Secure Access Service Edge is a new name for a known and growing architecture designed to strengthen security in cloud environments.
Secure access service edge, also known as SASE (pronounced “sassy”), is a term popping up more in security conversations as businesses grapple with the challenge of secure networking in the cloud.
SASE combines WAN capabilities with network security functions: secure web gateway, cloud access security broker, firewall-as-a-service, and zero-trust network access. These capabilities are primarily delivered as-a-service and aim to find sensitive data or malware, decrypt content, and monitor risk and the trust level of sessions, Gartner’s Andrew Lerner says in a blog post. Monitored entities can span groups of people, devices, applications, services, or Internet of Things systems.
Gartner first mentioned the term SASE in its 2019 networking hype cycle, but it’s not a novel practice. Rather, it’s a new name for a tactic that organizations have been adopting as they navigate new security hurdles amid the transition to cloud- and mobile-intensive environments.
“It’s a combination of different technologies, all of which I think people have been using in one respect or another, but are converging, and adoption of them is accelerating,” says Tom Cross, chief technology officer at OPAQ, describing SASE. “The reason is, enterprise network architectures have not kept up with the way that IT has changed.”
Modern employees use all kinds of devices to access corporate data and applications from a range of geographical locations. The rise of cloud computing and mobility has disrupted the typical technology infrastructure by swapping the physical data center for infrastructure-as-a-service (IaaS). Many IT teams interact with their network through a web console or API. Your data is everywhere, and you don't have visibility into everything happening on the network.
Legacy enterprise networks have gone through “major upheaval” over the last couple of years, and organizations have been able to reduce cost and increase agility. SD-WAN was designed to address these needs but doesn’t connect to mobile users, explains Dave Greenfield, technology evangelist at Cato Networks. Furthermore, it’s not enough to address their many cloud security concerns.
Many constructs that make up SASE — firewalls, intrusion-prevention systems (IPS), cloud access security brokers (CASB) — are things businesses have used for years. “These can still be applicable as you move into the cloud,” says Mike Rothman, Securosis’ president and analyst. “But there’s this old adage that just because you can doesn’t mean you should.” Organizations don’t often think about how they can build a cloud-native environment that provides capabilities and flexibility they need while adding security into the network stack.
The traditional model of network security is based on inspection points: Traffic is rerouted through a place where it's inspected to detect attacks. When you overlay existing capabilities with familiar tools, it's the "lowest common denominator," he continues. It drives inefficiency, adds cost, and forces traffic into a bottleneck. Organizations don't need conventional tools scattered throughout their environments if they segment more effectively in the cloud, where isolation comes from separate accounts and subscriptions rather than from a flat data center network.
“It doesn’t make sense to have an on-premises firewall everyone is rerouting their traffic to,” says Cross. “We need a security infrastructure that makes sense in this world and is convenient for people to use, and that they will use. … What we need is for security to be available in the Internet. Security comes to the traffic, not traffic going to security.”
The SASE Approach to Network Security
Instead of thinking about mobile access, cloud access, and site access as separate things, SASE puts it all into a single global network. With this approach, businesses no longer have separate security policies. There is one policy — one firewall for protecting against network-based threats.
“The secure access service edge converges security and networking together for any kind of endpoint,” Rothman explains. Instead of putting an agent on the device, connecting to a VPN, and rerouting to a cloud-based resource, SASE brings security to each individual device. “If I can bring the secure perimeter to the actual user, this allows me to be more efficient,” he adds.
Cloud networking is different. You don’t think about what you already have but about the kind of network a specific application or use case requires. Build what is needed, where it’s needed, Rothman explains in a report on networking in the cloud age. A network for remote employees should be different from one for interconnecting primary sites. Externally facing web applications need a different network than applications used to access sensitive data kept in a data center.
How it works: The SASE architecture is a cloud-native platform, which provides a company with the heavy security processing it requires, Greenfield explains. Each location runs an SD-WAN device to bring traffic into the SASE cloud. Traffic is sent to a local point-of-presence (POP), where networking and security processing is applied before it’s forwarded to its destination. For Cato Networks, POPs are co-located in the same physical data centers as the cloud providers.
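To make the two ideas above concrete, the single shared policy for site, mobile, and cloud access, and the steering of every flow to the nearest point of presence before security processing, here is an added toy model in Python. It is not code from the article, Gartner, OPAQ, or Cato Networks; the PoP coordinates, rule fields, and sample flows are constructed for illustration. The one thing to notice is that the access path (branch, mobile, cloud) is recorded for logging but never consulted by the policy: identity, device posture, and destination decide.

```python
"""Toy SASE policy path: every flow goes to the nearest PoP and is then
evaluated against one shared, ordered policy with a default deny."""
import math
from dataclasses import dataclass
from typing import Optional, FrozenSet, List


@dataclass(frozen=True)
class Pop:
    name: str
    lat: float
    lon: float


# Constructed sample PoP locations (illustrative, not any vendor's map).
POPS: List[Pop] = [
    Pop("fra", 50.11, 8.68),    # Frankfurt
    Pop("iad", 38.95, -77.45),  # Ashburn
    Pop("sin", 1.35, 103.82),   # Singapore
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km; used to pick the closest PoP."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def nearest_pop(lat: float, lon: float, pops: List[Pop] = POPS) -> Pop:
    """Security comes to the traffic: route to the closest PoP."""
    return min(pops, key=lambda p: haversine_km(lat, lon, p.lat, p.lon))


@dataclass(frozen=True)
class Flow:
    user: str
    groups: FrozenSet[str]
    source_kind: str          # "branch", "mobile", or "cloud": logged, not used by policy
    device_managed: bool
    device_patched: bool
    dest_app: str
    dest_category: str        # "internal", "saas", or "web"
    lat: float
    lon: float


@dataclass(frozen=True)
class Rule:
    name: str
    dest_category: Optional[str]   # None matches any destination category
    require_group: Optional[str]   # None means no group requirement
    require_managed: bool
    require_patched: bool
    action: str                    # "allow", "deny", or "isolate"


# One ordered policy for every access path; first match wins, default deny.
POLICY: List[Rule] = [
    Rule("finance-app", "internal", "finance", True, True, "allow"),
    Rule("internal-otherwise", "internal", None, False, False, "deny"),
    Rule("saas-managed", "saas", None, True, False, "allow"),
    Rule("saas-unmanaged-isolate", "saas", None, False, False, "isolate"),
    Rule("web-default", "web", None, False, False, "allow"),
]


@dataclass(frozen=True)
class Decision:
    pop: str
    rule: str
    action: str


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.dest_category is not None and rule.dest_category != flow.dest_category:
        return False
    if rule.require_group is not None and rule.require_group not in flow.groups:
        return False
    if rule.require_managed and not flow.device_managed:
        return False
    if rule.require_patched and not flow.device_patched:
        return False
    return True


def evaluate(flow: Flow, policy: List[Rule] = POLICY, pops: List[Pop] = POPS) -> Decision:
    """Steer to the nearest PoP, then apply the shared policy there."""
    pop = nearest_pop(flow.lat, flow.lon, pops)
    for rule in policy:
        if matches(rule, flow):
            return Decision(pop.name, rule.name, rule.action)
    return Decision(pop.name, "default-deny", "deny")


if __name__ == "__main__":
    # Constructed sample flows: same user and app, different path and posture.
    office = Flow("alice", frozenset({"finance"}), "branch", True, True,
                  "ledger", "internal", 52.52, 13.40)
    hotel = Flow("alice", frozenset({"finance"}), "mobile", False, False,
                 "ledger", "internal", 42.36, -71.06)
    for f in (office, hotel):
        d = evaluate(f)
        print(f"{f.user}@{f.source_kind} -> {f.dest_app}: pop={d.pop} rule={d.rule} {d.action}")
```

The ordering of the rules is where least privilege lives: anything bound for an internal app that does not satisfy the explicit allow falls through to an explicit deny, and unmanaged devices reaching SaaS are sent to isolation rather than blocked outright. Swapping the list for a real product's policy language is the migration the article describes; the evaluation model stays the same.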
“When you’re first starting out, you have to figure out how to get started and sometimes it can be challenging to [do] a whole reconsideration of security infrastructure,” says Cross.
The key is starting small, Rothman explains. Know the problem you’re trying to solve, select a short list of companies that can help you solve it, present the use case, and see how they can help. Over time, you can add more applications, users, and use cases to the SASE environment.
“It doesn’t have to be a big bang. … You can look at it from an application access or user constituency basis,” he continues. “Pick a use case and start somewhere. Don’t expect you’re going to replace your entire network tomorrow with one of these services.” As part of a gradual process, companies may start implementing SASE in a single office and expand from there.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …