Secure access service edge, or SASE (pronounced “sassy”), is an emerging cybersecurity concept that Gartner described in the August 2019 report The Future of Network Security in the Cloud.
Before diving into the specifics of SASE, it’s important to understand a bit of background on this new term. Existing network approaches and technologies no longer provide the levels of security and access control digital organizations need. These organizations demand immediate, uninterrupted access for their users, no matter where they are located. With an increase in remote users and software-as-a-service (SaaS) applications, data moving from the data center to cloud services, and more traffic going to public cloud services and branch offices than back to the data center, the need for a new approach to network security has arisen.
SASE is the convergence of wide area networking, or WAN, and network security services such as cloud access security broker (CASB), firewall as a service (FWaaS) and Zero Trust into a single, cloud-delivered service model. According to Gartner, “SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.”
Gartner expects that, “by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.” A SASE architecture identifies users and devices, applies policy-based security, and delivers secure access to the appropriate application or data. This approach allows organizations to apply secure access no matter where their users, applications or devices are located.
Benefits and Uses
- Reduction in complexity and costs. By consolidating secure access services from a single provider, the overall number of vendors will be reduced, the number of physical and/or virtual appliances in a branch will be reduced, and the number of agents required on an end-user device will be reduced. Costs should also be reduced over the longer term as more SASE services are adopted; savings will come from the consolidation of vendors and technology stacks.
- Enable new digital business scenarios. SASE services will enable enterprises to make their applications, services, APIs and data securely accessible to partners and contractors, without the bulk risk exposure of legacy VPN and legacy demilitarized zone (DMZ) architectures.
- Improvement in performance/latency. Leading SASE vendors will provide latency-optimized routing across worldwide points of presence. This is especially critical for latency-sensitive apps such as collaboration, video, VoIP, and web conferencing. Based on policy, users can be routed through the SASE provider’s high-bandwidth backbones (and its peering partners).
- Ease of use/transparency for users. Implemented correctly, SASE will reduce the number of agents required on a device (or the amount of customer premises equipment [CPE] at a branch) to a single agent or device. It reduces agent and appliance bloat and should automatically apply access policy without requiring user interaction. This provides a consistent access experience for users, regardless of where the user is, what they are accessing and where it is located.
- Improved security. For SASE vendors that support content inspection (identification of sensitive data and malware), any access session can be inspected and the same set of policies applied. An example is scanning for sensitive data in Salesforce, Facebook and cloud-hosted applications using a single policy that is applied consistently regardless of where the user/device is located.
- Low operational overhead. As threats evolve and new inspection mechanisms are needed, the enterprise is no longer limited by hardware capacity and multiyear hardware refresh rates to add new functionality. With cloud-based SASE offerings, updating for new threats and policies requires no new deployments of hardware or software by the enterprise and should allow quicker adoption of new capabilities.
- Enable zero trust network access. One of the principles of a zero trust networking approach is that network access is based on the identity of the user, the device and the application — not on the IP address or physical location of the device. (See “Zero Trust Is an Initial Step on the Roadmap to CARTA.”) This shift to logically defined policies greatly simplifies policy management. SASE provides protection of the entity’s session seamlessly and consistently on and off the enterprise network. Further, assuming the network is hostile, SASE offerings will provide end-to-end encryption of the entire session and optional web application and API protection (WAAP) services (see “Defining Cloud Web Application and API Protection Services”). Leading SASE vendors will extend this all the way to the endpoint device with public Wi-Fi network protection (coffee shop, airport and so on) by tunneling to the nearest point of presence (POP).
- Increased effectiveness of network and network security staff. Instead of the routine tasks of setting up infrastructure, network security professionals can focus on understanding business, regulatory, and application access requirements and mapping these to SASE capabilities.
- Centralized policy with local enforcement. SASE allows cloud-based centralized management of policy with distributed enforcement points logically close to the entity and including local decision making where needed; for example, local to a branch office using a CPE appliance. Another example is local agents on managed devices for local decision making.
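To make the decision model behind the zero trust and centralized-policy items concrete, here is an added example in Python (not from Gartner’s report or any SASE vendor): a legacy perimeter check that trusts a source address range, beside a policy engine that decides on identity, device posture and application and re-evaluates the session as its risk score changes. All users, groups, the policy table and the risk values are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Context:
    user: str
    groups: frozenset
    app: str
    device_managed: bool  # device posture reported by the SASE agent
    risk: int             # 0 trusted .. 100 hostile, fed by continuous assessment
    source_ip: str        # kept for logging only; the zero trust policy ignores it

@dataclass
class Policy:
    allowed_groups: frozenset
    require_managed: bool
    max_risk: int

POLICIES = {  # constructed policy table keyed by application name
    "crm": Policy(frozenset({"sales", "support"}), require_managed=True, max_risk=40),
}

def legacy_decide(ctx):
    """Perimeter model: trust anything arriving from the corporate address range."""
    return ip_address(ctx.source_ip) in ip_network("10.0.0.0/8")

def zero_trust_decide(ctx):
    """Decide on identity, device and application, never on source IP; returns (allowed, reason)."""
    policy = POLICIES.get(ctx.app)
    if policy is None:
        return False, "no policy for app (default deny)"
    if not ctx.groups & policy.allowed_groups:
        return False, f"{ctx.user} not in an allowed group for {ctx.app}"
    if policy.require_managed and not ctx.device_managed:
        return False, "unmanaged device not allowed for this app"
    if ctx.risk > policy.max_risk:
        return False, f"session risk {ctx.risk} exceeds {policy.max_risk}"
    return True, "allowed"

def run_session(ctx, risk_samples):
    """Re-evaluate one session as continuous assessment updates its risk; stop at first denial."""
    decisions = []
    for risk in risk_samples:
        ctx.risk = risk
        allowed, reason = zero_trust_decide(ctx)
        decisions.append((risk, allowed, reason))
        if not allowed:
            break
    return decisions
```

An unmanaged device on the corporate address range passes the legacy check but is denied by the policy engine, and a session that starts as allowed is cut off once its risk score exceeds the application’s threshold.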