Secure Access Service Edge (SASE) What is SASE?
Secure Access Service Edge or SASE (pronounced “sassy”) is an architecture that combines comprehensive WAN capabilities including SD-WAN, routing, and WAN optimization with cloud-delivered security services or SSE (Security Service Edge) such as SWG, CASB, and ZTNA.
- SASE Explained
- How does SASE work?
- Components of SASE
- Why should I consider SASE?
- Single-or multivendor SASE?
- What is a single-vendor SASE platform?
- Benefits of SASE
SASE Explained
As users connect from anywhere and access sensitive data in the cloud, SASE brings a more secure and flexible way to connect by not backhauling application traffic to a data center. Instead, SASE intelligently steers the traffic to the cloud and performs advanced security inspection directly in the cloud.
SASE addresses the need for improved application performance and increased network security as the number of remote users increases and as enterprises continue to migrate applications to the cloud.
How does SASE work?
SASE is the combination of an advanced SD-WAN edge deployed at the branch and comprehensive cloud-delivered security services (SSE).
Traditionally, all application traffic from branch locations traversed over private MPLS services to the corporate data center for security inspection and verification. This architecture was appropriate when applications were hosted exclusively in the corporate data center. Now that applications and services have migrated to the cloud, the traditional network architecture falls short. Because internet-destined traffic must first traverse through the data center and corporate firewall before reaching its destination, application performance and user experience suffers.
With the increase in remote workers connecting directly to cloud applications, traditional perimeter-based security is insufficient. By transforming WAN and security architectures with SASE, enterprises can ensure direct, secure access to applications and services across multi-cloud environments, regardless of location or the devices used to access them.
Components of SASE
The main components of SASE are advanced SD-WAN and comprehensive cloud-delivered security (Security Service Edge or SSE).
There are key advanced SD-WAN capabilities to fully enable SASE:
- Seamless integration with an SSE solution to form a unified, consistent SASE architecture.
- First-packet application identification to enable granular steering of traffic to SSE based on security policies.
- Best path selection by exploiting SD-WAN path diversity and automatically selecting the closest SSE point of presence (PoP).
- Tunnel bonding to combine multiple links and support automated failover.
- WAN optimization and forward error correction (FEC) to overcome the latency effects of WAN and mitigate the effects of internet and wireless links that often suffer from packet loss and jitter.
- Multi-cloud networking to provide end-to-end connectivity with public clouds and private clouds.
- Built-in firewall with advanced security capabilities such as IDS/IPS, DDoS protection and role-based segmentation for advanced threat protection in branch locations.
- Zero-touch provisioning to automatically deploy configurations and policies and seamlessly implement change.
There are key SSE capabilities to fully enable SASE:
- ZTNA or Zero Trust Network Access: assumes that no user can be trusted by default and supports least privileged access. It provides secure access to remote users.
- CASB or Cloud Access Security Broker: protects sensitive data in cloud applications by enforcing security policies.
- SWG or Secure Web Gateway: protects organizations from web-based threats using several techniques such as URL filtering and malicious code detection.
- FWaaS or firewall as a service provides firewall functionality in the cloud to analyze the traffic from multiple sources.
- Other security services such as Data Loss Prevention (DLP), Remote Browser Isolation (RBI) and sandboxing.
Why should I consider SASE?
- SASE secures hybrid work
As employees connect from anywhere and from any device, ZTNA ensures consistent policy enforcement and access control for users and devices. It supports least privilege access and ensures that no user is trusted by default. Unlike a VPN that gives broad access to the corporate network, ZTNA limits user access to only specific applications or microsegments that have been approved for the user. - SASE safeguards users against web-based threats
To protect organizations against web-based threats such as ransomware and phishing, SWG monitors and inspects traffic through URL filtering, malicious code detection and web access control, establishing policies that restrict access to specific categories of websites, including adult content, gambling platforms, and sites known to pose significant risks. - SASE helps protect sensitive data in SaaS apps
More sensitive data is now hosted in SaaS applications, in sanctioned or unsanctioned apps. Cloud Access Security Broker (CASB) plays a vital role in identifying and detecting sensitive data in cloud applications, monitoring user activity, discovering shadow IT and preventing data loss. - SASE helps cloud-first organizations modernize their network
Traditional architectures often use MPLS links to connect branch offices to the headquarters. In this architecture, cloud traffic must be backhauled to the data center to perform security inspection, increasing latency, and therefore impacting application performance. With SD-WAN, organizations intelligently steer traffic to the cloud, directly from branch offices, and implement a robust and flexible way to connect branch offices to headquarters. - SASE augmented with a business-driven secure SD-WAN provides IoT security
IoT devices usually include basic security features and don’t include a ZTNA agent. Secure SD-WAN solutions can go beyond what is defined by SASE by integrating next-generation firewall capabilities. They can implement Zero Trust network segmentation, based on identity and access control, ensuring that users and IoT devices can only reach network destinations consistent with their role in the business.
Single or multivendor SASE?
Networking and security, while heavily interrelated, are two different and very complex domains of expertise. Security evolves rapidly to ensure protection against ever changing cybersecurity risks while wide area networking is about providing fast, robust, and flexible connections. The real power of a SASE architecture is realized when combining advanced WAN edge functions with comprehensive SSE, security services delivered in the cloud.
The choice to select a single or multivendor solution can vary depending on existing security and WAN requirements. A tight integration of SSE and SD-WAN in a single-vendor SASE platform provides organizations with many benefits including faster deployment, centralized management, consistent security policies, and the ability to adapt seamlessly to the evolving threat landscape. A multivendor approach is recommended for organizations preferring to adopt SASE with their choice of security services or to integrate with an existing security ecosystem. In this multivendor environment, it is critical to choose an SD-WAN that automates the orchestration with third-party SSE solutions to minimize deployment time and reduce management complexity.
What is a single-vendor SASE platform?
A single-vendor SASE platform streamlines the complexity associated with managing multiple security components. This integrated architecture not only simplifies deployment but also ensures unified security policies, centralized management and consistent Zero Trust access. Key capabilities include:
- Cloud-native architecture and scalability
A single-vendor SASE platform is designed with a cloud-native architecture, leveraging the scalability and agility of cloud computing. This architecture enables organizations to dynamically allocate resources based on traffic demand, enabling a more efficient and adaptable network. - Global network presence
A single-vendor SASE platform provides a global network presence through geographically distributed Point of Presence (PoPs) to ensure consistent performance and low latency, regardless of user location. It simplifies the management of these points of presence, eliminating the need for multiple points of presence required by a multivendor SASE approach. - Unified policy management
A single-vendor SASE platform manages all security policies from a single interface, streamlining operations, reducing complexity, and helping organizations to deploy and enforce consistent policies effectively. - Centralized UI, comprehensive dashboards
A single-vendor SASE platform provides IT teams with the ability to manage all network and security operations in a centralized user interface, with enhanced visibility into network traffic, security events and policy enforcement. It enhances reporting capabilities, providing organizations with the means to demonstrate compliance with regulatory requirements and industry standards. - Combined SASE capabilities
With a single-vendor SASE platform, organizations can easily combine multiple SASE capabilities to enhance their security posture and inspect traffic in a single pass. SSL inspection is performed only once, improving performance, and reducing complexity. Furthermore, by combining SWG and CASB with DLP, organizations can better monitor user activities to protect sensitive data from leaking out and enforce even more granular controls over web access. - AIOps
A single vendor SASE solution includes AI capabilities to improve visibility into connected users and devices and enable adaptive access control. It automates common troubleshooting activities and diagnoses common network issues, while providing predictive analytics to anticipate future threats and performance issues.
Benefits of SASE
SASE isn’t just the latest buzzword. There are important business benefits enterprises realize from a SASE architecture.
- Enhanced security
At a time when organizations embrace a cloud-first model, SASE provides consistent security policy enforcement across the network and brings security inspection in the cloud. It secures remote access and protects enterprise data from malicious activities. - Improved business productivity and customer satisfaction
By implementing a SASE architecture, organizations can streamline their network infrastructure based on advanced SD-WAN capabilities. SD-WAN removes the complexity and the rigidity of traditional router-based networks. It adds the flexibility required by digital transformation and significantly improves application performance and reliability. - Zero Trust security model
SASE embraces the Zero Trust Security model by requiring continuous verification of user identity before granting access to resources. Zero Trust is particularly relevant in today’s threat landscape, where traditional security models are no longer sufficient to protect against sophisticated cyber threats.