Secure Access Service Edge (SASE) is a network security model introduced by Gartner in its 2019 report “The Future of Network Security Is in the Cloud.”
SASE architecture combines wide area networking (software-defined WAN, plus VPN where it is still used) with network security functions, and delivers both as a single cloud service. The security functions usually include a cloud access security broker (CASB), a secure web gateway and zero trust network access (ZTNA).
The “secure access” half of the name refers to the security controls applied to every connection, regardless of where the user or site is. The “service edge” half refers to where those controls run: in cloud points of presence close to the user, rather than in a central data center that all traffic must be backhauled to.
Network security is a priority for any organization that handles sensitive data. With a remote and mobile workforce and a growing number of SaaS (software as a service) products, the network now has far more access points than it used to, and the need for comprehensive threat protection is higher than ever.
A traditional perimeter-based security stack cannot provide this level of protection, because traffic from a remote user to a SaaS application never passes through the corporate perimeter unless it is first backhauled there. SASE architecture is designed for today’s corporate network, in which remote and mobile users, branch offices and cloud applications all need secure access to one another.
A SASE platform therefore forms a crucial part of an organization’s security stack: a cloud service that applies the same protection to any user or site, wherever they connect from.
The following sections describe how a SASE solution works and what it offers organizations of all sizes.
SASE architecture works by combining VPN and/or SD-WAN connectivity with network and security services. Those network and security capabilities are delivered from the cloud rather than from appliances at each site.
Gartner splits SASE into two subcategories: security service edge (SSE) and WAN edge infrastructure.
Security service edge (SSE) may include capabilities such as secure web gateways (SWG), cloud access security brokers (CASB), firewall as a service (FWaaS), remote browser isolation (RBI), and zero trust network access (ZTNA).
WAN edge infrastructure includes all SD-WAN and related connectivity optimization services.
As mentioned above, there are a number of different cloud security services offered as part of the SSE subcategory of SASE. Let’s look at each of these SASE capabilities in more depth:
A secure web gateway (SWG) sits in the path of users’ web traffic and enforces enterprise security policy on it, including acceptable use policies, before a request reaches the Internet or a response reaches the user. A SWG usually includes URL filtering, application controls, data loss prevention (DLP) on outbound content, and malware scanning of downloads.
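The following is an added illustration of the policy chain a SWG applies to each request: URL categorization and acceptable-use rules first, then DLP on outbound content. It is example code written for this page, not any vendor’s product. The category table, the policy rules and the sample requests are all constructed for the example; a real SWG would consult a vendor category feed of millions of hosts and many more DLP classifiers. The DLP check shown here pairs a card-number pattern with a Luhn checksum, so that arbitrary digit runs such as order numbers are not flagged.

```python
"""Toy secure web gateway (SWG) policy engine.

Added illustration, not code from any SASE product. Every category entry,
policy rule and request below is constructed for the example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed URL-category table (a real SWG uses a vendor feed).
URL_CATEGORIES = {
    "intranet.example.com": "business",
    "crm.example.com": "business",
    "pastebin-clone.example": "file-sharing",
    "bet-clone.example": "gambling",
    "malware-dropper.example": "malicious",
}

# Acceptable-use policy: categories blocked outright, and categories where
# browsing is allowed but uploads (POST/PUT) are not.
BLOCKED_CATEGORIES = {"malicious", "gambling"}
UPLOAD_BLOCKED_CATEGORIES = {"file-sharing", "unknown"}

# DLP pattern: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if
    above 9) and the sum must be a multiple of 10."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> list:
    """Return digit runs that look like card numbers AND pass the Luhn check."""
    return [m.group(0) for m in CARD_RE.finditer(body) if luhn_ok(m.group(0))]


@dataclass
class Request:
    method: str
    url: str
    body: str = ""


@dataclass
class Verdict:
    action: str      # "allow" or "block"
    reason: str
    category: str


def categorize(host: str) -> str:
    return URL_CATEGORIES.get(host, "unknown")


def evaluate(req: Request) -> Verdict:
    """URL filtering, then acceptable-use controls, then DLP, in that order."""
    host = urlsplit(req.url).hostname or ""
    category = categorize(host)
    if category in BLOCKED_CATEGORIES:
        return Verdict("block", f"category '{category}' is blocked by policy", category)
    if req.method in ("POST", "PUT"):
        if category in UPLOAD_BLOCKED_CATEGORIES:
            return Verdict("block", f"uploads to '{category}' sites are not permitted", category)
        cards = find_card_numbers(req.body)
        if cards:
            return Verdict("block", f"DLP: {len(cards)} payment card number(s) in request body", category)
    return Verdict("allow", "no policy matched", category)


# Constructed sample traffic: one request per policy outcome.
SAMPLE_REQUESTS = [
    Request("GET", "https://intranet.example.com/wiki/Home"),
    Request("GET", "https://malware-dropper.example/update.exe"),
    Request("POST", "https://pastebin-clone.example/paste", body="internal notes"),
    Request("POST", "https://crm.example.com/api/orders", body="card 4111 1111 1111 1111 exp 12/29"),
    Request("POST", "https://crm.example.com/api/orders", body="order 1234567890123456 shipped"),
]


def run_demo() -> list:
    """Evaluate the sample requests and return the verdicts in order."""
    return [evaluate(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, v in zip(SAMPLE_REQUESTS, run_demo()):
        print(f"{v.action:5} {req.method:4} {req.url:45} [{v.category}] {v.reason}")
```

The last two requests go to the same sanctioned host; only the one carrying a Luhn-valid card number is blocked, which is the difference between a pattern match and a DLP classifier.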
A CASB is considered one of the crucial components of a SASE framework, according to Gartner. A CASB secures the use of cloud applications: it provides visibility into which SaaS services are in use, threat prevention, and data protection and data loss prevention controls. It sits between end users and cloud services, monitors user activity and traffic to those services, and takes action to block threats and enforce policy as needed.
FWaaS is a firewall delivered as a cloud service, which makes it easier to deploy and scale than an on-premises appliance. A good FWaaS solution provides next generation firewall (NGFW) capabilities such as advanced threat protection (ATP), DNS security, web filtering, and an intrusion prevention system (IPS).
Remote browser isolation (RBI) protects an organizational network from known and unknown web-based threats. When a user browses through an RBI service, the page and all of its active code are loaded and executed in an isolated container in the cloud, outside the corporate network; only a rendered stream of the page is sent to the endpoint, so malicious code never reaches the user’s computer and, consequently, never reaches the network. The user still gets an interactive browsing experience.
Zero trust network access (ZTNA) authorizes each user to individual applications rather than to the network. Every request is evaluated against the user’s identity, the device’s posture and other context, access is granted with least privilege and is denied by default, and an application is reachable only through the ZTNA broker, so it is not discoverable or reachable from the network at large. This per-application segmentation keeps even a highly distributed network secure without relying on the network boundary.
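The ZTNA decision described above, as an added example written for this page (not any vendor’s policy engine): a policy decision point that answers one question per request, “may this identity, on this device, in this context, reach this application?”, with default deny for any application that has no policy. The applications, users, devices and policy rules are all constructed for the example, and the names of the posture checks are assumptions about what a real broker would collect from an endpoint agent.

```python
"""Toy ZTNA policy decision point.

Added illustration, not any vendor's engine. Applications, users, devices
and policies are constructed for the example. Shown: access is granted per
application from identity and device context, denied by default, and never
granted merely because the user is "on the network".
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in the organization's device management
    disk_encrypted: bool   # assumed posture signal from an endpoint agent
    os_patched: bool       # assumed posture signal from an endpoint agent


@dataclass(frozen=True)
class Context:
    user: str
    groups: FrozenSet[str]
    mfa: bool              # strong authentication completed for this session
    device: Device
    country: str


@dataclass
class AppPolicy:
    app: str
    allowed_groups: Set[str]
    require_mfa: bool = True
    require_managed_device: bool = False
    allowed_countries: Optional[Set[str]] = None   # None means no geo restriction


# Constructed per-application policies. There is deliberately no "LAN" rule:
# the network a request arrives from is not an input to the decision.
POLICIES = {
    "wiki": AppPolicy("wiki", allowed_groups={"staff"}),
    "hr-payroll": AppPolicy("hr-payroll", allowed_groups={"hr"},
                            require_managed_device=True, allowed_countries={"US", "DE"}),
    "prod-db-console": AppPolicy("prod-db-console", allowed_groups={"sre"},
                                 require_managed_device=True),
}


def device_posture_ok(device: Device, require_managed: bool) -> Tuple[bool, str]:
    """Minimum posture for any app; stricter apps additionally require a managed device."""
    if not device.os_patched:
        return False, "device is missing OS patches"
    if not device.disk_encrypted:
        return False, "device disk is not encrypted"
    if require_managed and not device.managed:
        return False, "application requires a managed device"
    return True, "posture ok"


def decide(app: str, ctx: Context) -> Tuple[bool, str]:
    """Return (allowed, reason). Every branch that is not an explicit allow is a deny."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, f"no policy for application '{app}': default deny"
    if not ctx.groups & policy.allowed_groups:
        return False, f"user '{ctx.user}' is not in an allowed group for '{app}'"
    if policy.require_mfa and not ctx.mfa:
        return False, "MFA required but not completed"
    ok, why = device_posture_ok(ctx.device, policy.require_managed_device)
    if not ok:
        return False, why
    if policy.allowed_countries is not None and ctx.country not in policy.allowed_countries:
        return False, f"access to '{app}' not permitted from {ctx.country}"
    return True, f"'{ctx.user}' granted least-privilege access to '{app}' only"


# Constructed identities and devices.
HEALTHY = Device(managed=True, disk_encrypted=True, os_patched=True)
BYOD = Device(managed=False, disk_encrypted=True, os_patched=True)
STALE = Device(managed=True, disk_encrypted=True, os_patched=False)

ALICE = Context("alice", frozenset({"staff", "hr"}), mfa=True, device=HEALTHY, country="US")
BOB = Context("bob", frozenset({"staff"}), mfa=False, device=BYOD, country="US")
CAROL = Context("carol", frozenset({"staff", "sre"}), mfa=True, device=STALE, country="DE")


def run_demo() -> dict:
    """Evaluate a set of (user, app) requests and return {"user->app": allowed}."""
    requests = [
        (ALICE, "wiki"), (ALICE, "hr-payroll"), (ALICE, "prod-db-console"),
        (BOB, "wiki"), (CAROL, "wiki"), (CAROL, "prod-db-console"),
        (ALICE, "legacy-app"),
    ]
    return {f"{ctx.user}->{app}": decide(app, ctx)[0] for ctx, app in requests}


if __name__ == "__main__":
    for ctx, app in [(ALICE, "hr-payroll"), (BOB, "wiki"), (CAROL, "prod-db-console")]:
        print(app, ctx.user, decide(app, ctx))
```

Note that alice, who is entitled to the HR application, is still denied the production database console, and carol, who is an SRE, is denied it because of device posture alone: each application is a separate authorization decision, which is the “microsegment” the text refers to.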
As part of secure access service edge (SASE), the WAN edge infrastructure uses software-defined wide area networking (SD-WAN) to give distributed sites and users access to cloud services, SaaS products, and resources located in public or private data centers.
SD-WAN selects the best available path (for example broadband, MPLS or cellular) for each application’s traffic, and carries that traffic over encrypted tunnels between sites and the SASE points of presence, so users get fast, secure connections to everything they need.
The Secure Access Service Edge (SASE) framework for network security provides the following benefits:
Because SASE is delivered as a cloud service, the same networking and security capabilities are applied to every user, whether they connect from the office, a branch, home or the road. This makes it suitable for remote and mobile users as well as for securing branch offices.
New network threats are constantly appearing, and organizations undergoing digital transformation have security needs that change with them. In a legacy environment, each gap is closed by adding another product and more on-premises infrastructure. With one SASE platform forming the bulk of a company’s security stack, capabilities are upgraded and managed centrally, and protection is applied consistently from edge to edge.
SASE architecture is well suited to enforcing data loss prevention (DLP) consistently across the entire enterprise: the same DLP policy can be applied to traffic to the Internet, to SaaS applications and to data centers, rather than being configured separately at each. SASE also protects data through context-aware access, in which identity, device posture and location are evaluated before access is granted, which reduces the risk of data being reached from a compromised or untrusted endpoint.
As SASE solutions have one central management console, security teams can manage all networking and security policies from one place, even as the network grows.
With SASE, there is a single vendor and service to pay for. This is often cheaper than patching together security products from many different vendors, and avoids the maintenance burden of such a complex setup.
Secure access service edge (SASE) is built on SD-WAN and is highly scalable. Far less physical hardware and setup are needed to add a site or a group of users than with traditional network architecture built from legacy point solutions.
Because the security functions are delivered from the cloud, there is less physical hardware to maintain on premises (typically only the SD-WAN edge devices), which makes issues easier to fix and reduces overall downtime.
For more information about SASE and its link to Zero Trust, check out the white paper What’s the Zero Trust – SASE Connection?