SASE, or the secure access service edge, is a term coined by analysts at Gartner in 2019 representing a framework that describes the necessary branch WAN edge network functions combined with cloud-delivered security services and all managed in the cloud. The proper integration of these network and security functions is now commonly referred to as SASE.
SASE has emerged as a key concept in edge security
Security leaders should view SASE favorably for its capabilities to better support Software as a Service (SaaS), cloud computing and colocation-based, or identity-centric computing. SASE enables security functionality to embed into a global network fabric and have it scale for users who may be anywhere. Instead of a complex and endless line of software agents on each endpoint, the SASE approach offers a new dimension to identity-based protection and policy enforcement throughout enterprises.
In addition to SASE, enterprises should have a complementary zero trust security framework, often referred to as role-based access control, that can identify users, devices and respective roles to ensure they can only reach destinations — data and applications — on the network that are consistent with their role in the business.
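A minimal version of the role-based zero trust check described above, as an added example that is not part of the original article or of any vendor's product: identity, device state and the requested destination are evaluated together, the default is deny, and every decision carries a reason so denials can be logged and alerted on. The roles, applications, device attributes and users are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy model: each role lists the applications it may reach,
# and some applications additionally require a managed (corporate) device.
ROLE_POLICY = {
    "finance": {"erp", "payroll", "email"},
    "engineering": {"source-control", "ci", "email"},
    "contractor": {"ticketing"},
}
MANAGED_DEVICE_REQUIRED = {"erp", "payroll", "source-control"}


@dataclass(frozen=True)
class Identity:
    user: str
    role: str


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool     # enrolled in corporate device management
    posture_ok: bool  # e.g. disk encryption on, endpoint agent running (constructed)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(identity: Identity, device: Device, app: str) -> Decision:
    """Zero trust access check: deny by default; allow only when the role,
    the device state and the requested application all line up."""
    allowed_apps = ROLE_POLICY.get(identity.role)
    if allowed_apps is None:
        return Decision(False, f"unknown role {identity.role!r}")
    if app not in allowed_apps:
        return Decision(False, f"role {identity.role!r} may not reach {app!r}")
    if app in MANAGED_DEVICE_REQUIRED and not device.managed:
        return Decision(False, f"{app!r} requires a managed device")
    if not device.posture_ok:
        return Decision(False, f"device {device.device_id!r} failed posture check")
    return Decision(True, "role, device and destination are consistent")


def evaluate_batch(requests):
    """Evaluate (identity, device, app) triples and return an audit log;
    each denied entry keeps its reason so it can feed detection rules."""
    log = []
    for identity, device, app in requests:
        d = authorize(identity, device, app)
        log.append({"user": identity.user, "device": device.device_id,
                    "app": app, "allowed": d.allowed, "reason": d.reason})
    return log


if __name__ == "__main__":
    alice = Identity("alice", "finance")
    bob = Identity("bob", "contractor")
    laptop = Device("lt-001", managed=True, posture_ok=True)
    byod = Device("byod-9", managed=False, posture_ok=True)
    for entry in evaluate_batch([
        (alice, laptop, "payroll"),   # allowed
        (alice, byod, "payroll"),     # denied: unmanaged device
        (bob, laptop, "payroll"),     # denied: wrong role
        (bob, byod, "ticketing"),     # allowed
    ]):
        print(entry)
```

In a deployed SASE stack this decision would be made by the ZTNA or identity layer on every new session, with the identity and device attributes supplied by the identity provider and device-management system rather than hard-coded; the point of the example is the evaluation order and the deny-by-default posture.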
Does SASE replace SD-WAN?
The simple answer is no. It is best not to think of this transformation as “SASE vs. SD-WAN” because SD-WAN is a key, foundational component of a SASE architecture. The important takeaway is that the SD-WAN must be able to support adaptive internet breakout. This means the SD-WAN must be able to identify the application on the very first data packet in order to steer it to its proper destination.
Once a session or flow has been initiated, it can’t be moved to an alternate path, so the steering decision has to be made on that first packet. For example, a business might define security and quality-of-service policies to direct Microsoft 365 traffic or IP-camera security data directly to the SaaS provider to minimize delay and provide the best quality of experience for users, but then direct Box, Dropbox, Facebook and LinkedIn traffic first to a cloud-delivered security service before handing off to the SaaS provider.
The emerging SASE framework, enabled by an open, versatile SD-WAN infrastructure for distributed branch office settings, is best understood as the industry’s natural answer to these accumulated challenges. This approach works directly in concert with the shift to cloud and mobile applications that the industry has seen over the last decade. Organizations no longer have static and predictable data flows, and the network of the past simply cannot support that. After all, security is paramount to any cloud-backed connection.
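The first-packet steering behaviour described above, as an added example that is not part of the original article or of any SD-WAN vendor's code: the application is classified from the first packet (TLS SNI where present, otherwise destination prefix), a policy table maps each application to a path, and the chosen path is pinned to the flow so later packets are never re-pathed. The hostnames, prefixes and policy table are constructed for illustration; unknown applications are deliberately sent through the cloud security service rather than trusted with direct breakout.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed application signatures (illustrative, not real provider
# addresses): an app is recognised from the TLS SNI on the first packet, or
# from the destination prefix when no SNI is present.
SNI_SIGNATURES = {
    "outlook.office365.com": "microsoft365",
    "teams.microsoft.com": "microsoft365",
    "app.box.com": "box",
    "www.dropbox.com": "dropbox",
    "www.facebook.com": "facebook",
    "www.linkedin.com": "linkedin",
}
PREFIX_SIGNATURES = [
    (ipaddress.ip_network("198.51.100.0/24"), "ip-camera-cloud"),  # constructed
    (ipaddress.ip_network("10.0.0.0/8"), "internal"),             # constructed
]

# Steering policy in the spirit of the article: latency-sensitive business
# SaaS goes straight to the provider, collaboration/social apps pass through
# the cloud-delivered security service first, internal apps go to the data center.
STEERING_POLICY = {
    "microsoft365": "direct",
    "ip-camera-cloud": "direct",
    "box": "cloud-security",
    "dropbox": "cloud-security",
    "facebook": "cloud-security",
    "linkedin": "cloud-security",
    "internal": "data-center",
}
DEFAULT_PATH = "cloud-security"  # unknown apps are inspected, never broken out directly


@dataclass(frozen=True)
class FirstPacket:
    """The handful of fields available on the first packet of a flow."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None

    def flow_key(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


def identify_app(pkt: FirstPacket) -> str:
    """Classify the application using only what the first packet carries."""
    if pkt.sni and pkt.sni in SNI_SIGNATURES:
        return SNI_SIGNATURES[pkt.sni]
    dst = ipaddress.ip_address(pkt.dst_ip)
    for net, app in PREFIX_SIGNATURES:
        if dst in net:
            return app
    return "unknown"


class FlowSteering:
    """Chooses a path on the first packet and pins it for the life of the flow."""

    def __init__(self):
        self.flows = {}  # flow key -> (app, path)

    def steer(self, pkt: FirstPacket):
        key = pkt.flow_key()
        if key in self.flows:  # existing flow: never re-path mid-session
            return self.flows[key]
        app = identify_app(pkt)
        path = STEERING_POLICY.get(app, DEFAULT_PATH)
        self.flows[key] = (app, path)
        return app, path


if __name__ == "__main__":
    fs = FlowSteering()
    samples = [  # constructed first packets from a branch host
        FirstPacket("10.1.1.5", 51000, "203.0.113.10", 443, sni="outlook.office365.com"),
        FirstPacket("10.1.1.5", 51001, "203.0.113.11", 443, sni="www.dropbox.com"),
        FirstPacket("10.1.1.5", 51002, "198.51.100.7", 554),
        FirstPacket("10.1.1.5", 51003, "10.20.30.40", 443),
        FirstPacket("10.1.1.5", 51004, "203.0.113.99", 443, sni="example.invalid"),
    ]
    for pkt in samples:
        print(pkt.flow_key(), "->", fs.steer(pkt))
```

The flow table is what makes the "no mid-session move" rule hold: even if the policy table is edited while a flow is up, `steer` keeps returning the path chosen on the first packet, and only new flows pick up the change.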
How does SASE fit in 2022?
The short answer is that SASE makes sense today because so much has changed about the network edge over the past decade. If we look back a dozen years or so, all enterprise applications were hosted in the data center. All users and devices — regardless of where they were located — connected back to the data center to access their respective business applications. An enterprise could build a proverbial moat around the data center to protect it. Users connected from branch locations over secure private line connections or from remote locations across a virtual private network (VPN). This model worked fine — but then came the cloud and its decentralized approach. The data center as we have known it is no longer the center of the universe for most enterprises today. Quickly, SaaS apps like Salesforce, ServiceNow and Dropbox, and unified communications including RingCentral, Zoom, Microsoft 365 and many others, have come to dominate the everyday workflow of global business.
The cloud also includes Infrastructure as a Service (IaaS) providers like Microsoft Azure, Amazon Web Services, Google Cloud and others. However, sending cloud traffic that is destined for the internet back to headquarters simply doesn’t make sense. It adds delay that degrades application performance, and it consumes costly leased-line bandwidth.
Malicious attacks on the network are multiplying: The edge has evolved
To further challenge IT teams, network traffic is far more distributed than in the past, as enterprise applications continue to migrate to the cloud instead of being hosted in the corporate data center. As a result, the number of workers accessing enterprise applications remotely continues to increase, and the number of IoT devices connecting to the network keeps growing.
This creates a rather complex scenario of connectivity needs that must be satisfied in a secure and well-managed fashion. Better answers are required. Necessary WAN edge functions include SD-WAN; routing to communicate with the world outside the WAN fabric; basic security functions such as a zone-based firewall and segmentation to protect the branch from any incoming threats; IDS/IPS; application and network visibility; and even WAN optimization.
Ideally, all these functions are unified in a single WAN edge platform that greatly simplifies branch WAN edge infrastructure. Gartner calls this a “thin” WAN edge. WAN edge functions are married with cloud-delivered security functions that include Firewall as a Service (FWaaS), a secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA), data loss prevention (DLP), sandboxing, antivirus, intrusion detection and prevention (IDPS) and more.
Protecting from edge to cloud with SASE
With the increase in remote workers connecting directly to cloud applications, traditional perimeter-based cybersecurity is insufficient. By transforming WAN and security architectures with SASE, enterprises can ensure direct and secure access to applications and services across multi-cloud environments, regardless of location or the devices used to access them. Cloud-delivered security services place security enforcement closer to the user where they are working instead of backhauling traffic to a headquarters or hub site for inspection. Furthermore, cloud security enforcement points are usually deployed in the same data centers where common SaaS apps are hosted. Application response time is significantly improved by connecting users to security and cloud-hosted application doorsteps closer to where they are working, improving quality of experience and business productivity. And keeping cloud security enforcement points up to date with the latest threat intelligence and remediation measures is also far easier than doing so with firewalls deployed at potentially hundreds or thousands of branch locations.
The real goal of the SASE architecture is to connect users more intelligently to their applications without compromising any security. Business benefits of SASE are many, including:
- Improved business productivity and customer satisfaction
- Enhanced, consistent security policy enforcement across the enterprise
- Reduced risk and brand image protection
- Increased IT efficiency and lower overall WAN and security costs through centralized management
- Ability to evaluate and easily adopt new security technologies as they emerge
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.