What Is SASE?
Secure Access Service Edge (SASE) is a new type of cloud-delivered service that combines networking, security, and wide area network (WAN) capabilities. It allows organizations to deploy networks securely to support the needs of hybrid and distributed environments.
SASE extends networking and security capabilities beyond what is normally available from a single on-premises stack. It gives organizations access to a variety of security capabilities, including Firewall as a Service (FWaaS), Secure Web Gateway (SWG), and Zero Trust Network Access (ZTNA). Its networking capabilities are based on software-defined WAN (SD-WAN), which allows organizations to configure networks programmatically on top of standardized network equipment.
The Need for SASE
In the modern enterprise, network traffic is not confined to the on-premises data center. Much of the traffic and data flow occurs elsewhere: in cloud data centers, branch offices, Internet of Things (IoT) devices, and remote workers accessing systems over public networks. Historically, most of these remote connections have gone through virtual private networks (VPNs).
However, VPNs were designed to provide remote access to a single data center. To reach the cloud, for example, connections must be “back-hauled” through that data center, which is inefficient and wasteful. A VPN also grants broad network access once a user is authenticated, so an attacker who compromises VPN credentials gains access to sensitive resources.
SASE is designed to address these inefficiencies by allowing organizations to directly extend networking and security capabilities to any endpoint, through a cloud delivery model. SASE makes it possible to provide reliable connectivity for these endpoints with much stronger security.
Software-Defined WAN (SD-WAN)
The software-defined wide area network (SD-WAN) is the core of the SASE networking stack. This virtualized service securely routes traffic through the WAN, providing users with a reliable remote connection to an organization’s applications.
Traditional WANs filter remote traffic through a firewall located in a central data center, causing bottlenecks and degrading performance. SD-WAN addresses this with application-aware routing, which improves cloud and enterprise application performance and enhances the user experience.
SD-WAN separates the management process from the WAN hardware and provides it as software. Companies with an existing SD-WAN architecture can introduce the SASE security stack to their SD-WAN infrastructure. SASE makes managing SD-WAN security easier by providing a unified solution with all the relevant security features.
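The application-aware routing described above, as an added illustration that is not code from any SD-WAN product: each traffic class carries an SLA, each uplink is measured, and the best compliant path is chosen per application rather than backhauling everything through one link. The link metrics, application classes and SLA thresholds are constructed sample values.

```python
"""Application-aware path selection in the SD-WAN model described above.
Added illustration, not code from any SD-WAN product; link metrics, application
classes and SLA thresholds are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Link:
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float

# Per-application SLA: the worst metrics each traffic class tolerates (constructed).
APP_SLA: Dict[str, Dict[str, float]] = {
    "voice":  {"latency_ms": 150, "loss_pct": 1.0, "jitter_ms": 30},
    "saas":   {"latency_ms": 250, "loss_pct": 2.0, "jitter_ms": 80},
    "backup": {"latency_ms": 800, "loss_pct": 5.0, "jitter_ms": 500},
}

def meets_sla(link: Link, sla: Dict[str, float]) -> bool:
    return (link.latency_ms <= sla["latency_ms"]
            and link.loss_pct <= sla["loss_pct"]
            and link.jitter_ms <= sla["jitter_ms"])

def select_path(app: str, links: List[Link]) -> Optional[str]:
    """Return the best link that satisfies the application's SLA, or None.
    Candidates meeting the SLA are ranked by latency, then loss. An unknown
    application class is held to the strictest SLA so it is never under-served."""
    sla = APP_SLA.get(app, APP_SLA["voice"])
    candidates = [lk for lk in links if meets_sla(lk, sla)]
    if not candidates:
        return None  # no compliant path: caller falls back to best effort or alerts
    return min(candidates, key=lambda lk: (lk.latency_ms, lk.loss_pct)).name

# Constructed branch uplinks: a direct internet link, an MPLS path that backhauls
# through the central data center (extra latency), and a lossy LTE backup.
BRANCH_LINKS = [
    Link("internet-direct", latency_ms=40, loss_pct=0.2, jitter_ms=8),
    Link("mpls-backhaul", latency_ms=120, loss_pct=0.0, jitter_ms=5),
    Link("lte-backup", latency_ms=90, loss_pct=3.0, jitter_ms=45),
]

def degrade(links: List[Link], name: str, loss_pct: float) -> List[Link]:
    """Simulate a path probe reporting new packet loss on one link."""
    return [Link(lk.name, lk.latency_ms, loss_pct, lk.jitter_ms) if lk.name == name else lk for lk in links]

if __name__ == "__main__":
    for app in ("voice", "saas", "backup"):
        print(app, select_path(app, BRANCH_LINKS), select_path(app, degrade(BRANCH_LINKS, "internet-direct", 2.5)))
```

When the direct internet link starts dropping packets, voice and SaaS traffic move to the cleaner MPLS path while bulk backup traffic keeps using the faster direct link.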
Cloud Access Security Broker (CASB)
A Cloud Access Security Broker (CASB) provides tools and services that address an organization’s cloud security gaps. It helps secure increasingly complex cloud services while providing direct access. CASBs offer a centralized location for multi-cloud policy management, providing granular control and visibility over sensitive data.
Key CASB capabilities include User and Entity Behavior Analytics (UEBA), data security, cloud application discovery, malware detection, and adaptive access control. A CASB can operate on-premises or in the cloud.
Firewall as a Service (FWaaS)
Firewall as a Service (FWaaS) is a cloud service delivering firewall protection, including Next-Generation Firewall (NGFW) capabilities like advanced threat protection, intrusion detection and prevention, and web filtering. FWaaS is highly scalable and can provide advanced features like deep packet inspection to detect malware-based threats.
FWaaS leverages Machine Learning (ML) tools to identify abnormal network behavior, helping detect sophisticated zero-day and insider threats. It can detect new threats not yet registered in the databases used by traditional signature-based detection systems. Because FWaaS is cloud-based, the cloud service provider (CSP) is responsible for securing and maintaining the solution’s infrastructure.
FWaaS is usually on-demand customizable, allowing organizations to add and remove security features, cloud services, branch offices, and data centers. It offers full NGFW functionality without the maintenance burden, accessible via a unified control panel.
Zero Trust Network Access (ZTNA)
Zero Trust Network Access (ZTNA) is a technology framework based on the zero trust principle—no entity has implicit trust, and every action requires authorization. In SASE solutions, ZTNA authenticates users requesting access to applications using multi-factor authentication (MFA), role-based access control, and other controls.
ZTNA implementations can be client-initiated or service-initiated. In the client-initiated model, a software-defined perimeter (SDP) controller authenticates information sent by an agent installed on the client device. In the service-initiated model, an SDP connector installed alongside the application connects to the cloud service provider (CSP) and presents authentication challenges to the user.
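The per-application, default-deny authorization that ZTNA applies, set beside the VPN model criticized earlier (authenticate once, reach the whole network). This is an added illustration, not code from any SASE vendor; the application policies, users, and the attribute names mfa_verified and device_compliant are constructed assumptions.

```python
"""Per-application ZTNA access decisions (added illustration, not vendor code).
Policies, users and the attribute names mfa_verified / device_compliant are
constructed assumptions of this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class AppPolicy:
    allowed_roles: FrozenSet[str]
    require_mfa: bool = True
    require_compliant_device: bool = True

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool
    device_compliant: bool
    app: str

# Constructed catalogue of protected applications; anything not listed is denied.
POLICIES: Dict[str, AppPolicy] = {
    "payroll": AppPolicy(allowed_roles=frozenset({"finance"})),
    "git": AppPolicy(allowed_roles=frozenset({"engineering"})),
    "wiki": AppPolicy(allowed_roles=frozenset({"staff", "finance", "engineering"}),
                      require_mfa=False, require_compliant_device=False),
}

def ztna_decide(req: AccessRequest, policies: Dict[str, AppPolicy] = POLICIES) -> Tuple[bool, str]:
    """Authorize one request for one application; the default is deny.
    Every check must pass: known app, permitted role, MFA if required, compliant
    device if required. The reason is returned so decisions can be logged."""
    policy = policies.get(req.app)
    if policy is None:
        return False, "unknown application"
    if not (req.roles & policy.allowed_roles):
        return False, "role not permitted"
    if policy.require_mfa and not req.mfa_verified:
        return False, "mfa required"
    if policy.require_compliant_device and not req.device_compliant:
        return False, "device not compliant"
    return True, "allowed"

def vpn_model_resources(authenticated: bool, all_apps: List[str]) -> List[str]:
    """Contrast: a classic VPN grants network-wide reach once a user authenticates."""
    return list(all_apps) if authenticated else []

if __name__ == "__main__":
    stolen = AccessRequest("alice", frozenset({"finance"}), False, False, "payroll")
    print(ztna_decide(stolen), vpn_model_resources(True, list(POLICIES)))
```

With a valid password but no second factor and an unmanaged device, the ZTNA decision is a logged denial for the one application requested, whereas the VPN model returns every application behind the gateway.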
Secure Web Gateway (SWG)
A Secure Web Gateway (SWG) decrypts, inspects, and re-encrypts web traffic to protect devices from web-based attacks. It enforces an organization’s policies to filter malware from online traffic. SASE solutions leveraging an SWG provide cloud protection via a unified platform to view and control web access and block malicious websites.
SASE vendors offering SWG capabilities can inspect encrypted traffic at cloud scale and bundle the SWG with other security features, simplifying security policy management.
Best Practices for SASE Adoption
The following best practices will help your organization make the switch to a SASE architecture:
- Determine your requirements—SASE is not a single tool but a framework for integrating and hardening an existing security stack. To successfully adopt it, you must first understand your security and compliance requirements and existing traffic flows.
- Understand users and applications—identify how your user base interacts with the network and use this to design the SASE architecture. You must understand the IT environment in order to protect it. SASE includes ZTNA, so you need to define access controls based on the structure and use cases of existing applications.
- Trial SASE with specific user groups—start your SASE adoption by testing it with specific groups within your organization, gather feedback, and use it to fine-tune the rest of the deployment.
- Make SASE an integral part of cloud migration—if your organization is moving workloads to the cloud, make SASE an integral part of the strategy to ensure consistent networking and security across on-premises and cloud deployments.
In this article, I explained the basics of SASE and described the capabilities it provides for next-generation networks:
- SD-WAN – software-configurable networking that can be deployed to any edge location.
- CASB – lightweight firewall for cloud resources.
- FWaaS – next-generation firewall (NGFW) provided as a managed service.
- ZTNA – zero-trust access control that only accepts connections if users are authenticated and making a legitimate connection request.
- SWG – provides encryption and data routing for user traffic.
I hope this will be useful as you plan your future network security strategy.