Secure Access Service Edge -- also known as SASE and pronounced "sassy" -- was originally described by Gartner in two market research reports: "Market Trends: How to Win as WAN Edge and Security Converge Into the Secure Access Service Edge" and "The Future of Network Security Is in the Cloud." But what is SASE exactly, and what are the key SASE benefits?
For starters, the enterprise secure perimeter with open internal access has largely disappeared. Threats come from malware delivered to internal systems through spear phishing attacks. The network edge now exists wherever employees are located when connecting to the enterprise network, such as at home, at a coffee shop and on vacation. SASE envisions the mechanisms that are needed to provide IT security integrated with network connectivity at the point of access.
Applications have shifted from the corporate data center to cloud and SaaS providers. One application might still be in a corporate data center. Another application has moved to a public cloud, while a third application is provided by a SaaS provider. Other applications depend on data collected by IoT devices that do not have a human to provide authentication and authorization credentials. Essentially, network traffic patterns have changed, which means network and security systems need to adapt.
Security and network performance are challenged by network traffic flows that traverse communications infrastructure that is no longer under the control of the corporate networking and security teams. Instead, network security must become identity-centric for devices, employees, partners and customers alike.
This article is part of
SASE envisions optimal network performance for all applications, while integrating security controls closer to the user. It replaces the secure perimeter with integrated security across the network. Endpoints connect to cloud-based SASE analysis instances, which provide the security services, then forward permitted and safe network traffic to their intended destination. The cloud-based location makes it convenient to forward traffic to cloud and SaaS applications. Optimum routing and quality of service (QoS) are used to route traffic to applications that reside in the corporate data center.
Clearly, SASE introduces some innovation around network edge security. So, let's delve deeper into five key SASE benefits.
1. SASE doesn't care where applications live
Applications can be in a corporate data center, be in a private or public cloud, or be a SaaS offering. Centralized network connectivity and security are not optimal for this widespread distribution of applications. SASE's distributed architecture makes it easy to perform the security functions near the end user, while simplifying connectivity to the applications.
2. Centralized, dynamic, role-based policies streamline operations
Central management of security policies streamlines both the networking and security aspects of remote workers, regardless of their location. In essence, the network perimeter is where the endpoint exists, even if it's on a network not controlled by the organization's staff. Security is dynamically applied, with policies based on the role of the connecting entity.
For example, a salesperson gets a different policy than an IoT device, which, in turn, is different for unmanaged devices like phones and tablets. This setup is great for managing the security of devices that are traditionally difficult to secure because of their age, vendor or function, such as medical devices.
Additionally, remote browser isolation (RBI) provides web connectivity that protects the originating device from malware. Similarly, protections for IoT hardware help prevent hijacking of these devices.
Identity management is a fundamental requirement to identify the endpoint's role and uses appropriate security and connectivity policies. Network parameters, such as QoS and dynamic path selection -- the latter a software-defined WAN (SD-WAN) feature -- are automatically deployed on a per-endpoint basis to optimize application performance and provide the security policies suited for that endpoint's role.
The integrated security and networking with centralized management reduce the ongoing cost of maintaining the system. Centralizing the management reduces the opportunity for human error that could create undesirable holes.
3. Integrated security and routing
SASE integrates several security functions into one system:
- DNS reputation
- zero-trust network access
- data loss prevention
- malware protection
- cloud access security broker
- firewall as a service
- intrusion detection
- intrusion prevention
- secure web gateway
With the right structure, SASE mechanisms can perform network behavior analysis to identify cases where malware begins exploring and attacking internal infrastructure.
The consolidation of functions into a product by one vendor can significantly reduce the complexity of deploying comprehensive security functionality. The staff transitions from per-device policy maintenance to systemwide policy services, which makes them much more productive. Of course, make sure the functions are well integrated and not disparate components that are simply bolted together.
The integration with routing assures the traffic is secure and properly routed over the desired links. You should investigate the details of how traffic is routed and where the security controls reside during your product research. Some vendors will rely on a VPN to cloud-based security systems, while others may depend on customer premises equipment (CPE) devices.
4. Reduced WAN costs
The routing component inherent to SASE functions similarly to SD-WAN. You should expect to control WAN costs by reducing or eliminating the need for more expensive MPLS and leased circuits in favor of VPN connectivity over the public internet. WAN optimization technologies may also be used to make the WAN more efficient.
Cloud-based SASE implementations may further optimize traffic flows by taking advantage of cloud connectivity to major SaaS vendors. These connections are typically redundant and highly reliable. You may see an improvement in application availability.
5. Distributed architecture
SASE relies on a distributed architecture with centralized management to gain its efficiencies, just as SD-WAN does. Centralized management is often in a cloud instance. Endpoints and branches can use dedicated CPE devices or connect to a cloud instance that provides the security mechanisms. Network traffic flows are optimally routed to their destination. The cloud-based architecture can be more resilient when faced with denial-of-service attacks.
SASE provides better network latency characteristics than using a VPN to a corporate data center, where security has normally been implemented. Traffic that has been secured, either through the CPE devices or the cloud security systems, is routed directly to its destination. Trombone routing of traffic into and out of a data center just to transit the security systems is no longer necessary.
The challenges of SASE
You may now be wondering if there are any downsides to SASE as it simply sounds too good to be true. Every technology or framework has its detractors, and SASE is no exception.
The biggest challenge is likely to be a side effect of the tight integration of networking and security. A significant culture change may be required in organizations that have independent security and networking teams. Gartner recommends that SASE be driven by a CIO-level executive because it will require security and networking to work together.
You should keep in mind that SASE is a guiding principle or a framework, not a specific product or a compliance directive. As with any technology, you should understand its capabilities, match them with your requirements and choose vendors based on your analysis.