
HPE Aruba Networking Blogs

Best-of-breed SASE with Aruba and Netskope (Part one)

By Karan Singh Dagar, Product Marketing Manager, Aruba

Protecting sensitive data is becoming more complex and challenging. More sensitive data now resides outside the enterprise perimeter than in the data center, driven by users consuming more applications as SaaS. Even private applications are increasingly hosted in IaaS instead of corporate data centers. Without a single enterprise security perimeter, the attack surface grows, and with it the need for advanced data and threat protection. In 2019, Gartner coined the term secure access service edge, or SASE, which describes a more secure and flexible way to perform advanced security inspection directly in the cloud instead of backhauling application traffic to a data center before forwarding it on to the cloud. This cloud-first approach to security also aligns with the adoption of hybrid work post-pandemic, where workers will balance their time between the office and remote work for the foreseeable future.

SASE combines WAN edge functions with cloud-delivered security functions. Aruba EdgeConnect Enterprise is an advanced SD-WAN platform that supports the WAN edge functions SASE requires: SD-WAN, routing, WAN optimization, and the essential security functions that protect the branch from inbound threats, namely a zone-based stateful firewall, IDPS, and segmentation, all from a single platform.

An industry leader in cloud-delivered security, Netskope complements Aruba EdgeConnect Enterprise by supplying the cloud-delivered security functions, otherwise known as Security Service Edge (SSE). SSE defines the set of security services that deliver on the security vision of SASE: Firewall-as-a-Service (FWaaS), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and related functions such as Remote Browser Isolation (RBI), Data Loss Prevention (DLP), and Cloud and SaaS Security Posture Management (CSPM/SSPM).

In a typical deployment, Aruba's First Packet iQ application classification technology, deployed at edge locations such as branch or headquarters sites, automatically identifies more than 10,000 SaaS applications and 300 million web domains on the first packet, enabling granular traffic steering and security policy enforcement. Recognizing trusted applications enables local breakout from the branch office for trusted or latency-sensitive applications such as Microsoft 365 or Zoom; note that locally broken-out traffic bypasses cloud inspection, so which applications count as trusted is itself a security policy decision. Application awareness also makes it possible to send other Internet- or SaaS-bound traffic to Netskope for advanced inspection before it is forwarded on to the SaaS or cloud destination. Netskope's extensive peering relationships with web, cloud, and SaaS providers further optimize user and application performance for these transactions. Using the same Aruba traffic steering, private application traffic hosted in the data center can be sent back to headquarters across an MPLS connection.
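To make the steering decision concrete, here is an added example (not Aruba or Netskope code) of a first-packet classifier with three outcomes: private-prefix destinations go over MPLS to headquarters, trusted SaaS breaks out locally, and everything else is tunneled to the SSE for inspection. It is a deliberate simplification: it classifies only on the TLS ClientHello server name (SNI) and the destination prefix, whereas First Packet iQ uses its own application and domain database. The SaaS hostnames, the 10.0.0.0/8 private-app prefix, and the `build_client_hello` helper used to construct a sample first packet are assumptions made for the example.

```python
"""First-packet application classification and traffic steering (illustrative).

Added example, not Aruba or Netskope code. Assumes the only first-packet
signals are a TLS ClientHello's SNI and the destination IP; real SD-WAN
classifiers also use DNS responses and IP/port application maps.
"""
import ipaddress
import struct
from typing import Optional

# Constructed policy tables (hypothetical names and prefixes).
TRUSTED_SAAS = {"outlook.office365.com", "teams.microsoft.com", "zoom.us"}
PRIVATE_APP_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]  # data-center hosted


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying a server_name extension."""
    host = sni.encode("ascii")
    server_name_list = struct.pack("!BH", 0, len(host)) + host      # type=host_name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03" + bytes(32)                   # client_version, random
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
        + b"\x01\x00"                             # one compression method (null)
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type=client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(packet: bytes) -> Optional[str]:
    """Parse the SNI out of a TLS ClientHello; return None if absent or malformed."""
    try:
        if packet[0] != 0x16 or packet[5] != 0x01:   # TLS handshake record, ClientHello
            return None
        pos = 9 + 2 + 32                              # record hdr + handshake hdr + version + random
        pos += 1 + packet[pos]                        # session id
        cs_len = struct.unpack_from("!H", packet, pos)[0]
        pos += 2 + cs_len                             # cipher suites
        pos += 1 + packet[pos]                        # compression methods
        ext_total = struct.unpack_from("!H", packet, pos)[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", packet, pos)
            pos += 4
            if ext_type == 0:                         # server_name extension
                p = pos + 2                           # skip server_name_list length
                if packet[p] == 0:                    # NameType host_name
                    n = struct.unpack_from("!H", packet, p + 1)[0]
                    return packet[p + 3:p + 3 + n].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def steer(first_packet: bytes, dst_ip: str) -> str:
    """Return the path for a new flow based on its first packet and destination."""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in PRIVATE_APP_PREFIXES):
        return "mpls-to-hq"        # private app hosted in the data center
    sni = extract_sni(first_packet)
    if sni in TRUSTED_SAAS:
        return "local-breakout"    # trusted, latency-sensitive SaaS goes direct
    return "netskope-tunnel"       # everything else is inspected in the cloud first


if __name__ == "__main__":
    for host, ip in [("zoom.us", "203.0.113.10"), ("unknown-app.example", "203.0.113.10")]:
        print(host, "->", steer(build_client_hello(host), ip))
    print("private app ->", steer(b"", "10.20.30.40"))
```

The fail-safe default matters: a packet whose SNI cannot be parsed is never treated as trusted, so it goes through Netskope rather than breaking out locally.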

IoT: Securing the edge by role, context, and application

To add further complexity, enterprises are now looking beyond connecting branches, data centers, and headquarters locations to the ever-growing number of Internet-connected devices, the Internet of Things (IoT). IoT can make businesses more efficient through automation, but it also increases the attack surface significantly by adding a new class of devices to manage and secure. IoT devices such as IP cameras, point-of-sale (POS) terminals, and HVAC systems must be handled in an agentless fashion, since running a software agent on them is generally not possible. Enterprises therefore need a different approach for IoT devices, one that protects the corporate network from vulnerable or compromised devices that could be used to breach it and disrupt day-to-day business operations.

Advanced SD-WAN solutions like Aruba EdgeConnect Enterprise implement a zero trust architecture that complements SASE and aligns with the zero trust approach in the Netskope SSE architecture. For example, Aruba EdgeConnect Enterprise with Aruba ClearPass augments application intelligence with user and device identity and role-based policy enforcement, enabling zero trust dynamic segmentation. With dynamic segmentation, traffic in one segment is isolated from traffic in all other segments unless a policy explicitly permits it. This fine-grained segmentation limits lateral movement at the edge: if a device is compromised, the impact is contained to the segment in which it sits. For example, a segmentation policy can prevent IoT security cameras from reaching the segment that carries credit card transactions or HR applications. Zero trust dynamic segmentation helps enterprises isolate potential threats by device type, role, and application while assisting them in meeting compliance requirements such as PCI DSS, HIPAA, and SOX.
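The camera-versus-card-data case above, as an added example (not Aruba or ClearPass code) of how a role-based segmentation policy is evaluated: a device's role is looked up from its identity, the destination is mapped to a segment, and a new flow is allowed only by an explicit rule or because it stays inside its own segment; anything else, including flows from devices with no known identity, is denied. The segment prefixes, the role table, the rules, and the `evaluate` function are constructed for the example; in a real deployment the roles would come from ClearPass and the rules from the SD-WAN policy.

```python
"""Role-based dynamic segmentation policy evaluation (illustrative).

Added example, not Aruba or ClearPass code. Device roles would normally be
learned from an identity service; here they are a constructed table keyed
by source IP, and the segments are hypothetical prefixes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed network segments (hypothetical prefixes).
SEGMENTS = {
    "iot-cameras": ipaddress.ip_network("10.10.0.0/24"),
    "pos":         ipaddress.ip_network("10.20.0.0/24"),   # cardholder data environment
    "hr-apps":     ipaddress.ip_network("10.30.0.0/24"),
    "video-nvr":   ipaddress.ip_network("10.40.0.0/24"),
    "corp-users":  ipaddress.ip_network("10.50.0.0/24"),
}

# Constructed identity table standing in for what ClearPass would supply.
DEVICE_ROLE = {
    "10.10.0.5": "camera",
    "10.50.0.7": "hr-staff",
    "10.50.0.9": "employee",
}


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_segment: str
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "deny"


# Explicit rules, evaluated first-match; anything not listed is denied by default.
POLICY = [
    Rule("camera",   "video-nvr", 554, "allow"),   # RTSP to the recorder only
    Rule("hr-staff", "hr-apps",   443, "allow"),
    Rule("employee", "hr-apps",   443, "deny"),    # explicit deny for audit clarity
]


def segment_of(ip: str) -> Optional[str]:
    """Map an address to the segment whose prefix contains it, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, reason) for a new flow: first matching rule, default deny."""
    role = DEVICE_ROLE.get(src_ip)
    dst_seg = segment_of(dst_ip)
    if role is None:
        return "deny", "unknown device identity"
    if dst_seg is None:
        return "deny", "destination outside any defined segment"
    if segment_of(src_ip) == dst_seg:
        return "allow", f"intra-segment traffic within {dst_seg}"
    for rule in POLICY:
        if (rule.src_role == role and rule.dst_segment == dst_seg
                and rule.dst_port in (None, dst_port)):
            return rule.action, f"matched {rule}"
    return "deny", f"no rule permits role {role} -> segment {dst_seg}"


if __name__ == "__main__":
    flows = [
        ("10.10.0.5", "10.20.0.10", 443),   # camera -> POS: denied
        ("10.10.0.5", "10.40.0.2", 554),    # camera -> NVR over RTSP: allowed
        ("10.10.0.5", "10.40.0.2", 22),     # camera -> NVR over SSH: denied
        ("10.50.0.7", "10.30.0.3", 443),    # HR staff -> HR apps: allowed
        ("10.99.0.1", "10.30.0.3", 443),    # unknown device: denied
    ]
    for src, dst, port in flows:
        action, reason = evaluate(src, dst, port)
        print(f"{src} -> {dst}:{port}  {action:5s}  ({reason})")
```

The point to check in any such policy is the default branch: a compromised camera that tries the card-data segment must fall through to a deny with no rule matched, and a device whose identity is not known must not inherit a permissive role.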

In Part Two of this series, we will share more insights into seamless connectivity for a multi-vendor SASE solution and protecting intellectual property in light of the Great Resignation.

For more details, please refer to the Aruba and Netskope SASE solution overview.

About the authors

Karan Singh Dagar is a Product Marketing Manager at Aruba, a Hewlett Packard Enterprise company. Karan has a broad computer networking and cloud background and is responsible for driving product marketing, messaging, positioning, and content creation across Aruba’s enterprise and service provider SD-WAN offering. Karan also has a master’s in computer networking from North Carolina State University.

Jeff Brainard is a Product Marketing Director at Netskope, where he focuses on the NewEdge security private cloud infrastructure and related networking-focused solutions for traffic steering, client access, and digital experience management. With more than 25 years of experience in product marketing, product management, and sales leadership roles, Jeff has deep knowledge of web cache/proxy, secure web gateways, as well as network and application performance optimization technologies.