Secure Access Service Edge (SASE), pronounced “sassy,” is a cloud-based architecture that delivers network and security services meant to protect users, applications, and data. This term was coined by Gartner in 2019 and has quickly risen through the ranks to become one of the top aspirational security concepts of the current decade so far. Given that many users and applications no longer live and operate on a corporate network, access and security measures can’t depend on conventional hardware appliances in the corporate datacenter.
SASE promises to deliver the necessary networking and security capabilities in the form of cloud-delivered services. Done properly, a SASE model eliminates perimeter-based appliances and legacy solutions. Instead of delivering the traffic to an appliance for security, users connect to the SASE cloud service to safely access and use web services, applications, and data with the consistent enforcement of security policy.
Where is the “edge” in Secure Access Service Edge? The “edge” in SASE refers to the cloud provider’s global systems that exist on their hardware (data centers and devices). Users access cloud services by logging in and authenticating their identities, from any location, and are passed through this “edge” into the cloud environment.
Conventional security measures presumed that applications and users would be inside the network perimeter, which is no longer true. Corporate data is moving to the cloud, employees are increasingly working remote, and digital transformation initiatives require IT organizations to be nimble to capitalize on new business opportunities.
As a result, the traditional network perimeter is dissolving, and new models for access controls, data protection, and threat protection are necessary. In light of these changes, organizations are finding that their existing collection of standalone point products such as firewalls, secure web gateway, data loss prevention (DLP), and cloud access security brokers (CASB), are no longer applicable in a cloud-first world.
Gartner SASE predictions
of enterprises will adopt SWG, CASB, ZTNA and branch FWaaS by 2023
of enterprises will develop strategies to adopt SASE by 2024
SOURCE: GARTNER REPORT: THE FUTURE OF NETWORK SECURITY IS IN THE CLOUD
What does a SASE architecture look like?
Secure Access Service Edge, or SASE, unifies networking and security services in a cloud-delivered architecture to protect users, applications, and data everywhere. Given that users and applications are no longer on a corporate network, security measures can’t depend on conventional hardware appliances at the network edge.
There are two sides of SASE architecture: Security and Networking
Instead, SASE promises to deliver the necessary networking and security as cloud-delivered services. Done properly, a SASE model eliminates perimeter-based appliances and legacy solutions. Instead of delivering the traffic to an appliance for security, users connect to the SASE cloud service to safely use applications and data with the consistent enforcement of security policy.
SASE Includes the Following Technologies and Capabilities
A SASE architecture is capable of identifying users and devices, applying policy-based security controls, and delivering secure access to the appropriate applications or data. SASE makes it possible to provide secure access regardless of where users, data, applications or devices are located.
Cloud-native microservices in a single platform architecture
Ability to inspect SSL/TLS encrypted traffic at cloud scale
Advanced threat protection, including AI/ML, UEBA, sandboxing, etc. (ATP)
Threat intelligence sharing and integration with EPP/EDR (Endpoint Protection Platform/Endpoint Detection and Response), SIEM (Security Information and Event Management), and SOAR (Security Orchestration, Automation, and Response)
Software-defined perimeter with zero trust network access, replacing legacy VPNs (SDP, ZTNA)
Protection for the branch, including support for branch networking initiatives such as SD-WAN (Software-Defined Wide Area Network)
Carrier-grade, hyper-scale network infrastructure with a global POP (Point of Presence) footprint
1. Flexibility: Allows for direct-to-net or direct-to-cloud access from anywhere for easy adoption of new digital business models
2. Cost savings: Eliminates CapEx for on-premises infrastructure and provides lower, predictable OpEx due to its Security-as-a-Service model
3. Reduced complexity: Consolidated services into a cloud-delivered model eliminates complex stack of legacy point solutions and simplifies operational effort
4. Increased performance: Enhances and accelerates access to internet resources via a global network infrastructure optimized for low-latency, high-capacity, and high-availability
5. Zero trust network access: Provides secure, contextual access to private apps in public/private clouds
6. Threat protection: Stops cloud and web attacks such as cloud phishing, malware, ransomware, and malicious insiders
7. Data protection: Protects data everywhere it goes, inside and outside of the organization, including within public clouds as well as between company and person instances of cloud apps
What are the Four Questions to Ask When Adopting SASE?
1. How does your current web or cloud security give you full visibility and context across all web and cloud traffic?
Consider consolidating your secure web gateway (SWG) and cloud access security broker (CASB). This will provide critical visibility and control for data loss protection (DLP) and advanced threat protection (ATP) defenses that are also cloud-hosted in the same platform. Along with retiring your legacy SWG appliances, migrate to zero trust network access (ZTNA) to replace your legacy VPN appliances to modernize your overall secure access posture.
2. What level of cloud-scale does your current security solution provide?
The majority of cloud traffic is encrypted, and a growing number of attackers are leveraging the cloud to evade traditional network controls. Using cloud-scale SSL/TLS inspection helps you stay on top of the threat landscape.
3. Does your current network support high performance and consistent availability?
Users expect high performance with low latency, because if the SASE is slow, unhappy users will look for ways around your system. In order to deliver great user experience, make sure that your SASE solution is engineered for high performance and located in the places that your users are.
4. How many consoles and policies do you currently have to use to manage your existing security stack?
Many vendors are adapting or virtualizing their software and calling it a cloud-based solution. If it isn’t designed to be a SASE, you may end up with multiple administrative consoles, complex policies that are hard to manage, and time-wasting tools for conducting investigations. Choose a solution that has a single management console, single client, and a single policy engine to streamline operations and effectiveness for network and security teams.
Sponsored by Netskope, The SASE Accreditation is an introductory training on Secure Access Service Edge (SASE), an architectural framework for security and networking that addresses the security challenges modern organizations face as they embrace cloud applications, protect data, and unify networking and security services.
In this two-day accreditation, you will learn how SASE helps networking and security professionals gain greater visibility and real-time actionable information about cloud services, activity, traffic, and data while also simplifying your security stack.