Palo Alto Networks SASE Deck. A SASE (secure access service edge) architecture combines networking and security-as-a-service functions into a single cloud-delivered service at the network edge. In short, a SASE architecture identifies users and devices, applies policy-based security, and delivers secure access to the appropriate applications, while providing network security from the cloud to protect users, applications, and data regardless of where they are. Combined with Prisma SD-WAN, Palo Alto Networks offers the industry's most complete SASE solution.
Market trends for SASE. Sources: 2021 SASE Trends Survey (ESG); 2021 State of the Cloud Report (Flexera); 2021 Gartner Magic Quadrant for WAN Edge Infrastructure.
WHAT DOES SASE DO
● Converges networking and security services into one unified, cloud-delivered solution
● Provides secure access capabilities to a variety of distributed users, locations and cloud-based services
● Delivers on-demand services and policy enforcement
HOW DOES PRISMA SASE WORK (architecture diagram)
● Network as a Service layer: Prisma SD-WAN (formerly CloudGenix), with segment-wise insights and auto-remediation
● Security as a Service layer: Prisma Access, delivering FWaaS, CASB, ZTNA and Cloud SWG
● Autonomous Digital Experience Management (ADEM) spans both layers
● Users at mobile, home and branch/retail locations reach SaaS, public cloud, the internet and HQ/data center
● Outcomes called out: protects all app traffic; complete, best-in-class security; exceptional user experience
HIGH AVAILABILITY WITH CLOUD SCALABILITY
● Cloud-native architecture designed on AWS & GCP
● Built on the biggest backbones for global accessibility
● Multi-cloud design ensures high performance
DATA PLANE ISOLATION FOR SECURITY & PERFORMANCE (diagram)
● Prisma Access: each customer (retail, bank and enterprise in the diagram) gets its own data plane, which prevents other customers from affecting your performance
● Other solutions: customers share a commingled data plane, so one customer could adversely affect all customers
VALUE OF PRISMA SASE
● Unified product reduces security risk
● Provides the best user experience
FRAGMENTED SOLUTIONS IMPACT SECURITY OUTCOMES
Separate products (ZTNA 1.0, SWG, CASB, FW) have disjointed management, disconnected policies, and scattered data.
COMMON TERMS (building credibility)
● Remote Access VPN
○ Most organizations have a remote access VPN used to access apps at HQ or the internal data center
○ Users typically disconnect from the VPN when they aren't using internal apps
○ While connected, users reach cloud apps through HQ/data center
● Proxy / Secure Web Gateway (SWG)
○ Used to control and inspect web browsing, especially when the user is not connected to the VPN
○ The web browser connects to the proxy/SWG; non-web traffic (anything that is not HTTP/HTTPS) is not secured
○ Creates inconsistent security and management
● Off-Premise (Off-Prem)
○ Users and resources located outside the corporate network
● Zero-Trust Network Access (ZTNA)
○ Not to be confused with zero trust as a whole, ZTNA is a technology category that denies access to applications by default
○ After verifying identity, it limits users to seeing and accessing only what they "need to know"
WHAT TO ASK
● Where are you on your cloud journey?
○ As you move apps to the cloud, how are you enabling high-performance and secure access to them?
● What percentage of your employees are remote now?
○ Has COVID changed your remote workforce strategy?
● How many branch locations do you have?
○ What does your WAN architecture look like, and do you know your WAN TCO?
WHY SELL PRISMA SASE
● $15B by 2025: Total Addressable Market (TAM)
● 40% by 2024: share of enterprises with strategies to adopt SASE
● 42% by 2024: Compound Annual Growth Rate (CAGR)
● 76% of global office workers want to continue working from home post-COVID-19
WANT TO KNOW MORE
● SASE for Dummies
● Gartner's SASE Report
● Help Me Sell - Prisma Access
● Help Me Sell - Prisma SASE
● Technical Resources
● SASE Learning Path
Gartner published research describing how all of these technologies would begin to converge into what is known as a Secure Access Service Edge (SASE, pronounced "sassy"). Gartner's thesis is that "Digital business and edge computing have inverted access requirements, with more users, devices, applications, services and data located outside of an enterprise than inside". SASE addresses the digital transformation underway at organizations and shows that a cloud-delivered security platform is needed to address this shift.
The journey to the cloud presents two fundamental security challenges for organizations - how to enable users to access the public/hybrid cloud securely, and how to secure applications in the cloud. Prisma solves both problems by providing the most comprehensive visibility and security in the industry, protecting users, applications, and data, in all clouds (SaaS, Private, Hybrid Cloud and Public Cloud) regardless of where they are.
Digital transformation is accelerating - driven by response to COVID
87% of all enterprises now make use of hybrid cloud (Flexera, 2020)
Cloud provides greater business flexibility and agility
This has led to apps and data going everywhere - SaaS, Public Cloud, on-prem. The world is hybrid.
However, our latest analysis of more than 500 enterprise customers on Prisma Access shows that 53% of all remote workforce threats target non-web apps (protocols other than HTTP or HTTPS), which a web-only proxy/SWG does not inspect.
Work from anywhere - The future of work is remote
76% of global workers want to continue working from home (2020 Global Workplace Analytics Study)
48% of employees will work remotely at least some of the time in the post-pandemic world, compared to 30% before (2020 Gartner)
Organizations have been forced to adopt an array of point products to handle different network and security requirements, such as secure web gateways, application firewalls, secure VPN remote access, SD-WAN, etc. For every product, there’s a policy and interface to manage, as well as its own set of logs. This is creating an administrative burden that introduces cost, complexity and gaps in security posture.
Existing network approaches and technologies simply no longer provide the levels of security and access control digital organizations need. These organizations demand immediate, uninterrupted access for their users, no matter where they are located. With an increase in remote users and software-as-a-service (SaaS) applications, data moving from the data center to cloud services, and more traffic going to public cloud services and branch offices than back to the data center, the need for a new approach for network security has risen.
Inconsistent Security:
Users connecting from unsecured or unmanaged devices are granted the same access as users physically at HQ
Implementing uniform policies across different vendors and products is extremely difficult and most organizations don’t do it
Poor User Experience:
Remote users experience latency when connecting to resources via VPN
Backhauling of traffic to a central HQ for firewall and network security inspection causes additional connectivity issues
Management Complexity:
MPLS and site-to-site VPNs are difficult to manage and configure
Scaling operations with hardware firewall, router, and switch deployments is time-consuming
Most vendor solutions lack required breadth and depth of functionality with integration across all components, a single management plane, and unified data model and data lake.
Secure access service edge, or SASE (pronounced “sassy”), is an emerging cybersecurity concept that Gartner described in the August 2019 report The Future of Network Security in the Cloud.
SASE is the convergence of wide area networking, or WAN, and network security services like CASB, FWaaS and Zero Trust, into a single, cloud-delivered service model. According to Gartner, “SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.”
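The ZTNA definition under Common Terms above (deny by default, verify identity, expose only what is needed) and the Gartner definition just quoted (access based on identity, real-time context, policy, and continuous assessment of risk throughout the session) describe a policy model rather than a product. The following Python is an added example of that model, not code from the deck or from Palo Alto Networks: access is granted per application rather than per network, nothing is allowed without an explicit rule, and an allowed session is re-evaluated as context changes. The context attributes (group membership, a host-information-profile style device posture, MFA age, a risk score), the rule fields and the thresholds are all assumptions chosen for illustration, not Prisma Access policy syntax.

```python
"""Default-deny, per-application access evaluation with continuous
re-assessment, in the spirit of ZTNA / the Gartner SASE definition.
Added example; the attributes, thresholds and rules below are assumptions
for illustration, not Prisma Access policy syntax."""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Context:
    """Identity plus real-time context for one session (all fields assumed)."""
    user: str
    groups: FrozenSet[str]
    device_managed: bool      # enrolled in MDM / has the endpoint agent
    disk_encrypted: bool      # a host-information-profile style posture check
    mfa_age_minutes: int      # minutes since the last MFA prompt
    risk_score: int           # 0-100, from a hypothetical risk feed


@dataclass(frozen=True)
class Rule:
    """An explicit allow for one application; anything not matched is denied."""
    app: str
    groups: FrozenSet[str]
    require_managed: bool = True
    max_risk: int = 50
    max_mfa_age_minutes: int = 480


# Constructed policy: two apps of different sensitivity.
POLICY: List[Rule] = [
    Rule("payroll", frozenset({"finance"}), require_managed=True,
         max_risk=30, max_mfa_age_minutes=60),
    Rule("wiki", frozenset({"staff", "finance"}), require_managed=False,
         max_risk=70),
]


def evaluate(app: str, ctx: Context, policy: List[Rule] = POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason). Access is per application, never per network,
    and is denied unless a rule explicitly allows it."""
    for rule in policy:
        if rule.app != app:
            continue
        if not ctx.groups & rule.groups:
            return False, "identity: user not in an allowed group"
        if rule.require_managed and not (ctx.device_managed and ctx.disk_encrypted):
            return False, "posture: managed, encrypted device required"
        if ctx.mfa_age_minutes > rule.max_mfa_age_minutes:
            return False, "identity: MFA too old, re-authenticate"
        if ctx.risk_score > rule.max_risk:
            return False, "risk: score above threshold for this app"
        return True, "allowed by rule for " + app
    return False, "no rule for app (default deny)"


class Session:
    """An allowed session that is re-evaluated on every context change.
    Unlike a VPN tunnel, passing the check at connect time is not permanent."""

    def __init__(self, app: str, ctx: Context) -> None:
        self.app = app
        self.active, self.reason = evaluate(app, ctx)

    def reassess(self, ctx: Context) -> bool:
        if not self.active:
            return False                      # revoked sessions stay revoked
        allowed, reason = evaluate(self.app, ctx)
        if not allowed:
            self.active, self.reason = False, reason
        return self.active


# Constructed sample contexts.
FINANCE_MANAGED = Context("alice", frozenset({"staff", "finance"}), True, True, 30, 10)
STAFF_BYOD = Context("carol", frozenset({"staff"}), False, False, 30, 10)
CONTRACTOR_BYOD = Context("bob", frozenset({"contractor"}), False, False, 5, 20)


def demo() -> dict:
    """Walk through connect-time decisions and a mid-session risk change."""
    results = {
        "payroll_finance_managed": evaluate("payroll", FINANCE_MANAGED)[0],
        "payroll_staff_byod": evaluate("payroll", STAFF_BYOD)[0],
        "wiki_staff_byod": evaluate("wiki", STAFF_BYOD)[0],
        "wiki_contractor": evaluate("wiki", CONTRACTOR_BYOD)[0],
        "crm_anyone": evaluate("crm", FINANCE_MANAGED)[0],   # no rule: denied
    }
    session = Session("payroll", FINANCE_MANAGED)
    results["payroll_at_connect"] = session.active
    # The risk feed raises alice's score mid-session; access is withdrawn.
    results["payroll_after_risk_spike"] = session.reassess(
        replace(FINANCE_MANAGED, risk_score=80))
    results["revoke_reason"] = session.reason
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the Session class is the "continuous assessment of risk/trust throughout the sessions" clause: with a remote access VPN, the check happens once at tunnel setup, after which the endpoint has network reachability; here, a posture or risk change after connect revokes access to that one application without touching any other.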
By removing multiple point products and adopting a single cloud-delivered SASE solution, organizations can reduce complexity while saving significant technical, human, and financial resources.
Three fundamental shifts are driving the need for network transformation in the enterprise - hybrid work, cloud and digital transformation, and branch transformation.
Hybrid Workforce has become the new normal and a requirement for many organizations due to the pandemic. Research indicates that organizations expect 62% of their employees to work in a remote or hybrid manner even after COVID-19 mandates are lifted (ESG Research Report, 2021 SASE Trends Survey, July 2021). As a result, most organizations are planning to support a model where the majority of employees can work fluidly between corporate offices, branch offices, home offices, or on the road.
Cloud and Digital initiatives are driving organizations to invest more in SaaS and other public cloud services. Cloud adoption enables companies to be more agile, efficient and flexible, indicative of why 92% of all enterprises are now adopting a multi-cloud strategy (Flexera, 2021).
Branch Transformation is well underway, driven by new hybrid work and digital transformation initiatives. Organizations are fundamentally changing the branch -- leveraging them as collaboration hubs rather than primary places of work -- while retailers are transforming the way they engage in-store with customers. This trend is fueling the demand for WAN transformation from legacy MPLS to SD-WAN and SASE. According to Gartner, by 2024 more than 60% of software-defined, wide-area network (SD-WAN) customers will have implemented a secure access service edge (SASE) architecture, compared with about 35% in 2020.
SASE offerings will provide policy-based, software-defined secure access from a network fabric in which enterprise security professionals can precisely specify the level of performance, reliability, security, and cost of every network session based on identity and context. SASE securely enables the dynamic access requirements of digital transformation, providing secure access capabilities to a variety of distributed users, locations and cloud-based services. Enterprise demand for cloud-based SASE capabilities, and market competition and consolidation, will redefine enterprise network and network security architectures and reshape the competitive landscape.
Mobile Users - the #1 strategic priority for CIOs post-COVID: "…a typical employer can save about $11,000/year for every person who works remotely half of the time."
Securing mobile users with traditional types of network security can be a challenge, especially when users work in areas where you don’t have IT staff or it’s cost-prohibitive to have IT staff in many locations.
With the number of applications and workloads moving to the cloud, they need secure access to cloud applications and the Internet as well. Using cloud applications over remote-access VPN can hurt the user experience, and as a result, end users tend to avoid using remote-access VPN whenever possible.
Branch & SD-WAN - SASE provides significant cost savings and ROI, enabling digital transformation
Cloud adoption is affecting branch and retail networking strategies. With the growing number of applications in the cloud, it doesn’t make sense to carry all of an enterprise network’s traffic back to headquarters over expensive multiprotocol label switching (MPLS) connections. As a result, many organizations are adopting new strategies to redesign their wide area networks (WANs) to enable branch offices and retail stores to go directly to the cloud. With the drive to reduce the IT footprint at the branch in order to cut operational costs and reduce complexity, organizations are also looking for ways to reduce the amount of hardware that needs to be physically installed and managed at each location.
Best-in-class security meets best-in-class SD-WAN, delivered from the cloud, with this suite of products
Our PA-series Next-Generation Firewall hardware appliances are designed for simplicity, automation, and integration.
As you move to the cloud, we believe a Secure Access Service Edge (SASE) is the right approach. Prisma Access + Prisma SD-WAN is our SASE solution for branch offices, retail locations and mobile users.
With the addition of Prisma SD-WAN, customers can leverage machine learning and automation to simplify management, enable app-defined SD-WAN policies and implement a secure, cloud-delivered branch.
Panorama gives you a single place to manage all of your Palo Alto Networks Next-Generation Firewalls.
Prisma Access delivers the security and Prisma SD-WAN the networking that organizations need in a Secure Access Service Edge architecture designed for all traffic, all applications, and all users. Rather than creating the single-purpose technology overlays normally associated with point products, our SASE solution uses a common cloud-based infrastructure that delivers multiple types of security services, including advanced threat prevention, web filtering, sandboxing, DNS security, credential theft prevention, DLP, and next-generation firewall policies based on user, application and host information profile (HIP).
The combination is the most comprehensive SASE solution in the industry.
Our SASE solution provides:
Protection for All App Traffic: Access to all apps and secures against all threats, not just web-based apps and threats, reducing the risk of a data breach.
Complete, Best-in-class Security: Industry-leading capabilities converged into a single cloud-delivered platform, providing more security coverage than any other solution.
Exceptional User Experience: Massively scalable network with ultra-low latency, backed by industry-leading SLAs, ensuring the best digital experience possible for end-users.
A cloud-native architecture designed on the biggest backbones and deployed across multiple clouds ensures high availability.
We take advantage of the highest-performing, most available public cloud providers, such as Google and AWS. We run a private instance across their private backbones, with access to their private fiber, load balanced across their global backbones to deliver very high performance everywhere.
This allows our customers to bring their users, branch offices, applications, data centers, cloud locations and SaaS applications together globally on the back of this extremely powerful solution.
Data plane isolation ensures a truly enterprise-grade multi-tenant environment without commingling data or having "noisy neighbors" impact performance.
We've built our solution with enterprise-class multi-tenancy.
What this means for you is that we isolate every tenant's and every customer's data plane.
This provides a more secure cloud environment and prevents other customers from affecting your performance or your data.
You'd expect this from any cloud security solution; however, many leading solutions in the industry have shared or commingled data planes.
This creates a situation where a "noisy neighbor" that generates a lot of traffic can adversely impact the performance of all customers sharing that data plane.
Likewise, any security impact on a shared data plane will also affect every customer on it.
The better approach, and the one that ensures the highest performance, is an enterprise-class multi-tenant environment with true data plane isolation: a dedicated data plane for each customer.
Native and pervasive visibility with ADEM leverages all the deep insights to choreograph itself to deliver truly exceptional user experiences.
That's where ADEM comes in.
All the visibility that is required is captured and analyzed, so if there is a challenge, IT can identify it instantly and, more importantly, remediate it.
Taking these three things together (a cloud-native architecture designed on the biggest backbones and across multiple clouds for high availability; data plane isolation for an enterprise-grade multi-tenant environment without commingled data or "noisy neighbors"; and native, pervasive visibility with ADEM), you can clearly see how Prisma Access is purpose-built to deliver the best user experiences.
Unified Product
Simplify Network Management and Operations
● Integrated SD-WAN simplifies site-to-site connectivity and remote user configuration
● Single pane of glass for role-based access control and policy creation through Panorama
Reduces security risk with consistent best-in-class network security across your entire enterprise
● Granular, identity-based access control to applications and services, regardless of location
● Delivers protection to all applications (public cloud, private cloud, SaaS, internet) and protocols
● Full single-pass inspection and detection capabilities including malware, behavior-based IDS, exploit detection, DNS security, and data-loss prevention
Provides the Best User Experience through ADEM
● Cloud-native architecture supports elastic, on-demand scalability
● Global, high-performance network of over 100 points of presence in 76 countries
● Industry-leading latency SLAs of less than 10 ms
● Native and pervasive visibility with ADEM leverages all the deep insights to choreograph itself to deliver truly exceptional user experiences
Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA)
Zscaler Internet Access is a secure web gateway built on a proxy architecture, with add-ons like firewall and sandboxing to address security use cases. Low starting price for the basic package, with expensive add-ons.
Does not inspect all traffic. Requires the separate Zscaler Private Access for access to public cloud/data center applications (an offering in the Software Defined Perimeter market).
Cisco AnyConnect and Umbrella
Cisco AnyConnect is a traditional remote access VPN. Cisco pitches Umbrella for mobile user protection when the user disconnects from AnyConnect. Solution does not provide consistent security, and the multiple products are not integrated.
Pulse Secure
Remote access VPN spun off from Juniper. Does not provide comprehensive security. The company is pivoting away from remote access VPN toward Software Defined Perimeter.
Most organizations use a remote access VPN for off-prem users who need access to internal applications. These remote users temporarily connect to the VPN when they need an internal application, then disconnect to get better performance to the internet/cloud. Users lose performance while connected to the VPN, and security teams lose visibility and control when users disconnect.
Big Revenue: Gartner projects the market to reach $15B by 2024, a 36% CAGR
High Growth: Gartner expects that, “by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.” A SASE architecture identifies users and devices, applies policy-based security, and delivers secure access to the appropriate application or data. This approach allows organizations to apply secure access no matter where their users, applications or devices are located.