Secure Access Service Edge: Get started with SASE

Last Updated: Oct 31, 2024

This topic describes the process from purchase to use of Secure Access Service Edge (SASE) to help you get started with SASE.

Intended users

First-time users of SASE

SASE introduction

SASE description

SASE delivers security capabilities to the edge based on the nation-wide edge nodes of Alibaba Cloud, leased lines, and the zero trust security model. For enterprises that run multiple branches or stores and enterprises whose employees need to work remotely or from different locations, SASE provides zero trust-based remote access, audit of behaviors in internal networks, data loss prevention (DLP), network access control, and application acceleration. For more information, see What is SASE?

Capabilities of different SASE editions

SASE supports only the subscription billing method. The following table describes the capabilities of each SASE edition. You can select a SASE edition based on your business requirements. For more information about the billing methods and billable items of SASE, see Billing overview.

Edition and description:

  • Private Access VPN: Private Access VPN of SASE supports zero trust VPNs to allow users to access cloud or on-premises applications within an enterprise. This edition is suitable for enterprises that have fewer than 100 employees and require an office bandwidth of less than or equal to 10 Mbit/s.

  • Private Access Basic Edition: Private Access Basic Edition of SASE supports zero trust VPNs to allow users to access cloud or on-premises applications within an enterprise. This edition is suitable for enterprises that have more than 100 employees and purchase office bandwidth resources based on business requirements.

  • Private Access Advanced Edition: Private Access Advanced Edition of SASE supports zero trust VPNs to allow users to access cloud or on-premises applications within an enterprise. The edition also supports the network access control and global office features.

  • Internet Access DLP Edition: Internet Access DLP Edition uses the cloud data loss prevention (DLP) architecture to allow enterprises to identify, monitor, and protect office data in real time.

Configuration of each SASE feature

Prerequisites

The identity providers (IdPs) and user groups of an enterprise are configured before the enterprise uses the features of SASE. For more information, see Connect an LDAP IdP to SASE and Configure an IdP combination.

SASE supports third-party and self-managed identity authentication systems. Users can use the assigned usernames and passwords to log on to the SASE client and authenticate identities. SASE supports the following third-party IdPs: Lightweight Directory Access Protocol (LDAP), DingTalk, WeCom, Lark, and Identity as a Service (IDaaS). You can also use custom SASE IdPs to manage the organizational structures of enterprises.

Private access configuration

The private access feature supports SaaS-based zero trust access by adopting the software-defined perimeter (SDP) approach. SaaS is short for Software as a Service. The feature allows you to manage access permissions of employees without the need to expose public IP addresses or reconstruct your existing network architecture.

Step 1: Create an office application

Office applications of an enterprise refer to IT resources such as internal-facing applications, servers, or databases that are used by users at work. Users do not need to configure public IP addresses for office applications. If a user wants to access applications or resources in a LAN from a terminal, the user only needs to install the SASE client on the terminal and pass the required identity and security verification. For more information, see Configure office applications.

Step 2: Enable network connections

Enable network connections based on your business deployment.

Business resource deployment: Business resources are deployed on Alibaba Cloud.

Solution: You can use the network settings feature to enable network connections between business resources in Alibaba Cloud VPCs and the SASE client. You can access the Network Settings > Services on Alibaba Cloud page of the SASE console and turn on Network Connection for the VPC in which your server is deployed.

Environment requirement:

Computer requirements:

  • Windows 7 or later (Both 64-bit Windows and 32-bit Windows are supported.)

  • macOS 10.10 or later

  • Ubuntu 18.04 or later and UnionTech OS (UOS)

Business resource deployment: Business resources are deployed outside Alibaba Cloud and Alibaba Cloud virtual border routers (VBRs), Cloud Connect Network (CCN) instances, and VPN gateways are used for the business resources. For example, business resources are deployed on Amazon Web Services (AWS) or Tencent Cloud.

Solution: You can use Alibaba Cloud Express Connect, Smart Access Gateway (SAG), and IPsec-VPN to allow access from the SASE client to business resources outside Alibaba Cloud. You can access the Network Settings > Services Outside Alibaba Cloud > Cloud Network Instance tab of the SASE console, configure a back-to-origin VPC, and turn on Network Connection for your connector.

Environment requirement:

Computer requirements:

  • Windows 7 or later (Both 64-bit Windows and 32-bit Windows are supported.)

  • macOS 10.10 or later

  • Ubuntu 18.04 or later and UOS

Business resource deployment: Business resources are deployed outside Alibaba Cloud.

Solution: SASE provides the connector feature. You can deploy a connector to allow access from the SASE client to the business resources that are deployed outside Alibaba Cloud. This solution allows users to access the business resources without the need to use other network services. You can access the Network Settings > Services Outside Alibaba Cloud tab of the SASE console, create a connector, and then run commands to deploy the connector. Make sure that the connector is enabled.

Environment requirement:

Computer requirements:

  • Windows 7 or later (Both 64-bit Windows and 32-bit Windows are supported.)

  • macOS 10.10 or later

  • Ubuntu 18.04 or later and UOS

Requirements on the servers on which you can deploy connectors:

  • Virtual machine (VM) or server configurations:

    • CPU cores: 4

    • Memory: 8 GB

    • Disk size: 40 GB

    • Operating system: CentOS 7 or later

  • Network configurations: Access to the Internet is available. If a firewall is configured, you must allow outbound traffic over ports 443 and 8000 on the VM or server.

  • Bandwidth limit: The VM or server can forward traffic of 200 MB.

  • Port configurations: Ports 9000 to 9010 are unused.
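A preflight check for the connector server requirements listed above, as an added example that is not part of the SASE documentation or tooling. It covers CPU, memory, disk size, and ports 9000 to 9010; the function names, the 10% tolerance, and the choice to test TCP over IPv4 are assumptions, and the operating system and outbound firewall rules still need to be verified separately.

```python
import os
import shutil
import socket

# Nominal minimums from the connector requirements, with a tolerance factor.
# Assumption: memory and disk may report up to 10% under the nominal size,
# because the kernel and the filesystem reserve part of it.
REQUIRED = {"cpu_cores": (4, 1.0), "memory_gb": (8, 0.9), "disk_gb": (40, 0.9)}
RESERVED_PORTS = range(9000, 9011)  # ports 9000 to 9010 must be unused

def port_is_free(port):
    """True if no TCP listener holds the port (assumption: TCP over IPv4)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
            return True
        except OSError:
            return False

def collect_facts(path="/"):
    """Gather facts on a Linux host; MemTotal in /proc/meminfo is in kB."""
    with open("/proc/meminfo") as f:
        mem_kb = int(next(l for l in f if l.startswith("MemTotal")).split()[1])
    return {
        "cpu_cores": os.cpu_count() or 0,
        "memory_gb": mem_kb / 1024 ** 2,
        "disk_gb": shutil.disk_usage(path).total / 1024 ** 3,
        "busy_ports": [p for p in RESERVED_PORTS if not port_is_free(p)],
    }

def evaluate(facts):
    """Return the list of unmet requirements; an empty list means ready."""
    failures = [
        f"{key}: have {facts[key]:.1f}, need {nominal}"
        for key, (nominal, tolerance) in REQUIRED.items()
        if facts[key] < nominal * tolerance
    ]
    if facts["busy_ports"]:
        failures.append(f"ports in use: {facts['busy_ports']}")
    return failures

# Constructed sample: a nominal 8 GB VM with 2 cores and port 9003 taken.
SAMPLE = {"cpu_cores": 2, "memory_gb": 7.6, "disk_gb": 39.5, "busy_ports": [9003]}

if __name__ == "__main__":
    for failure in evaluate(SAMPLE):  # swap in collect_facts() on a real host
        print("FAIL:", failure)
```

On the server that will host the connector, pass `collect_facts()` to `evaluate()` instead of the constructed sample.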

Step 3: Create a zero trust policy

Zero trust policies help manage access to applications and resources for users and enterprise partners. Creating a zero trust policy means defining which office applications and resources each enterprise user group is permitted to access. The system has a built-in policy that prohibits all access. You must configure an allow policy to allocate different resources to different user groups. For more information, see Configure zero trust policies.

Step 4: Log on to the SASE client

Users use the username and password assigned by the system to log on to the SASE client and connect to an internal network. The configured policy is used to manage the private access from users. For more information, see Install and log on to the SASE client and Enable or disable network protection for private access.

Network access control

The network access control feature allows you to use the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) standard to access an office network. This way, you do not need to enter the username or the password. When you use SASE to connect to an office network, the access permissions of the SASE client users are determined based on the configured IP address whitelist.

Step 1: Create a wireless network instance

Create a wireless network instance in SASE and use EAP-TLS to connect to the office network.

Step 2: Obtain information about the SASE network access server

Before you connect to the office network, you must configure the region, IP address, UDP port, and key of the SASE RADIUS server on the network access controller of your enterprise to establish the network connection between the SASE RADIUS server and the network access controller. The RADIUS server is the network access server.

  • If you want to isolate and manage the users, you can configure network access permissions and use VLAN IDs to divide the network access permissions of users and terminals in a more fine-grained manner.

  • If the automatically issued certificate is not applicable to your business scenarios, you can modify the installation scope and validity period of the certificate or replace the certificate with a custom certificate of your enterprise.

DLP configuration

DLP provides the following methods to ensure data security: sensitive file detection, peripheral management, and watermark management. You can select a method based on your business requirements. If you require extremely strict data management, we recommend that you enable all methods.

Detect files transferred outbound to ensure data security

If you want to check whether users transfer files that contain sensitive data by using multiple channels, such as instant messaging and emails, you can use sensitive file detection to specify a sensitive data dictionary, build a data template, and create a detection policy. This way, you can obtain statistics on outbound file transfers. For more information, see Detect files transferred outbound to ensure data security.

Step 1: Configure a policy to detect files transferred outbound

Sensitive file detection of SASE uses custom keywords as characteristics to automatically identify sensitive content in files, builds a sensitive data template based on the characteristics, data types, and sensitivity levels, and then creates a detection policy based on the handling action. This way, you can determine whether the files transferred outbound are sensitive files.

To configure a detection policy, perform the following steps:

  1. Create a sensitive data dictionary to define the characteristics of sensitive content.

  2. Build a data template based on the sensitive data dictionary.

  3. Create a detection policy and associate the policy with a data template. You must specify applicable objects, detection channels, and handling actions in the policy.

Step 2: View the sensitive file detection results

After the policy is configured, DLP automatically detects files that are transferred by users. Then, DLP analyzes the outbound transfer events and abnormal events that are triggered in the last 30 days, 7 days, and 24 hours based on the detection results.

  • Sensitive file detection helps you detect sensitive files that are up to 30 MB in size, and collect statistics on the top 5 sensitive file types and their proportion.

  • Abnormal events record the outbound transfers of files that are larger than 30 MB in size, copying of files by peripherals, and outbound transfers of files whose total size is larger than 1 GB from the same user. However, the content of the files is not checked. Take note of abnormal events and manually check whether the files contain sensitive data.
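The dictionary, template, and policy chain from Step 1 and the result categories from Step 2, modeled as an added example; this is not SASE's detection engine or API. All names, the record layout, and the binary interpretation of MB and GB are assumptions, as is flagging abnormal events regardless of policy scope.

```python
from collections import defaultdict

MB, GB = 1024 ** 2, 1024 ** 3   # assumption: binary units
SCAN_LIMIT = 30 * MB            # files up to 30 MB are content-checked
USER_TOTAL_LIMIT = 1 * GB       # per-user outbound total that is flagged

# 1. Dictionary: keywords that characterise sensitive content (hypothetical).
DICTIONARY = {"payroll": ["salary", "bank account"]}
# 2. Template: built on the dictionary, carries a sensitivity level.
TEMPLATE = {"dictionaries": ["payroll"], "level": "high"}
# 3. Policy: template + applicable objects + channels + handling action.
POLICY = {"template": TEMPLATE, "groups": {"finance"},
          "channels": {"email", "im"}, "action": "alert"}

def is_sensitive(text, template):
    """Keyword match against every dictionary the template references."""
    text = text.lower()
    return any(k in text for d in template["dictionaries"] for k in DICTIONARY[d])

def triage(events, policy=POLICY):
    """Label each outbound transfer; 'abnormal' labels need manual review."""
    totals, labelled = defaultdict(int), []
    for e in events:
        labels = []
        totals[e["user"]] += e["size"]
        in_scope = e["group"] in policy["groups"] and e["channel"] in policy["channels"]
        if e["size"] > SCAN_LIMIT:
            labels.append("abnormal:large-file-unscanned")
        elif in_scope and is_sensitive(e["text"], policy["template"]):
            labels.append(f"sensitive:{policy['template']['level']}:{policy['action']}")
        if totals[e["user"]] > USER_TOTAL_LIMIT:
            labels.append("abnormal:user-total-over-1GB")
        labelled.append((e["user"], labels))
    return labelled

def event(user, group, channel, size, text):
    return {"user": user, "group": group, "channel": channel, "size": size, "text": text}

# Constructed sample events (not real SASE records).
EVENTS = [
    event("ann", "finance", "email", 2 * MB, "Q3 salary sheet"),
    event("bob", "finance", "im", 45 * MB, "salary archive"),
    event("bob", "finance", "im", 20 * MB, "lunch menu"),
] + [event("cy", "sales", "email", 30 * MB, "build artifact")] * 35

if __name__ == "__main__":
    for user, labels in triage(EVENTS):
        if labels:
            print(user, labels)
```

The 45 MB transfer mentions "salary" but is labelled only as abnormal, which is why the abnormal events queue needs manual review.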

Manage peripherals to ensure data security

If you want to check the peripherals of users, such as USB flash drives, printers, and optical drives, to determine whether the users transfer sensitive data, you can use peripheral management to create a policy to disable specific peripherals. For more information, see Manage peripherals to ensure data security.

Step 1: Configure a policy to manage peripherals

You can specify the applicable user group. You can also configure policies to manage peripherals for Windows and macOS.

Step 2: View the sensitive file detection results

If you set USB Flash Drive and USB Storage to Read/Write, sensitive behavior detection is triggered when a user uses a USB flash drive or USB storage to transfer internal files. Then, DLP analyzes the data in the last 30 days, 7 days, or 24 hours based on the detection results.

Manage watermarks to ensure data security

If you want to configure watermarks for screens and printers to ensure data security, you can use watermark management to configure watermarks for the screens and printers of specific users. For more information, see Manage watermarks to ensure data security.

Step 1: Configure a watermark management policy

You can specify the applicable user group and configure a watermark. You can create custom screen watermarks and printer watermarks.

Step 2: View the sensitive file detection results

If a user prints data, sensitive behavior detection is triggered. DLP automatically detects files printed by the user and analyzes the data in the last 30 days, 7 days, and 24 hours based on the detection results.

Feedback and suggestions

If you have questions or suggestions about SASE, you can use the following methods to provide feedback and obtain technical support:

  • Online help: You can obtain online technical support.

  • Submit a ticket: You can submit a ticket to contact technical support.

  • Feedback on documentation: If you find errors in the documentation, including link errors, content errors, and API operation errors, you can select the error content or click Feedback in the lower part of the documentation page and submit your feedback.