secure access service edge (SASE)
What is secure access service edge (SASE)?
Secure access service edge, also known as SASE and pronounced sassy, is a cloud architecture model that bundles together network and cloud-native security technologies and delivers them as a single cloud service.
SASE lets organizations unify their network and security tools in a single management console. This provides a simple security and networking tool that's independent of where employees and resources are located. SASE requires little to no hardware and uses the widespread connectivity of cloud technology to combine software-defined wide area network (SD-WAN) with network security functions, including the following:
- Firewall as a service (FWaaS).
- Software as a service (SaaS).
- Secure web gateways (SWGs).
- Cloud access security brokers (CASBs).
- Zero-trust network access (ZTNA).
With the number of remote workers increasing and organizations using cloud services more often to run applications, SASE offers a convenient, fast, cost-effective and scalable SaaS product for networking and security.
How does SASE architecture work?
SASE platforms bundle multiple elements -- SD-WAN with network security services, such as FWaaS, SaaS, SWGs, CASBs, endpoint security and ZTNA. The result is a multi-tenant, multiregional platform for security that's unaffected by the locations of employees, data centers, cloud services or on-premises offices.
This article is part of
The complete Secure Access Service Edge (SASE) guide
A SASE platform doesn't rely on inspection engines in data centers. Instead, SASE inspection engines are brought to a nearby point of presense (POP). A SASE client, such as a mobile device with a SASE agent, an internet of things (IoT) device, a mobile device with clientless access or branch office equipment, sends traffic to the POP for inspection and forwarding to the internet or across the central SASE architecture.
SASE services have the following four defining traits:
- Global SD-WAN service. SASE uses an SD-WAN service with a private backbone, which avoids latency issues from the internet and connects the individual POPs used for security and networking software. Traffic rarely touches the internet and only does so to connect with the global SASE backbone.
- Distributed inspection and policy enforcement. SASE services don't just connect devices; they protect them. Inline traffic encryption and decryption are table stakes. SASE services should inspect traffic with multiple engines that operate in parallel. Inspection engines include malware scanning and sandboxing. SASE should provide other services as well, such as domain name system-based protection and distributed denial-of-service protection. Regulations, such as the General Data Protection Regulation, should be enforceable in the SASE's routing and security policies.
- Cloud architecture. SASE services should use cloud resources and architectures with no specific hardware requirements but shouldn't include service chaining. Software should be multi-tenant for cost-effectiveness and able to instantiate for rapid expansion.
- Identity-driven. SASE services have access based on user identity markers, such as specific user devices and locations, as opposed to the site.
Organizations looking for a more advanced user-centric network for their company network management needs could benefit from exploring SASE architecture. Due to the adoption of cloud services, mobile workforces and edge networks, digital and cloud transformation are changing the way organizations are consuming network security. In the past, organizations consumed their security through legacy hardware networks and an outdated security architecture mindset.
Why is SASE important?
As organizations increasingly adopt cloud applications and services, many are quickly learning that network and cybersecurity aren't so simple. Traditional network security was built on the idea that organizations should send traffic to corporate static networks, where the necessary security services were located. This was the accepted model as the majority of employees worked from site-centric offices.
The concept of user-centric networks has changed traditional networking. Over the past decade, there has been an increase in the number of people working remotely from home around the world. As a result, the standard, hardware-based security appliances network administrators used are no longer adequate for securing remote users and their network access.
The importance of SASE can also be seen in edge devices. Automobiles, refrigerators, web cameras, IoT devices on industrial product lines, smart health monitoring sensors and other gadgets are connecting to enterprise networks and sharing data. Since every edge device serves as a potential entry point for a cyber attack, edge security is crucial. SASE provides a method for securely connecting edge devices and protecting the data they exchange.
SASE also enables companies to consider security services without being dictated by the whereabouts of company resources, with consolidated and unified policy management based on user identities. This shifts the question from "What is the security policy for my site or my office in New York?" to "What is the security policy of the user?" This change creates a major shift in the way companies consume network security, enabling them to replace several different security vendors with a single platform.
What are the benefits of SASE?
The cloud-based approach of SASE offers the following benefits for network security:
- Ease of use. One management platform controls and enforces an entire organization's security policies, offering operational simplification. This is a major improvement for IT teams, enabling them to move away from site-centric security to user-centric security.
- Overall simplicity of the network. There's no need for complex and expensive Multiprotocol Label Switching (MPLS) lines or network infrastructure. The entire network infrastructure is adapted to make it simple, maintainable and easy to consume -- regardless of where employees, data centers or cloud environments are located.
- Enhanced network security. Effective implementation of SASE services can protect sensitive data and help mitigate a variety of attacks, such as man-in-the-middle interceptions, spoofing and malicious traffic. Leading SASE services also provide secure encryption for all remote devices and apply more rigorous inspection policies for public access networks, such as public Wi-Fi. Privacy controls can also typically be better enforced by routing traffic to POPs in specific regions.
- Backbone and edge unification. SASE combines a single backbone with edge services, such as content delivery networks, CASBs, virtual private network replacement and edge networking. SASE lets a provider offer cloud, internet access, data center services, networking and security functions all through a single service -- as a joint effort across networking, security, mobile, app development and systems administration teams.
- Reduced costs. SASE is cost-effective because both network and security options are consolidated into one service. It eliminates the need for multiple security appliances and tools, reducing hardware, software and maintenance costs.
- Scalability. Depending on the network requirements, SASE can be easily scaled up or down. This offers the flexibility to add or remove services as needed.
What are the challenges of SASE?
As the term SASE describes an emerging technology with variable approaches, drawbacks are nonspecific. However, the following challenges can be sometimes associated with SASE:
- Vendor lock-in. Generally speaking, the most significant potential drawbacks are that IT teams forfeit certain benefits of multisourcing, such as ensuring that various elements are sourced from the best possible providers for individual functions and diversifying risk in vendor operations.
- Single point of failure. With SASE architecture, users risk a single point of failure or exposure. As SASE delivers all networking and security functions together as a single service, technical issues on the provider side can potentially result in entire system shutdowns for end users.
- Integration issues. Since SASE represents a fundamental change in how networks and security are managed, it can sometimes be difficult to integrate existing and legacy systems with new SASE technology.
- Collaboration between network and security teams. Network and security functions should both collaborate on SASE deployments. However, in most organizations, security teams are frequently in charge of the process, and network technicians are usually only considered after the deployment process has already begun. This can sometimes cause conflicts in the process.
- Lack of industry standards. Since SASE is still in its early stages, there's a lack of commonly accepted industry standards for deployment, security and performance.
The difference between SASE and SD-WAN
Both SASE and SD-WAN are methods of connecting and securing networks. SASE is originally gleaned from SD-WAN and incorporates its functionalities, but there are also some differences between the two.
SD-WAN is a networking technique that controls data delivery over a WAN. It enables companies to build dependable, affordable links across many sites by using a variety of network connections, including broadband internet, 4G and MPLS. These services come in both physical and cloud-based options, and although certain SD-WAN systems integrate a full security stack into their offerings, not all of them do.
SASE, on the other hand, is primarily cloud-based and brings together WAN capabilities and network security services, including SWGs, CASBs and ZTNA into a single offering. By combining networking and security operations into one cloud-delivered service, SASE aims to simplify and secure network access.
The future of SASE
SASE has the potential to become a key cloud security and optimization technology. Enterprises are becoming more interested in SASE, and research forecasted that usage of this technology will increase in the coming years. Gartner -- the company that first coined the term in 2019 – predicted that total worldwide end-user spending on SASE will increase 39% from 2022 to 2023, reaching $9.2 billion.
SASE serves the needs of mobile workforces by combining networking and security capabilities. By lowering the number of providers IT teams require, this integration can help reduce complexity and cost. In addition, SASE enables a more efficient approach to delivering a secure digital workspace and can aid businesses in their digital transformation journey.
SD-WAN adoption necessitates extensive market research and analysis so that enterprises can understand what they require from their WANs. Explore 10 SD-WAN vendor offerings, and see how they compare.