Implementing a SASE solution: it takes more than marketing
There has always been a need to support distributed workforces in an agile and cost-effective way. However, this has never been more important than today. Not only has there been a surge in remote workers, which promises to be the new normal, but companies are also thinking about how to safely bring workers back onsite by shifting away from large, highly dense corporate offices to more regionally clustered locations.
Every workforce requires predictable and reliable network connectivity to be effective, coupled with robust information security to protect devices and data. The increase in remote workers complicates this by placing employees outside of the traditional on-premises, organizationally secured access model and beyond the physical reach of IT staff for troubleshooting and management.
At the same time, enterprises continue to struggle with the best way to securely deliver fast and reliable access to cloud-hosted applications. The shift from centralized data centers to cloud-hosted SaaS is happening fast. This also means that the way traffic is routed, inspected and secured needs to change.
In 2019, Gartner introduced a new concept, Secure Access Service Edge (SASE), as a framework for addressing the above dynamics. It supports the following core principles:
- Cloud-hosted architectures, so that services can be easily deployed on-demand and at scale;
- Identity-driven policies, whereby network access and security can be customized based on individual user requirements;
- Localized policy inspection/enforcement to deliver applications and services as close to users as possible to minimize latency.
While SASE is transitioning from emerging technology to mainstream, vendors like Juniper are laying the foundation today for this important architectural shift. Below are ways this is being accomplished, and why Juniper is uniquely positioned to lead the SASE space as it continues to emerge.
Juniper has long embraced the need for scalable, resilient and agile solutions hosted in the modern cloud, coupled with open APIs for easy programmability. This facilitates the anywhere/anytime operations of SASE solutions, from zero-touch provisioning (ZTP) of CPE devices like the Juniper SRX Series firewall to the remote configuration and monitoring of security, networking and application policies. This becomes especially important as the industry transitions from traditional SD-WAN environments that rely on static policies to a new era of AI-driven solutions that leverage real-time automation and insight to optimize user experiences all the way from the client to the cloud. Juniper’s powerful capabilities across LAN, WAN and Security elements, combined with a unified AI engine, enable it to deliver on this promise.
In the cloud, workloads can be highly dynamic and elastic, with frequent additions, moves and changes. This can complicate the ability to attach SASE policies to workload instantiation and track policies with workload movement to ensure optimal network performance and continued security compliance. Juniper addresses these challenges with virtual and containerized versions of the SRX (the vSRX and cSRX, respectively), which can be easily deployed as needed and configured with dynamic network access and security policies that adapt to changing workload needs.
A Unique Focus on User Experiences
When it comes to network access in a SASE environment, there are three main things that can impact the user experience:
- Availability: Is the WAN link up or down?
- Quality: Is packet loss, congestion or other network and application parameters adversely affecting traffic delivery?
- Capacity: Is there enough bandwidth (either via a single link or across multiple links) to support traffic requirements?
While traditional SD-WAN solutions look at network and application conditions in an attempt to optimize the above, they lack a key element – visibility into the actual user experience. Unfortunately, “up” is not the same as “good”. In other words, just because a WAN link is successfully passing traffic, it doesn’t mean the users on that link are having a good Zoom experience. Furthermore, how does an IT administrator know if a change to the WAN (e.g., the switch from one active connection to another) made the user experience better or worse? This traditionally has been a gaping hole in networking. No feedback loop exists whereby IT administrators can set and monitor customizable WAN Service Level Experiences (SLEs) and take automated actions to ensure the best user experiences.
Juniper uniquely uses AI-driven automation, insight and actions across the LAN, WLAN and WAN to optimize the end-to-end user experience. This includes customized Service Level Expectations (SLEs), event correlation across the LAN and WAN for rapid fault isolation and resolution, AI-driven support with proactive notifications and an interactive Virtual Network Assistant (VNA) called Marvis to provide recommended actions and/or keep the network humming autonomously.
As the name suggests, Security is also an essential element of the SASE user experience. By integrating network and security elements together in a single platform, Juniper customers can seamlessly and cost-effectively take advantage of advanced security services like Application Security for broader visibility and control, Advanced Threat Prevention, Intrusion Detection and Prevention, and Data Loss Prevention, all with no additional hardware or software required. Juniper Advanced Threat Prevention (ATP), for example, is a cloud-based service that provides complete advanced malware protection. SASE customers can identify and defend against new zero-day malware and targeted attacks, mitigate risks by updating existing security controls to defend against identified and unknown threats, reduce the time and cost to remediate threats and, overall, reduce exposure to advanced threats.
Juniper Connected Security
By converging security and the network into a unified solution, Juniper provides the powerful and compelling ability to see, automate and protect at every point of a SASE connection. This concept, known as Juniper Connected Security, enables the network to be Threat-Aware, with the ability to detect and enforce policies at every connection point across the network – from the client to the cloud. At the same time, analytics and threat intelligence provide the insight and ability to act on threats or prevent risky behavior by users or devices. Firewall orchestration will empower IT teams to automatically implement mitigation. This mitigation can take the form of a firewall policy, a switch port, an AP-registered MAC or an endpoint agent (via control commands or an infected host feed).
In combination with ATP, Juniper can orchestrate rule changes to any combination of supported devices with automated responses to real-time threats at the connection point of the user (no matter where they are on the network). This functionality is called SecIntel (Security Intelligence) and is a critical component of Juniper’s Connected Security strategy. SecIntel delivers curated, consolidated, actionable intelligence to Juniper SRX Series firewalls, MX Series routers, EX and QFX Series switches and Mist APs, as well as third-party networking devices, to protect users where it matters with minimal impact elsewhere.
“When the bones are good, the rest doesn’t matter.”
In the case of SASE, I find the above quote (credit to singer Maren Morris) especially applicable to Juniper. They have the right pieces in place to deliver a compelling SASE solution, including robust cloud offerings, a deliberate focus on user experiences and the right toolset for end-to-end traffic inspection and policy enforcement in real-time. As the SASE space continues to evolve, look to Juniper to build on these elements with new features, partnerships and use cases that stand out from the competition and deliver real value to their customers.