What is Secure Access Service Edge (SASE)?
Secure Access Service Edge (SASE) is a network architecture that combines software-defined wide area networking (SD-WAN) and security functionality into a unified cloud service that promises simplified WAN deployments, improved efficiency and security, and application-specific bandwidth policies. First outlined by Gartner in 2019, SASE (pronounced “sassy”) has quickly evolved from a niche, security-first SD-WAN alternative into a popular WAN sector that analysts project will grow to become a $10-billion-plus market within the next couple of years.
Secure Access Service Edge (SASE) is a cloud architecture model that combines network and security-as-a-service functions and delivers them as a single cloud service. Conceptually, SASE extends networking and security capabilities beyond where they’re typically available. This lets work-from-anywhere and remote workers take advantage of firewall as a service (FWaaS), secure web gateway (SWG), zero-trust network access (ZTNA), and a medley of threat detection functions. SASE is composed of Security Service Edge (SSE) and SD-WAN.
The term SASE (pronounced “sassy”) was first described by Gartner in an August 2019 report called “The Future of Network Security in the Cloud.” In its SASE market trend report, Gartner notes, “Customer demands simplicity, scalability, flexibility, low latency, and pervasive security force convergence of the WAN edge and network security markets.”
How does SASE work?
A SASE architecture combines a software-defined wide area network (SD-WAN) or other WAN with multiple security capabilities (e.g., cloud access security brokers, anti-malware), securing your network traffic as the sum of those functions.
Legacy approaches to inspection and verification, such as forwarding traffic through a multiprotocol label switching (MPLS) service to firewalls in your data center, are effective if that’s where your users are. Today, though, with so many users in remote locations, home offices, and so on, this “hairpinning” (forwarding remote user traffic to your data center, inspecting it, and then sending it back again) tends to reduce productivity and hurt the end-user experience.
What makes SASE stand out from point solutions and other secure networking strategies is that it’s both secure and direct. Rather than relying on your data center security, traffic from your users’ devices is inspected at a nearby point of presence (the enforcement point) and sent to its destination from there. This means more efficient access to applications and data, making it the far better option for protecting distributed workforces and data in the cloud.
Why is Secure Access Service Edge necessary?
Enterprises increasingly rely on cloud-based applications to run their businesses and on distributed workflows to support remote and mobile users. As a result, the enterprise network has grown rapidly beyond the conventional network edge, challenging infrastructure leaders to secure and manage an ever-expanding attack surface. While networks have advanced rapidly enough to support the workflows of these remote endpoints, most security tools have not kept pace, rendering VPN-only solutions obsolete. For organizations to remain competitive, all endpoints must be secured and managed with the same security and networking policies as their on-premises infrastructure, regardless of where they’re located.
Benefits of SASE
Meeting the challenge of implementing a SASE architecture would benefit enterprises by providing:
- Lower costs and complexity – Network Security as a Service should come from a single vendor. Consolidating vendors and technology stacks should reduce cost and complexity.
- Agility – Enable new digital business scenarios (apps, services, APIs) and share data with partners and contractors with less risk exposure.
- Better performance/latency – latency-optimized routing.
- Ease of use/transparency – Fewer agents per device; less agent and app bloat; consistent application experience anywhere, on any device. Less operational overhead by updating for new threats and policies without new HW or SW; quicker adoption of new capabilities.
- Enable ZTNA – Network access based on the identity of user, device, and application – not an IP address or physical location for seamless protection on and off the network; end-to-end encryption. Extended to the endpoint with public Wi-Fi protection by tunneling to the nearest Point of Presence (POP).
- More effective network and network security staff – Shift to strategic projects like mapping business, regulatory, and application access requirements to SASE capabilities.
- A centralized policy with local enforcement – Cloud-based centralized management with distributed enforcement and decision-making.
SASE represents the best way to achieve a direct-to-cloud architecture that doesn’t compromise on security visibility and control, performance, complexity, or cost. Speed without compromising security.
What are the key components of SASE?
- Software-Defined WAN (SD-WAN): SD-WAN enables optimal WAN management. SASE leverages SD-WAN capabilities to provide optimized network routing, global connectivity, WAN and Internet security, cloud acceleration, and remote access.
- Firewall as a Service (FWaaS): A firewall is the foundation of any network security stack. SASE includes FWaaS to provide the scalability and elasticity needed for the digital business and to extend a full network security stack wherever needed.
- Zero-Trust Network Access (ZTNA): ZTNA offers a modern approach to securing application access for users. It embraces a zero-trust policy, where application access dynamically adjusts based on user identity, location, device type, and more.
- Cloud Access Security Broker (CASB): CASB helps enterprises adapt to the new threats that come with cloud computing. When delivered as part of a SASE service, the complexity of integrating CASB with other point security solutions is eliminated.
- Secure Web Gateway (SWG): SWG solutions protect users against malware, phishing, and other web-borne threats. SASE offers SWG protection to all users, at all locations, and eliminates the need to maintain policies across multiple point solutions.
- Unified Management: SASE solves the complexity of managing multiple disparate products. A true SASE allows users to monitor and manage all network and security solutions from a single pane of glass.
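The ZTNA and centralized-policy points above can be made concrete with a small sketch of the decision an enforcement point takes. This is an added example, not code from any SASE product: the `AccessRequest` fields, the `POLICY` layout, the application names and the addresses are all assumptions constructed for illustration. The decision is default-deny and is driven by user, device and application, never by source address.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    app: str
    device_managed: bool
    device_compliant: bool  # posture result, e.g. disk encryption and patch level
    mfa_passed: bool
    country: str
    source_ip: str          # kept for logging; never consulted when deciding

# Constructed sample policy. It is authored centrally; every PoP enforces a copy.
POLICY = {
    "payroll": {"groups": {"finance"}, "managed_only": True, "mfa": True,
                "blocked_countries": set()},
    "wiki": {"groups": {"finance", "engineering"}, "managed_only": False,
             "mfa": False, "blocked_countries": {"ZZ"}},  # ZZ = placeholder code
}

def decide(req, policy=POLICY):
    """Return (decision, reason). Default deny: no matching rule means no access."""
    rule = policy.get(req.app)
    if rule is None:
        return ("deny", "no rule for application")
    if not req.groups & rule["groups"]:
        return ("deny", "user not in an authorized group")
    if req.country in rule["blocked_countries"]:
        return ("deny", "location not permitted")
    if not req.device_compliant:
        return ("deny", "device fails posture check")
    if rule["managed_only"] and not req.device_managed:
        return ("deny", "unmanaged device")
    if rule["mfa"] and not req.mfa_passed:
        return ("step_up", "MFA required")
    return ("allow", "identity, device and application match policy")

def demo():
    """Same user on office LAN and public Wi-Fi, then an unmanaged device on the LAN."""
    base = AccessRequest("alice", frozenset({"finance"}), "payroll",
                         True, True, True, "DE", "10.0.0.5")   # office LAN
    cafe = replace(base, source_ip="198.51.100.7")              # public Wi-Fi
    byod = replace(base, device_managed=False)                  # office, own laptop
    return [decide(base)[0], decide(cafe)[0], decide(byod)[0]]

if __name__ == "__main__":
    print(demo())
```

Being on the office network does not rescue the unmanaged laptop, and being on public Wi-Fi does not penalize the compliant one, which is the practical difference from an IP-based allowlist.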
Who needs Secure Access Service Edge?
SASE solutions are designed to meet the networking and security needs of the increasingly distributed enterprise. As companies adopt cloud technology, remote work, and mobile devices, a growing percentage of their IT infrastructure lies outside of the headquarters network. SASE solves this problem by moving security services to the network edge, through a global network of PoPs, and integrating networking capabilities into a single solution. By doing so, it enables companies to ensure that all branches and users enjoy high performance while securing access to corporate applications, SaaS, and the web regardless of location or device.
How does SASE compare to traditional networking?
In a traditional network model, data and applications live in a core data center. In order to access those resources, users, branch offices, and applications connect to the data center from within a localized private network or a secondary network that typically connects to the primary one through a secure leased line or VPN.
This model has proved to be ill-equipped to handle the complexities introduced by cloud-based services like software-as-a-service (SaaS) and the rise of distributed workforces. It is no longer practical to reroute all traffic through a centralized data center if applications and data are hosted in the cloud.
By contrast, SASE places network controls on the cloud edge, not in the corporate data center. Instead of layering cloud services that require separate configuration and management, SASE streamlines network and security services to create a secure network edge. Implementing identity-based, Zero Trust access policies on the edge network allows enterprises to expand their network perimeter to any remote user, branch office, device, or application.
Is SASE the future of SD-WAN & security?
SASE is an evolving framework that addresses the challenges and issues with traditional security and network solutions like SD-WAN. With the rise of hybrid work and cloud adoption, traditional approaches to security and networks are no longer sufficient. Perimeter-based security isn’t built for a distributed workforce and remote world—leaving organizations with disjointed security stacks and gaps in visibility that leave them vulnerable in an ever-expanding attack surface. SASE offers a streamlined, integrated solution that addresses most network and security requirements at scale within a more efficient, manageable, and cost-effective model.