SASE – Secure Access Service Edge

Overview

SASE – The secure access service edge (pronounced “sassy”) is an emerging technology category of products and services that converge SD-WAN with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA).  SASE solutions connect and secure devices together through one global platform.

The category was first defined by Gartner in its Hype Cycle for Enterprise Networking, 2019 and later in The Future of Network Security Is in the Cloud. Below you’ll find in-depth explanation of SASE and it’s market importance: 

What Problems Do SASE Solutions Solve?

As enterprises evolve they’re increasingly less dependent on the private datacenter. More applications run in the cloud as SaaS than on-premises. More data and workloads live in cloud data centers and IaaS platforms than in datacenters. We also work off-site with mobility being the norm and mobile users routinely accessing the cloud.

These two shifts —  the cloud and mobility —  have forced us to rethink how we’re going to network and secure our offices, users, and resources. If the data center is no longer the hub of enterprise activity then where we inspect traffic and apply policy also needs to change. Backhauling traffic for security inspection undermines cloud performance, as we’ve already seen on legacy MPLS networks. At the same time, pushing security inspection out to the offices fails to address the other tenant of the enterprise, the mobile user. 

And if our networks are going to be built by connecting resources and users in large part outside of our offices, how do we deliver optimal network experiences? SD-WAN provided a solution for sites but not for mobile users. SD-WAN alone is also Internet-based, opening the way for unpredictable and unoptimized Internet routing to impact the user experience. This is particularly the case when running latency-sensitive applications, such as real-time sessions, across global connections. 

Alongside the question of where security inspection and network control is handled. There’s another question of how we inspect traffic. Today there’s a wide array of security technologies that need to be integrated together if companies are too adequately protect themselves. It’s expensive, time-consuming, and for many companies, requires skills they lack.

Ultimately it comes to finding one way to network any kind of resource, location or user, anywhere, and do so in a way that protects them and the business against the range of emerging threats. 
Back to TOC

What is SASE?

SASE solutions are ideally delivered as services (says Gartner) but can be delivered as turn-key edge appliances. The use of networking technologies (SD-WAN, WAN optimization, Route optimization and more ) to deliver the best possible network experience to any connecting entity —  group (a site), users, devices, applications, services, and IoT system — regardless of location. 

At the same time, they also restrict restricted based on identity and real-time context (such as location) in accordance with enterprise security/compliance policies and continuously assessed throughout the session. 

Although there are dozens of characteristics associated with SASE, four main attributes are essential:

  • Global SD-WAN Footprint. SASE service providers should provide, in effect, a global SD-WAN service with its own private network comprised of points of presence (PoPs) worldwide. Traffic is routed across their network, avoiding the global Internet’s latency problems. 
  • Distributed Inspection and Policy Enforcement.  Security inspection and policy enforcement are distributed across a SASE provider’s PoPs. Traffic is not backhauled for security inspection. Core security services include SWG, CASB, ZTNA, and FWaaS. 
  • Cloud-native Architecture. A SASE service should use a converged, multi-tenant cloud-native software stack not discrete networking and security devices service chained together. SASE solutions delivered as a CPE should be turnkey boxes just “turn it on and forget it,” as Gartner says.
  • Identity-driven. Security and network access are delivered based on user identity, not an IP address. The identity can be the name of the user but will also consider the device being used and the user’s location.

Back to TOC

What is an Example of a SASE Use Case

To get a better understanding of SASE, let’s see it in action. These scenarios are based on similar cases in the Gartner reports: 

Salesperson Working Remotely 

Sarah, a sales executive, goes to Starbucks late one evening with his company-issued laptop. While sipping a latte, he jumps on to the public Wi-Fi and accesses his company’s CRM system while browsing the Internet. 

A SASE platform connects and protects him. He might run a SASE client to establish a tunnel to the SASE platform or use clientless access. Regardless, once connected, the SASE platform would provide prioritize the ERP traffic while applying the necessary acceleration and optimization techniques to improve access. Malware inspection, DLP, and UEBA would be used to detect and prevent, potential infections, data loss, and malicious activity.  Internet browsing might be given a lower priority and but still secured using DLP and SWG. Finally, Wi-Fi protection would protect Joe while sitting on Starbuck’s public Wi-Fi.

Contractor Access Key Company Application

Beth, a contractor to Widget Corp, comes Widget’s offices to work for the day and uses her own laptop. During the day she needs to access the company inventory system and only that system. The inventory system is a web-enabled application hosted in the company’s on-site, data center. 

A SASE platform uses ZTNS to allow Beth to access that inventory database only from that particular location. The platform uses WAAP services to protect the web-enabled application from attack and inspects the encrypted traffic stream for sensitive data loss.

Back to TOC

What Are the Benefits of SASE?

SASE brings many, many benefits to the enterprise. Some of the more notable ones include: 

  • Reduced costs by reducing the number of components and vendors. Competition among SASE solutions will lead to additional cost savings.
  • Better network performance by using a global SD-WAN service with its own private backbone and built-in optimization
  • Security improvement and performance by inspecting traffic flow at the source (performance) and inspecting every data flow user (security improvement) Seeing policies based on identity —  not IP address — will also help. 
  • Less overhead due to the fact that SASE vendors run and maintaining the security engines. IT is freed from the updating, patching, and scaling appliances. 

What are the Drawbacks? 

SASE as a technology sector is far too new for drawbacks to emerge. Implementations are still far and few between. What’s more, there are different approaches to SASE, which makes it reasonable to assume that there will be different solution limitation:

  • Nothing new can be found in SASE as it is the integration of existing technologies not the introduction of new ones. This is a common refrain from several analysts. My belief is that integration is innovation and for that, you need to look no further than our smartphone that “only” replaced a bunch of existing technologies. If SASE providers are truly able to package existing technologies in a seamless, global services whose costs are amortized across all customers (multitenant) that will be remarkable. 
  • High degree of trust is being placed in SASE providers. By packaging together so much functionality, SASE providers assume IT professionals are willing to give up a degree of freedom that comes from multisourcing. If SASE is done right, one provider will deliver all networking and security needs. Trust and reputation will be important selling points.

Back to TOC

Who Are the Players 

As Gartner makes clear, SASE players are coming from many different vectors —  SD-WAN, CDN, security appliances, firewall-as-a-Service (FWaaS). Here is a summary of the current market state. Contact us for a current, more in-depth analysis.

Click here to receive our SASE Jumpstart Kit, which includes our independent SASE RFP and one-hour of consulting time to get you started.

Back to TOC

Additional Information

For additional information related to SASE and SD-WAN, check out the following: