What is Secure Access Service Edge (SASE)?

Secure Access Service Edge (SASE) is an architectural model for enterprise networking and network security. Gartner, which coined the term in 2019, defines it as a way to support the fast and secure application access needs of today’s workforce. SASE architectures converge networking and cloud-delivered security into a high-performance, single-pass architecture with unified management.

Why is SASE Needed?

There are three primary market trends driving the shift to SASE in networking and security:

  • Apps are moving to SaaS: In traditional architectures, backhauling SaaS traffic to the data center worsens latency and increases network costs. As cloud services become more prevalent, security must move out of the data center and closer to users, in-path between them and the cloud.
  • Workers are more mobile and remote: Employees expect the same experience and security regardless of their location. Traditional VPNs grant broad network-level access rather than granular, per-application controls, and the backhaul they impose worsens that experience.
  • Threats are evolving rapidly: Security teams need to continually upgrade and update their infrastructure to keep pace with new threats. This is complex, time-consuming work that still often leaves their organizations open to zero-day threats.

Today’s enterprise needs to empower all employees with a fast, consistent and secure experience, no matter the location or device. Enterprise IT teams have to become more agile and operationally efficient, focusing on the delivery of new digital services rather than managing complex networking and security stacks.

What is SASE’s role in addressing these trends? It is a framework for ensuring that networking and security both evolve and converge, to enable:

  • Agile, unified, single-pane-of-glass administration — including provisioning, granular policy control and visibility — across networking and security. 
  • Consistently fast and secure app access everywhere, by virtue of comprehensive WAN capabilities that overcome the unpredictability of local internet breakouts.
  • Consistent security policy enforcement through a global security cloud, for all users, regardless of their locations.

What Does a SASE Architecture Look Like?

SASE converges comprehensive WAN and network security capabilities into a single-pass architecture, administered via a unified management plane for networking and cybersecurity. Gartner, which coined the term SASE, has listed “Core” and “Recommended” capabilities for SASE architectures1:

  • Core
    • SD-WAN: SD-WAN enables resilient, low-latency connectivity over any type of network transport, while allowing for reduced complexity compared with traditional router-based solutions. Cloud-native and real-time apps in particular benefit from SD-WANs. SD-WANs achieve this through capabilities such as path selection based on path quality assessment, WAN optimization, and peering with SaaS applications. In addition, some SD-WANs feature network security measures such as integrated intrusion detection/prevention systems (IDS/IPS) and simplified setup of VPN tunnels between branch offices and SaaS apps.
    • Secure Web Gateway: A secure web gateway (SWG) is an enterprise cybersecurity solution, typically implemented inline as a cloud service, that sits between users and the web. User traffic is forwarded to the SWG for inspection and further action as necessary, through built-in network security capabilities such as URL filtering, application control and anti-malware defense.
    • Cloud Access Security Broker: With a cloud access security broker (CASB), an enterprise can manage access control for all approved and unapproved SaaS apps. CASB security solutions are built upon four main pillars:
      • improved visibility, including across shadow IT applications.
      • data security for shielding sensitive assets from unauthorized access.
      • threat protection through capabilities like behavioral analysis.
      • simplified proof of compliance.
    • Zero Trust Network Access: Zero trust network access (ZTNA) enforces the principle of least privilege for authorized users accessing sanctioned applications. It is identity- and context-aware, evaluating each access attempt against identity information from an identity provider such as Microsoft Azure Active Directory and against parameters such as time of day and location. Access is brokered to individual applications rather than to the underlying network, which limits lateral movement by a compromised user or device. Overall, ZTNA allows for a better user experience, tighter security controls and reduced complexity compared with traditional VPN solutions.
    • FWaaS: Firewall as a Service (FWaaS) implements ingress and egress security controls across an enterprise network, to ensure that only trusted traffic may pass. More specifically, a FWaaS solution can integrate anomaly-based (signature-less) threat detection, network sandboxing, geolocation, anti-malware software and IDS/IPS solutions. FWaaS is often integrated with analytics solutions for comprehensive protection for data centers, cloud instances and branch offices.
    • Data Loss Protection: Data loss protection (alternatively data loss prevention) capabilities are integrated into the single-pass architecture of a SASE platform. A data loss protection engine offers visibility into data in use, in motion and at rest. It can quarantine risky data or activity, enforce encryption and send network security alerts to lower the overall risk of a data breach.
    • Encryption/Decryption of Content at Line Speed, at Scale: The single-pass architecture of SASE allows encrypted traffic to be opened and inspected just once, to reduce the latency of traditional security stacks with service-chained inspection engines.
  • Recommended:
    • Web Application and API Protection: As usage of web applications increases, it is important to keep malicious traffic and requests at bay. Web application and API protection, or WAAP, may integrate security solutions such as advanced rate limiting, runtime application self-protection (RASP) and DDoS mitigation.
    • Remote Browser Isolation: By using remote browser isolation, it’s possible to protect the enterprise network from browser-based attacks. Data from websites, including possibly compromised ones, is not transferred to end-user devices, lowering the possibility of a breach or infection.
    • Network Sandbox: A network sandbox sends suspicious content to an isolated environment, in which it can run without affecting other applications. FWaaS solutions within the SASE platform can then inspect it further and block any malicious files and assets, if they are discovered.
    • Support for Managed and Unmanaged Devices: A SASE platform offers a better framework for securing enterprise- and employee-supplied devices, with multiple security solutions protecting against threats such as data loss, unauthorized access and malware.
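The ZTNA description above can be made concrete with a small policy decision point. The following Python is an added illustration, not code from the page or from any vendor's product: it evaluates one access request against per-application rules using group claims from an identity provider token, a device-posture signal, the client's country and local time, and it grants access to a single application rather than to a network. The application names, groups, countries and claims are made-up test data; the `reevaluate` helper is a hypothetical hook showing that the same decision is re-run when a posture signal changes mid-session.

```python
# Added illustration, not the page's or any vendor's code: a minimal ZTNA
# policy decision point. Application names, groups and claims are made up.
from dataclasses import dataclass, replace
from datetime import time
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]      # group claims carried in the IdP token
    device_managed: bool        # posture signal from the endpoint agent
    country: str                # from geolocation of the client address
    local_time: time            # user's local time of day
    app: str                    # the single sanctioned app requested


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]
    allowed_countries: Optional[FrozenSet[str]] = None  # None: any country
    require_managed_device: bool = False
    business_hours: Optional[Tuple[time, time]] = None  # None: any time


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Constructed policy set: each entry publishes exactly one application.
POLICIES: Dict[str, AppPolicy] = {
    "payroll": AppPolicy(
        allowed_groups=frozenset({"finance"}),
        allowed_countries=frozenset({"US", "GB"}),
        require_managed_device=True,
        business_hours=(time(7, 0), time(19, 0)),
    ),
    "wiki": AppPolicy(
        allowed_groups=frozenset({"employees", "contractors"}),
    ),
}


def evaluate(req: AccessRequest, policies: Dict[str, AppPolicy] = POLICIES) -> Decision:
    """Deny by default: every check must pass, and a pass grants only req.app."""
    policy = policies.get(req.app)
    if policy is None:
        # No policy means the app is not published through the broker at all;
        # unlike a VPN there is no fallback to network-level reachability.
        return Decision(False, f"no policy publishes app {req.app!r}")
    if not (req.groups & policy.allowed_groups):
        return Decision(False, "identity: no allowed group in token")
    if policy.require_managed_device and not req.device_managed:
        return Decision(False, "posture: managed device required")
    if policy.allowed_countries is not None and req.country not in policy.allowed_countries:
        return Decision(False, f"location: access from {req.country} not allowed")
    if policy.business_hours is not None:
        start, end = policy.business_hours
        if not (start <= req.local_time <= end):
            return Decision(False, "time: outside business hours")
    return Decision(True, f"granted to {req.app} only")


def reevaluate(req: AccessRequest, device_managed: bool) -> Decision:
    """Hypothetical continuous-evaluation hook: re-run the decision when the
    posture signal changes mid-session instead of trusting the login result."""
    return evaluate(replace(req, device_managed=device_managed))


if __name__ == "__main__":
    alice = AccessRequest("alice", frozenset({"employees", "finance"}),
                          True, "US", time(10, 30), "payroll")
    print(evaluate(alice))                         # allowed, payroll only
    print(reevaluate(alice, device_managed=False)) # denied on posture change
```

The checks are ordered so that the cheapest and most decisive signals (is the app published at all, is the caller in an allowed group) run first; every branch returns a reason string, which is what a broker would log for the incident and compliance reporting described later on this page.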

The above capabilities must be delivered in a unified “thin branch, heavy cloud” model – SD-WAN functionality is offered as a “thin” branch appliance, while security functionality is provided as a “heavy” cloud service.

Benefits of Implementing a SASE Architecture

SASE architectures were designed with the intent of enabling fast, reliable and secure access to cloud applications by mobile and remote workers, while concurrently also improving IT agility. Assuming that enterprises pay attention to the nuances in functionality offered, such as unified management across networking and security, single-pass architectural design and powerful SD-WAN functionality, enterprises can achieve the following benefits from a SASE deployment:

Improved User Experience, Collaboration and Engagement – Direct Internet Access eliminates the latency of backhauled connections. However, SD-WAN and WAN optimization functionality within SASE solutions is required to ensure consistent performance even as Internet performance fluctuates. Single-pass architectures ensure that the inspection and policy engines themselves do not add unnecessary latency.

Improved Security Regardless of Employee Location – Identity-aware, zero-trust access is enabled for sanctioned applications. This reduces the attack surface and impedes lateral movement of malware within the enterprise network. For web and unsanctioned applications, comprehensive, cloud delivered security ensures a consistent security posture, regardless of employee location.

Simplified Operations with Better IT Agility – SASE architectures can help consolidate vendors across networking and security. Single-vendor solutions offer deeper integrations and unified management which simplifies deployment, configuration, reporting and support services. Since SASE architectures require moving security to the cloud, overall hardware footprint is reduced which in turn improves architectural elasticity and scale.

Nuances To Look For In A SASE Framework

While many vendors promote the individual components of a SASE architecture, delivering all of the requisite functionality is critical, as the unified whole is greater than the sum of the parts.

Only with a full “SASE stack” can enterprises enable fast, consistent and secure access to all apps, from anywhere and any device while also improving IT agility. The most powerful SASE architectures include the following nuances that differentiate them from the competition:

  • Deep integrations across enterprise networking and security: A SASE platform combines cloud security with comprehensive WAN functionality, with both of these capabilities building upon one another. While cloud security enables local internet breakouts (for eliminating latency from backhauled architectures), it does nothing to overcome the overall unpredictability of internet connections. SD-WAN and WAN optimization ensure changes in network performance do not impact employee experience. 
  • Single-pane-of-glass management: Through SASE, teams get unified views into infrastructure deployments (including for cybersecurity), network policy configurations and comprehensive reports. It all adds up to more holistic and agile control across your enterprise architecture.
  • Single-pass architecture: The service chaining of functionality often forces traffic through multiple inspection and policy engines, adding latency and minimizing any performance improvements expected from the SASE architecture. In contrast, well-designed SASE architectures will follow a single-pass approach, under which traffic is opened and inspected just once by all policy engines in parallel. 
  • Privacy / data segregation within the SASE architecture itself: Privacy and regulatory requirements such as GDPR often require segregation of data, selective decryption and visibility and control over how and where data will flow. With cloud-delivered security, meeting these obligations can be challenging, making evaluation of compliance measures important for any potential SASE solution. 
  • Unified vendor management: One of the primary goals of SASE is to improve IT agility. By consolidating vendors, you can minimize the number of conversations required to plan, deploy, manage and support a comprehensive, unified architecture across networking and security solutions. This consolidation not only accelerates operations but also helps nurture cross-functional conversations in IT, leading to better, more strategic decision-making. Moreover, from a pure technology perspective, a single-vendor architecture offers deeper integrations across all functionality than possible through technology alliances between organizations.
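The single-pass point made above (and in the "Encryption/Decryption of Content at Line Speed" and "Data Loss Protection" items earlier) is easiest to see in code. The following Python is an added illustration, not code from the page or from any vendor's product: it runs three policy engines (URL filter, DLP with a Luhn check on card-number candidates, and a hash-based anti-malware check) over the same flow twice, once as a service chain in which each appliance decrypts the flow itself, and once as a single pass in which the flow is decrypted once and every engine evaluates the same decoded object. TLS interception is simulated with base64 so the example runs offline; the hostnames, categories, hash blocklist and payloads are constructed test data.

```python
# Added illustration, not the page's or any vendor's code. Contrasts a
# service-chained inspection stack, where each appliance terminates TLS and
# parses the flow on its own, with a single-pass design that decodes once and
# hands one object to every policy engine. TLS is simulated with base64 so the
# example runs offline; hosts, categories, hashes and payloads are constructed.
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed policy data for the three engines.
URL_CATEGORIES = {"files.example.net": "file-sharing",
                  "intranet.example.com": "corporate"}
BLOCKED_CATEGORIES = {"file-sharing"}
MALWARE_SHA256 = {hashlib.sha256(b"MZ-fake-malware-sample").hexdigest()}
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, separators allowed


@dataclass
class DecodedFlow:
    host: str
    body: bytes


@dataclass
class Verdict:
    engine: str
    block: bool
    detail: str


def encrypt(host: str, body: bytes) -> bytes:
    """Stand-in for the client's TLS record: host line followed by the body."""
    return base64.b64encode(host.encode() + b"\n" + body)


def decrypt(record: bytes, counter: Dict[str, int]) -> DecodedFlow:
    """Stand-in for TLS interception; counted so the two designs can be compared."""
    counter["decrypts"] = counter.get("decrypts", 0) + 1
    host, _, body = base64.b64decode(record).partition(b"\n")
    return DecodedFlow(host.decode(), body)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs a card regex would hit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def engine_url_filter(flow: DecodedFlow) -> Verdict:
    category = URL_CATEGORIES.get(flow.host, "uncategorized")
    return Verdict("url-filter", category in BLOCKED_CATEGORIES, f"category {category}")


def engine_dlp(flow: DecodedFlow) -> Verdict:
    text = flow.body.decode("utf-8", "replace")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            return Verdict("dlp", True, f"card number ending {digits[-4:]}")
    return Verdict("dlp", False, "no sensitive data found")


def engine_malware(flow: DecodedFlow) -> Verdict:
    digest = hashlib.sha256(flow.body).hexdigest()
    return Verdict("anti-malware", digest in MALWARE_SHA256, f"sha256 {digest[:12]}")


ENGINES: List[Callable[[DecodedFlow], Verdict]] = [engine_url_filter, engine_dlp, engine_malware]


def service_chain(record: bytes) -> Tuple[List[Verdict], int]:
    """Each appliance in the chain decrypts the flow itself: N engines, N decrypts."""
    counter: Dict[str, int] = {}
    verdicts = [engine(decrypt(record, counter)) for engine in ENGINES]
    return verdicts, counter["decrypts"]


def single_pass(record: bytes) -> Tuple[List[Verdict], int]:
    """Decrypt once; every engine evaluates the same decoded object."""
    counter: Dict[str, int] = {}
    flow = decrypt(record, counter)
    verdicts = [engine(flow) for engine in ENGINES]
    return verdicts, counter["decrypts"]


def final_action(verdicts: List[Verdict]) -> str:
    """Most restrictive engine wins; all verdicts are still kept for logging."""
    return "block" if any(v.block for v in verdicts) else "allow"


if __name__ == "__main__":
    record = encrypt("intranet.example.com",
                     b"Invoice paid with card 4111 1111 1111 1111, thanks")
    for name, fn in (("service chain", service_chain), ("single pass", single_pass)):
        verdicts, decrypts = fn(record)
        print(f"{name}: {decrypts} decrypt(s), action={final_action(verdicts)}")
        for v in verdicts:
            print(f"  {v.engine:<13} block={v.block!s:<5} {v.detail}")
```

Both designs reach the same verdict; the difference is that the chain pays for three decryptions and three parses of the same bytes where the single pass pays for one, and in a real deployment that cost is what adds latency per appliance hop. Note also that the single pass keeps every engine's verdict rather than stopping at the first block, so the DLP hit and the malware hit are both available to the analytics and reporting layer.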

Use-Cases For SASE

Organizations need to evolve their enterprise networking and security infrastructure in response to changing usage patterns — i.e., which apps are accessed, and from where — in order to meet employee expectations as well as business requirements. This evolution will support broader strategic initiatives, such as enabling a “work-from-anywhere” workforce and improving business continuity through agile, elastic and efficient infrastructure deployment.

Broadly, the downstream IT use-cases can be broken into three categories:

  • Transform your networking and security architectures: Traditional hub-and-spoke appliance-based architectures add latency, increase WAN costs, and are complex to manage. Replacing them with a SASE architecture will allow secure local internet breakouts for fast, consistent and secure access to all applications from any location. Unification of cloud-delivered cybersecurity and SD-WAN within the SASE architecture enables better application performance, agile management, and visibility without blind spots.
  • Secure your SD-WAN deployment: While SD-WAN solutions are critical for improving the performance of applications, leveraging an SD-WAN alongside a data center-based security stack adds avoidable latency and reduces the overall benefits of SD-WAN. Appliance-based security in the branch location also requires frequent upgrades as the volume of encrypted traffic increases, raising costs and operational complexity. Cloud-delivered security is a viable alternative but must be delivered as a unified, single-pass SASE architecture in tandem with the SD-WAN solution. This setup ensures that the benefits expected from SD-WAN – faster app performance, operational agility, reduced OpEx – are maximized.
  • Deliver a secure and productive digital workspace: Digital workspace solutions enable a streamlined and productive employee experience, for all work applications and desktops, regardless of the device being used. When supported by a SASE architecture, application performance can be further improved with intelligent traffic prioritization and WAN optimization, and security bolstered with identity-aware, zero-trust access and powerful malware protection for all traffic.

How Does 必威手机app Help Businesses With SASE?

必威手机app converges all SASE capabilities into a single, unified architecture. The 必威手机app unified approach to SASE offers 5 key benefits:

  1. Most comprehensive, cloud-delivered security stack that protects all users, regardless of location, against all threats, at scale. 
  2. Identity-aware, zero trust access for continuous and dynamic access to sanctioned enterprise applications, while minimizing the enterprise attack surface.
  3. Best application experience, always, with powerful SD-WAN and application optimization functionality. 
  4. Deep forensics and AI-powered analytics to locate security incidents, atypical activity and policy violations for incident analysis and regulatory compliance. 
  5. Unified management with fully integrated networking and security for simple and agile operations.

必威手机app is trusted by 100 million users across 400,000 organizations to empower them to do their best work. We’d love to join you on your journey toward a more productive, agile and efficient architecture.  

Additional Resources:

1Gartner, The Future of Network Security is in the Cloud, Neil MacDonald, Lawrence Orans, and Joe Skorupa, 30 August 2019
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.