SASE (Secure Access Service Edge) is a network architecture that unifies network and security solutions into a cloud-based service to enhance accessibility, efficiency, and cybersecurity.
The concept of SASE was introduced in Gartner's 2019 report 'The Future of Network Security Is in the Cloud'. The concept emerged from organizations' increasing demand for reliable access across transforming network approaches.
Gartner published a follow-up white paper ‘2021 Strategic Roadmap for SASE Convergence' with a migration plan for organizations shifting from legacy network infrastructure to SASE.
How Does SASE Work?
Traditionally, an organization's network traffic predominately flowed throughout its different locations, such as branch offices, with most security architecture and applications hosted at data centers or its headquarters and remotely accessed through a Virtual Private Network (VPN).
Digital transformation has disrupted traditional networks. Modern networks are considerably more complex, often comprising SaaS products, cloud technology, Internet of Things (IoT) devices, mobile devices, and remote workers.
These endpoints all require network security and connectivity. The large amount of traffic they generate to and from data centers paired with the security inspection process causes latency and diminished user experience (UX).
SASE aims to address these inefficiencies by allowing organizations to scale their networking and security capabilities directly across all endpoints at any location through its cloud delivery model.
The SASE Security Model
The SASE framework works through several technologies which allow necessary network and security functions to be deployed directly from the cloud in unison.
Gartner states that SASE works by 'combining comprehensive WAN capabilities with comprehensive network security functions … to support the dynamic secure access needs of digital enterprises'.
The SASE security model enables these technologies to work together seamlessly across the network to move away from siloed security stacks, where organizations must implement independent security solutions, policies, and systems.
Gartner outlines the following network and security capabilities as core components of the SASE security model:
Software-defined Wide Area Network (SD-WAN)
A traditional wide area network (WAN) routes all remote traffic through a data center firewall, resulting in latency and bottlenecks, which impede the performance of the network and applications.
SASE uses software-defined wide area network (SD-WAN), a cloud-based service that efficiently routes traffic across the WAN via strategically placed points-of-presence (PoPs). PoPs are distributed across the SASE network near devices, branch offices, and data centers. They directly route user traffic to the cloud and SaaS services to improve network speed, security, and SD-WAN performance.
Through SASE, organizations can add network security features onto the SD-WAN's functionality to avoid implementing them separately at each branch/data center on the network edge, saving significant time and costs.
Firewall-as a-service (FWaaS)
Firewall-as-a-service (FWaaS) can operate on-premises but is often leveraged through the cloud in a SASE configuration. FWaaS offers the same solutions as a stateful firewall - network monitoring, packet filtering, and IP mapping - with additional next-generation firewall (NGFW) capabilities.
NGFW features include:
- Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
- Advanced Threat Protection (ATP)
- Domain Name System (DNS) security
- Application Control
- Deep Packet Inspection (DPI)
Cloud Access Security Broker (CASB)
Cloud access security brokers (CASBs) are vital in enforcing security policies across an organization's SaaS applications. CASBs use authentication and authorization through standards like SAML to allow employees to access both internal and SaaS apps through the same portal, eliminating the need to route traffic externally from the SASE network.
CASBs also provide the following functionalities:
- Cloud Application Discovery
- Adaptive Access Control
- User and Entity Behaviour Analytics (UEBA)
- Malware Detection
- Data Loss Prevention (DLP) to prevent cloud leaks
Secure Web Gateway (SWG)
As employees often need access to resources beyond the network edge, this increases the attack surface can make it difficult to manage compliance. A secure web gateway (SWG) protects organizations from cybersecurity threats like phishing attacks, botnets, and malware.
SWGs can also perform the following security functions:
- Inspect web traffic and filter inappropriate content
- Implement security policies
- Prevent corporate data leakage
- Block unauthorized users from gaining access
Zero-trust Network Access (ZTNA)
The zero-trust network access (ZTNA) information security model assumes no trust from all users, whether inside or outside the network edge. Users must verify or authenticate themselves before accessing any sensitive data.
ZTNA provides organizations with visibility and access control of all users, devices, and applications through the least privilege principle. This principle only grants access to required applications/services to limit the attack surface should an unauthorized user compromise an employee's account.
ZTNA usually relies on multi-factor authentication (MFA) or two-factor authentication (2FA) to verify users' identities each time they request access to any network resources and cloud services.
The ZTNA model can also rely on the following technologies to provide network security:
- Security information and event management (SIEM)
- Identity and Access Management (IAM)
- File system permissions
Gartner SASE Predictions
Gartner has detailed its expectations about organizations' adoption and effectiveness of SASE in the future.
Some key predictions include:
- By 2023, to deliver flexible, cost-effective scalable bandwidth, 30% of enterprise locations will have only internet WAN connectivity.
- By 2023, 20% of enterprises will have adopted SWG, CASB, ZTNA, and branch FWaaS capabilities from the same vendor.
- By 2024, 30% of enterprises will adopt cloud-delivered SWG, CASB, ZTNA, and branch office firewall as a service (FWaaS) capabilities from the same vendor.
- By 2024, at least 40% of enterprises will have explicit strategies to adopt SASE.
- By 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch, and edge computing access.
Sources: The Future of Network Security Is in the Cloud, 2021 Strategic Roadmap for SASE Convergence
SASE consolidates functions that organizations would typically need several service providers to manage and requires fewer on-premises hardware components than traditional networks. These factors significantly reduce organizations' existing network and security overheads.
As the SASE model operates as a centralized service, IT teams can manage all applications from one access point rather than managing individual network devices across several locations.
The cloud-based nature of SASE also enables organizations to scale the architecture's application as quickly as the network grows.
Enhanced Network Security
SASE services enhance network security through their in-depth approach to network protection. An ideal SASE service can help detect and prevent cyber attacks like Distributed Denial-of-Service (DDoS) attacks, man-in-the-middle attacks, phishing, email spoofing, and different types of malware through in-depth security inspections.
ZTNA is a core component of SASE, ensuring all users and devices are granted authentication and authorization before accessing any network resources. Reputable SASE providers also offer encrypted connections and strict policy controls.
Network Performance Optimization
SASE architecture is designed to accommodate modern working models, providing faster, more reliable network connections to all endpoints, including mobile users and remote users. Cloud-native apps and SaaS services run on low-latency connections as access is facilitated through a unified platform.
As SASE platforms offer all network and security functions in a single service, they are much easier to monitor and maintain than legacy systems. Security teams are afforded visibility over all incoming and outgoing traffic from a single interface.
The global distribution of PoPs means these capabilities extend to areas of the remote workforce that were once more difficult to incorporate into the network.
As SASE requires the usually separate network management and security teams to work together, they need to on strategies, priorities, and objectives during its deployment and ongoing development.
If both departments struggle to agree across these areas, there could be delays and other operational roadblocks surrounding SASE implementation.
Unique SASE Offerings
SASE combines a package of services that organizations traditionally obtain from several different third-party vendors. As SASE is an adaptable framework, there is no one-size-fits-all solution available to organizations.
Organizations will likely need to shop between different SASE solutions to find suitable offerings to tie into their specific workloads and use cases.
Considering SASE's infancy, organizations may not know which combination of services they need to match their organization's specific needs. They may need to rely on trial and error across SASE vendors, which is resource and cost-intensive.
Increased Third-Party Risk
SASE implementation requires a number of technologies that organizations will likely source from several vendors. Not only do these technologies heighten cybersecurity risk, but each of these vendors carries third-party risks, which further extend to fourth-party risks. Organizations much account for these additional attack vectors through effective information security policies and vendor risk management strategies.
Top SASE Vendors
The following vendors can help organizations adopt the SASE model.
Akamai's cloud architecture offers secure access to cloud applications and other third-party apps, delivered through a global Content Delivery Network (CDN).
2. Barracuda Networks
Barracuda's platform offers users secure access to SaaS apps and on-device security for internal apps through proxy servers.
- Malware scanning
- Content filtering
3. Cato Networks
Cato's cloud infrastructure delivers SD-WAN and SASE services through a global network of PoPs.
- Mobile security
Cisco's cloud-native platform offers complete network and security functionalities in a comprehensive SASE solution.
Cloudflare offers a security stack through a global CDN that can be paired with an existing SD-WAN.
- Web filtering
Fortinet's SASE stack includes cloud-based security functionalities across a distributed network.
Netskope's cloud-native security functionality provides real-time protection at the network edge.
- NextGen SWG
- Public cloud security
8. Palo Alto Networks
Palo Alto provides in-depth cloud-delivered security offerings to offer complete network protection.
VMware's cloud-native architecture combines networking and security services for delivery across an expansive multi-cloud network.
Zscaler's cloud security platform delivers globally distributed services for sure access to apps and data.
- DNS Security
- Browser proxy
- Cloud Sandbox