What Is SASE? Encryption, Firewall, and More Built Into the Network

Last updated: March 31, 2024

What is SASE?

Secure Access Service Edge (SASE) is a cloud-delivered service model that combines networking, security, and wide area network (WAN) capabilities. It allows organizations to deploy networks securely to support the needs of hybrid and distributed environments.

SASE extends networking and security capabilities beyond what is ordinarily available. It gives users access to a variety of threat detection capabilities, including Firewall as a Service (FWaaS), Secure Web Gateway (SWG), and Zero Trust Network Access (ZTNA). Its networking capabilities are based on software-defined WAN (SD-WAN), which allows organizations to configure networks programmatically on top of standardized network equipment.

The need for SASE

In the modern enterprise, network traffic is not confined to the on-premise data center. Many traffic and data flows occur in other locations, including cloud data centers, branch offices, Internet of Things (IoT) devices, and remote workers accessing systems over public networks. Historically, most of these remote connections have been made through virtual private networks (VPN).

However, VPN was designed to support remote access to a single data center. This means that to reach the cloud, for example, connections must be “back-hauled” through the data center, which is inefficient and wasteful. VPN also typically grants broad network access once a user is authenticated, meaning an attacker who compromises VPN credentials can reach sensitive resources across the network.

SASE addresses these inefficiencies by allowing organizations to directly extend networking and security capabilities to any endpoint through a cloud delivery model. SASE makes it possible to provide reliable connectivity for these endpoints with much more robust security. 

SASE components

1. SD-WAN

The software-defined wide area network (SD-WAN) is the core of the SASE networking stack. This virtualized service securely routes traffic through the WAN, providing users a reliable remote connection to an organization’s applications.

Traditional WANs filter remote traffic through a firewall located in a central data center, causing bottlenecks and damaging performance. SD-WAN addresses this issue with application-aware routing, increasing cloud and enterprise application performance and enhancing user experience.

SD-WAN separates the management process from the WAN hardware and provides it as software. Companies with an existing SD-WAN architecture can introduce the SASE security stack to their SD-WAN infrastructure. SASE makes managing SD-WAN security easier by providing a unified solution with all the relevant security features.

2. CASB

A Cloud Access Security Broker (CASB) provides tools and services that address an organization’s cloud security gaps. It helps secure increasingly complex cloud services while providing direct access. CASBs offer a centralized location for multi-cloud policy management, providing granular control and visibility over sensitive data.

Key CASB capabilities include User and Entity Behavior Analytics (UEBA), data security, cloud application discovery, malware detection, and adaptive access control. A CASB can operate on-premises or in the cloud.

3. FWaaS

Firewall as a Service (FWaaS) is a cloud service delivering firewall protection, including Next-Generation Firewall (NGFW) capabilities like advanced threat protection, intrusion detection and prevention, and web filtering. FWaaS is highly scalable and can provide advanced features like deep packet inspection to detect malware-based threats.

FWaaS leverages Machine Learning (ML) tools to identify abnormal network behavior, helping detect sophisticated zero-day and insider threats. It can detect new threats not yet registered on the databases used by traditional threat detection systems. The cloud-based nature of FWaaS means the CSP is responsible for ensuring security and maintaining the solution’s infrastructure.

FWaaS is usually on-demand customizable, allowing organizations to add and remove security features, cloud services, branch offices, and data centers. It offers full NGFW functionality without the maintenance burden, accessible via a unified control panel.

4. ZTNA

Zero Trust Network Access (ZTNA) is a technology framework based on the zero trust principle—no entity has implicit trust, and every action requires authorization. In SASE solutions, ZTNA authenticates users requesting to access applications with MFA, role-based access, and other controls.

ZTNA implementations can be client- or service-initiated. In the client-initiated model, a Software-Defined Perimeter (SDP) controller authenticates information sent from an agent installed on the client device. In the service-initiated model, an SDP component installed alongside the application connects outbound to the cloud service provider (CSP), which presents the authentication challenges to the user.
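The difference between the VPN model criticized earlier (one authentication grants reachability to the whole network) and the ZTNA model described here (every request is evaluated on its own, with MFA, role and device checks, default deny) is easiest to see in a small policy decision point. The following is an added example written for this article, not code from any SASE vendor or from the author; the applications, roles, users and device-posture flags are all constructed, and the policy structure is a deliberately simplified assumption.

```python
"""Minimal zero-trust policy decision point contrasted with VPN-style access.

Added illustration for the article; all applications, roles, users and
posture flags below are constructed sample data, not a real deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset[str]
    authenticated: bool      # primary credential (password/certificate) accepted
    mfa_verified: bool       # second factor satisfied for this session
    device_compliant: bool   # posture check reported by the client agent
    app: str
    action: str


# Constructed sample policy: application -> action -> roles allowed to perform it.
APP_POLICY: dict[str, dict[str, set[str]]] = {
    "hr-portal": {"read": {"hr", "manager"}, "write": {"hr"}},
    "source-repo": {"read": {"engineering"}, "write": {"engineering"}},
}


def vpn_style_decision(req: AccessRequest) -> bool:
    """Legacy model the article contrasts with: a single successful
    authentication makes every application on the network reachable."""
    return req.authenticated


def ztna_decision(req: AccessRequest) -> tuple[bool, str]:
    """Zero-trust evaluation: default deny, each request checked on its own.

    Returns (allowed, reason) so the reason can be logged; a stream of
    'mfa_required' or 'role_not_authorized' denials for one identity is
    exactly the signal a SOC wants when credentials have been stolen.
    """
    if not req.authenticated:
        return False, "not_authenticated"
    if not req.mfa_verified:
        return False, "mfa_required"
    if not req.device_compliant:
        return False, "device_noncompliant"
    app_policy = APP_POLICY.get(req.app)
    if app_policy is None:
        return False, "unknown_app"          # apps outside policy are unreachable
    allowed_roles = app_policy.get(req.action, set())
    if req.roles.isdisjoint(allowed_roles):
        return False, "role_not_authorized"  # authenticated but not authorized here
    return True, "allowed"


def compare_models(requests: list[AccessRequest]) -> dict[str, tuple[bool, str]]:
    """Evaluate each request under both models.

    Returns {"user->app:action": (vpn_allowed, ztna_reason)}.
    """
    return {
        f"{r.user}->{r.app}:{r.action}": (vpn_style_decision(r), ztna_decision(r)[1])
        for r in requests
    }


# Constructed sample requests.
SAMPLE_REQUESTS = [
    # normal engineer, managed device, MFA done
    AccessRequest("alice", frozenset({"engineering"}), True, True, True, "source-repo", "write"),
    # same valid credentials replayed from an unmanaged device without MFA
    AccessRequest("alice", frozenset({"engineering"}), True, False, False, "hr-portal", "read"),
    # HR user doing HR work
    AccessRequest("bob", frozenset({"hr"}), True, True, True, "hr-portal", "write"),
    # HR user wandering into an application their role does not cover
    AccessRequest("bob", frozenset({"hr"}), True, True, True, "source-repo", "read"),
]


if __name__ == "__main__":
    for key, (vpn_ok, ztna_reason) in compare_models(SAMPLE_REQUESTS).items():
        vpn = "allow" if vpn_ok else "deny"
        print(f"{key:32} vpn={vpn:5} ztna={ztna_reason}")
```

Running the block shows the point of the article's VPN critique: every request from a holder of valid credentials is allowed under the VPN-style model, while the zero-trust evaluator denies the second request for lack of MFA and the fourth because the role does not cover that application, and it records a reason for each denial that can feed detection.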

5. SWG

A Secure Web Gateway (SWG) provides encryption and decryption to protect devices from web-based attacks. It enforces an organization’s policies to filter malware from online traffic. SASE solutions leveraging an SWG provide cloud protection via a unified platform to view and control web access and block malicious websites.

SASE vendors offering SWG capabilities can inspect cloud-scale encrypted traffic and bundle SWG with other security features for easier security policy management.

Best practices for SASE adoption

The following best practices will help your organization make the switch to a SASE architecture:

  1. Determine your requirements—SASE is not a single tool but a framework for integrating and hardening an existing security stack. To successfully adopt it, you must first understand your security and compliance requirements and existing traffic flows.
  2. Understand users and applications—identify how your user base interacts with the network and use this to design SASE architecture. It is critical to understand the IT environment to protect it. SASE includes ZTNA, where you must define access controls based on existing applications’ structure and use cases.
  3. Trial SASE with specific user groups—start your SASE adoption by testing it with specific groups within your organization, gather feedback and use it to fine-tune the rest of your deployment.
  4. Make SASE an integral part of cloud migration. If your organization is moving workloads to the cloud, make SASE an integral part of the strategy to ensure you have consistent networking and security across on-premise and cloud deployments.

Conclusion

In this article, I explained the basics of SASE and described the capabilities it provides for next-generation networks:

  • SD-WAN – software-configurable networking that can be deployed to any edge location.
  • CASB – lightweight firewall for cloud resources.
  • FWaaS – next-generation firewall (NGFW) provided as a managed service.
  • ZTNA – zero-trust access control that only accepts connections if users are authenticated and making a legitimate connection request.
  • SWG – provides encryption and data routing for user traffic.

I hope this will be useful as you plan your future network security strategy.


About the Author

Waqas is a cybersecurity journalist and writer who has a knack for writing technology and online privacy-focused articles. He strives to help achieve a secure online environment and is skilled in writing topics related to cybersecurity, AI, DevOps, Cloud security, and a lot more. As seen in: Computer.org, Nordic APIs, Infosecinstitute.com, Tripwire.com, and VentureBeat.
