Effective URL: https://www.aryaka.com/blog/choosing-the-unified-sase-provider/?utm_source=marketo&utm_medium=email&utm_campaign=FY24_A...
CHOOSING THE UNIFIED SASE PROVIDER: THE EXECUTION ISOLATION FACTOR

By Srini Addepalli | October 2, 2023



SHARED PROCESSES FOR PACKET-LEVEL SECURITY TECHNOLOGIES

Networking and security technologies at the packet level, such as stateful
inspection firewalls, IPsec, and load balancing, impose lower computational
demands in terms of the number of CPU cycles required for each packet.
Furthermore, the processing per packet is highly consistent, which makes
performance easy to predict.

In today’s landscape, security functions (e.g., FWaaS) are delivered as services
by service providers who deploy these functions in the Cloud/Points of Presence
(PoPs). To cater to multiple tenants, the underlying security technology
implementations leverage a Virtual Routing and Forwarding (VRF) tenancy model.
Under this model, traffic from multiple tenants traverses the same security
device or container/process, effectively addressing challenges related to
overlapping IP addresses among tenants. Tenant traffic is identified either
through tunnel interfaces or other mechanisms, and specific configurations
tailored to each tenant, such as tenant-specific security policies, are then
applied accordingly.

To mitigate any potential “noisy neighbor” issues, packet rate limiting is
applied at the ingress on a per-tenant basis. This strategy guarantees that the
security performance of each individual tenant remains unaffected by the
activities of other potentially problematic tenants. Given the consistent
per-packet processing, rate limiting proves effective in ensuring equitable
processing treatment for all tenants.

Another significant concern for organizations is the potential leakage of
sensitive data resulting from the exploitation of vulnerabilities within shared
processes or containers by malicious packets from other tenants. One argument
often presented by security service providers is that the processing on a
per-packet basis is straightforward, reducing the likelihood of vulnerabilities
and corresponding exploitation. It is indeed true that packet-level security
technologies are simpler, and this argument has some validity.

Both challenges mentioned earlier, namely the “noisy neighbor” problem and
“shared resource vulnerabilities,” may not pose significant issues for
packet-level security technologies that utilize shared processes. However, we
believe that these challenges can be more pronounced and substantial for SASE
(Secure Access Service Edge) or SSE (Secure Service Edge) security technologies.

DISTINGUISHING SASE/SSE SECURITY FROM PACKET-LEVEL SECURITY TECHNOLOGIES AND
CHALLENGES

SASE/SSE (Secure Access Service Edge/Secure Service Edge) security technologies
transcend traditional packet-level security, offering a comprehensive suite of
features:

 * Comprehensive Security Functions: SASE/SSE encompasses a wide array of
   security functions, including IDPS (Intrusion Detection and Prevention), DNS
   Security, SWG (Secure Web Gateway), ZTNA (Zero Trust Network Access), CASB
   (Cloud Access Security Broker) with IP/URL/Domain/File reputation firewall,
   access control with deep traffic-level attributes such as URI, request
   headers, response headers, Anti-Malware, and DLP (Data Leak Prevention). Zero
   Trust Networking (ZTN) in SASE/SSE is fundamental, ensuring access only upon
   user authentication and authorization, with granular control over application
   resources while considering identity and device context.
 * Deep Content Inspection: The core of SASE/SSE security lies in deep content
   inspection, using proxies that manage client connections, initiate server
   connections, decrypt streams, extract relevant data from traffic, perform
   security functions, and prevent the transmission of malicious content.

Now, let’s delve into the execution differences between SASE/SSE and
packet-level security technologies:

 * Shift from Per-Packet to Session-Based Processing: In the context of
   SASE/SSE, security execution no longer operates at the per-packet level but
   rather at the level of traffic session streams. Unlike per-packet
   technologies, there is variability in the number of compute cycles used in
   SASE/SSE security processing across tenants, for the following reasons:
   * Security functions applied to the traffic stream can vary among tenants.
   * Even when similar security functions are applied, the nature of the data
     being exchanged can necessitate more intensive processing. For example,
     consider scenarios involving Anti-Malware and DLP, which require extracting
     text from various file types, decompressing transferred files, untarring
     file collections, and more. Some tenants may transfer compressed files,
     resulting in extensive processing, impacting throughput and latency for
     other tenants. Noise generated by a particular tenant, whether due to
     infection or high business traffic during a significant event, can affect
     other tenants’ traffic performance.
 * Complex Security Processing: SASE/SSE security processing is inherently
   intricate, often incorporating various libraries, including third-party and
   open-source components. These include OIDC (OpenID Connect), Kerberos, and
   SAMLv2 clients for authentication, complex policy engines for enforcement,
   SDKs from threat intelligence providers, and, for data-level security such
   as Anti-Malware and DLP, data extraction, JSON/XML decoding, base64 decoding,
   data decompression engines, and text extraction via open-source projects
   like Tika, among others. This complexity increases the attack surface for
   potential exploitation. Although SASE/SSE providers prioritize swiftly
   addressing vulnerabilities, a time gap may exist between exploitation and
   resolution. When shared processes are employed for multiple tenants,
   attackers can potentially exploit vulnerabilities and access sensitive
   information not only from the intended tenant but from all tenants whose
   data shares that execution context.
 * Bring your own Security Function: While SASE/SSE services offer comprehensive
   security features out of the box, they also provide organizations with the
   flexibility to introduce their custom security functions using Lua modules or
   WebAssembly (WASM) modules. However, in such cases, shared processes pose
   significant challenges, as they can potentially lead to data exfiltration
   from other tenants if not managed carefully. Addressing this concern becomes
   more complex when shared processes are employed, and there may always be
   potential ways to circumvent these controls.
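The noisy-neighbor argument above (per-tenant ingress rate limiting keeps tenants fair when every packet costs the same, but not when session-level functions such as decompression make some tenants' traffic far more expensive) can be made concrete with a small simulation. This is an added example, not code from the Aryaka post; the tenant names, offered packet rates, the two-units-per-tick worker budget and the five-unit cost assigned to tenant b's traffic are all constructed values.

```python
"""
Added example (not Aryaka code): one shared worker process serving two tenants
behind per-tenant ingress rate limiting.  Both tenants are admitted at the same
packet rate; only the CPU cost per admitted packet differs between scenarios.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class TokenBucket:
    """Per-tenant ingress limiter: admits at most `rate` packets per tick on average."""
    rate: float
    burst: float
    tokens: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def refill(self) -> None:
        self.tokens = min(self.burst, self.tokens + self.rate)

    def allow(self) -> bool:
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Job:
    tenant: str
    arrival: int
    remaining: int          # CPU units still needed before this packet is done


def simulate(cost_of: Callable[[str], int], offered: Dict[str, int],
             ticks: int = 1000, cpu_per_tick: int = 2) -> Dict[str, dict]:
    """Run the shared worker; every tenant is limited to one admitted packet per tick."""
    buckets = {t: TokenBucket(rate=1.0, burst=1.0) for t in offered}
    queue = deque()
    stats = {t: {"admitted": 0, "dropped": 0, "cpu": 0, "done": 0, "delay": 0}
             for t in offered}
    for now in range(ticks):
        # Ingress: each tenant offers `offered[t]` packets; the bucket admits at most one.
        for t, n in offered.items():
            buckets[t].refill()
            for _ in range(n):
                if buckets[t].allow():
                    queue.append(Job(t, now, cost_of(t)))
                    stats[t]["admitted"] += 1
                else:
                    stats[t]["dropped"] += 1
        # Worker: spend this tick's CPU budget on queued work in arrival order (FIFO).
        budget = cpu_per_tick
        while budget > 0 and queue:
            job = queue[0]
            take = min(budget, job.remaining)
            job.remaining -= take
            budget -= take
            stats[job.tenant]["cpu"] += take
            if job.remaining == 0:
                queue.popleft()
                stats[job.tenant]["done"] += 1
                stats[job.tenant]["delay"] += now - job.arrival
    total_cpu = sum(s["cpu"] for s in stats.values()) or 1
    return {t: {"admitted": s["admitted"], "dropped": s["dropped"],
                "cpu_share": s["cpu"] / total_cpu,
                "mean_delay": (s["delay"] / s["done"]) if s["done"] else 0.0}
            for t, s in stats.items()}


def packet_level() -> Dict[str, dict]:
    """Scenario 1: packet-level functions, constant cost of 1 unit per packet."""
    return simulate(cost_of=lambda tenant: 1, offered={"a": 1, "b": 10})


def session_level() -> Dict[str, dict]:
    """Scenario 2: session-level functions; tenant b ships compressed archives whose
    DLP/anti-malware scan is assumed to cost 5 units per packet (constructed figure)."""
    return simulate(cost_of=lambda tenant: 5 if tenant == "b" else 1,
                    offered={"a": 1, "b": 10})


if __name__ == "__main__":
    for name, result in (("packet-level", packet_level()), ("session-level", session_level())):
        print(name, result)
```

In scenario 1 tenant b's excess packets are dropped at ingress and both tenants end up with the same CPU share and zero queueing delay. In scenario 2 the same limiter admits the same packet rate, yet tenant b consumes over 80% of the worker and tenant a's packets queue for hundreds of ticks behind b's decompression work, which is exactly the gap between packet-rate fairness and compute fairness that the post describes.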

In summary, SASE/SSE security offers a comprehensive security framework beyond
packet-level security, but it introduces complexities and challenges related to
variable compute usage, intricate processing, and shared resources. Maintaining
robust security in such environments is critical to safeguard against
performance challenges AND data breaches & privacy violations.

SEEK SASE/SSE SOLUTIONS THAT OFFER EXECUTION ISOLATION

Organizations undoubtedly value the rationale behind SASE/SSE providers
employing shared processes for multiple tenants. This approach efficiently
utilizes compute resources among tenants, contributing to sustainability and
cost-effectiveness. Service providers can, in turn, pass on these cost savings
to their customers.

However, certain industry segments are reluctant to accept the security risks
associated with multi-tenancy architecture and shared processes. Some
organizations may anticipate future needs for a more risk-averse approach. In
such cases, organizations should seek SASE/SSE services that offer flexibility,
providing options for both shared processes and dedicated processes/containers.

Dedicated execution contexts, with dedicated processes/containers for traffic
processing, can effectively address the challenges outlined in the previous
section:

 * Performance Isolation: Achieving deterministic performance becomes feasible
   without concerns about disruptive “noisy tenants.” With a dedicated execution
   context, it is relatively straightforward to allocate dedicated compute
   resources to individual tenants. Resource caps can also be configured so
   that noisy neighbors cannot use up all the resources of a compute node.
 * Security Isolation: A dedicated execution context ensures that any malicious
   intent or insider threats attempting to exploit SASE/SSE services of one
   tenant will not lead to data leakage for tenants that opt for dedicated
   execution contexts.
 * Worry-free ‘Bring your own security function’: A dedicated execution context
   ensures that Lua scripts/WASM modules are executed exclusively within
   dedicated processes. Consequently, any processing or data exfiltration
   challenges are confined to the tenant bringing their custom security
   functions, providing peace of mind for other tenants, provided that
   service providers enable this feature only for dedicated processes.
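The three isolation properties above translate into admission rules that a provider's control plane can enforce before a tenant is placed: custom modules only in dedicated contexts, a per-tenant reservation that is capped well below a node's capacity, and a separate node pool for tenants that need the memory protection discussed in the next section. The following is an added example, not Aryaka's code; the tenant records, node sizes, the 50% per-node cap, the "tee" pool name, and all field names are assumptions made for illustration.

```python
"""
Added example (not Aryaka code): admission control for a SASE/SSE proxy fleet
that offers both shared and dedicated execution contexts.  Every figure below
is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TenantRequest:
    name: str
    isolation: str                                   # "shared" or "dedicated"
    custom_modules: List[str] = field(default_factory=list)   # Lua / WASM modules
    cpu_cores: float = 1.0                           # reservation (dedicated only)
    memory_mib: int = 1024                           # reservation (dedicated only)
    confidential: bool = False                       # needs TEE-protected memory


@dataclass
class Node:
    name: str
    pool: str                                        # "standard" or "tee"
    cores: float
    memory_mib: int
    free_cores: float = field(init=False)
    free_memory_mib: int = field(init=False)

    def __post_init__(self) -> None:
        self.free_cores = self.cores
        self.free_memory_mib = self.memory_mib


@dataclass
class Placement:
    tenant: str
    context: str                                     # "shared-pool" or "dedicated"
    node: str
    limits: Dict[str, float]
    modules_loaded: List[str]


class AdmissionError(ValueError):
    """The request violates an isolation rule."""


# Assumed cap: no dedicated tenant may reserve more than half of one node, so a
# single busy tenant cannot starve the other contexts on the same compute node.
MAX_NODE_SHARE = 0.5


def place(req: TenantRequest, nodes: List[Node]) -> Placement:
    if req.isolation not in ("shared", "dedicated"):
        raise AdmissionError(f"{req.name}: unknown isolation tier {req.isolation!r}")

    if req.isolation == "shared":
        # Rule 1: custom security functions never run inside the shared process.
        if req.custom_modules:
            raise AdmissionError(f"{req.name}: custom modules require a dedicated context")
        # Rule 2: confidentiality guarantees are offered only for dedicated contexts.
        if req.confidential:
            raise AdmissionError(f"{req.name}: confidential computing requires a dedicated context")
        # Shared tenants get an ingress packet-rate budget, not a CPU reservation.
        return Placement(req.name, "shared-pool", "shared-pool", {"pps": 50_000.0}, [])

    # Rule 3: dedicated reservations are capped and placed first-fit in the right pool.
    pool = "tee" if req.confidential else "standard"
    for n in nodes:
        if n.pool != pool:
            continue
        if req.cpu_cores > n.cores * MAX_NODE_SHARE or req.memory_mib > n.memory_mib * MAX_NODE_SHARE:
            continue                                  # would exceed the per-tenant cap here
        if req.cpu_cores <= n.free_cores and req.memory_mib <= n.free_memory_mib:
            n.free_cores -= req.cpu_cores
            n.free_memory_mib -= req.memory_mib
            return Placement(req.name, "dedicated", n.name,
                             {"cpu": req.cpu_cores, "memory_mib": float(req.memory_mib)},
                             list(req.custom_modules))
    raise AdmissionError(f"{req.name}: no {pool} node can host the reservation within the cap")


def admit_all(requests: List[TenantRequest], nodes: List[Node]) -> Tuple[List[Placement], Dict[str, str]]:
    placements, rejected = [], {}
    for req in requests:
        try:
            placements.append(place(req, nodes))
        except AdmissionError as exc:
            rejected[req.name] = str(exc)
    return placements, rejected


def demo() -> Tuple[List[Placement], Dict[str, str]]:
    """Constructed fleet and tenant requests exercising each rule."""
    nodes = [Node("n1", "standard", 16.0, 65536), Node("t1", "tee", 16.0, 65536)]
    requests = [
        TenantRequest("acme", "dedicated", ["dlp_custom.wasm"], cpu_cores=4.0, memory_mib=8192),
        TenantRequest("beta", "shared"),
        TenantRequest("gamma", "shared", ["hook.lua"]),               # rejected: rule 1
        TenantRequest("delta", "dedicated", cpu_cores=2.0, memory_mib=4096, confidential=True),
        TenantRequest("huge", "dedicated", cpu_cores=12.0),           # rejected: rule 3
    ]
    return admit_all(requests, nodes)


if __name__ == "__main__":
    accepted, declined = demo()
    for p in accepted:
        print(p)
    for name, reason in declined.items():
        print("rejected", name, reason)
```

The shared pool deliberately carries no per-tenant CPU figure: the only lever it has is the ingress rate budget, which is the limitation the earlier sections describe. Everything that needs a hard boundary, whether a custom module, a CPU reservation, or encrypted memory, is routed to a dedicated context on a node with capacity to spare.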

ANTICIPATING FUTURE NEEDS: THE IMPORTANCE OF CONFIDENTIAL COMPUTING

As we look ahead, some organizations are becoming increasingly aware of the
growing importance of confidential computing. This awareness is particularly
relevant in the context of TLS inspection and the handling of large amounts of
sensitive data, including secrets and passwords, within SASE/SSE services. A
recurring concern revolves around the possibility that personnel with access to
the server infrastructure, including service provider staff, might gain
unauthorized access to the memory of processes and containers. Additionally,
even attackers who manage to exploit server operating systems may potentially
breach the memory of these containers and processes. This concern becomes more
pronounced in situations where services are available in multiple Points of
Presence (PoPs) across different countries with varying legal definitions and
enforcement.

Modern processors, such as those equipped with Intel Trust Domain Extensions
(TDX), offer advanced features for trusted execution. These technologies play a
crucial role in ensuring that even infrastructure administrators or attackers
with elevated privileges cannot decipher the memory content, as it remains
securely encrypted by the TDX hardware.

SASE/SSE providers that offer dedicated execution contexts are better positioned
to provide this essential confidentiality feature compared to others. Therefore,
organizations are strongly advised to consider providers that offer the
flexibility of both shared processes and dedicated execution contexts. This
flexibility will help future-proof their risk mitigation strategies and ensure
the highest level of data security in evolving landscapes.


 * CTO INSIGHTS BLOG
   
   The Aryaka CTO Insights blog series provides thought leadership for network,
   security, and SASE topics. For Aryaka product specifications refer to Aryaka
   Datasheets.

About the author

Srini Addepalli
Srini Addepalli is a security and Edge computing expert with 25+ years of
experience. Srini has multiple patents in networking and security technologies.
He holds a BE (Hons) degree in Electrical and Electronics Engineering from BITS,
Pilani in India.