Secure Access Service Edge

Barracuda’s unique approach to Secure Access Service Edge (SASE)


Earlier this week, Barracuda announced a cloud-native Secure Access Service Edge (SASE) platform that enables businesses to control access to data from any device, anytime, anywhere.

We shared the news on Tuesday about this and some other exciting product news that we introduced at Secured.21, our virtual customer conference. To give you a closer look at the SASE release, the new capabilities it enables, and the ways it will help customers, we sat down with Klaus Gheri, VP, Network Security at Barracuda.

Q&A with Klaus Gheri, VP of Network Security

What makes Barracuda’s approach to SASE unique?

Three things stand out to me that really make a difference here. First of all, Barracuda has most of the functional requirements for a SASE implementation in its product portfolio. It’s rather unusual for a single vendor to bring together so many of the pieces, and that makes us stand out. And, it’s not just a bunch of parts stuck together through acquisitions. It’s something we’ve been building toward.

Secondly, as a vendor we were an early adopter and started to extend our solutions to public cloud environments more than seven years ago. This puts us in a fantastic position for the SASE construct because we’ve got the necessary elements and the expertise. We also have strengths both with cloud-based and on-premises implementations, which is a key ingredient to SASE. When puzzling all of this together into a SaaS service we decided to be as cloud native as possible.

The third unique aspect is that the Gartner definition of SASE extends to sites, people, and things. While a few vendors cover sites and people, we also have a strong industrial security and connectivity play. Having all three in place is unusual, and again cloud-based industrial connectivity solutions are something we have been working on for several years now, which is more proof that Barracuda has something very unique to bring to the table.

What does it mean to be cloud-native, and why does that make a difference?

Cloud native means that the cloud hub components of our SASE solutions are fully baked into the public cloud fabric and, thus, are close to your data and applications. The hub service makes use of our security and connectivity technology stack but is operated and supported by the cloud provider. Additionally, communication between hubs makes use of the cloud backbone, so you get an ultra-performant network.

In comparison, a non-native approach would be to build these hubs outside of the cloud and then route traffic into the cloud. As a result, you would obviously no longer get the benefit of end-to-end SD-WAN connectivity and end-to-end management across all digital assets. Many other vendors take a non-native approach and run some form of global infrastructure that you can connect into and then from there it’s another stretch onto the public cloud. The problem is it’s not an end-to-end approach, so connectivity is not optimized all the way through.

Because of our close relationship with Microsoft, we decided to embed our components right into the cloud fabric. So, it's the cloud provider who operates and maintains the hubs, which means you’ve got the full coverage from SLAs because it's not something that's just hovering on top of the public cloud.

How do our solutions work together to help businesses achieve SASE convergence?

Convergence is the right topic here. SASE is a long list of things, and not all of them are equally relevant to organizations. Because SASE is still evolving, I want to talk about practical SASE that includes those functional elements that almost all customers need.

The core building blocks are the SD-WAN connectivity between the cloud and sites that you need to get reliable and performant access to your data from anywhere. We provide a solution for this that you can deploy through zero-touch deployment via drop shipment. Once it comes up, it will automatically do the right thing for you and does not require any further expert tweaks. So, it’s really easy for customers to get the solution in place, especially small teams.

The same technology stack can also be used for full security inspection both at the on-premises site level as well as the cloud hub level. You select if and where you want to make use of this. This comes in at no extra charge and adds Firewall-as-a-Service (FWaaS) or Secure Web Gateway-as-a-Service (SWGaaS) capabilities.

Finally, there’s the remote access piece of SASE. Single sign-on (SSO)/multifactor authentication (MFA)-secured access to hybrid cloud and on-premises networks that includes security inspection is the new element that helps organizations deal with flexible work-from-anywhere requirements. Through SSO with Azure Active Directory you can leverage conditional access rules that provide another control plane to facilitate trusted access.

What are the most important new capabilities included in this release? How do they help customers?

The ability to make full use of the CloudGen Firewall’s security inspection stack at the hub service level is one of the most important pieces of this release. It gives customers the ability to inspect and microsegment cloud network traffic and internet breakout traffic from sites and cloud networks. This turns a hub service into a FWaaS or SWGaaS construct.

The release also includes Adaptive Forward Error Correction (FEC) to mitigate packet loss on the fly, which boosts performance and quality of communication dramatically. This improves communication quality already with a single ISP. TLS 1.3 is another important piece we added. It’s a more performant TLS version with growing popularity that is now compatible with man-in-the-middle interception, ultimately helping customers stay even more secure.

We also added the ability for remote workers to connect back in to either the cloud hub or the nearest site device for latency minimization. Plus, customers can now allow our Secure Connector appliances with integrated LTE modems to connect to the same CloudGen Firewall gateway or hub service that spans an SD-WAN fabric. This streamlines OT/IoT deployments by enabling scalable connectivity and out-of-the-box security, with Barracuda Secure Connector now able to network directly with CloudGen Firewall or a cloud hub.

How does XDR fit into this?

Extended detection and response (XDR) is a key element of any modern day security architecture. We can offer such capabilities today through several Open XDR ecosystem partnerships, such as our integration with Stellar Cyber. Detection is the beginning of extended detection and response, which means you need to aggregate data and analyze it in order to detect unusual activity and respond to it.

For our SASE implementation, log analytics that we send through these integrations provide audit trail information, and Azure Sentinel, for example, can be leveraged for extended detection. Going forward we will also aim for a deeper integration with SKOUT, a managed XDR vendor that we recently acquired.

Is there anything else you want to mention that we haven’t covered?

I also wanted to highlight that we’re integrating our Zero Trust Network Access (ZTNA) product, Barracuda CloudGen Access, with our cloud secure web gateway product, Barracuda Content Shield. This is an endpoint protection connectivity play, and it blends in nicely with what we have. As SASE is evolving, we’re enriching the solutions and will continue to do so.

Webinar: 2021 Strategic Roadmap for SASE Convergence
