Realizing next generation ZTNA and a design pattern for Next generation network security
Introduction
NIST publication has the best description of zero trust. Few important points made by NIST in the document:
"Zero trust security models assume that an attacker is present in the environment and that an enterprise-owned environment is no different—or no more trustworthy—than any nonenterprise-owned environment"
"A zero trust architecture (ZTA) is an enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement"
"A typical enterprise’s infrastructure has grown increasingly complex. A single enterprise may operate several internal networks, remote offices with their own local infrastructure, remote and/or mobile individuals, and cloud services. This complexity has outstripped legacy methods of perimeter-based network security as there is no single, easily identified perimeter for the enterprise. Perimeter-based network security has also been shown to be insufficient since once attackers breach the perimeter, further lateral movement is unhindered"
Main takeaway from above is that E-W security is as important as N-S security. As one might have observed, many of the recent data breaches are related to attacker movement laterally within the Enterprise application networks.
ZTNA (Zero Trust Network Access) is one of the products/services that implement ZTA based security. Though ZTNA by its term seems to be generic, many in Industry limit ZTNA scope to protect the Enterprise applications, thereby protecting data generated by the Enterprise applications.
#Gartner defines the ZTNA as follows:
"Zero trust network access (ZTNA) is a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. This removes application assets from public visibility and significantly reduces the surface area for attack"
Attack surface is increasing even more due to
ZTNA solutions are expected to address the above increased attack surface.
Just to complete the ZTA picture: Enterprises are increasingly using SaaS Services. CASB products/services address secure access to SaaS to protect Enterprise data in SaaS. Protecting Enterprise users/end-devices from getting infected with Malware, and protecting users visiting social engineering sites is needed to avoid impersonation by malicious outsiders. Secure Internet Access product category such as SWG (Secure Web Gateway) provides network level defense (other being endpoint protections) from stopping attacks on users/devices. That is, network level ZTA is realized by three product categories - SIA (Secure Internet Access), SSA (Secure SaaS Access) and SAA (Secure Application Access). ZTNA is part of the SAA product category.
First generation ZTNA products
First generation ZTNA products are a good start, but they miss many attack surfaces and features. First generation ZTNA products address the following requirements. These ZTNA products mostly address challenges associated with VPN based application access
Don't allow users (laptops/PCs) to access applications just because they are on virtual private networks : Current generation ZTNA products ensure this. The data encryption feature of VPNs continued to be used by these products. In addition, ZTNA products use following methods by breaking overlay tunnels at the ZTNA. In VPN, overlay tunnels extend from an Enterprise site/DC to another Enterprise site/DC, ZTNA normally. With ZTNA, overlay tunnels terminate at ZTNA for it to enforce access control decisions.
Stop discovery of applications and avoid any Enterprise inbound access to the applications: When VPNs are used without any access control, anybody on the local network and virtual networks can perform port scanning to discover the applications. As we know, reconnaissance is the first phase of the attack life cycle. If the discovery of applications is stopped, it makes the attacker's job a lot harder. User authentication & Application Access control based on user ID address discovery to a great extent. In addition, current generation ZTNA products don't expect VPN/site administrator to open any inbound accesses in the Enterprise firewall. That feature not only avoids any external reconnaissance attempts, but it also avoids Enterprise security approval process overheads required to create inbound Enterprise firewall rules. This is important in cases where the applications are ephemeral. ZTNA products achieve this by
Access from Anywhere to any type of applications : Current generation ZTNA products allow application access to the authenticated users (via managed laptops) working from home or anywhere outside of the Enterprise office environments. Many do this by either some special client software or IPSEC/OpenVPN/Wireguard client software. To avoid multiple authentications by the ZTNA, ZTNA products tend to accept the identities used by client software to authenticate with IPSEC/OpenVPN concentrators. ZTNA products gets the mapping of authenticated identity to the virtual IP addresses assigned to the client and use the IP address to make identity based authorization decisions. Since virtual IP addresses are used in making access decisions, all kinds of applications (HTTP and non-HTTP) applications accesses can be made accessible.
Unmanaged Client accesses to the Enterprise applications: A few ZTNA products (not all) also support access to Enterprise applications without any special client software. This is needed to support accesses from BYOD devices, Partners who need access to the Enterprise applications and client devices. ZTNA products tend to enable this feature to access HTTP/HTTPS/gRPC based applications.
Cloud based delivery model: Many new ZTNA vendors are providing SaaS way of delivery of ZTNA. These service providers instantiate ZTNA in various PoP locations to enable low-latency access to their customers.
Central Management Plane and Observability: This is a common feature across ZTNA products/services. Via self-service portal, Enterprises can configure policies and observe the state of their user access to applications. Management plane internally takes care of synchronizing the configuration across multi PoP ZTNA instances.
Continuous user authentication & User login behavior analysis and associated response: Many ZTNA products talk about this. It appears that many force authentication based on idle timeout and also on regular intervals. This will ensure that any authentication session hijacking attempts don't last longer. User behavior anomaly is also performed by many to ensure that users accessing applications are genuine users and not the users who have stolen the credentials. Some of the behavior anomalies include - Login from a new location, Abnormal number of logins, Access to applications that were not usually accessed by certain users, Access to applications at odd times etc.. Some ZTNA systems also look at the security posture of the clients (in case of managed clients) and allow application access only if the security score is beyond some threshold value.
Next Generation ZTNA requirements
First generation ZTNA products are a good start. In my view, next generation ZTNA products would need to address some of the shortcomings of first generation ZTNA products.
Shortcomings in current generation ZTNA products:
Least Privilege Access principles are not taken care to its fullest extent: Today, the granularity of access control on per user/group/role is the entire application. Many applications are complex. They have resources related to administrators and resources specific to different types of users. For example, only administrative users are expected to access resources related to management of a given application. In some cases, one might want to allow only GET operation on some resources to some types of users.
Requirement: Finer granular access control to satisfy least privilege access principle.
Current ZTNA solutions are not addressing all traffic flows and hence are not addressing all attack surfaces: It appears that ZTNA security is mostly applied for north-south traffic flows. That is, for the traffic coming from users/applications from one site/internet to data center sites/VPCs/K8s-Clusters. Following traffic flows are not addressed well in current ZTNA products
Requirement: ZTNA solutions are expected to address all traffic flows without any hair-pinning. That is, ZTNA solution shall not be restricted to PoP deployment, but also shall be able to deploy ZTNA instances within a customer site/VPC and K8s cluster -> Universal and Uniform ZTNA with the same management plane is the requirement.
Current ZTNA solutions are not addressing Multi Cloud and Multi Edge distributed application deployments well: Distributed application deployment across multiple cloud providers and cloud regions is becoming a normal practice to provide good user experience to users. Cloud bursting is another reason why applications may be present across multiple locations. Current ZTNA solutions do not have a way to route traffic to various instances based on the load, regulatory requirements, cost and other criteria.
Requirement: ZTNA solutions are expected to provide GSLB functionality to distribute the load across multiple ZTNA instances; ZTNA solutions are also expected to balance/route the traffic across multiple instances of applications based on various criteria including 'load' on the application instances, cost of using these instances, latency requirements etc..
Current ZTNA products don't talk about their security: ZTNA solutions authenticate users and allow the application accesses based on permissions are given to the users/groups. Many ZTNA instances also terminate the TLS/SSL connections on behalf of applications. ZTNA solutions require customer application specific secret material to be configured. One question that arises is whether ZTNA itself is protected well enough to ensure that it is not exploitable and also ensure that the secret material is never stolen. ZTNA solutions are expected to ensure that all secret material is secured (Encrypted). And they need to ensure that encryption keys are not stored in the file system in clear.
Requirement: ZTNA solutions shall secure secret material using hardware security modules.
Current ZTNA products don't talk about how they scale with the load or when they are under DDoS attack: ZTNA products are ensuring that private applications are never exposed to the Internet. But, ZTNA instances run on public IP addresses to enable BYOD/Partner access to the private applications. It means that ZTNA instances are exposed to the wider Internet. Many ZTNA products don't talk about how they address genuine higher load and also the load during any DDoS attack on them. Though volumetric DDoS attacks prevention may be provided by DDOS providers, ZTNA products are expected to be resilient with the increase in the load. The expectation is that ZTNA instances are scaled-out with the load.
Requirement: ZTNA solutions must be resilient with increasing load on them
Current ZTNA solutions don't address threat security: Current ZTNA solutions do a good job of identity based access control, but leave threat security functionality to other security products. This will lead to proxy-chaining, multiple SSL/TLS terminations and hence can increase latency and increase the attack surface to steal the secret material. Moreover, when security functions are also SaaS, then there could be PoP hopping, which can even increase latency and reduce application throughput.
Requirement: ZTNA solutions are expected to provide one-pass architecture covering various security functionalities (WAF, API Security, Anti-Malware, DLP), Load balancing & L7 traffic routing along with identity based access control function.
Requirement: ZTNA solutions are expected to support third party security functions via few standardized and defacto interfaces.
Requirement: ZTNA solutions are expected to provide a way to onboard new security functions without having to ship the entire ZTNA software
Current ZTNA solutions don't address privileged user access management well : Current ZTNA solutions don't differentiate normal users accessing the applications and administrator access to the applications from authentication perspective. In some cases, administrators need 'SSH' access to the applications or infrastructure that is running the applications. If these users' credentials are stolen, attackers can do major damage. Hence, privileged accesses need to have a second level of authentication. Today ZTNA solutions depend on Enterprise IAM systems for any user authentication including MFA. That is, ZTNA systems trust the IAM systems. Keeping Zero trust principles, it is good if ZTNA authenticates privileged users using its own MFA.
Requirement: ZTNA solutions are expected to provide ZTNA specific MFA based authentication mechanisms for privileges accounts. Some in Industry call it 'Privileged Access Management'.
Current ZTNA solutions don't webify administrative and VDI protocols: Many of current ZTNA solutions provide access to protocols such as SSH, RDP and VNC only from managed clients with special client software. Current ZTNA solutions don't bundle webification packages (such as Apache Guacamole project) and expect customers to take care of them. Any ZTNA solutions in future are expected to provide as many webifications as possible.
Requirement: Web based access to protocols such as SSH, RDP and VNC.
Current ZTNA solutions don't address partner collaborations well: Many of current generation ZTNA solutions expect Enterprises to create accounts for partner employees in their authentication databases. This is not ideal as one needs to take care of partner user life cycle management here too. Ask questions such as what if the employees of your partner resigns. One likes to remove the account as soon as possible. What if, ZTNA solutions authenticate partner users using partner IdPs.
Requirement: Support for Multiple IdPs.
Current ZTNA solutions don't have inbuilt IAM: Small/Medium size companies might not have a standard authentication database. ZTNA solutions expecting every company to have authentication databases may not be valid. ZTNA solutions in their next generation are expected to have IdP functionality.
Requirement: ZTNA products shall provide inbuilt IAM server with MFA.
Leveraging web-push technologies to improve user experience: When non-HTTP application access is denied for users or when reauthentication is required, there is no indication to the user on why the access was denied. New generation ZTNA products (even with no client software) started to leverage web push technologies (link1 and link2 ) to inform users via notifications and direct the users to a portal to view user specific permissions and/or to pro-actively authenticate with ZTNA solutions.
Requirement: Web portal with web notifications to improve user experience
Architecture Pattern
Ritu Sood and Srinivasa Addepalli will talk about the stack with open source components and how those can be used to realize the SSE stack, where ZTNA is a part of it. We will also talk about the gaps and how the team is addressing them in the upcoming ONES talk in November, 2022.
First, we will describe the first generation SSE, challenges, opportunities and then describe an architecture pattern.
Current Practices, Challenges and Opportunities
SSE is currently offered as a service, providing significant benefits for organizations seeking to avoid the maintenance of on-premises infrastructure. However, several challenges associated with SSE have emerged, which require comprehensive solutions. In this section, we outline some of the key challenges that must be addressed, as they can shape the architectural patterns for SSE implementations.
Current Practice
Delivering Services through multiple Point of Presence (PoP) locations:
SSE providers offer their services to customers through strategically located security functions at multiple PoP locations. When an enterprise engages with an SSE provider, they specify the locations of their offices and where their employees operate. The SSE provider then selects the appropriate PoP locations to enable security functions tailored to that specific enterprise. This approach ensures that enterprise traffic is directed to the nearest PoP, minimizing latency and optimizing performance.
To further enhance performance, many SSE providers have established their middle-mile backbone network connecting their PoP locations. This dedicated backbone facilitates efficient transmission of traffic between enterprise offices and users, bypassing the general internet. By leveraging this dedicated network, inter-office and user-to-data center traffic experience minimal latency and improved performance.
SSE Service Implementation:
The implementation of SSE services, including the software form factors and underlying infrastructure, can vary depending on the SSE service provider and their security technology vendors. However, there are some commonalities in the general approach:
-?????????Hardware Servers and Switches: SSE providers deploy a set of dedicated hardware servers and associated switches in colocation facilities. These components form the backbone of the SSE service infrastructure.
-?????????Operating System: Linux is commonly utilized as the bare metal operating system for the servers, providing a stable and efficient foundation for running security functions.
-?????????User Space Programs: The security functions themselves are implemented as user space programs, running directly on the servers.
-?????????Multi-Tenancy: Each security function instance is designed to be multi-tenant capable, meaning that it can handle and process traffic from multiple customers simultaneously. This enables efficient sharing of resources and scalability.
-?????????Tenant Traffic Association with a Given Server: While it may seem like a conventional approach, it is not uncommon for SSE providers to provision a specific server dedicated to handling traffic from a particular tenant in PoP locations. This is normally done due to technical limitations of the underlying technology or sometimes to simplify operations. Whenever a tenant requires higher performance at a later time or if a tenant's traffic is impacting the performance of other tenants, providers manually shift some tenants' traffic to other least loaded servers.
Challenges
Though the improvements are happening, it is worth mentioning a few challenges that the SSE providers need to address.
Unpredictable traffic load:
SSE providers who manage their own hardware infrastructure across multiple PoP locations may face challenges in handling unpredictable traffic loads. Due to a limited number of hardware servers, these providers may struggle to effectively manage sudden bursts in traffic. To address this issue, SSE providers need to carefully consider the potential burstiness in traffic and scale their server deployments accordingly. However, deploying a large number of servers to handle potential bursts can lead to challenges in resource utilization and increase the overall cost of hardware acquisition.
Handling unpredictable traffic load requires a balance between scalability and cost efficiency. Though SSE providers assess the historical traffic patterns and employ sophisticated traffic management techniques to dynamically allocate resources, the resource utilization problem can’t be solved by this technique alone.
Distributed Denial of Service (DDoS) Attacks:
SSE providers can encounter challenges in effectively mitigating DDoS attacks when relying on a fixed and dedicated number of servers. During DDoS attacks targeting the SSE infrastructure, servers can become overwhelmed, resulting in increased packet drops, higher latency, lower throughput, and a degraded user experience for legitimate traffic.
To address these concerns, some SSE providers opt to utilize services from specialized DDoS attack mitigation providers. It is important to note that while anti-DDoS providers can offer protection against volumetric attacks, TCP SYN flood attacks, and to some extent, HTTP-level DDoS attacks, they may not provide complete protection against resource-exhaustion attacks specific to SSE services. Some DDoS attacks may specifically target the memory resources of the SSE infrastructure, while others may aim to exhaust CPU resources.
Increased Latency:
Enabling all security functions in SSE can introduce a significant increase in traffic latency. It is essential to prioritize security, and disabling it is not a viable solution. However, there are strategies to address and mitigate latency challenges.
Insufficient Number of PoP Locations: One approach commonly adopted by SSE providers is to route tenant traffic to the nearest Point of Presence (PoP) locations. The distance between tenant offices/users and the PoP locations directly impacts latency, with greater distances resulting in higher latency. To effectively manage latency, it is essential to ensure an adequate number of SSE PoP locations that cover various geographic regions. Maintaining an extensive network of PoP locations presents challenges, such as increased costs and potentially inefficient hardware utilization. Adding more PoPs incurs additional expenses, including infrastructure deployment, maintenance, and operational costs.?To address these concerns, SSE providers must explore innovative methods of extending their network reach to cover a wider geographical footprint without significantly increasing costs.
Multiple SSL/TLS Inspections: When security functions are sourced from different technology vendors, there is a risk of traffic being decrypted and encrypted multiple times. For instance, consider a scenario where SWG, CASB, IDS/IPS, and DLP solutions come from separate vendors. In such cases, each security component performs its own SSL encryption/decryption, resulting in further latency. Cryptography involves computationally intensive operations that not only contribute to latency but also require increased compute power. This additional compute power can impact the ability to meet sustainability goals. Therefore, SSE providers must address these challenges to minimize latency and optimize performance.
Multiple Additional Hops in Traffic Routing:?SSE introduces additional hops in the path of traffic, not only within a single location but across multiple locations on the internet. Let's consider the scenario of Internet-bound traffic from users within an organization. Prior to SSE, traffic from users in office environments would directly flow to Internet-bound services through their primary ISP. However, with the introduction of SSE, traffic needs to pass through SSE Points of Presence (PoPs) for security processing. Before reaching the SSE PoP, the traffic may have to traverse through an Anti-DDoS service located in a different PoP. Additionally, the traffic may be tunneled from Branch Office Customer Premises Equipment (CPE) devices to the SSE PoP, which increases packet overhead due to tunnel headers and encryption before tunneling. All of these factors contribute to increased latency. While human users may not visually perceive the latency challenges, they can have a detrimental impact on applications that require low-latency communication. Another use case involves traffic destined for an organization's internal services, where users are working remotely or from different office locations. In this case, the traffic is tunneled twice – first to transport it to the SSE PoP and then again to securely transmit it to the location where the applications are running. These multiple hops and additional layers of security further exacerbate latency issues.
Hairpinning:
Not all traffic flows exclusively traverse the wide area network (WAN) in a North-South (N-S) direction. There are numerous scenarios where both the client and server entities reside within a data center or within the same physical location. For example, communication can occur between entities within a Virtual Private Cloud (VPC), within a Kubernetes cluster, or across different regions of a cloud service provider. In the current deployment model of SSE, traffic in these cases needs to be hairpinned for security processing.?Hairpinning refers to the practice of routing traffic from a source within the same network to an external network gateway and back again, instead of taking a direct path. This approach introduces additional latency and can raise privacy concerns. By forcing the traffic to take a detour, the overall latency of the communication increases, which can negatively impact real-time applications and services that require low-latency interactions. Furthermore, hairpinning traffic for security processing can also raise privacy concerns. As the traffic is routed through an external gateway, it may expose sensitive information to additional entities within the network, potentially compromising data privacy. To address these challenges, SSE providers need to explore alternative deployment models that minimize hairpinning and optimize traffic flow, especially for scenarios where the client and server entities are located within the same data center or physical location. This approach can reduce latency and enhance privacy by eliminating the need for unnecessary detours in traffic routing.
Lack of tenant isolation
Isolation holds significant importance for certain organizations, particularly when it comes to memory isolation and performance isolation. Memory isolation is crucial to ensure that any potential exploits targeting SSE functions due to other tenants' traffic do not compromise the confidentiality of their own sensitive information. It provides a safeguard against unauthorized access to secret materials.
Similarly, performance isolation is essential to guarantee that an organization's traffic maintains deterministic performance regardless of any sudden traffic bursts from other tenants. By having performance isolation, organizations can ensure consistent and predictable performance levels for their critical applications and services, regardless of the activities of other tenants.
Poor Energy Efficiency:
SSE providers typically utilize their own servers to deliver services from their PoP locations. As mentioned earlier, the need to address traffic bursts and mitigate DDoS attacks often leads to provisioning a higher number of servers in each PoP. Additionally, with the expansion of PoP locations, the overall number of servers can increase substantially. However, simply increasing the number of servers and PoPs does not necessarily optimize compute power utilization.
To align with sustainability goals, SSE providers must prioritize energy efficiency in their infrastructure. As the server count grows, so does the energy consumption and associated environmental impact. Providers need to explore innovative approaches to enhance energy efficiency, such as employing energy-efficient hardware, implementing dynamic resource allocation strategies, and optimizing workload distribution.
Lack of Open Interfaces for Custom Security Functions:
In the rapidly evolving threat landscape, organizations often require the ability to integrate new security engines to protect against emerging threats. SSE providers may not offer comprehensive threat protection if the threat is specific to a custom application used by the organization. As a result, IT security teams within organizations may develop their own threat protection solutions and seek a way to deploy them alongside the SSE infrastructure. However, many SSE providers do not offer open interfaces or mechanisms to seamlessly integrate these custom security functions, even if they are developed as WebAssembly (WASM) or Lua modules.
This lack of open interfaces poses a challenge for organizations looking to enhance their security posture by leveraging in-house or third-party security solutions. The inability to deploy custom security functions within the SSE environment limits the organization's flexibility and hampers their ability to address unique security requirements.
Opportunities
SSE Technology vendors and service providers have numerous opportunities to enhance their offerings and stay ahead in the market. In the following sections, we discuss several significant areas that are currently or will be integral to SSE solutions.
Elastic Computing
Elastic computing is nothing new for Enterprise application developers. All benefits of elastic computing are equally valid for SSE too.
Auto SSE workload Scaling
Auto scaling is a crucial aspect of SSE security functions to efficiently utilize compute resources. SSE providers typically start these functions with optimal resource allocation. However, as traffic demand increases, additional resources are dynamically added to the workloads to ensure smooth operation. Conversely, during periods of reduced demand, resources allocated to SSE workloads can be scaled down.
Auto scaling employs two primary techniques: scale-up and scale-out. In scale-up mode, additional resources are allocated to existing instances of workloads. For instance, more CPU resources can be added to enhance the processing capabilities of running instances. On the other hand, scale-out involves bringing up more instances of workloads and configuring external load balancers to distribute traffic evenly across multiple instances. Both techniques are essential and serve different purposes.
Currently, the scale-out technique is gaining momentum due to its ability to leverage multiple compute nodes, resulting in linear performance scalability limited only by the number of compute nodes available. This approach allows SSE providers to handle higher traffic volumes effectively and maintain optimal performance levels. By adding more instances and distributing the workload, scale-out enables parallel processing across multiple sessions, improved aggregate throughput and even reduced latency.
Auto node resource provisioning
Auto node resource provisioning is a powerful capability that enables the dynamic addition of compute nodes or virtual machines to the execution environment. In the context of SSE function auto-scaling, this feature becomes particularly valuable. Consider a scenario where the demand for SSE services increases, requiring additional compute nodes to handle the workload effectively.
Auto node provisioning plays a crucial role in meeting traffic demands and mitigating DDoS attacks by automatically adding or removing compute resources based on real-time traffic patterns. By scaling the number of compute nodes, SSE environments can provide near-unlimited performance, with the scalability being primarily constrained by the number of available compute nodes.
To achieve this scalability, SSE solutions can not only provision their own compute node resources but also leverage resources available from colocation providers in the same location. Many colocation providers, as well as third-party providers, now offer BareMetal services, which allow compute nodes to be dynamically subscribed or unsubscribed as needed. This flexibility allows SSE environments to rapidly scale their resources and adapt to changing demands without the need for manual intervention.?
By leveraging auto node resource provisioning, SSE providers can ensure optimal performance, resilience, and resource utilization. The ability to dynamically add and remove compute nodes based on traffic demands enables SSE solutions to handle increasing workloads effectively and deliver seamless security services to organizations.
Elastic Cloud Bursting
Elastic cloud bursting plays a crucial role in addressing the limitations of compute resources within a Point of Presence (PoP) environment. In some cases, the availability of BareMetal service providers may be limited, making it challenging to scale SSE execution environments efficiently. To overcome this, SSE providers need to explore options for extending elasticity to nearby cloud environments.
There are two primary approaches to achieve elastic cloud bursting:
-?????????Extension with Virtual Machines: SSE providers can extend their execution environment by incorporating virtual machines from nearby cloud providers. By seamlessly integrating these virtual machines into the existing infrastructure, additional compute resources can be leveraged to handle increased traffic demand. This approach allows for a flexible allocation of resources, ensuring optimal performance and scalability.
-?????????Dynamic Deployment of SSE Instances: Another approach is to automatically deploy new instances of the SSE in the cloud when demand exceeds the capabilities of the primary PoP environment. This dynamic deployment allows for the distribution of incoming traffic sessions across multiple SSE instances, enabling efficient load balancing and scalability. As the demand decreases, the system can automatically remove the SSE instances in the cloud, optimizing resource utilization and reducing costs.
By incorporating and implementing elastic cloud bursting strategies, SSE Technology vendors & providers can overcome the limitations of PoP compute resources and extend their capacity by utilizing resources from nearby cloud environments. This approach ensures that the SSE execution environment can seamlessly scale to handle increasing workloads while maintaining optimal performance and availability.
Summary:
With elastic computing built into SSE solutions, SSE providers can achieve the following benefits:
-?????????Scalability: Elastic computing ensures that systems can scale resources up or down in response to workload fluctuations. This scalability enables businesses to accommodate increased traffic, sudden spikes in demand, or changes in user activity without compromising performance.
-?????????Improved Latency: By factoring in latency considerations, elastic computing can bring up new instances of SSE functions and optimize the allocation of resources to minimize network delays and improve connection performance.
-?????????Resilience to DDoS Attacks: Elastic computing aids in mitigating the impact of Distributed Denial of Service (DDoS) attacks by dynamically allocating additional resources to handle the increased traffic load. By scaling resources on-demand, organizations can better withstand and mitigate the effects of such attacks.
-?????????Cost Optimization and Sustainability: Elastic computing allows for efficient resource utilization by provisioning resources only when needed. This prevents overprovisioning and minimizes idle resources during periods of low demand. Consequently, it helps optimize costs and improve cost-effectiveness.
Client-Centric, Multi-Edge and Multi-Cloud Computing
In the realm of Client-Centric Multi-Edge and Multi-Cloud Computing, the focus is on overcoming the limitations of current SSE offerings that heavily rely on a limited number of PoPs for security processing. These offerings often face significant challenges with latency, as discussed earlier. While PoP computing can be categorized as edge computing, it has become evident that a few PoPs cannot provide the desired 20 to 40 millisecond (needed for AR/VR and 360-degree immersive media use case scenarios) proximity coverage across the globe. Therefore, it becomes imperative to explore alternative deployment models, harness a wide range of edge providers, leverage multiple cloud platforms, and even empower client-side computing to achieve a more comprehensive and efficient solution.
领英推荐
To address the latency challenge and optimize security processing, SSE providers and SSE technology providers are increasingly considering the following:
-?????????Diverse Deployment Models: By embracing various deployment models, SSE providers can integrate a larger number of edge providers into their infrastructure. This approach enables the placement of security processing closer to end-users, regardless of their geographical location. Whether users are located in different offices, branches, or remote locations, leveraging a diverse range of edge providers allows organizations to significantly reduce latency and ensure consistent security across their global infrastructure.
-?????????Multi-Cloud Integration: Incorporating multiple cloud providers offers unparalleled flexibility and scalability in security processing. By distributing workloads across different cloud platforms, organizations can harness the unique strengths and capabilities of each provider. This approach ensures efficient and seamless security operations at scale, regardless of the geographical distribution of users. It allows for dynamic resource allocation and workload distribution based on the specific requirements of each cloud platform.
-?????????Client-Side Computing: Maximizing the proximity between security processing and clients is crucial for minimizing latency and enhancing user experience. Extending edge processing capabilities to the On-Prem CPE devices, users' laptops or desktops becomes a valuable approach in achieving this goal. By empowering client-side computing, organizations can enable SSE processing to take place directly on the client devices, securely and deterministically or within the organizations’ locations. This eliminates the need for extensive traffic tunneling and reduces reliance on multiple PoPs for SSE processing, resulting in improved performance and reduced latency for internet-bound connections.
By embracing the concept of Client-Centric Multi-Edge and Multi-Cloud Computing, SSE providers can establish a robust and globally distributed security infrastructure. This approach not only allows for traffic breakout at the earliest possible stage but also enhances the overall performance and user experience. By extending edge processing capabilities to the client side, SSE providers can achieve greater proximity and efficiency, as traffic flows don't have to be tunneled and traversed through multiple PoPs for SSE processing.
Comprehensive and Unified Security for Both North-South and East-West Traffic Flows
As discussed earlier, traditional SSE solutions primarily focus on threat protection and access controls for traffic flowing between clients and services over wide area network (WAN) connections. However, these solutions often overlook the security needs of traffic flows occurring within a data center, virtual private cloud (VPC), or Kubernetes cluster. In such cases, traffic is typically routed to centralized Points of Presence (PoPs) for security processing, resulting in increased latency and potential privacy concerns.
To address these limitations, modern SSE architectures are evolving to effectively handle these internal traffic flows by strategically placing SSE-security at appropriate locations using different deployment models. For example, in Kubernetes environments, SSE-security can be integrated into service mesh technologies using sidecars and ingress/egress proxies. This ensures that security functions are seamlessly incorporated into the internal communication within the cluster. In other scenarios, SSE-security can be deployed as containers or virtual machines (VMs) placed strategically across various parts of the cloud infrastructure.
By adopting these newer architectural approaches, SSE providers can mitigate latency issues and alleviate privacy concerns associated with routing local data center, VPC, or Kubernetes cluster traffic outside to PoP locations for security processing. This comprehensive and unified security approach ensures that both North-South (client-to-service) and East-West (internal) traffic flows are adequately protected, regardless of the location within the infrastructure.
In summary, the integration of SSE-security into different deployment models, such as service mesh technologies, containers, or VMs, allows for a more comprehensive and uniform security posture, reducing latency and preserving data privacy for both external and internal traffic flows.
Application Computing at SSE
In the context of AR/VR and immersive media use cases, achieving low latency is crucial for an optimal user experience. Reducing latency wherever possible is a key objective, and several architectural principles have been discussed earlier to address this. These principles focus on bringing SSE processing closer to the source/clients, leveraging on-premises locations of organizations, enabling client-level computing, and utilizing multiple edge and cloud provider compute facilities. These approaches significantly improve latency for user-originated traffic flows.
However, when applications are deployed in distant locations across oceans, there is a potential for increased latency as the traffic has to traverse long distances. To mitigate this, application service computing can be brought closer to the SSE infrastructure. By deploying applications in the same execution environment as SSE, latency can be significantly reduced. Many applications are being designed to be deployed across edge and cloud providers, making it feasible to leverage the same environment for both SSE and application computing.
SSE providers that enable application computing in the same environment as SSE can offer a substantial improvement in latency for emerging applications that require low latency. Therefore, it is imperative for SSE technology vendors and providers to adopt the right software architecture that facilitates the deployment of applications in various forms, such as containers, virtual machines (VMs), and serverless functions.
In conclusion, incorporating application computing within the SSE execution environment is a powerful strategy to achieve low latency and improved performance. SSE technology vendors and providers should prioritize the selection of a flexible software architecture that enables the deployment of diverse application form factors, ultimately enhancing the overall user experience for latency-sensitive applications.
Tenant Isolation
In the realm of SSE, one of the considerations for providers is achieving effective tenant isolation. While shared processing entities offer cost and sustainability advantages by supporting multiple tenants' traffic flows, they may not provide complete isolation. Dedicated processing entities that provide isolation for individual tenants can be resource-intensive, particularly in terms of memory and compute requirements.
For example, let's consider a scenario where a threat intelligence database is 2 gigabytes in size. With dedicated processing entities, each entity may need more than 2 gigabytes of memory to accommodate the database. This can lead to increased costs and resource utilization.
However, it's important to recognize that certain tenants, such as those in the financial, defense, or healthcare sectors, may have unique security requirements that necessitate dedicated processing entities for enhanced isolation.
Therefore, an effective SSE architecture should support both shared and dedicated models to cater to the diverse needs of the customer base. The shared model can provide reasonable isolation while optimizing resource utilization, while the dedicated model can be employed when specific tenants require heightened security and performance isolation.
Miscellaneous Requirements to Address in SSE Architecture Solutions
As SSE architecture solutions continue to evolve, there are several additional requirements that need to be considered to enhance their effectiveness and adaptability. These requirements include:
-?????????IPv6 Support: The adoption of IPv6 is on the rise, driven by government mandates and the growing recognition of its benefits. The US Government, for instance, has mandated the transition of all federal government networks and applications to IPv6 by 2025. Attackers are also exploiting the lack of IPv6 support in network services to distribute malware. Therefore, modern SSE solutions should prioritize IPv6 support to ensure compatibility and security in an IPv6-enabled environment.
-?????????WASM/Lua Support: The constantly evolving threat landscape necessitates flexibility in SSE solutions. Organizations and their IT departments, or managed security service providers (MSSPs), may need the ability to create custom, programmable protections tailored to their specific environments. Technologies like WebAssembly (WASM) and Lua provide sandboxed environments for running custom programs, enabling organizations to develop and deploy their own custom security protections. SSE architectures should incorporate support for running WASM and Lua-based scripts to empower organizations in their threat mitigation efforts.
-?????????Single Pass and Run-to-Complete Architecture: Latency reduction is a crucial aspect of SSE processing. To achieve optimal performance, SSE internals should employ a single pass architecture to avoid multiple SSL/TLS decryptions and encryptions, reducing processing overhead. Additionally, a run-to-complete architecture with a single proxy can minimize memory copies and process context switches, further reducing latency and enhancing overall SSE performance.
-?????????Multi 10Gbps Performance: With the increasing need for comprehensive threat protection and the adoption of Zero Trust Architecture (ZTA), it is crucial to ensure security scanning of all network traffic. Organizations can no longer afford to bypass security for specific traffic flows, even between corporate networks. As a result, the volume of traffic requiring scanning has significantly increased. SSE solutions must be capable of handling high volumes of traffic efficiently and without compromising on latency. The SSE architecture should be designed with the principles discussed earlier, such as elastic computing, to address this requirement. By leveraging scalable and distributed computing resources, SSE solutions can achieve multi 10Gbps performance, allowing for effective and timely scanning of all network traffic.
Design/Architecture Pattern – Kubernetes & its adjacencies
There could be multiple design patterns.?However, one pattern stands out keeping the above requirements in mind.?
Basic foundational component of this architecture pattern is Kubernetes.
Why Kubernetes?
Kubernetes and Elastic computing:
Kubernetes, as a container orchestration platform, provides several features that enable elastic computing. Here are some key features of Kubernetes that support elastic computing:
-?????????Horizontal Pod Autoscaling (HPA): Kubernetes HPA allows you to automatically scale the number of pods in a deployment or replica set based on metrics such as CPU utilization or custom metrics. By dynamically adjusting the number of pods, Kubernetes can scale the SSE service scale-out/in to meet varying demands.
-?????????Vertical Pod Autoscaling (VPA): VPA enables the automatic adjustment of resource requests and limits for individual pods based on their resource utilization.
-?????????Cluster Autoscaling: Kubernetes Cluster Autoscaler automatically adjusts the number of nodes in a cluster based on the demands of the running pods. When the cluster is under heavy load, new nodes are added to accommodate additional pods, and when the load decreases, nodes are automatically scaled down to save resources.?Nodes can be anywhere.?They can be local to the physical system or can even be VMs in nearby cloud.
-?????????Pod Affinity and Anti-Affinity: Kubernetes allows you to define affinity and anti-affinity rules to influence the scheduling of pods. Pod Affinity ensures that pods are scheduled on nodes with specific attributes or labels, while Pod Anti-Affinity prevents pods from being scheduled on the same node or nodes with certain labels. These features enable better resource utilization and can help distribute workload across the cluster.
-?????????Custom Metrics and Autoscaling: Kubernetes supports custom metrics through the Metrics API. This allows you to define and scale your SSE service based on custom metrics specific to your workload, such as request latency, queue length, or any other relevant metric.
Kubernetes provides comprehensive load balancing capabilities that enable efficient traffic distribution for SSE services:
1.??????DNS-level Load Balancing: Kubernetes integrates with CoreDNS and K8gb (Kubernetes Global Balancer) to facilitate load balancing at the DNS level. This enables SSE services to be distributed across multiple edge/cloud Kubernetes clusters, ensuring optimal routing and availability.
2.??????External Load Balancing: Kubernetes offers built-in external load balancing features (such as MetalLB) that distribute incoming traffic across multiple nodes within a cluster. This ensures that the workload is evenly distributed and can scale horizontally to handle increased demand.
3.??????Internal Load Balancing: Kubernetes utilizes IPVS or IPTables for internal load balancing within a node. These mechanisms allow for the distribution of traffic among multiple workload instances running on the same node.
By leveraging these native load balancing capabilities, SSE solutions can eliminate the need for custom load balancing development. Kubernetes provides a robust and scalable infrastructure for managing load balancing at different levels, simplifying the distribution of traffic across clusters, across nodes within a cluster and across workload instances within a node.
Kubernetes and Multi Edge/Cloud computing:
Kubernetes enables the implementation of multi-edge and multi-cloud computing by providing a consistent and portable platform across various cloud providers and even bare metal environments. It is supported by major cloud providers, ensuring compatibility and easier orchestration across different environments. The Kubernetes API remains consistent, allowing seamless management and deployment across providers.
One of the advantages of using Kubernetes for SSE solutions is its versatility in deployment. As Kubernetes is increasingly adopted as a cloud operating system, it can be deployed in both cloud-based and on-premises environments. For instance, there is a growing trend of utilizing Kubernetes clusters in universal Customer Premises Equipment (uCPE) deployments. This allows for the deployment of Kubernetes-based SSE solutions directly on uCPEs.
However, it's worth noting that Kubernetes is not prevalent on client laptops and desktops. While there is some progress in this area, Kubernetes is not yet widely adopted on these devices. Consequently, SSE solutions should be made available as containers that can be deployed within Kubernetes clusters, as well as in the form of installable packages for Windows and macOS operating systems.
Kubernetes and Application computing AND Kubernetes and tenant isolation
Kubernetes supports the deployment of both SSE services and applications within the same cluster, offering several features to facilitate this integration:
-?????????Namespaces: Kubernetes enables the creation of multiple namespaces for isolating SSE services and tenant applications. SSE services can be deployed in specific namespaces, while each tenant can have their applications deployed in separate namespaces.
-?????????Resource allocations: Kubernetes allows for resource affinity, including the ability to assign entire compute nodes to specific namespaces. Tenants can request dedicated compute nodes for their application workloads or SSE services using Kubernetes' resource affinity features.
-?????????Load balancer: Kubernetes provides built-in load balancing capabilities, both external and internal, to evenly distribute traffic among instances of tenant applications.
-?????????ExternalDNS: Kubernetes offers ExternalDNS functionality, which automates the mapping of domain names to dynamic public IP addresses and allows integration with various DNS servers chosen by tenants.
By leveraging these features, Kubernetes can facilitate the coexistence and efficient management of SSE services and tenant applications within the same cluster.
The second biggest foundational component is related to Kubernetes-adjacencies and related open source projects:
All these projects are either Kubernetes ready or can be containerized relatively easily.?By running in Kubernetes, these entities scale-out with the traffic demand thereby overcoming performance challenges with the traditional network security implmentations.
Envoy proxy as foundation for SSE traffic flows:
Envoy proxy is an ideal choice as a universal foundation for SSE (Secure Service Edge) due to its versatile features and capabilities. Here are the reasons why Envoy proxy is well-suited for this role:
-?????????Protocol Support: Envoy supports various protocols including HTTP/1.0, 1.1, 2.0, and 3.0, allowing it to handle a wide range of traffic types.
-?????????IPv4 and IPv6 Support: Envoy is compatible with both IPv4 and IPv6 networks, ensuring seamless communication across different IP versions.
-?????????TLS Inspection: Envoy provides TLS-level inspection, enabling security engines to perform threat protection and access control by terminating and inspecting encrypted connections.
-?????????Traffic Engineering: Envoy offers traffic engineering capabilities, allowing for intelligent routing, load balancing, and traffic shaping to optimize performance and resource utilization.
-?????????RBAC and Authentication: Envoy supports Role-Based Access Control (RBAC) and various authentication mechanisms, such as OAuth2, to enforce secure access control policies.
-?????????Extensibility: Envoy's architecture allows for extensibility through filters, enabling customizations and integration with additional security features or services.
-?????????WASM and Lua Support: Envoy supports WebAssembly (WASM) modules and Lua engines, providing flexibility for programmable security policies and customizations.
-?????????Proxy Modes: Envoy supports forward, transparent, and reverse proxy modes, accommodating different deployment scenarios and network configurations.
-?????????Integration with Service Mesh: Envoy integrates seamlessly with service mesh control planes like Istio, enabling advanced traffic management, observability, and service discovery features within a K8s cluster.
-?????????Acceleration: Envoy benefits from a robust community, including Intel and other semiconductor companies, to accelerate computationally intensive operations like public key cryptography, symmetric key cryptography, decompression, and pattern matching, resulting in enhanced performance and energy efficiency.
-?????????Open Source: Envoy is an open-source project with an active community, making it adaptable and extendable to incorporate additional features, such as multi-tenancy, forward proxy authentication and various security engines needed for SSE.
By leveraging Envoy proxy as a universal SSE foundation, SSE architecture can benefit from its comprehensive capabilities, flexibility, and community-driven development, ensuring a secure and efficient foundational environment.
Keycloak as identity broker:
An identity broker plays a vital role in SSE and SASE solutions by facilitating interaction with various authentication services used by customers or tenants. Keycloak, a widely adopted open-source project, serves as an exceptional identity broker due to the following reasons:
-?????????Seamless integration as an OIDC server for SSE: Keycloak seamlessly acts as an OIDC (OpenID Connect) server for SSE, enabling secure and standardized authentication protocols.
-?????????Support for diverse authentication services: Keycloak efficiently works with authentication services utilized by different customers or tenants. These include AD Servers, OIDC/SAMv2-based services, and multiple social authentication services. Keycloak bridges the gap between SSE and the underlying authentication systems, streamlining the authentication process.
-?????????Kerberos support via SPENGO for SSO: Keycloak provides support for Kerberos via SPENGO, enabling Single Sign-On (SSO) functionality. With Keycloak, users can log in to their Windows/Mac systems, eliminating the need for additional popups or credential input.
-?????????Comprehensive support for local users and MFA: Keycloak offers robust support for local users and their corresponding Multi-Factor Authentication (MFA). This support encompasses various workflows including login, logout, password changes, and other MFA-related actions.
-?????????OIDC Direct grant flow: Keycloak provides support for the OIDC Direct grant flow, catering to scenarios involving forward proxy authentication. This feature ensures seamless and secure authentication for users.
-?????????JWT support for all authentication methods: Irrespective of how users are authenticated, Keycloak allows the use of JWT (JSON Web Tokens) for identity and access management. This ensures consistent authorization.
-?????????User information synchronization: Keycloak facilitates the synchronization of user information such as user groups and roles from the underlying authentication systems. This ensures consistent and up-to-date user data across the SSE and associated services.
-?????????Open-source flexibility: Keycloak being an open-source project provides the advantage of customization. Organizations can tailor Keycloak to their specific requirements, including the implementation of a Direct grant flow for validating Kerberos tickets.
In conclusion, Keycloak stands out as a reliable and feature-rich identity broker. Its ability to act as an OIDC server, work with various authentication services, support SSO with Kerberos, offer local user and MFA capabilities, and synchronize user information make it an ideal choice for SSE and SASE solutions. Furthermore, its open-source nature allows for customization and extensibility, empowering organizations to adapt Keycloak to their unique needs.
Apache Guacamole for Webification of SSH, RDP, VNC, and More:
In the realm of server and application administration, the days of relying solely on Linux consoles and local SSH terminals are fading away. Even privileged users with administrative privileges are increasingly working remotely, creating a demand for secure authentication, authorization, and convenient access to SSH/VNC/RDP services across various application systems, virtual machines, and containers. The HTTP protocol, widely used in many applications, offers advanced security features and robust hardening mechanisms. Therefore, SSE/SASE solutions are inclined towards providing HTTP-level access to streamline the reachability of these administration services. Thanks to the power of HTML5, modern web browsers can now serve as gateways to these administrative functionalities, eliminating the need for any specialized client installations.
By leveraging Apache Guacamole, SSE/SASE solutions can avail benefits of a robust and secure web-based interface for SSH, RDP, VNC, and more. The advantages include:
-?????????Simplified access: Apache Guacamole empowers users to access critical administrative services directly from their web browsers, eliminating the need for specialized client software installations. This simplifies the user experience and reduces deployment complexity.
-?????????Enhanced security: By leveraging the proven security features of the HTTP protocol, Apache Guacamole ensures a secure channel for accessing administration services. Organizations can leverage existing security and hardening tools designed for HTTP-based applications to fortify their administrative access.
-?????????Remote administration: With Apache Guacamole, administrators can perform crucial tasks and configurations remotely, regardless of their physical location. This enables efficient administration and troubleshooting, reducing the need for on-site presence.
-?????????Customizability: As an open-source project, Apache Guacamole allows SSE/SASE solution vendors to customize and extend its functionalities according to their specific requirements. This ensures seamless integration with existing SSE/SASE solutions and facilitates a tailored user experience.
StrongSwan and OpenVPN as VPN Concentrators
In order to ensure robust security processing for SSE (Secure Service Edge), it is necessary to intercept traffic. While forward and reverse proxy mechanisms are effective for capturing Internet-bound and Enterprise application-bound traffic respectively, there are scenarios where traffic can bypass security inspection. For example, malware programs often disregard PAC/forward-proxy settings, resulting in uninspected traffic. Additionally, native applications may not honor forward proxy settings, leading to uninspected traffic generated by these applications. Some organizations attempted to address this by configuring CPE firewalls to block traffic that doesn't go through proxies, but this approach becomes challenging with the rise of remote work scenarios.
Furthermore, not all traffic is limited to HTTP/HTTPS. To ensure other types of traffic go through proxies, SOCKS5 proxy mechanisms have been suggested. However, many native applications and malware may not adhere to these settings, rendering them ineffective. Hence, there is a need for capturing the traffic at the clients and tunnel the traffic to SASE/SSE instances running in various PoPs.
To adhere to Zero Trust Network Access (ZTNA) principles, Enterprise applications should not be exposed to the generic Internet. Attackers should not be able to identify the Enterprise applications and the ports they are listening on using port scanning tools. Since SASE/SSE solutions act as the frontend for Enterprise applications, only the SASE/SSE entities need access to these applications. To address this, VPN tunnels are commonly established between Enterprise sites and nearby SASE/SSE sites.
In summary, SASE/SSE solutions require the termination of multiple tunnels from both remote users and tenant offices. IPsec and OpenVPN are two popular tunnel technologies that are supported in end devices or CPE devices. StrongSwan with Linux IPsec is an excellent choice for terminating IPsec-based VPN tunnels, while OpenVPN is well-suited for terminating OpenVPN-based tunnels.
The advantages of these solutions include:
-?????????Support for route-based VPN, facilitating the exchange of routes on VPN interfaces.
-?????????Utilization of the latest and strongest cryptography to secure traffic.
-?????????Authentication capabilities, including support for PKI-based authentication and extensibility to accommodate OIDC and other authentication mechanisms.
-?????????Kubernetes readiness to support elastic computing and Anti-DDoS measures.
-?????????Tenant identification from peer identities.
-?????????Thriving community support for these projects.
-?????????Interoperability with various CPE devices and VPN clients, including Windows and MacOS.
-?????????Open-source nature, allowing for customization tailored to SASE/SSE requirements, such as support OAUTH2/OIDC based authentication and ability to advertise the client IP address mapping to user identity for SASE/SSE threat protection and access control security engines. This mapping helps SASE/SSE to achieve identity-based access controls.
Vault as a PKI Provider
A PKI (Public Key Infrastructure) infrastructure plays a vital role in SASE/SSE for various purposes. Here are a few examples:
-?????????Authentication of VPN endpoints: Issuing certificates to authenticate VPN endpoints.
-?????????TLS inspection: Issuing certificates to mimic the certificates of internet sites for TLS inspection.
-?????????Enterprise Application certificates: Issuing certificates for Enterprise applications that are not already TLS-enabled.
All of these use cases require a trusted CA (Certificate Authority) certificate hierarchy, which necessitates a reliable CA service. The Vault project serves as an excellent choice for a CA service and can also be used to secure secrets and passwords. It offers several noteworthy features, including:
-?????????Ability to secure Kubernetes secrets, ensuring the confidentiality and integrity of sensitive information.
-?????????Acting as a CA service to issue both intermediate CA certificates and leaf certificates, enabling the establishment of a trusted certificate hierarchy.
-?????????Compatibility with third-party CA services, allowing integration with existing infrastructure and leveraging external CA capabilities.
-?????????Secure storage of master keys with third-party HSMs (Hardware Security Modules), providing an additional layer of protection for critical cryptographic keys.
By leveraging Vault as a PKI provider, SASE/SSE solution vendors can streamline certificate management.
Summary
Delivering Network Security as a Service requires new design patterns to meet the performance and latency requirements of next-generation applications and address the principles of zero trust. This article discusses a design pattern based on Kubernetes and related technologies, including Envoy proxy, Keycloak broker, Apache Guacamole, Strongswan, OpenVPN, and Vault. This design pattern offers a comprehensive foundation for SSE (Secure Service Edge) services that can be deployed anywhere, leveraging the elastic computing capabilities inherent in Kubernetes.
While there may be other design patterns available, the Kubernetes-based design pattern has proven successful for enterprise applications and is widely adopted in the 5G industry. We believe that the Kubernetes pattern is well-suited for SASE and SSE, providing a robust and scalable solution for network security as a service.
?
Depth that is easy to understand!
Very comprehensive discussion of the topic, I really enjoyed it! FYI Sriram Rupanagunta Vivekanandan Muthukrishnan sandeep sharma Rajendra Mishra Namasivayam Sankaranarayanan