What is SASE (Secure Access Service Edge)? Meaning, Working, and Benefits

SASE is an IT architecture that bundles network and security functions into a single platform.

Last Updated: June 26, 2023

SASE (Secure Access Service Edge), pronounced ‘sassy’, is defined as an IT architecture that bundles network and security functions into a single platform. This article explains in detail what SASE is, how it works, and why organizations must consider it.

What is SASE (Secure Access Service Edge)?

SASE (Secure Access Service Edge), pronounced ‘sassy’, is an IT architecture that bundles network and security functions into a single platform. Gartner first used the term in its 2019 Hype Cycle For Emerging Technologies report.

When the term ‘network’ is used in an organization’s context, it conjures up the image of a spider web. There are multiple points connected to each other. External players, like prey, would get trapped if they tried to enter this web. The spiders are equipped to move through the web to reach any point. 

This image of a closed network, however, is not accurate anymore. Technology is rapidly evolving. New pieces of inexpensive yet high-performing hardware are coming out every day. Today’s end user can be a human, a machine, or an algorithm. Wireless and cellular networks connect devices in every corner of the world. 

Until a few years ago, network perimeters were marked by routers and firewalls. Today’s IT architectures are much more complicated. An organization’s network is inextricably connected to users, IoT devices, third-party services, and remote data centers.

Why SASE?

Companies need infrastructure and business strategies that align with a dynamic market, no matter the industry. User endpoints keep changing. New technology stacks appear. Global crises like the COVID pandemic have shifted modes of operation. A Pew Research Center survey in 2022 showed that 60% of workers in the United States want to continue working from home even after the pandemic ends.

This scenario has led to businesses adopting cloud-based computing, storage, and services. According to Gartner’s 2022 forecasts, worldwide spending on public cloud services is expected to reach around $600 billion by 2023. This makes sense because a cloud-based infrastructure requires considerably less capital and in-house expertise.

Cloud and SaaS platforms have resulted in architecture with fragmented services offered by varied vendors. Security requirements for each differ, and integration of these requirements becomes a crucial part of infrastructure planning. The attack surface – the various points through which malicious actors can breach an organization’s system – has grown multifold. 

Considering these factors, organizations cannot afford to keep building on top of their traditional network models. This is where secure access service edge or SASE comes in. SASE is a re-imagination of the IT infrastructure that merges security and traffic management. Implementing a SASE architecture ensures speed, uniformity, and ease of maintenance across multiple applications and platforms. 

How Does SASE Work?

Network security has always been based on perimeters. All users inside the network are deemed safe. All users outside the network are treated as a threat until cleared by authentication and authorization software, content filters, and malware scanners. 

This premise is inadequate when dealing with attacks such as social engineering and distributed denial of service (DDoS). Social engineering attacks, like phishing, rely on the fact that the victim is already within the network.

SASE works assuming that every user, irrespective of whether they are within or outside the network, is a threat. SASE networks are zero trust networks. 

The secure access service edge model needs two key elements: networking and security elements. 

The networking element

The networking element, as of today, is SD-WAN. SD-WAN stands for software-defined wide area network. SD-WAN is a programmatic approach to network connectivity that does not rely on conventional routers alone. SD-WAN uses these existing routers with virtual customer premises equipment (vCPE), all of which run a version of networking software. This software handles policy management and routing. vCPEs are generic x86 devices that can be used as anything from WAN edge routers to firewalls with the right software.

SD-WAN implementations can ideally handle multiple connection types, ensure dynamic path selection, and support third-party services and VPNs. They also provide a central management system for configuration, management, and logging.

This aspect of the secure access service edge architecture allows for faster, optimized network performance with low costs and high scalability.

The security element

What sets SASE apart from the existing ideologies is the marriage of network and security at the architectural level.

SASE networks use identity and context to secure the network. The security element always lives in the cloud as a service.

A user’s ‘identity’ refers to their role and access rights within the network. All users are segregated based on the levels of access they need. Access policies are fine-tuned and granular enough not to allow unwarranted usage of applications. Unnecessary retrieval of data is stopped at the request level.

Users are broadly classified into three types based on their business roles – 

  1. Internal users: These users are the employees who have been granted varying levels of access to one or more assets within the system. For example, a sales executive can access the company’s Salesforce, while DevOps personnel can access AWS.
  2. External users: Business partners, contractors, and suppliers fall into the external user category. These users can access limited assets and are bound by an SLA.
  3. Internet of Things devices: Many industries now work with IoT devices to improve various aspects of the operation. One example is the continuous monitoring and communication of machine temperature on factory floors to prevent overheating. 

External users are mostly remote users. Internal users can be within the corporate network or work remotely – the latter category increasing in number by the day.

SASE networks do not just use identity to gauge a user request’s authenticity. Once the identity has been verified, the ‘context’ of the request is analyzed.

Various aspects of the request are questioned to validate security. What device is this user connecting from? From which location? Is this device registered and secure with up-to-date security patches? What assets does this request seek? Does the user have sufficient access rights? Is the resource critical to business continuity? What kind of connection is the request made from? Is this request allowed on an open, public wireless network?

Valid contexts are defined using security policies. Only those requests that satisfy these policies are allowed access to the network.
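The identity-then-context evaluation described above, as an added example that is not part of the original article or any vendor’s product. The roles, assets, permitted locations and policy rules are constructed for illustration; a real deployment would pull them from the identity provider and device-posture service. Identity is checked first (is the role granted the asset at all?), and only then is the request context evaluated, with every failed check recorded so the denial is explainable in a log.

```python
"""Context-aware access decision in the SASE / zero trust style (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    user: str
    role: str                # constructed roles: "sales", "devops", "contractor", "iot"
    asset: str               # constructed assets: "salesforce", "aws-console", ...
    device_registered: bool  # is the device enrolled in device management?
    patch_level_ok: bool     # does it carry current security patches?
    location: str            # constructed ISO country code of the request source
    network: str             # "corporate", "home", "public-wifi" or "cellular"


# Identity: which roles may reach which assets (constructed sample policy)
ROLE_ASSETS = {
    "sales": {"salesforce", "email"},
    "devops": {"aws-console", "ci", "email"},
    "contractor": {"ci"},
    "iot": {"telemetry-ingest"},
}

# Context: assets whose compromise threatens business continuity, and where users may be
CRITICAL_ASSETS = {"aws-console", "ci"}
ALLOWED_LOCATIONS = {"US", "IN", "DE"}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Return an allow/deny decision with the reasons that produced it."""
    # Step 1: identity. A role that is not granted the asset is denied outright.
    if req.asset not in ROLE_ASSETS.get(req.role, set()):
        return Decision(False, [f"role {req.role!r} not granted {req.asset!r}"])

    # Step 2: context. All checks run so the log explains the whole denial, not just the first hit.
    reasons = []
    if not req.device_registered:
        reasons.append("device not registered")
    if not req.patch_level_ok:
        reasons.append("device missing security patches")
    if req.location not in ALLOWED_LOCATIONS:
        reasons.append(f"location {req.location} not permitted")
    if req.asset in CRITICAL_ASSETS and req.network == "public-wifi":
        reasons.append("critical asset not reachable from public wireless")
    if req.role == "iot" and req.network not in ("corporate", "cellular"):
        reasons.append("IoT device on unexpected network")

    return Decision(not reasons, reasons or ["all identity and context checks passed"])


if __name__ == "__main__":
    sample = Request("bob", "devops", "aws-console", True, True, "DE", "public-wifi")
    print(evaluate(sample))
```

The ordering matters: the identity check is cheap and decisive, while the context checks are evaluated together so that an administrator reading the decision log sees every condition the request failed rather than having to fix one and retry.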

Traditional architecture vs. SASE architecture

The SASE structure works better than the traditional one because traffic does not need to be routed to the organization’s system to run security protocols. SASE uses the nearest points of presence (PoP) for traffic inspection. 

Points of presence can be simple, single servers that act in multiple capacities for traffic management. PoPs act as switches, routers, firewalls, or bandwidth managers. They are simpler than edge servers, which typically run on more advanced hardware with full deployments.

Traditional security requires VPN tunnels or proxies for remote users to connect to the company network. It relies on the IP addresses of the user request and the network devices. SASE relies on user request intelligence.

Network controls are generally placed in the company’s servers in the traditional architecture, while network controls are on the cloud’s edge with SASE.

SASE requires the cloud to be at the center of the architecture, creating a central engine to deal with assets across on-premise and cloud locations. Traditional security and network controls can be a mix of on-premise and cloud services that one must integrate to work together.

How Traditional Networks Work | How SASE Networks Work
Traffic is routed to the company servers to run security protocols. | Traffic is managed at the nearest points of presence (PoP).
VPN or proxy servers are required for remote users to connect to company assets. | SASE’s security protocols ensure secure connections without VPN tunnels.
It relies on IP addresses for user request verification. | User identity and request context are analyzed for verification.
Network controls are generally in company servers. | Network controls are placed on the cloud’s edge.
Security and network components of the system are a mix of several services that need to be integrated to work together. | SASE provides all network and security capabilities from a single cloud-based service.

Architecture of SASE

The SASE architecture is multi-tenant, with the cloud at the center of it. This section shows how the networking and security aspects are structured within a secure access service edge network.

Networking

The critical networking aspect of SASE is an internet-based SD-WAN solution, with a few tweaks to serve the SASE ideology. SD-WAN is meant for multi-region systems, making SASE the ideal candidate for businesses with widespread users and assets.

The network fabric in SASE is made up of user devices, PoPs, and edge servers. The organization or SASE vendor sometimes deploys these PoPs. Sometimes, PoPs provided by public cloud vendors are used.

Some tweaks that go into an SD-WAN network to make it SASE include:

  1. SD-WANs entirely rely on PoPs for networking functions. In SASE, end-user devices are leveraged to make networking decisions, particularly with routing.
  2. The SD-WAN solution executes required security and networking functions sequentially. For example, the payload runs through a content filtering system first. After the filters are done, the same payload is opened again and reexamined by a malware scanner.
    SASE runs these varied but necessary functions in parallel across multiple engines, bound together by the same software stack. This means that the anti-virus engine runs at the same time as deep packet inspection.

For connectivity, the best SASE implementations use a combination of links such as wireless, virtual private networks (VPN), multi-protocol label switching (MPLS), and the public internet. This enables multiple devices in multiple locations to connect effortlessly.

One of the critical advantages of an SD-WAN is the separation of control and management of networks. This advantage is passed on to SASE. Network administrators do not need multiple software to configure and deploy hardware from different vendors in the network, as with a traditional network. A centralized system allows them to create and enforce configuration and deployment policies for all devices simultaneously. This does not just make SASE highly scalable. It also means that it is set up for future automation activities.

The networking software stack also includes bandwidth optimization and traffic management, with some SASE networks implementing network prioritization for sensitive and urgent information.

Security

The security stack of the SASE software uses an army of traditional security solutions and services to ensure network protection. All traffic in a SASE network is encrypted.

Some of the critical security components in the SASE architecture are:

1. Zero trust network access (ZTNA)

A zero-trust network functions on the assumption that every user, every device, and every request is a threat. 

It relies on real-time verification of all data movement, irrespective of where it originates. As mentioned above, identity and context play a key role in zero trust networks. 

ZTNA is a security model that houses a combination of technologies that operate on adaptive trust. These technologies include identity and access management (IAM) solutions, emphasizing multi-factor authentication (MFA). They also log user activity alongside the network monitoring software. This combined data makes incident response easier while making the system compliance audit-ready.

ZTNA operates on least-privilege access policies at a granular level. This way, no extra information is exposed to the public.

2. Firewall-as-a-Service (FWaaS)

SASE relies on all components being on the cloud, including the firewall. This is where FWaaS solutions come in. Cloud-based firewall solutions protect the platform, applications, and connected services. 

When a user connects to the FWaaS on the internet, the solution functions as the typical firewall that applies domain rules and URL filtering. 

Most FWaaS solutions, however, fall under the next-generation firewall (NGFW) category. NGFW solutions provide advanced capabilities like web content filtering, DNS security, intrusion detection, and advanced threat protection (ATP).

3. Secure web gateway (SWG)

Secure web gateway solutions are guards that prevent unsecured traffic from entering the organization’s network. They are an essential part of the security toolkit for businesses that rely on a lot of remote work. 

Their main goal is to secure encrypted data in transit. Filtering solutions allow administrators to specify which categories of content they deem harmful. For example, streaming video content on the company network can take up valuable bandwidth.

Upload and download policies are carefully crafted. This ensures that sensitive information isn’t uploaded outside the network, even by mistake. It also prevents the download of malware or viruses into the system.

SWG plays a significant role in restricting the applications and services embedded in the system. Application policies prevent the questionable practice of shadow IT by DevOps or even individual employees. Shadow IT is installing and running unsanctioned applications without following the company’s SDLC policies. It leads to zombie servers or applications, which are vulnerable to cyber-attacks.
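An added example, not code from the article or from any SASE vendor, that ties together two points made on this page: the SWG policies just described (content-category filtering, upload policies that stop sensitive data leaving, download policies that stop malware coming in) and the earlier architectural claim that SASE runs its inspection engines in parallel over a single decoded payload rather than re-opening it for each engine. The category table, DLP patterns, file-magic indicators and sample requests are all constructed for illustration.

```python
"""Secure web gateway policy engines fanned out in parallel over one decoded request (added example)."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class WebRequest:
    url: str
    method: str          # "GET" (download) or "POST" (upload)
    body: bytes = b""    # upload body for POST, fetched content for GET


# Constructed category table: hostname suffix -> content category
URL_CATEGORIES = {
    "video.example": "streaming",
    "paste.example": "file-sharing",
    "crm.example": "business",
}
BLOCKED_CATEGORIES = {"streaming", "file-sharing"}

# Constructed DLP patterns: a confidentiality marker and a 16-digit card-like number
DLP_PATTERNS = [
    ("confidential-marker", re.compile(rb"\bCONFIDENTIAL\b")),
    ("card-number", re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b")),
]

# Constructed download indicators: executable file magic we refuse to deliver to endpoints
BLOCKED_MAGIC = {b"MZ": "windows-executable", b"\x7fELF": "elf-executable"}


def hostname(url: str) -> str:
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def category_engine(req: WebRequest):
    host = hostname(req.url)
    cat = next((c for suffix, c in URL_CATEGORIES.items() if host.endswith(suffix)), "uncategorized")
    return ("category", cat in BLOCKED_CATEGORIES, f"category={cat}")


def upload_dlp_engine(req: WebRequest):
    if req.method != "POST":
        return ("upload-dlp", False, "no upload")
    hits = [name for name, pat in DLP_PATTERNS if pat.search(req.body)]
    return ("upload-dlp", bool(hits), "matched " + ",".join(hits) if hits else "clean")


def download_engine(req: WebRequest):
    if req.method != "GET":
        return ("download", False, "no download")
    for magic, label in BLOCKED_MAGIC.items():
        if req.body.startswith(magic):
            return ("download", True, label)
    return ("download", False, "clean")


ENGINES = (category_engine, upload_dlp_engine, download_engine)


def inspect(req: WebRequest) -> dict:
    """Run every engine concurrently over the same decoded request; block if any engine blocks."""
    with ThreadPoolExecutor(max_workers=len(ENGINES)) as pool:
        results = list(pool.map(lambda engine: engine(req), ENGINES))
    blocked_by = [name for name, blocked, _ in results if blocked]
    return {
        "allowed": not blocked_by,
        "blocked_by": blocked_by,
        "details": {name: detail for name, _, detail in results},
    }


if __name__ == "__main__":
    leak = WebRequest("https://crm.example/upload", "POST", b"CONFIDENTIAL plan 4111 1111 1111 1111")
    print(inspect(leak))
```

Because the request is decoded once and the same object is handed to every engine, the verdict is the union of all engines’ findings, and the details map gives the administrator each engine’s reason regardless of which one blocked.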

4. Cloud access security broker (CASB)

CASB solutions, as the name suggests, are intermediaries between the cloud service provider and its customers. 

These solutions typically focus on authentication, including more secure forms such as single sign-on (SSO). Some CASB solutions include basic SWG capabilities like malware detection and data loss prevention (DLP).

Most CASB solutions leverage the APIs provided by cloud vendors for security. This is where it varies from the broader spectrum of SWG solutions, which focuses on protecting users from all of the internet.

Infrastructures connected with a CASB tend to have the most visibility. All user and application activity between the various cloud solutions and the system is monitored and logged. Most CASBs also ensure that compliance regulations are enforced.

5. Remote browser isolation (RBI)

Remote browser isolation programs are cloud-based solutions that fetch the webpages and assets a user requests on a remote server rather than on the user’s own device.

Browser isolation works by downloading and executing the code of a requested webpage on a separate server, then passing the result on to be rendered on the user’s device.

This ensures that malicious scripts or malware aren’t inadvertently downloaded onto the user’s device.

SASE tries to solve the performance and security problems of a majorly remote user base. This is why RBI has become an essential part of it. 

6. Central manager

The efficiency of the SASE model lies in the fact that all these varied components within both networking and security domains are tackled through a single interface.

The central manager is a core part of SASE that provides a uniform way to configure, deploy and manage all the security and networking policies. Ideally, this console would provide nuanced administrator features such as patch management, version management, and downtime trackers.

Most SASE solutions offer other security components in their stacks as well. These components may be anything from cloud app discovery platforms to web application and API protection (WAAP). When choosing a SASE solution, users must thoroughly vet the portfolio of available security components to check if it’s in line with the organization’s requirements.

Advantages of Using SASE

As far as an organization is concerned, security trends are constantly evolving. Investment in such trends is resource and time-intensive. When investing in the SASE architecture, the returns are more than evident. Some advantages of using SASE are:

1. Streamlined and transparent management

The most significant advantage of SASE is the accumulation of all networking and security needs under one umbrella. Single-point services are all merged into one cloud-based SASE service. User and administrator experience become consistent across the platform. The central console provides a detailed and broad view of the system, making modifications and upgrades easier and fail-safe. This frees the organization to look into more strategic requirements for improving business.

2. Optimized network

Network traffic is routed across various PoPs and edge servers closest to the user. This cuts down on latency. Intelligent routing is often an integral part of the network stack, as are many traffic management tools and algorithms. 

3. Improved user experience 

Since there is no backhauling to the central system for security checks, response time is faster for user requests. SASE significantly improves the remote working experience, especially when compared to solely using VPN tunnels.

4. Reduced costs

One SASE solution addresses a host of requirements that generally require multiple vendors. Apart from implementing these varied solutions, organizations must also invest in what is necessary to integrate them to work optimally together. SASE effectively does away with the deployment and management costs for these services. 

5. Enhanced productivity

The SASE network improves network performance. It unifies security policy management, making the deployment of new resources easier. It provides a unified interface for users looking to connect to any application within the system. All these features free up a lot of time for employees to focus on the business at hand instead of trying to remember complex passwords.

6. Improved scalability and high availability

The SASE architecture is designed to allow high scalability. With SASE, the need for a fleet of firewalls no longer means manual acquisition and deployment activities. The edge architecture also ensures high availability, with users simply switching to the next nearest edge or PoP when the closest fails.
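The PoP behaviour described in this section and earlier on the page (traffic steered to the nearest PoP to cut latency, with failover to the next nearest when the closest is down), as an added example that is not part of the original article or of any vendor’s product. The PoP table, its approximate city coordinates and the health states are constructed; a real deployment would take them from the provider’s PoP directory and health probes.

```python
"""Nearest point-of-presence selection with failover (added example)."""
from math import asin, cos, radians, sin, sqrt

# Constructed PoP table: name -> (latitude, longitude), approximate city locations
POPS = {
    "pop-frankfurt": (50.11, 8.68),
    "pop-london": (51.51, -0.13),
    "pop-mumbai": (19.08, 72.88),
    "pop-singapore": (1.35, 103.82),
    "pop-virginia": (38.95, -77.45),
}

EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs, used as a latency proxy."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def ranked_pops(user_pos):
    """All PoP names ordered nearest-first for a user at (lat, lon)."""
    return sorted(POPS, key=lambda name: haversine_km(user_pos, POPS[name]))


def select_pop(user_pos, healthy):
    """Return the nearest healthy PoP, walking down the ranking on failure; None if none is up."""
    for name in ranked_pops(user_pos):
        if healthy.get(name, False):
            return name
    return None


if __name__ == "__main__":
    paris = (48.86, 2.35)
    status = {name: True for name in POPS}
    print("normal:", select_pop(paris, status))
    status["pop-london"] = False          # constructed outage of the closest PoP
    print("london down:", select_pop(paris, status))
```

Distance stands in for measured latency here; a production steering engine would rank by probe results and current load, but the failover logic (walk the ranking until a healthy PoP is found) is the same.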

Takeaway

In its first report detailing the SASE architecture, Gartner said that SASE would redefine and reshape the landscape of enterprise network and security architecture. The overhauling of existing hybrid architecture to a SASE infrastructure is undoubtedly a large undertaking. But a robust SASE implementation ensures that an organization is always future-ready in a constantly evolving landscape. This could be the factor that enables a company to thrive in competition.

Ramya Mohanakrishnan
Ramya is an IT specialist who has worked in the startup industry for more than a decade. She has coded, architected, and is now writing about, technology that shapes the world. She is an Information Systems graduate from BITS Pilani, one of India’s top universities for science and technological research. Her expertise in the industry has been fueled by stints in large corporations such as Goldman Sachs. She currently develops technology content for startups and tech communities. Her niches include cloud, security, data, and business continuity.