SASE คืออะไรและทำไมต้องใช้
SASE (Secure Access Service Edge) เป็น cloud-native architecture ที่รวม network security functions (SWG, CASB, FWaaS, ZTNA) กับ WAN capabilities (SD-WAN) เข้าด้วยกันเป็น single cloud service ออกแบบโดย Gartner เพื่อตอบโจทย์ remote work, cloud adoption และ edge computing
Components หลักของ SASE ได้แก่ SD-WAN (Software-Defined WAN) จัดการ network routing อัจฉริยะ, SWG (Secure Web Gateway) กรอง web traffic และป้องกัน malware, CASB (Cloud Access Security Broker) ควบคุม access ไปยัง cloud applications, FWaaS (Firewall as a Service) cloud-based firewall, ZTNA (Zero Trust Network Access) ให้ access ตาม identity ไม่ใช่ network location และ DLP (Data Loss Prevention) ป้องกันข้อมูลรั่วไหล
Low Code/No Code approach สำหรับ SASE ช่วยให้ IT teams deploy security policies ได้เร็วขึ้นโดยไม่ต้องเขียน code ซับซ้อน ใช้ visual interfaces, drag-and-drop policy builders และ pre-built templates ลดเวลา deployment จากสัปดาห์เหลือชั่วโมง เหมาะสำหรับองค์กรที่ไม่มี dedicated security engineering team
SASE Architecture และ Components
โครงสร้าง SASE architecture
# === SASE Architecture Overview ===
# 1. Network Architecture
# ===================================
# Traditional: User -> VPN -> Data Center -> Internet/Cloud
# SASE: User -> SASE Edge -> Direct to Cloud/Internet
#
# Benefits:
# - Lower latency (direct path to cloud)
# - Consistent security everywhere
# - Simplified management (single pane of glass)
# - Scale automatically with cloud
# 2. SASE Deployment Models
# ===================================
# a) Single-vendor SASE
# - Zscaler, Palo Alto Prisma SASE, Netskope
# - All components from one vendor
# - Easiest to manage
#
# b) Multi-vendor SASE
# - SD-WAN from one vendor + SSE from another
# - More flexibility, more complexity
# - Example: VMware SD-WAN + Zscaler SSE
# 3. Configuration Example (Zscaler-style)
# ===================================
# Policy configuration via API
cat > sase_policy.json << 'EOF'
{
"name": "Corporate SASE Policy",
"description": "Default security policy for all users",
"rules": [
{
"name": "Block Malware Downloads",
"action": "BLOCK",
"conditions": {
"threat_categories": ["malware", "phishing", "ransomware"],
"file_types": ["exe", "bat", "ps1", "vbs"]
},
"applies_to": "ALL_USERS"
},
{
"name": "DLP - PII Protection",
"action": "BLOCK_AND_LOG",
"conditions": {
"data_patterns": [
"credit_card_number",
"thai_national_id",
"passport_number"
],
"direction": "upload"
},
"applies_to": "ALL_USERS"
},
{
"name": "CASB - Restrict Shadow IT",
"action": "CAUTION",
"conditions": {
"app_risk_score": {"min": 4, "max": 5},
"unsanctioned_apps": true
},
"notification": "This app is not approved by IT"
},
{
"name": "ZTNA - Secure App Access",
"action": "ALLOW_WITH_MFA",
"conditions": {
"applications": ["erp.company.com", "crm.company.com"],
"user_groups": ["employees"],
"device_posture": {
"os_updated": true,
"antivirus_active": true,
"disk_encrypted": true
}
}
}
],
"logging": {
"level": "detailed",
"retention_days": 365,
"export_to": "siem"
}
}
EOF
# Apply policy via API
curl -X POST https://api.sase-provider.com/v1/policies \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d @sase_policy.json
echo "SASE architecture configured"ติดตั้ง SASE ด้วย Low Code/No Code
Deploy SASE โดยไม่ต้องเขียน code มาก
#!/usr/bin/env python3
# sase_deployer.py — SASE Deployment Automation
import json
import logging
from datetime import datetime
from typing import Dict, List
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("sase")
class SASEDeployer:
def __init__(self, provider="generic"):
self.provider = provider
self.policies = []
self.locations = []
self.users = []
self.deployment_log = []
def add_location(self, name, location_type, ip_range=None):
location = {
"name": name,
"type": location_type, # office, branch, cloud, remote
"ip_range": ip_range,
"created_at": datetime.utcnow().isoformat(),
}
self.locations.append(location)
self._log("add_location", location)
return location
def add_user_group(self, name, members_count, auth_method="sso"):
group = {
"name": name,
"members": members_count,
"auth_method": auth_method,
"mfa_required": True,
}
self.users.append(group)
self._log("add_user_group", group)
return group
def create_policy(self, name, policy_type, rules):
policy = {
"name": name,
"type": policy_type,
"rules": rules,
"enabled": True,
"created_at": datetime.utcnow().isoformat(),
}
self.policies.append(policy)
self._log("create_policy", {"name": name, "type": policy_type})
return policy
def deploy_web_security(self):
"""Deploy SWG policies (no code needed)"""
rules = [
{"category": "malware", "action": "block"},
{"category": "phishing", "action": "block"},
{"category": "adult_content", "action": "block"},
{"category": "gambling", "action": "block"},
{"category": "social_media", "action": "caution", "schedule": "work_hours"},
{"category": "streaming", "action": "bandwidth_limit", "limit_mbps": 10},
]
return self.create_policy("Web Security", "swg", rules)
def deploy_cloud_security(self):
"""Deploy CASB policies"""
rules = [
{"app": "dropbox", "action": "block_upload", "reason": "Use OneDrive instead"},
{"app": "gmail_personal", "action": "dlp_scan"},
{"app": "chatgpt", "action": "caution", "log": True},
{"risk_score_above": 3, "action": "block"},
]
return self.create_policy("Cloud Security", "casb", rules)
def deploy_zero_trust(self):
"""Deploy ZTNA policies"""
rules = [
{
"app": "internal_erp",
"require_mfa": True,
"device_posture": ["os_updated", "antivirus", "encrypted"],
"allowed_groups": ["employees"],
},
{
"app": "admin_portal",
"require_mfa": True,
"device_posture": ["os_updated", "antivirus", "encrypted", "managed"],
"allowed_groups": ["it_admins"],
"allowed_countries": ["TH"],
},
]
return self.create_policy("Zero Trust Access", "ztna", rules)
def deploy_dlp(self):
"""Deploy DLP policies"""
rules = [
{"pattern": "credit_card", "action": "block", "channels": ["email", "cloud"]},
{"pattern": "thai_id", "action": "block", "channels": ["all"]},
{"pattern": "source_code", "action": "log", "channels": ["cloud"]},
]
return self.create_policy("Data Loss Prevention", "dlp", rules)
def full_deployment(self):
"""One-click full SASE deployment"""
results = []
results.append(self.deploy_web_security())
results.append(self.deploy_cloud_security())
results.append(self.deploy_zero_trust())
results.append(self.deploy_dlp())
return {
"deployment_id": f"dep-{datetime.utcnow().strftime('%Y%m%d%H%M')}",
"policies_deployed": len(results),
"locations": len(self.locations),
"user_groups": len(self.users),
"status": "completed",
"policies": [{"name": p["name"], "type": p["type"]} for p in results],
}
def _log(self, action, details):
self.deployment_log.append({
"action": action,
"details": details,
"timestamp": datetime.utcnow().isoformat(),
})
deployer = SASEDeployer("zscaler")
deployer.add_location("Bangkok HQ", "office", "10.0.0.0/16")
deployer.add_location("Remote Workers", "remote")
deployer.add_user_group("employees", 500, "sso")
deployer.add_user_group("it_admins", 10, "sso+hardware_key")
result = deployer.full_deployment()
print(json.dumps(result, indent=2))Security Policies Automation
Automate security policies
#!/bin/bash
# sase_automation.sh — SASE Policy Automation
# === 1. Terraform for SASE Infrastructure ===
cat > main.tf << 'TFEOF'
# Zscaler ZIA Provider Example
# terraform {
# required_providers {
# zpa = {
# source = "zscaler/zpa"
# version = "~> 3.0"
# }
# }
# }
#
# # Application Segment (ZTNA)
# resource "zpa_application_segment" "erp" {
# name = "Internal ERP"
# description = "ERP Application Access"
# enabled = true
# domain_names = ["erp.company.internal"]
# segment_group_id = zpa_segment_group.corporate.id
#
# tcp_port_ranges {
# from = "443"
# to = "443"
# }
#
# server_groups {
# id = [zpa_server_group.erp_servers.id]
# }
# }
#
# # Access Policy
# resource "zpa_policy_access_rule" "erp_access" {
# name = "ERP Access Policy"
# description = "Allow employees to access ERP"
# action = "ALLOW"
# operator = "AND"
#
# conditions {
# operator = "OR"
# operands {
# object_type = "APP"
# values = [zpa_application_segment.erp.id]
# }
# }
#
# conditions {
# operator = "OR"
# operands {
# object_type = "SCIM_GROUP"
# values = [data.zpa_scim_groups.employees.id]
# }
# }
#
# conditions {
# operator = "AND"
# operands {
# object_type = "POSTURE"
# values = [
# data.zpa_posture_profile.os_updated.id,
# data.zpa_posture_profile.antivirus.id,
# ]
# }
# }
# }
TFEOF
# === 2. Policy-as-Code with OPA ===
cat > policy.rego << 'REGO'
package sase.access
default allow = false
# Allow if user is employee AND device is compliant
allow {
input.user.group == "employees"
input.device.os_updated == true
input.device.antivirus_active == true
input.device.disk_encrypted == true
input.user.mfa_verified == true
}
# Allow admin access with additional checks
allow {
input.user.group == "it_admins"
input.device.managed == true
input.user.mfa_verified == true
input.source.country == "TH"
}
# Block high-risk countries
deny {
input.source.country in ["KP", "IR", "SY"]
}
# DLP check
block_upload {
contains_pii(input.content)
input.destination.app_risk > 3
}
contains_pii(content) {
regex.match(`\d{13}`, content) # Thai ID
}
contains_pii(content) {
regex.match(`\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}`, content) # Credit card
}
REGO
# === 3. Automated Compliance Check ===
cat > compliance_check.py << 'PYEOF'
#!/usr/bin/env python3
import json
COMPLIANCE_REQUIREMENTS = {
"pdpa": [
{"check": "dlp_enabled", "required": True},
{"check": "data_encryption", "required": True},
{"check": "access_logging", "required": True},
{"check": "consent_management", "required": True},
],
"iso27001": [
{"check": "mfa_enforced", "required": True},
{"check": "network_segmentation", "required": True},
{"check": "incident_response", "required": True},
{"check": "vulnerability_scanning", "required": True},
],
}
def check_compliance(current_config, framework="pdpa"):
requirements = COMPLIANCE_REQUIREMENTS.get(framework, [])
results = []
for req in requirements:
passed = current_config.get(req["check"], False) == req["required"]
results.append({
"check": req["check"],
"required": req["required"],
"current": current_config.get(req["check"], False),
"passed": passed,
})
total = len(results)
passed = sum(1 for r in results if r["passed"])
return {
"framework": framework,
"total_checks": total,
"passed": passed,
"failed": total - passed,
"compliance_pct": round(passed / total * 100, 1),
"details": results,
}
config = {
"dlp_enabled": True, "data_encryption": True,
"access_logging": True, "consent_management": False,
"mfa_enforced": True, "network_segmentation": True,
"incident_response": True, "vulnerability_scanning": False,
}
for fw in ["pdpa", "iso27001"]:
print(json.dumps(check_compliance(config, fw), indent=2))
PYEOF
python3 compliance_check.py
echo "Security automation complete"Zero Trust Network Access
ZTNA implementation
#!/usr/bin/env python3
# ztna_engine.py — Zero Trust Access Engine
import json
import logging
from datetime import datetime
from typing import Dict, List
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("ztna")
class ZTNAEngine:
def __init__(self):
self.policies = []
self.access_log = []
self.risk_scores = {}
def add_policy(self, name, app, conditions):
policy = {"name": name, "app": app, "conditions": conditions, "enabled": True}
self.policies.append(policy)
def evaluate_access(self, request):
user = request.get("user", {})
device = request.get("device", {})
context = request.get("context", {})
app = request.get("app", "")
# Find matching policies
matching = [p for p in self.policies if p["app"] == app and p["enabled"]]
if not matching:
return self._deny("No policy found", request)
for policy in matching:
conditions = policy["conditions"]
# Check user group
if "allowed_groups" in conditions:
if user.get("group") not in conditions["allowed_groups"]:
return self._deny("User group not allowed", request)
# Check MFA
if conditions.get("require_mfa") and not user.get("mfa_verified"):
return self._challenge("MFA required", request)
# Check device posture
if "device_posture" in conditions:
for check in conditions["device_posture"]:
if not device.get(check):
return self._deny(f"Device posture failed: {check}", request)
# Check geo
if "allowed_countries" in conditions:
if context.get("country") not in conditions["allowed_countries"]:
return self._deny("Access from unauthorized country", request)
# Check time
if "allowed_hours" in conditions:
hour = datetime.utcnow().hour
start, end = conditions["allowed_hours"]
if not (start <= hour <= end):
return self._deny("Access outside allowed hours", request)
# Risk score
risk = self._calculate_risk(request)
if risk > 80:
return self._deny(f"Risk score too high: {risk}", request)
elif risk > 50:
return self._challenge(f"Elevated risk: {risk}", request)
return self._allow(request)
def _calculate_risk(self, request):
score = 0
device = request.get("device", {})
context = request.get("context", {})
if not device.get("os_updated"): score += 20
if not device.get("antivirus"): score += 25
if not device.get("encrypted"): score += 15
if not device.get("managed"): score += 10
if context.get("vpn"): score -= 10
if context.get("new_device"): score += 20
if context.get("unusual_location"): score += 15
return max(0, min(100, score))
def _allow(self, request):
result = {"decision": "ALLOW", "timestamp": datetime.utcnow().isoformat()}
self.access_log.append({**result, "request": request})
return result
def _deny(self, reason, request):
result = {"decision": "DENY", "reason": reason, "timestamp": datetime.utcnow().isoformat()}
self.access_log.append({**result, "request": request})
return result
def _challenge(self, reason, request):
result = {"decision": "CHALLENGE", "reason": reason, "action": "require_mfa"}
self.access_log.append({**result, "request": request})
return result
engine = ZTNAEngine()
engine.add_policy("ERP Access", "erp", {
"allowed_groups": ["employees", "it_admins"],
"require_mfa": True,
"device_posture": ["os_updated", "antivirus", "encrypted"],
})
# Test cases
tests = [
{"user": {"group": "employees", "mfa_verified": True},
"device": {"os_updated": True, "antivirus": True, "encrypted": True},
"context": {"country": "TH"}, "app": "erp"},
{"user": {"group": "employees", "mfa_verified": False},
"device": {"os_updated": True, "antivirus": True, "encrypted": True},
"context": {"country": "TH"}, "app": "erp"},
{"user": {"group": "contractor", "mfa_verified": True},
"device": {"os_updated": True, "antivirus": False, "encrypted": True},
"context": {"country": "US"}, "app": "erp"},
]
for i, test in enumerate(tests):
result = engine.evaluate_access(test)
print(f"Test {i+1}: {result['decision']} — {result.get('reason', 'OK')}")Monitoring และ Threat Detection
ตรวจจับภัยคุกคาม
# === SASE Monitoring & Threat Detection ===
# 1. Security Dashboard Metrics
# ===================================
# - Blocked threats per hour/day
# - Top blocked categories (malware, phishing, etc.)
# - DLP violations (data leak attempts)
# - ZTNA access denials
# - Bandwidth usage by application
# - User risk scores
# - Compliance status
# 2. SIEM Integration
# ===================================
# Export SASE logs to SIEM (Splunk, ELK, etc.)
#
# Syslog forwarding configuration:
# sase_config:
# log_forwarding:
# - name: splunk_siem
# type: syslog
# protocol: tcp_tls
# host: siem.company.com
# port: 6514
# format: cef
# log_types:
# - web_access
# - firewall
# - dlp
# - ztna
# - casb
# 3. Threat Detection Rules
# ===================================
# alert_rules:
# - name: brute_force_detection
# condition: "failed_logins > 5 within 5m from same IP"
# action: block_ip_30m
# severity: high
#
# - name: data_exfiltration
# condition: "upload_volume > 500MB within 1h to unsanctioned_app"
# action: block_and_alert
# severity: critical
#
# - name: impossible_travel
# condition: "login from 2 countries within 1h"
# action: require_mfa_and_alert
# severity: high
#
# - name: malware_outbreak
# condition: "blocked_malware > 10 within 10m"
# action: alert_soc_team
# severity: critical
# 4. Automated Response Playbook
# ===================================
# playbooks:
# compromised_account:
# - step: "Disable user account"
# - step: "Revoke all active sessions"
# - step: "Block user IP address"
# - step: "Notify security team"
# - step: "Create incident ticket"
# - step: "Collect forensic logs"
#
# data_breach:
# - step: "Block data transfer"
# - step: "Identify affected data"
# - step: "Notify DPO within 1 hour"
# - step: "Preserve evidence"
# - step: "Notify affected parties within 72 hours (PDPA)"
# 5. Monthly Security Report
# ===================================
# Sections:
# - Executive Summary
# - Threats Blocked (count, categories, trends)
# - Policy Violations (DLP, CASB, web)
# - Access Analytics (ZTNA denials, MFA usage)
# - Compliance Status (PDPA, ISO 27001)
# - Recommendations
echo "SASE monitoring configured"FAQ คำถามที่พบบ่อย
Q: SASE กับ VPN ต่างกันอย่างไร?
A: VPN สร้าง encrypted tunnel ระหว่าง user กับ corporate network ให้ full network access เมื่อเชื่อมต่อ มีปัญหา performance (traffic ต้องผ่าน data center), security (lateral movement เมื่อ compromise), scalability SASE ให้ access เฉพาะ application ที่ได้รับอนุญาต (zero trust), traffic ไปตรงไป cloud ไม่ต้อง backhaul, security policies apply ที่ edge ใกล้ user, scale อัตโนมัติ SASE แทนที่ VPN สำหรับ remote access และเพิ่ม security layers อีกมาก
Q: Low Code/No Code approach เพียงพอสำหรับ enterprise security ไหม?
A: เพียงพอสำหรับ 80-90% ของ use cases ทั่วไป SASE vendors ให้ visual policy builder, pre-built templates, one-click deployment สำหรับ standard policies แต่ complex scenarios เช่น custom DLP patterns, advanced threat detection rules, integration กับ legacy systems อาจต้องเขียน code หรือ scripts เพิ่ม แนะนำเริ่มจาก no-code แล้วเพิ่ม custom code เฉพาะที่จำเป็น
Q: SASE vendors ที่แนะนำมีอะไรบ้าง?
A: Leaders ใน Gartner Magic Quadrant ได้แก่ Zscaler (strong SSE, growing SD-WAN), Palo Alto Networks Prisma SASE (complete solution), Netskope (strong CASB and DLP) Challengers ได้แก่ Cisco (Umbrella + Meraki SD-WAN), Fortinet (FortiSASE), Cloudflare One (developer-friendly, competitive pricing) สำหรับ SMB แนะนำ Cloudflare One หรือ Zscaler Business สำหรับ enterprise แนะนำ Zscaler หรือ Palo Alto
Q: SASE ใช้เวลา deploy นานแค่ไหน?
A: ขึ้นกับ scope Basic deployment (SWG + ZTNA) สำหรับ 100 users ใช้เวลา 1-2 สัปดาห์ Full SASE deployment (SWG + CASB + ZTNA + DLP + SD-WAN) สำหรับ 1000+ users ใช้เวลา 2-6 เดือน ขั้นตอนหลัก planning (2 สัปดาห์), pilot group (2-4 สัปดาห์), phased rollout (4-8 สัปดาห์), optimization (ongoing) Low code/no code approach ลดเวลา configuration ได้ 50-70% เทียบกับ manual setup
