Secure Access Service Edge, also known as SASE -- pronounced "sassy" -- is a cloud architecture model that bundles network and security-as-a-service functions together and delivers them as a single cloud service.
SASE allows organizations to unify their network and security tools in a single management console. This provides a simple security and networking tool that is independent of where employees and resources are located. SASE requires little to no hardware, using the widespread connectivity of cloud technology to combine SD-WAN with network security functions, including:
- firewall as a service (FaaS)
- software as a service (SaaS)
- secure web gateways
- cloud access security brokers (CASBs)
- zero-trust network access
With the number of remote workers increasing, and organizations increasingly using cloud services to run applications, SASE offers a convenient, agile, cost-effective and scalable SaaS product for networking and security.
Organizations looking for a more advanced and user-centric network for their company network management needs would benefit from learning about SASE architectures. Due to the adoption of cloud services, mobile workforces and edge networks, the digital and cloud transformation is changing the way organizations are consuming network security. In the past, organizations would consume their security through legacy hardware networks and an outdated security architecture mindset.
This article is part of
How does a SASE architecture work?
SASE platforms work by bundling multiple elements -- combining SD-WAN with network security services like FaaS, SaaS, secure web gateways, cloud access security brokers, endpoint security and zero-trust network access. The result is a multi-tenant and multi-regional platform for security that is unaffected by locations of employees, data centers, cloud services or on-premises offices.
SASE does not rely on inspection engines in data centers. Instead, SASE inspection engines are brought to a nearby point of presence (PoP). A SASE client (such as a mobile device with a SASE agent, an IoT device, a mobile device with clientless access, or branch office equipment) will send traffic to the PoP for inspection and forwarding -- to the internet, or across the central SASE architecture.
SASE services have four defining traits:
- Global SD-WAN service. SASE uses an SD-WAN service with a private backbone, which avoids latency issues from the global internet and connects the individual PoPs used for security and networking software. Traffic rarely touches the internet, and only does so to connect with the global SASE backbone.
- Distributed inspection and policy enforcement. SASE services don't just connect devices; they protect them. Inline traffic encryption and decryption are table stakes. SASE services should inspect traffic with multiple engines that operate in parallel. Inspection engines include malware scanning and sandboxing. SASE should provide other services as well, such as DNS-based protection and distributed denial-of-service (DDoS) protection. Local regulations, such as General Data Protection Regulation (GDPR), should be enforceable in the SASE's routing and security policies.
- Cloud architecture. SASE services should use cloud resources and architectures with no specific hardware requirements, and should not include service chaining. Software should be multi-tenant for price friendliness and able to instantiate for rapid expansion.
- Identity-driven. SASE services have access based on user identity markers such as specific user device and location, as opposed to the site.
What are the benefits of SASE?
Ease of use. There is one management platform that controls and enforces an entire organization's security policies, offering operational simplification. This is a major improvement for IT teams, enabling them to move away from site-centric security to user-centric security.
Overall simplicity of the network. There is no need for complex and expensive Multiprotocol Label Switching (MPLS) lines or network infrastructure. The entire network infrastructure is adapted to make it simple, maintainable and easy to consume -- regardless of where employees, data centers or cloud environments are located.
Offers enhanced network security. Effective implementation of SASE services can protect sensitive data and help mitigate a variety of attacks, such as man-in-the-middle interceptions, spoofing and malicious traffic. Leading SASE services also provide secure encryption for all remote devices, and apply more rigorous inspection policies for public access networks (such as public Wi-Fi). Privacy controls can also usually be better enforced-- by routing traffic to PoPs in specific regions.
Backbone and edge unification. SASE lets a single backbone be combined with edge services -- like content delivery networks (CDNs), cloud access security brokers (CASBs), VPN replacement and edge networking. SASE lets a provider offer cloud, internet access, data center services, networking and security functions all through a single service -- as a joint effort across networking, security, mobile, app development and systems administration teams.
What are the challenges of SASE?
As the term SASE describes an emerging technology with variable approaches, drawbacks are nonspecific. Generally speaking, the most significant potential drawbacks are that IT teams forfeit certain benefits of multisourcing -- such as ensuring that various elements are sourced from the best possible providers for individual functions, and diversifying risk in vendor operations. With SASE architecture, users risk massive single point of failure (SPOF) or exposure -- as SASE delivers all networking and security functions together as a single service, technical issues on the provider side can potentially result in entire system shutdowns for end users.
Why is SASE important?
As organizations increasingly adopt cloud services, many are quickly learning that network security isn't so simple. Traditional network security was built on the idea that organizations should send traffic to corporate static networks where the necessary security services were located. This was the accepted model as the majority of employees worked from site-centric offices.
The concept of user-centric networks has changed the traditional network we once knew. Over the past decade, there has been an increase in the amount of people working remotely from home around the world. As a result, the standard, hardware-based security appliances network administrators depended on are no longer adequate in securing remote network access.
SASE allows companies to consider security services without being dictated by the whereabouts of company resources, with consolidated and unified policy management based on user identities.
This shifts the question from "What is the security policy for my site or my office in New York?" to "What is the security policy of the user?" This change creates a major shift in the way companies consume network security, allowing them to replace seven to 10 different security vendors with a single platform.