications and data, regardless of where they are. 

SASE: A More Secure Everywhere

Gartner has proposed a new model for networking and network security in the cloud, known as the “secure access service edge,” or SASE, pronounced “sassy.” In Gartner’s words:

“The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises.” 

Effectively, Gartner asserts SASE is able to meet the demands of cloud and mobile environments, addressing the challenges with traditional network and security architectures. 

I agree with this concept, and in my mind, it’s relatively simple. SASE is the convergence of different access and network security methods into one cohesive platform. Perhaps most importantly, however, this cohesive platform must ensure a seamless user experience. It must be built on a high-performance global network, which is beyond the capability of most smaller vendors. SASE demands a level of integration that’s unprecedented in the security industry. It’s unlike other approaches in the fragmented security industry, which has extremely low barriers to entry.

The cybersecurity industry has worked hard to convince customers that they need to work with dozens of vendors and use dozens of point products and technologies. Yet the future of network security is in the cloud, and security vendors must evolve in order to effectively secure customers anywhere and everywhere. 

At Palo Alto Networks, we foresaw this shift and built a compelling SASE solution. Prisma Access delivers the networking and networking security that organizations need in a SASE architecture designed for all traffic, all applications and all users. 

Learn more about SASE in our 10 Tenets of an Effective SASE Solution ebook.

 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner, The Future of Network Security Is in the Cloud, Neil MacDonald, Lawrence Orans, Joe Skorupa, 30 August 2019.

The post The Next Generation of Network Security Is Cloud-Delivered appeared first on Palo Alto Networks Blog.
