Building PoPs for Secure Access Service Edge

The IT landscape has changed. Networks centralized around a data centre no longer make sense when applications are served from the cloud and users work from remote locations. The internet has become a staple of enterprise networks but brings security concerns that can no longer be solved with on-premise security appliances. Secure access service edge (SASE) architectures move security out of data centres and push it out to where users, data, and applications reside. They bring the inspection to the traffic instead of bringing the traffic to the inspection, which improves the user experience and lowers the cost of operations.

SASE architectures do this through distributed points of presence (PoP).

These PoPs have two components:

  • Global Network Mesh – Secure access service edge solutions leverage a software-defined WAN to build their own private network of points of presence (PoPs). Once established, traffic is intelligently routed through this network mesh, minimizing the latency and loss problems associated with public internet paths. The benefits of the global network are most noticeable to users whose traffic takes long-haul, inter-regional paths.
  • Distributed Inspection and Policy Enforcement – Serving users and applications in a variety of locations means security inspection and policy enforcement must also be distributed. Security services such as secure web gateways (SWG) and data loss protection (DLP) become expensive at centralized bottlenecks in the cloud, while functions like remote browser isolation benefit from vertical scaling to accommodate unpredictable demand. To improve user experience and minimize cloud costs, inspection and enforcement are moved to the edge (the PoPs) and operated on a platform that combines SD-WAN with edge compute capabilities.

Additionally, because the network is assumed hostile, SASE provides end-to-end encryption of every session. The architecture extends this all the way from the application to the PoP and down to the endpoint device.

The ability for these PoPs to remain seamlessly connected, and also to run security components, is critical to the convergence of network and security that secure access service edge promises.

A Trustgrid Points of Presence (PoP) Network

Many security vendors have spent hundreds of millions of dollars building out proprietary PoP networks to enable SASE architectures. While this may be a viable strategy for some solution providers, others may not have the appetite to build or maintain this kind of overhead. While these dedicated networks have been the standard, rapidly evolving offerings from AWS and Azure have widened the available options. The rationale for building massive PoP networks begins to erode when compared with leveraging the global networks of public cloud operators. And for enterprises building their own internal SASE architectures, a more economical solution may combine existing data centres with public cloud infrastructure.

Trustgrid has taken a more flexible approach to the PoP problem. As a platform delivering both networking and edge computing capabilities, we empower our customers to build their own PoP infrastructure as they need it. In each PoP, security applications run in containers on the Trustgrid platform, seamlessly connected via the Trustgrid SD-WAN and centrally orchestrated. And because the platform has been designed from the ground up to deploy at massive scale, new sites can be turned up relatively quickly in 1 or 1000 locations with minimal effort.

Trustgrid Secure Access Service Edge Architecture for Secure and Flexible Network Access

When building this fabric of PoPs, some may opt to use IaaS compute for non-latency-sensitive operations, while others may rely on existing owned or leased data centres. Some SASE solutions will use a hybrid model: internet edge PoPs for low-latency in-line inspection, and commodity compute and storage from public cloud providers for less-latency-sensitive operations such as network sandboxing, remote browser isolation, and audit log storage and analytics.

Regardless of each PoP's location, a Trustgrid-enabled SASE architecture leverages these distributed points of presence to provide flexibility in addressing each organization's access latency and data residency requirements. Once established, traffic can traverse dedicated lines or the public internet between PoPs. The public internet can also be used for a short hop to the SASE fabric, where traffic is then inspected based on policy and optimized for best performance via intelligent routing.
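The hybrid placement described above (in-line inspection at low-latency edge PoPs, less-latency-sensitive functions in public cloud PoPs, both constrained by data residency) can be expressed as a small PoP-selection policy. This is an added illustration, not Trustgrid's code; the fabric, PoP names, RTT values and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Tiering taken from the hybrid model in the text: in-line inspection at the
# edge, sandboxing / remote browser isolation / audit logging in public cloud.
EDGE_FUNCTIONS = {"swg", "dlp"}
CLOUD_FUNCTIONS = {"sandbox", "rbi", "audit_log"}


@dataclass(frozen=True)
class PoP:
    name: str
    region: str    # jurisdiction used for data-residency checks
    tier: str      # "edge" (internet edge / data centre) or "cloud" (IaaS)
    rtt_ms: float  # measured round-trip time from the requesting user or site


# Constructed sample fabric (hypothetical PoPs, not a real deployment).
FABRIC = [
    PoP("fra-edge", "eu", "edge", 12.0),
    PoP("ams-cloud", "eu", "cloud", 25.0),
    PoP("nyc-edge", "us", "edge", 85.0),
    PoP("iad-cloud", "us", "cloud", 95.0),
]


def select_pop(function: str, fabric: list, residency: Optional[str] = None) -> Optional[PoP]:
    """Choose the PoP that should serve `function` for one user or site.

    In-line functions go to the lowest-RTT edge PoP; other functions go to the
    lowest-RTT cloud PoP. A residency requirement narrows the candidates to PoPs
    in that region and is never relaxed: if nothing satisfies it, the caller
    gets None and must fail closed rather than route to a non-compliant PoP.
    """
    if function in EDGE_FUNCTIONS:
        tier = "edge"
    elif function in CLOUD_FUNCTIONS:
        tier = "cloud"
    else:
        raise ValueError(f"unknown security function {function!r}")
    candidates = [p for p in fabric if p.tier == tier]
    if residency is not None:
        candidates = [p for p in candidates if p.region == residency]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p.rtt_ms)
```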

Additionally, the Trustgrid platform integrates with most identity providers and handles all software lifecycle management needed to operate a global SASE network securely and efficiently.

Summary

Today enterprises need a network mesh that supports the security of distributed users, data and applications. By applying software-defined networking and edge computing to the security stack, access and security services can be delivered with lower latency and a seamless user experience.

With the Trustgrid platform, security PoPs can be established as needed, at a lower cost, and across an unlimited number of locations, allowing for SASE architectures to be customized to the needs of any security vendor or enterprise.
