Connect and Secure Distributed Applications and Users

It’s no secret that applications and work models have dramatically changed over the past few years. IT has always faced major challenges in networking and securing applications. But until recently, most of those applications resided in one well-defined data center environment. All traffic went through a technology stack at the physical perimeter, with a single point of control for all applications—both local and remote. However, this stack was expensive to buy, complex, and costly to configure and manage. Its complex nature also led to misconfiguration and security vulnerabilities.

Today’s world looks quite different, and even small enterprises face a much more challenging situation, where apps and users might be almost anywhere. Applications are still in the data center, but they might also be co-located offsite, or delivered through a cloud service. Users might be in a branch office, but they could just as easily be working from home, visiting family, or connecting from a coffee shop. With no physical perimeter, the only reasonable approach is a logical mode, based on:

  • Identity, including who is accessing the app, and whether they are authorized to do so
  • Context, such as how trusted the user and their device are, and when and where they are logging in

This approach works for any endpoint, connecting to any application, in any location. The umbrella term for these cloud-delivered services is Secure Access Service Edge (SASE). SASE is enjoying wide adoption, and it’s increasingly supported by every major networking and security vendor. It also integrates smoothly with SD-WAN solutions, and complements WAN optimization, QoS, zero trust network access, and other leading-edge capabilities.

Secure, agile connectivity for modern users and applications

The benefit of SASE is that it matches the networking and security services to the needs of each session and can be adapted as context changes. For example, an accountant working from home, on a trusted device, might access two approved applications, plus her social media. SASE will activate the appropriate services, including SaaS acceleration to improve her user experience, and data loss prevention because she’s on social media. If the accountant reconnects later from an airport Wi-Fi hotspot, it could add DNS and Wi-Fi protection.

Today’s users increasingly rely on composite applications with distributed components and back-end services. One of the advantages of SASE is that when policy requirements change, there’s no need to change the applications themselves. Using identity and context to determine required networking and security services is a well-understood, well-established practice, and can apply to composite applications. If we separate policy definition from enforcement, we only need to configure applications once.

Generic illustration of VMware SASE securely connecting users and devices in any location to apps and data in any location or cloud.

Five capabilities are needed, including:

  • Common policy definitions and mappings
  • A method to encode the policies
  • Consistent policy enforcement mechanisms so we get the same behavior everywhere
  • Common error codes to figure out what went wrong in the event issues arise
  • Multi-vendor support from network and security vendors, cloud and service providers, and application providers

By applying SASE principles to composite applications and inter-application communications, we can use a single end-to-end policy configuration and enforcement model. This extension, called Composite Application Secure Connectivity Edge (CASCE), can leverage and propagate edge-based authentication context across the distributed components and back-end services of a composite application. CASCE was part of the original SASE vision, and it can apply to any distributed composite application, including public web-facing applications.

To deliver on this, organizations will need a cross-functional team, from application security, networking, network security and governance. This team will have to work together to determine the appropriate governance policies, as well as user requirements for performance and availability. To achieve consistency, they will require a single method for policy definition and distribution that is separate from enforcement.

The timing is right for CASCE. Composite application adoption is growing, the technology is mature, and the key elements exist. The good news is that multiple large vendors are already working on it, and they understand that it requires an open approach.

Learn more

  • Find about the essentials of SASE, and how it helps enterprises navigate today’s changing threat landscape in an increasingly distributed world, on the VMware SASE website
  • Read our blog about VMware SASE’s position as a Leader in the 2021 Gartner® Magic Quadrant™ for WAN Edge Infrastructure for four years in a row

GARTNER and MAGIC QUADRANT are trademarks and service marks of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Leave a Reply

Your email address will not be published. Required fields are marked *