Network Security
SASE — Secure Access Service Edge
Secure Access Service Edge (SASE, pronounced “sassy”) is a security framework defined by Gartner. Its goal is to enable secure and fast cloud adoption and to ensure that users and devices get secure access to applications, data and services in the cloud, from anywhere, at any time.

Digital business transformation inverts the way network and security services are designed: the focal point shifts from the data center, where it used to be, to the identity of the user and/or device.

Today’s perimeter is no longer easily defined. The data center was once the network’s primary point of entry and exit; now more users, devices, applications, services and data sit outside the enterprise than inside it. The picture below shows how the traditional perimeter and edge have moved: today the edge is essentially a “dynamic edge”.

[Figure: Dynamic Edge]

84% of enterprises have a multi-cloud strategy, and 81% of them name security as a major cloud challenge. The migration of applications and workloads to the cloud, together with the proliferation of endpoints across multiple environments, has expanded the attack surface. From 2017 to 2019, the number of organizations experiencing data breaches caused by unsecured IoT devices or apps rose by 73%.

Alerts are generated for only 9% of all attacks.

Network and network security architectures were designed for an era that is waning. Digital enterprises are characterized by:

  • More user work performed off the enterprise network than on it
  • More workloads running in IaaS than in the enterprise data center
  • More applications consumed via SaaS than from enterprise infrastructure
  • More sensitive data located outside of the enterprise data center in cloud services than inside
  • More user traffic destined for public cloud services than to the enterprise data center
  • More traffic from branch offices heading to public clouds than to the enterprise data center

Digital business transformation requires anywhere, anytime access to applications and services, many of which now live in the cloud. This pushes CIOs, CISOs and risk managers toward converged, cloud-native SASE solutions to address the shift.

A SASE solution provides mobile users, branch offices and retail locations with secure connectivity and consistent security wherever they are in the world. SASE converges network functions (SD-WAN, carrier connectivity, CDN) and security services (secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS) and zero trust network access (ZTNA)) into a unified, global, cloud-native service.

SASE — Network and Security convergence

Solving emerging business challenges with point solutions leads to technical silos that are complex and costly to own and manage. SASE changes this paradigm through a new networking and security platform that is identity-driven, cloud-native, globally distributed, and securely connects all edges (WAN, cloud, mobile, and IoT).

[Figure: SASE Convergence]

A SASE architecture enables end-to-end security whether the source is a remote worker, a branch location or a headquarters. Threat prevention capabilities include encryption, firewalls, URL filtering, anti-malware and intrusion prevention (IPS).

Gartner describes SASE as delivering services and enforcing policies as needed no matter where the entity is located — the result is the dynamic creation of a policy-based, secure access service edge.

SD-WAN and SASE

A software-defined wide area network (SD-WAN) is a virtual WAN architecture that lets enterprises use any combination of transport services, including MPLS, LTE and broadband, to connect users to applications securely. The SD-WAN controller identifies applications and selects the best path for each one, for example steering latency-sensitive voice traffic onto the link with the lowest measured loss and delay while bulk backups use cheaper broadband.

[Figure: SD-WAN architecture]

SASE combines an SD-WAN approach and security functions into one cloud-based service. What sets SASE apart from SD-WAN with bolted-on security is how traffic is inspected: instead of service-chaining point solutions, each of which decrypts, inspects and re-encrypts the flow in turn, SASE decodes a flow once (single-pass inspection) and applies all of its policy engines, which together form a cloud-native software stack, to that one decoded context.

[Figure: SASE Architecture]

In a digital business, secure access decisions must be centered on the identity of the entity at the source of the connection. Other context that feeds the decision includes location, time of day, the risk/trust assessment of the device, and the sensitivity of the application or data being accessed.
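The identity-centric decision described above, as an added example that is not part of the original page or of any vendor's product: each request carries the identity and context the text lists (user and groups, source country, local time, a device trust score, and the sensitivity of the target application), every policy is evaluated, the most restrictive verdict wins, and nothing is allowed unless a policy explicitly grants it. The attribute names, trust thresholds, home countries and entitlement table are assumptions made up for this example.

```python
# Identity-centric access decision of the kind a SASE policy engine makes.
# Added illustration for this page, not code from Gartner or any SASE vendor.
# The request attributes, thresholds, home countries and the four sample
# policies are assumptions chosen to show the inputs the text lists:
# identity, location, time of day, device trust and data sensitivity.
from dataclasses import dataclass
from datetime import time
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]      # group memberships from the identity provider
    device_trust: int           # 0..100 posture score reported by the endpoint agent
    country: str                # geolocation of the source IP (ISO 3166-1 alpha-2)
    local_time: time            # user's local time of day
    app: str                    # target application
    app_sensitivity: str        # "public" | "internal" | "confidential"
    mfa_verified: bool = False  # did the user complete MFA in this session


@dataclass(frozen=True)
class Decision:
    action: str                 # "deny" | "step_up" | "allow"
    reason: str


def make_request(user, groups, device_trust, country, hhmm, app, app_sensitivity, mfa_verified=False):
    """Build a request from the string fields an IdP assertion or agent log would carry."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return AccessRequest(user, frozenset(groups), device_trust, country,
                         time(hour, minute), app, app_sensitivity, mfa_verified)


MIN_TRUST = {"public": 0, "internal": 40, "confidential": 70}   # assumed thresholds
HOME_COUNTRIES = {"US", "DE"}                                    # assumed home countries
ENTITLEMENTS = {"erp": {"finance"}, "wiki": {"staff", "contractors"}}  # assumed table


def device_posture(req: AccessRequest) -> Optional[Decision]:
    """Deny when the device's trust score is too low for the data it wants."""
    needed = MIN_TRUST[req.app_sensitivity]
    if req.device_trust < needed:
        return Decision("deny", f"device trust {req.device_trust} < {needed} required for {req.app_sensitivity}")
    return None


def geo_mfa(req: AccessRequest) -> Optional[Decision]:
    """Confidential data from outside the home countries needs a completed MFA."""
    if req.app_sensitivity == "confidential" and req.country not in HOME_COUNTRIES and not req.mfa_verified:
        return Decision("step_up", f"confidential access from {req.country} requires MFA")
    return None


def time_of_day(req: AccessRequest) -> Optional[Decision]:
    """Confidential apps are reachable only between 06:00 and 22:00 local time."""
    if req.app_sensitivity == "confidential" and not (time(6, 0) <= req.local_time <= time(22, 0)):
        return Decision("deny", f"confidential access at {req.local_time:%H:%M} is outside 06:00-22:00")
    return None


def entitlement(req: AccessRequest) -> Optional[Decision]:
    """The only source of 'allow': a public app or an explicit group-to-app entitlement."""
    if req.app_sensitivity == "public":
        return Decision("allow", "public application")
    if req.groups & ENTITLEMENTS.get(req.app, set()):
        return Decision("allow", f"group entitlement for {req.app}")
    return None


POLICIES: List[Callable[[AccessRequest], Optional[Decision]]] = [
    device_posture, geo_mfa, time_of_day, entitlement,
]


def evaluate(req: AccessRequest, policies=POLICIES) -> Decision:
    """Evaluate every policy: any deny wins, then step-up, and allow needs an explicit grant."""
    verdicts = [d for d in (p(req) for p in policies) if d is not None]
    denies = [d for d in verdicts if d.action == "deny"]
    if denies:
        return denies[0]
    if not any(d.action == "allow" for d in verdicts):
        return Decision("deny", "default deny: no policy granted access")
    step_ups = [d for d in verdicts if d.action == "step_up"]
    return step_ups[0] if step_ups else next(d for d in verdicts if d.action == "allow")


if __name__ == "__main__":
    # Constructed request: finance user on a healthy device, but connecting from Brazil.
    print(evaluate(make_request("alice", ["finance"], 85, "BR", "10:30", "erp", "confidential")))
```

Run it directly to see the step-up verdict for a confidential request from outside the home countries. In a real deployment the device trust score would come from the SASE agent's posture check and the groups from the identity provider's token; the point of the structure is that "allow" has a single source (the entitlement policy) while the other policies can only tighten the answer, so a missing or misconfigured rule fails closed.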

Instead of the security perimeter being entombed in a box at the data center edge, the perimeter is now everywhere an enterprise needs it to be — a dynamically created policy-based secure access service edge.

[Figure: SASE centric architecture]

Benefits of SASE

There are many benefits of SASE, but the most impactful is that it allows users to immediately gain secure access to a company’s network, wherever they are and whatever device they use.

Reduction in complexity and costs
SASE consolidates network and security services, lowering the number of vendors, appliances, agents and maintenance contracts, and with them both capital and operational costs.
Enabling new digital services
SASE lets enterprises make applications, services, APIs and data securely accessible to partners and contractors without the exposure of legacy VPN and DMZ architectures, which grant network-level reachability rather than access to a single application.
Increased performance
Leading SASE vendors provide latency-optimized routing across worldwide PoPs. Based on policy, user traffic can be carried over the provider’s high-bandwidth backbone.
Ease of use
SASE reduces the agents required on a device to a single agent and applies access policy automatically, without user interaction.
Less overhead
SASE vendors run and maintain the security engines, freeing IT from updating, patching and scaling appliances. The trade-off is that the provider’s PoPs now terminate and inspect your traffic, so the provider’s availability and data handling become part of your own risk model.
Centralized policy with local enforcement
Cloud-based centralized management, with enforcement and decision making distributed across the entire network.
SASE vs. Traditional Network Security

Remote Access
  Traditional networking: Relies on VPN technology, through SSL/TLS browser access or a dedicated endpoint client.
  SASE model: SASE acts as a VPN replacement. Users connect to on-premises resources and cloud services through the SASE service.

Cloud Resources
  Traditional networking: On-premises access using traditional firewalls, proxies and routing controls.
  SASE model: SASE provides optimized, cloud-aware network access to SaaS, PaaS and IaaS via API integration.

Access Controls
  Traditional networking: Relies on switching, routing, firewalls and proxies for access control.
  SASE model: SASE aggregates network security and access controls, including firewall as a service, into one unified fabric.

SD-WAN & Bandwidth
  Traditional networking: Requires several vendors and products, which may lack integration.
  SASE model: A SASE service integrates SD-WAN access and traffic optimization into a single brokering service for all access types.

Web App Security
  Traditional networking: WAFs are separate appliances, or are obtained by brokering to a CDN or in-cloud service.
  SASE model: SASE platforms integrate WAF policies and services into the same brokered approach.

Threat Detection
  Traditional networking: Accomplished using NGFWs, malware detection sandboxes or CASB brokering.
  SASE model: SASE combines numerous network threat detection capabilities into one service fabric.