It should come as no surprise that the three largest cybersecurity markets today are endpoint security, network security, and identity. Yes, there are other large cybersecurity markets, such as email security, web security, cloud security, SIEM, and SOC, but the three I singled out account for over 50% of the cybersecurity market and are a big part of any customer's budget.
Of course, like any market or technology, network security has undergone several cycles of evolution over the past couple of decades, especially as new features have been added or consolidated into a platform. Today, network security has begun its third era of growth. But where did it all begin?
Trust everything and connect everything as fast as possible. That original objective of networking remains true today. However, malicious actors quickly made it their job to exploit those connections. So, back in the mid-1990s, the stateful firewall was invented to control access to private networks.
These initial stateful firewalls blocked traffic based on IP addresses, ports, and protocols. They created trusted and untrusted networks and, in some deployments, a demilitarized zone that sat between the two. This was a big improvement over simply connecting everything. However, as more and more traffic migrated to well-known application ports such as HTTP and HTTPS, simply allowing traffic on those ports was no longer an effective defense, because the stateful firewall's Layer 7 filtering was not granular enough. As a result, a lot of traffic passed through without inspection.
Many firewall vendors also began to add secure remote access via virtual private networks (VPNs). This allowed remote users and branch offices to work as though they were on the network, but it required an agent on the remote endpoints to extend secure connectivity to them. As users increasingly connected to the internet, a proxy was placed between the user and the internet to act as an intermediary for that traffic. And when bandwidth was at a premium, caching devices were incorporated to improve internet performance.
It should be noted that while the network firewall has evolved, traditional stateful firewalls will not disappear completely. Use cases such as internal segmentation remain essential to protecting networks against the lateral movement of threats.
As threat actors began to target application traffic, it became critical for security tools to inspect applications and content to assess whether the traffic was malicious. In other words, threat protection was becoming a critical job for the firewall. As a result, stateful firewalls evolved into unified threat management (UTM) devices, later known as next-generation firewalls (NGFWs).
These NGFWs were placed at the network edge, which was usually at the data center perimeter for traffic accessing external applications and the internet. They could identify applications and mitigate most threats in flight, making them critical for in-path communications. Deeper content inspection and understanding of a URL's application content provided more visibility and granularity to mitigate threats.
However, these additional layers of inspection, including SSL and deep packet inspection, required more security-specific processing power than the off-the-shelf processors powering most NGFW appliances. To address this challenge, Fortinet developed the industry's first security processing unit, a purpose-built ASIC designed to increase performance by offloading critical security functions.
At the same time, intrusion prevention systems (IPS) became a security tool used by InfoSec teams to protect endpoints from attack, with different IPS signatures for different types of applications. Because IPS and NGFW devices were usually deployed on the same edge, it became apparent that inspection and enforcement worked just as well, and sometimes better, as part of the NGFW.
And as attacks from the internet increased, additional security was also added to the traditional proxy and became known as the secure web gateway (SWG). This included URL filtering, antivirus, data leakage protection, and SSL inspection.
As we move into the third era of network security, the traditional perimeter has been completely reimagined. To secure today's highly distributed environment, a new, more expansive type of platform is required: one that can work across the hybrid workforce, distributed edge, and multi-cloud environments. It must also expand the convergence of networking and security across all edges by supporting multiple form factors: physical and virtual appliances, multi-cloud platforms, and as-a-Service. We call this Unified SASE (secure access service edge).
This new approach allows protections to move beyond simply defending against external threats to consistently securing data wherever it might be. To do this, Unified SASE components must be deeply integrated together, and the solution must be AI-based so it can detect, correlate, and respond to threats wherever they target the network in near real time.
Unified SASE goes beyond traditional SASE solutions by converging end-user connectivity with critical networking through the incorporation of a software-defined wide area network (SD-WAN). SD-WAN quickly became a critical technology for replacing simple routers at branches and campuses with faster, smarter, and more cost-efficient connections to the rest of the network. Adding SD-WAN to Unified SASE ensures end-to-end visibility and control.
Unfortunately, early SD-WAN solutions did not take security seriously. They needed a separate firewall appliance and security solutions that had to operate as a separate overlay, which diminished the value of the flexibility that SD-WAN provided. Fortinet solved this problem by building enterprise-class Secure SD-WAN directly into the firewall.
As SaaS applications became more popular, an API-based cloud access security broker (CASB) was also included. When this was added to the SWG, the combined, cloud-based solution became known as security service edge (SSE). It plays a critical role in the Unified SASE solution.
So does zero-trust network access (ZTNA), which provides application-specific access. It is used in conjunction with SSE to replace or complement remote access via VPN.
As we move to Unified SASE, endpoint and network security must be intrinsically connected. VPN, SASE, and ZTNA ensure that endpoint devices function as an extension of the network. But there also needs to be a digital experience monitoring (DEM) element to measure end-to-end experience. And, of course, it should include endpoint protection platform (EPP) and endpoint detection and response (EDR) functionality along with agentless options.
The critical elements of Unified SASE include:
Unfortunately, most vendors are not taking an integrated approach to SASE. Instead, they are building their platforms by acquiring companies and bolting their technologies together. While this may look attractive on the surface, it's not really a platform underneath, which means things don't really work together the way they need to, making end-to-end visibility and control difficult to achieve. Indeed, not all platforms are equal.
A true Unified SASE platform should use a single OS, a unified client, a single analytics engine, and a single policy engine that can run on physical and virtual appliances, in the cloud (including all major cloud-provider platforms), and as-a-Service. It should also be powered by integrated threat intelligence and AI.
By integrating protections designed for clouds, connections, networks, and endpoint devices into a unified security strategy, this third era of network security expands security to every edge. The integrated, platform-based approach of Unified SASE enables organizations to build and evolve their networks as they need, allowing them to respond to business demands without compromising security, performance, or user experience. Its innate adaptability also provides a path forward to meet the next era of challenges headed our way.