Secure Access Service Edge (SASE) is a cloud architecture model that combines network and security functions into a single cloud service, saving external traffic loads from routing back through the data center. Cloud-based applications, IoT sensor traffic and an expanded remote workforce have driven SASE adoption. This guide, and the links throughout, go in-depth on the cloud model's benefits and challenges, best practices for deployment and management, and tips to evaluate provider offerings.
What is SASE?
SASE is a relatively new framework that addresses a common dilemma: how to handle the network and security demands of external traffic without routing it through the data center. In the past few years, enterprises have shifted more traffic to the cloud, creating significant congestion and latency in the data center.
SASE distributes critical network and security functions from the cloud, close to the user and applications, alleviating the burden on the data center and speeding network response times. SASE, which builds on software-defined WAN (SD-WAN), is characterized by its cloud architecture, ability to distribute packet inspection and policy enforcement and its support of identity-driven access.
SASE's consolidated and unified policy management enables companies to quickly and efficiently secure traffic regardless of its origins or the location of corporate resources, making it an attractive option for most organizations.
SASE features a combination of these network and security functions:
How has the COVID-19 pandemic affected SASE adoption?
When the COVID-19 pandemic first took hold in 2020, enterprises scrambled to migrate their network and security from an inside-to-inside strategy, where workers and the resources they accessed were internal to the organization, to an outside-to-outside strategy that addressed the traffic needs of the at-home workforce. VPNs, a traditional option for remote workforces, can become too expensive when scaled up to meet increased demand, according to Nemertes CIO and Principal Analyst John Burke.
SASE, which connects users to nearby points of presence (PoPs) instead of routing them back to the data center, has emerged as a viable outside-to-outside strategy. SASE handles critical network and security functions such as authentication and policy enforcement. The increased interest in SASE has led Gartner to forecast that at least 40% of enterprises will have SASE adoption strategies in place by 2024.
Companies aren't likely to go back to pre-pandemic numbers of employees in the office, so enterprises are thinking long-term about their SASE investments. Nemertes' research shows organizations that adopt SASE have a better median total time to contain a security breach.
What are SASE's benefits?
SASE's greatest benefit is its support of cloud-based enterprise security vs. on-premises security and its ability to blend network and security functions. A cloud model enables organizations to cost-effectively apply the latest network and security features without disrupting application performance or the end-user experience, or burdening IT teams with intense refresh cycles. With SASE, organizations can easily scale their networking and security capabilities to properly protect enterprise users and corporate data.
The following are five key benefits of SASE:
- applications that can live anywhere;
- centralized, dynamic, role-based policies that streamline operations;
- integrated security and routing;
- reduced WAN costs; and
- distributed architecture.
What are SASE's challenges?
SASE presents some issues for organizations entrenched in their IT team structure. For instance, enterprises might have difficulty moving out of network and security team silos and managing competing interests and change controls.
A switch to SASE might require a change in IT culture to facilitate integrated networking and security teams. IT should also ensure the systems they consider support multi-tenancy and role-based access control because -- as John Cavanaugh, vice president and CTO of NetCraftsmen, pointed out -- most larger firms have distinct architecture, engineering, implementation and operations teams.
SASE can seem incredibly complex because it takes what were once individual services and moves them into a framework, yet it isn't a single product. IT teams can partner with their providers to determine which architectural components they require and deploy them in a simpler manner.
How has SASE evolved from SD-WAN?
Although SASE and SD-WAN are somewhat related, they have different objectives: SASE focuses on endpoints and end-user devices, while SD-WAN connects branch offices to the data center. SASE is a cloud-based platform with PoPs, and SD-WAN is a branch-office overlay network. The move to at-home work favors the SASE environment compared to branch-office work, which is more geared toward SD-WAN. At-home networks tend to be more mobile and have less standardized designs, so they pair well with SASE's more flexible deployment options.
SASE and SD-WAN differ in five key areas:
- deployment and architecture;
- traffic and connectivity;
- remote access; and
- required expertise.
As Andrew Froehlich, president of West Gate Networks, wrote, "SASE can stand alone without SD-WAN, but for SD-WAN to thrive in 2021 and beyond, SASE is a complementary data security architecture."
How are enterprises using SASE?
Early adopters of SASE are eager to share their experiences, including why they chose to implement it. For instance, Akamai Technologies uses SASE to combat the proliferation of distributed denial-of-service attacks that increased at the same time cloud computing began to take off. Focus Services, a call center service provider, deployed SASE when SD-WAN didn't meet its needs. And Thornton Tomasetti, a scientific and engineering consulting firm, found SASE could bring together cloud security, next-generation firewalls, threat management and role-based access control into one cost-effective service.
SASE has other use cases, including providing consistent security, improving network performance and managing cloud-heavy environments.
Types of SASE
Some vendors offer SASE as an extension of SD-WAN, adding a security overlay to the SD-WAN offering to provide security functionality in addition to SD-WAN connectivity. The goal of the overlay is to satisfy security concerns while providing optimal routing for hybrid environments, according to NetCraftsmen's Cavanaugh. He added that the SASE overlay approach is better suited for more siloed network and security teams.
Native SASE is the idealized version of SASE architecture, pulling together all network and security services into a single platform with centralized policy management. It converges these different functions into one universal CPE device or a combination of uCPE and cloud services and is best for maximum routing and security functionality.
The SASE market has broken itself into two categories: single-vendor SASE and multivendor SASE (where network and security functions are stitched together from an array of providers).
Cato Networks and Open Systems, both of which already had fairly complete SASE architectures when Gartner introduced the SASE model, are examples of single-vendor SASE providers. Most multivendor SASE providers shifted from a networking- or security-focused portfolio to add the functionality they lacked. For example, Palo Alto Networks completed an acquisition to integrate SD-WAN capabilities into its portfolio, while Cisco made moves to integrate security into its SD-WAN offering.
Multivendor SASE provides flexibility, but it introduces complexity. Single-vendor SASE streamlines the number of devices, contracts and analytics tools companies need to manage.
Read more about five SASE vendors and their offerings in this vendor roundup.
What are best practices for deploying and managing SASE?
For proper deployment, enterprises should understand some key elements of SASE architecture:
- the vendor's PoPs;
- user distance to those PoPs;
- the vendor's technology stack;
- distance to user's SaaS applications -- such as Microsoft 365 or Salesforce;
- office locations;
- end-user devices; and
- existence of agent onboarding.
Enterprises also should be able to calculate SASE's return on investment in three-year and five-year increments. Evgeniy Kharam, director of network security architecture at Herjavec Group, and Dmitry Raidman, CTO at Cybeats, recommended analyzing the breakdown of cost factors in the current IT budget to identify the items that will become obsolete in the transition to SASE. Some areas to target include physical infrastructure, inbound and outbound connectivity, logging and monitoring, data sources, and administration and manpower.
Enterprises should then assess the Capex and Opex costs associated with the SASE components, including CASBs, SD-WAN and an identity provider. From there, Kharam recommended working through SASE metrics such as scalability, cost optimization, UX, operational efficiency, speed and agility, and more to create an ROI model tailored to the organization.
The ability to manage and troubleshoot the SASE environment is as important as understanding SASE's architecture and ROI. According to Terry Slattery, principal architect at NetCraftsmen, a strong SASE system incorporates good troubleshooting and analysis tools. For instance, IT will need visibility to answer questions about whether flows can use multiple paths or if the right firewalls are being traversed. Slattery said IT teams should be able to determine if the tools are built into the SASE architecture or need to be provided separately, as well as other troubleshooting and management considerations.
As SASE continues to gain momentum, organizations will have to assess the value of this cloud-based model for their own remote workforce and other external traffic loads.