secure access service edge (SASE) Explore 5 SASE vendors to cut through the truth vs. hype

Top 5 benefits of SASE to enhance network security

A cloud-based distributed architecture, centralized management and endpoint-specific security policies are just some of the benefits of Secure Access Service Edge.

Secure Access Service Edge -- also known as SASE and pronounced "sassy" -- was originally described by Gartner in two market research reports: "Market Trends: How to Win as WAN Edge and Security Converge Into the Secure Access Service Edge" and "The Future of Network Security Is in the Cloud." But what is SASE exactly, and what are the key SASE benefits?

For starters, the enterprise security perimeter with open internal access has largely disappeared. Threats come from malware delivered to internal systems through spear phishing attacks. The network edge now exists wherever employees are located when connecting to the enterprise network, such as at home, at a coffee shop or on vacation. SASE architecture envisions the mechanisms that are needed to provide IT security integrated with network connectivity at the point of access.

Applications have shifted from the corporate data center to cloud and SaaS providers. One application might still be in a corporate data center. Another application has moved to a public cloud, while a third application is provided by a SaaS provider. Other apps depend on data collected by IoT devices that do not have a human to provide authentication and authorization credentials. Essentially, network traffic patterns have changed, which means network and security systems need to adapt.

Security and network performance are challenged by network traffic flows that traverse communications infrastructure that is no longer under the control of the corporate networking and security teams. Instead, network security must become identity-centric for devices, employees, partners and customers alike.

Network traffic patterns have changed, which means network and security systems need to adapt.

SASE envisions optimal network performance for all applications, while integrating security controls closer to the user. It replaces the secure perimeter with integrated security across the network. Endpoints connect to cloud-based SASE analysis instances, which provide the security services, and then forward permitted and safe network traffic to their intended destination. The cloud-based location makes it convenient to forward traffic to cloud and SaaS applications. Optimum routing and quality of service (QoS) are used to route traffic to applications that reside in the corporate data center.

Clearly, SASE introduces some innovation around network edge security. So, let's delve deeper into five key SASE benefits.

What are the benefits of SASE?

1. SASE doesn't care where applications live

Applications can be in a corporate data center or in a private or public cloud. They can also be SaaS offerings. Centralized network connectivity and security are not optimal for this widespread distribution of applications. SASE's distributed architecture makes it easy to perform the security functions near the end user, while simplifying connectivity to the applications.

SASE architecture
SASE architecture converges networking and security functions into a cloud-based platform.

2. Centralized, dynamic, role-based policies streamline operations

Central management of security policies streamlines both the networking and security aspects of remote workers, regardless of their location. In essence, the network perimeter is where the endpoint exists, even if it's on a network not controlled by the organization's staff. Security is dynamically applied, with policies based on the role of the connecting entity.

For example, a salesperson gets a different policy than an IoT device, which, in turn, is different for unmanaged devices, like phones and tablets. This setup is great for managing the security of devices that are traditionally difficult to secure because of their age, vendor or function, such as medical devices.

Additionally, remote browser isolation (RBI) provides web connectivity that protects the originating device from malware. Similarly, protections for IoT hardware help prevent hijacking of these devices.

SASE's distributed architecture makes it easy to perform the security functions near the end user, while simplifying connectivity to the applications.

Identity management is a fundamental requirement to identify the endpoint's role and uses appropriate security and connectivity policies. Network parameters, such as QoS and dynamic path selection -- the latter a software-defined WAN (SD-WAN) feature -- are automatically deployed on a per-endpoint basis to optimize application performance and provide the security policies suited for that endpoint's role.

The integrated security and networking with centralized management reduce the ongoing cost of maintaining the system. Centralizing the management reduces the opportunity for human error that could create undesirable holes.

3. Integrated security and routing

SASE integrates several security functions into one system:

  • DNS reputation.
  • RBI.
  • Zero-trust network access.
  • Data loss prevention.
  • Malware protection.
  • Cloud access security broker.
  • Firewall as a service.
  • Intrusion detection.
  • Intrusion prevention.
  • Secure web gateway.

With the right structure, SASE mechanisms can perform network behavior analysis to identify cases where malware begins exploring and attacking internal infrastructure.

The consolidation of functions into a product by one vendor can significantly reduce the complexity of deploying comprehensive security functionality. The staff transitions from per-device policy maintenance to systemwide policy services, which make them much more productive. Of course, make sure the functions are well integrated and not disparate components that are simply bolted together.

The integration with routing assures the traffic is secure and properly routed over the desired links. Investigate the details of how traffic is routed and where the security controls reside during product research. Some vendors rely on a VPN for cloud-based security systems, while others may depend on customer premises equipment (CPE) devices.

4. Reduced WAN costs

The routing component inherent to SASE functions similarly to SD-WAN. Expect some WAN cost savings by reducing or eliminating the need for more expensive MPLS and leased circuits in favor of VPN connectivity over the public internet. WAN optimization technologies may also be used to make the WAN more efficient.

Cloud-based SASE implementations may further optimize traffic flows by taking advantage of cloud connectivity to major SaaS vendors. These connections are typically redundant and highly reliable. There might be an improvement in application availability.

5. Distributed architecture

SASE relies on a distributed architecture with centralized management to gain its efficiencies, just as SD-WAN does. Centralized management is often in a cloud-delivered instance. Endpoints and branch offices can use dedicated CPE devices or connect to a cloud instance that provides the security mechanisms. Network traffic flows are optimally routed to their destination. The cloud-based architecture can be more resilient when faced with DoS attacks.

SASE offers better network latency characteristics than using a VPN for a corporate data center, where security has normally been implemented. Traffic that has been secured, either through the CPE devices or the cloud security systems, is routed directly to its destination. Trombone routing of traffic into and out of a data center just to transit the security systems is no longer necessary.

What are the challenges of SASE?

Are there any downsides to SASE? It simply sounds too good to be true. Every technology or framework has its detractors, and SASE is no exception.

1. Team integration

The biggest challenge is likely to be a side effect of the tight integration of networking and security. A significant culture change may be required in organizations that have independent security and networking teams. Gartner recommends that SASE be driven by a CIO-level executive because it requires security and networking to work together.

2. Lack of product clarity

Keep in mind that SASE is a guiding principle or a framework, not a specific product or a compliance directive. As with any technology, understand its capabilities, match them with requirements and choose vendors based on analysis.

Editor's note: This article was updated to improve the reader experience.

Dig Deeper on Network security

Unified Communications
Mobile Computing
Data Center