
Secure_Access_Service_Edge_SASE

HPE Aruba Networking has acquired Axis Security to enhance its Secure Access Service Edge (SASE) offerings, integrating Axis's solutions into its portfolio. The document outlines the drivers for the acquisition, the capabilities of Axis's Security Service Edge (SSE) solutions, and the benefits of transitioning to a cloud-first, zero trust security model. Key features include improved secure connectivity, visibility, and automation for enterprises adapting to new demands and workloads in a rapidly evolving digital landscape.

Uploaded by

haslex76
HPE Aruba Networking

Secure Access Service Edge (SASE)


HPE Aruba EdgeConnect SD-WAN + Axis Atmosphere SSE
AXIS SECURITY
Now part of HPE Aruba Networking

• Why - Drivers of HPE acquisition of Axis Security
• Who - Axis Security Introduction
• What - Axis SSE Solution Portfolio
• Where - EdgeConnect + Axis Integration
• When - Availability and engagement timeline/process

NEW DEMANDS AND WORKLOADS ARE CONSTANTLY PLACED ON THE
EDGE

• Transformation to Cloud Services Such as SaaS, IaaS, PaaS require a new type of network to provide a high performance and secure experience.
• The Proliferation of Connectivity Options such as Broadband, Satellite, and Cellular are Adding New Use Cases and Challenges Daily.

LEGACY NETWORK AND SECURITY APPROACHES HAVE LIMITATIONS
[Diagram: Branch, Campus, Mobile User, Retail Site and Datacenter reaching IaaS Workloads, SaaS Applications, Internet Traffic and On-Premise Workloads over WAN, Internet and VPN, with Local Breakout and Internet Backhaul paths annotated for bandwidth, control, latency and automation.]

Increased latency, limited bandwidth, routing and security complexity, coupled with multiple products and a total lack of automation impedes performance and creates security risk.

IT IS TASKED WITH DELIVERING A WORLD CLASS EXPERIENCE

• Securely and Reliably Connect Users to Applications from the Office, Home or Anywhere Else
• Provide Reliable Connectivity to Mission Critical Applications Even in an Ever-Evolving Landscape
• Rapidly Identify Problems or Deploy Changes to the Network Within Minutes, Not Months

ENTERPRISES ARE LOOKING FOR A NEW SET OF OUTCOMES

Cloud First, Zero Trust Security with Total Visibility

• Secure Connectivity to Applications in the Cloud or On-Premise
• Total Visibility of Every Application on the Network
• Inspection of All Traffic to Mitigate Threats to the Network
• Simplified User Access with Application Dashboard

Optimized Connectivity to Any Application, In the Cloud or On-Premise

• High Quality Real-Time Application Experience Over Any Circuit
• Direct, Optimized Connectivity to IaaS Workloads
• High Performance SaaS Application Performance
• Automation of Changes Across the Entire Network

Secure Access Service Edge
2015 - Software Defined WAN (SD-WAN) solutions provide a replacement for traditional WAN routers and are agnostic to WAN transport technologies. SD-WAN provides dynamic, policy-based, application path selection across multiple WAN connections and supports service chaining for additional services such as WAN optimization and firewalls.

2019 - Secure Access Service Edge (SASE) is an architecture that delivers converged network and security as a service capabilities, including SD-WAN, SWG, CASB, NGFW and zero trust network access (ZTNA). SASE supports branch office, remote worker and on-premises secure access use cases. SASE is primarily delivered as a service and enables zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.

2021 - Secure Services Edge (SSE) is the security component of SASE that secures access to the web, SaaS applications, and private applications. It includes advanced security capabilities such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA) and Firewall as a Service (FWaaS).

Gartner - https://www.gartner.com/en/information-technology/glossary/

Axis Security Overview
Definition: Zero Trust Network Access
Platform to access private applications in private cloud or private datacenter (i.e. VPN/VDI replacement)

Definition: Secure Web Gateway
Feature to secure & protect against malicious online threats (i.e. URL filtering gambling/porn sites, DNS control, SSL inspection for malware)

Definition: Cloud Access Security Broker
Feature to access private SaaS applications & Data Loss Prevention (i.e. control block upload/download from Box, Sharepoint, Facebook, Salesforce etc.)

Definition:
Feature to monitor user performance and to troubleshoot user access issues for all traffic (i.e. network ops for private & public traffic)

CONFIDENTIAL | NON-DISCLOSURE AGREEMENT REQUIRED | DO NOT DISTRIBUTE


Enterprise journey to work in harmony
Security Services Edge (SSE)
complete
Security services
edge Work From Anywhere

All connectivity extended to edge

Adopt ‘Internet-connected’ branch IoT device connectivity is handled
via Axis
Internet-connected
Standardize on Internet as transit
business for site connectivity.
The Internet becomes the new
corporate network

Leverage agent-less access for Secure East-to-West traffic


web, SSH, RDP, Git and DBs Secure North-to-South traffic with
Identity-aware policy.
Transform True zero trust access for all
business apps (private and
Support access from all devices
Employee Hybrid work model external)

More visibility (logs) Digital Experience Monitoring Decommission on-premise data
Rapid onboarding of zero trust centers.
service and scale up usage
Simplify Direct-to-Cloud apps access Reduce gateway appliances
Reduce Technical Debt and
Consistent user experience Consolidate RAS platforms Direct-to-Cloud access operational overhead

Built least-privilege policies Secure 3rd party access SSL inspection at scale Prevent East / West threats
Secure CASB and DLP policies
Replaced VPN with ZTNA service Bring users back to office securely Secure access to Internet & SaaS Secure workload communications

Tier 1 – Major cloud providers
Main Clusters
Caching

Tier 2 – Cloud providers & local hosting services
Local PoPs:
NEW! Added PoPs in Hong Kong, London, Frankfurt, Tel Aviv, Sydney, and San Jose this quarter
Traffic acceleration

Tier 3 – Peered to local ISPs across the world
350 Edge Locations

Atmos Agent
Atmos Connector


ELEVATE BUSINESS CONNECTIVITY

Axis in Motion
1. User requests access
2. Identity & MFA verified
3. Policy is evaluated for access
4. Atmos cloud brokers connection
5. Atmos cloud continuously authorizes session

[Diagram: Employee access to resources, Branch user & server access and Third-party access; Identity Provider; Atmos SWG, Atmos ZTNA, Atmos CASB; Internet (SWG), Data Center (ZTNA), Public Cloud (ZTNA), SaaS (CASB)]

Benefits
• Agentless for Web/SSH/RDP/Git/DB access/VNC
• Visibility into user traffic
• Flexible policy assignment
• Simple for Admins & Users
• SaaS application control
• Single platform for ZTNA, SWG, CASB & DEM
Example: High reliability, availability and scale

• Telemetry-based access across multi-cloud backbone
• Better disaster recovery with auto-failover
• More redundancy with auto-load balancing

[Diagram: Atmos Agent on endpoint device, PoP, Atmos Connector; 46 (ms)]

Network-as-a-Service Edges

• Geo-proximity routing
• Smart routing based on latency
• Extremely high availability
START SMALL – ADOPT ZTNA
ZTNA 1.0 Axis
Keep Users Off The Network

Reduce attack surface of infrastructure

DDoS proof Private Apps

Application Discovery

Agentless Web, SSH, RDP, Git, DB, VNC Access

Full SSE Inspection/ Continuous Authorization / Visibility

Per app segments, User group pairing

Any Port / Protocol (P2P / VOIP, AS400, etc.)

Server Initiated Flows / Push Patching

Multi-cloud PoP resilience

Smart Routing for ZTNA Connectors

IPsec Tunnels for ZTNA

Local Edge Private POP


Three Components of the Aruba SASE Journey

• Secure Remote User Access with Zero Trust Network Access (ZTNA) Replacing Legacy VPN
• Cloud First Security with Secure Web Gateway (SWG) and Cloud Access Security Broker (CASB)
• Network Modernization Replacing Routers and Firewalls with SD-WAN

Key Benefits of SASE Architecture

• Accelerate digital transformation: Facilitate migration to cloud by securing apps, data and connections
• Mitigate risks: Put cybersecurity risks under control and accelerate compliance to regulations and security policies
• Enable new ways of working: Consistently apply and enforce security policies across enterprise, branches and home offices

The Aruba SASE Portfolio

Software Defined WAN (SD-WAN)

• Aruba Orchestrator: Centralized policy orchestration, monitoring and reporting (on prem, cloud or as-a-service)
• Aruba EdgeConnect (Physical), Aruba EdgeConnect (Virtual), Aruba EdgeConnect (Cloud): Unified SD-WAN edge platform: routing, security, SD-WAN and WAN Optimization
• Aruba Advanced Security: Intrusion Detection and Prevention.
• Aruba Boost WAN Optimization: On-demand WAN Optimization

Secure Service Edge (SSE)

• Atmos Zero Trust Network Access (ZTNA): Client or clientless endpoint access solution to securely provision access to network resources.
• Atmos Secure Web Gateway (SWG): Cloud based firewall to securely access, monitor and inspect all web traffic.
• Atmos Cloud Access Security Broker (CASB): Cloud based security to manage, control and monitor user access to SaaS applications.
• Atmos Experience: Cloud based security to manage, control and monitor user access to SaaS applications.

EdgeConnect Service Orchestration
Automated Orchestration of secure, redundant tunnels to Primary/Secondary Axis SSE gateways and managing policy

Tightly Integrate EdgeConnect with SSE

▪ Service orchestration to SSE solutions. Continued Best of Breed approach, now with Axis as a single vendor complete SASE Architecture
▪ Simple drag-and-drop policy orchestration in the overlays
▪ Automatically associate sites with proximity-based cloud security services

[Diagram: Orchestrator; Branch with INET1 Primary Tunnel to Primary Cloud Security Node and INET1 Secondary Tunnel to Secondary Cloud Security Node]

Tightly Integrate EdgeConnect with SSE

▪ Ability to leverage multiple transports for scalability and high availability
▪ Pre-defined load balancing policies per BIO
▪ IPSLA monitoring and failover policies across primary and secondary tunnels, and even to

[Diagram: Orchestrator; Branch with INET1 and INET2; INET1 Primary Tunnel to Primary Cloud Security Node and INET1 Secondary Tunnel to Secondary Cloud Security Node]

Service Orchestration

• User-customizable service policy for breakout traffic to 3rd party partners
• Automates creation of secure, primary/backup IPsec tunnels & configuration of IP SLAs, from branches to service endpoints
• Monitors tunnel health (loss/latency) & automates traffic redirection in event of connectivity degradation
• Enables simple drag-and-drop into Business Intent Overlay breakout policy

VPN Replacement In an EdgeConnect Environment
Secure Remote User Access to Hosted Applications
Agentless, Secure VPN Access

[Diagram: AS400, RDP, SSH and VoIP applications behind a Connector; INET links; Secondary Cloud Security Node; Axis portal]

Resources

• Acquisition News Release
• Hewlett-Packard-Enterprise-fortifies-network-security-with-acquisition-of-Security-Service-Edge-provider-Axis-Security
• 2023 Aruba Atmosphere
• 2023 ATM Opening Keynote
• 2023 ATM Technical Keynote

• Please channel any questions or requests through your HPE/Aruba Territory or Channel Account Managers
• HPE/Aruba has the ability to transact Axis Solutions on May 1, 2023.
