Our security landscape has changed for good over the past decade. This awareness is the best starting point in deciphering the whats and whys behind the secure access service edge (SASE) model. In short, it is a novel way to tackle age-old security challenges at a time when old security models are faltering in the face of increasingly advanced threats. This is why SASE is best understood as a new approach, a model, and even “philosophy” that asks you to forget all you know about protecting your precious assets behind the perimeter in which the security controls play the role of virtual moats.
Read on to find out what SASE actually is and how it can give you a much-needed helping hand if you are looking to update your security model for 21st-century challenges.
What is SASE?
In short, SASE (pronounced “sassy”) combines networking and security services under a single umbrella. Despite this, you should not see SASE as a collection of services or components, but rather as a holistic model.
What links all of the parts of this clockwork mechanism is the central idea that security and networking in the modern era are inseparable and that this should be followed by their concrete integration.
- The term itself was coined in the 2019 report by Gartner in which SASE is described as the much-needed step away from the sole reliance on data center architecture. It is to be replaced by the exclusive focus on the identity of both users and devices existing as the parts of networking and security ecosystems.
- SASE is built around the idea of flexibility and easy scalability paired with the simplification of the tasks that had been performed by individual security and network teams. Yes, SASE is a model in which the security features across the devices and systems are managed as part of the same single-pane framework that is used for managing network communications.
So, SASE invites you to try to imagine networks and security beyond the concept of a secure perimeter.
Back in the day (or even now), servers were kept at organizations’ HQs, with an army of dedicated teams who had access to them from a central desktop. They exerted their power over a network that linked separate sites.
Firewalls, for example, stood guard at the border of the security perimeter, with remote locations being managed by routing all traffic from these sites to the HQ. This was done with the help of multiprotocol label switching architecture, and the practice of rerouting was called backhauling.
What was the problem with this highly centralized approach to network management and security? It simply became too costly and bulky to handle, because routing traffic in this manner comes with a price tag in terms of both higher costs and tangible performance hits.
This is why the remote sites (such as branch offices) tried to circumvent this by deploying direct internet access, which, in turn, created new problems. This is where SASE comes in, as a network architecture that unifies VPN and SD-WAN functionalities with cloud-native and regular security features that include:
- Zero-trust network access
- Secure web gateways
- Intrusion detection and intrusion prevention
- Firewall as a service
- Malware protection
- Data loss prevention
- Software as a service
- Cloud access security brokers
More on these below.
Types of SASE
Despite its common purpose, SASE comes in various flavors and this refers both to its components and the general architecture.
- Native or “pure” SASE represents the convergence of security and network services as part of a unified platform. This usually comes together with a single policy that is managed at the organizational level. Taken together, all of these services operate as part of the universal customer-premises equipment that, optionally, may rely on cloud services as a final piece of the puzzle.
- SASE overlay is a framework that is merged with a software-defined wide-area network (SD-WAN). In this manner, the existing SD-WAN network is boosted with security features that do not stand in the way of achieving the optimal routing performance, particularly with hybrid systems. This type of SASE deployment works well for security departments and networks with a higher degree of siloification.
- SASE as an All-in-One solution is offered by the providers that integrate both the security and SD-WAN segments in a single seamless system. It comes with a single portal that allows the customers to modify their policies regarding SD-WAN, firewalls, and other components of the SASE framework.
- SASE as a hybrid solution. In this case, security and SD-WAN platforms are simply merged and marketed as a SASE solution.
- SASE Edge encompasses computing and storage devices that deliver both security and networking features. They come in three types: data center, service provider, and subscriber edge. With the latter, the security functions can be combined with additional networking features, including those used for traffic management.
- SASE Security Cloud includes various computing and storage features that provide security for applications before they are allowed access to endpoints. It features two main types – the data center cloud and the service provider cloud. Unlike the edge, the cloud only hosts security features, i.e., none relating to networking.
Which technologies make up SASE?
As explained, SASE is bent on unifying security and networking as part of a single-service framework that works with the cloud as its native platform. As such, it does not involve a single technology, but rather a collection of them. Security is made available network-wide with the aim of protecting each user that needs to get access to a resource or an application.
To achieve this, SASE systems pack several key components.
- Zero Trust Network Access. This one is as simple as it is effective and it runs on a motto of “never trust, always verify”. With this cloud-based approach, all user identities need to be verified and established as trustworthy before being given access to applications, assets, and resources. With ZTNA, there is no access “privilege” or security taken for granted - whoever asks for access is treated as a potential threat, yet at no cost of the system’s accessibility. This multi-factor authentication approach helps organizations minimize security breaches, unauthorized access, and the mobility of an attacker if they manage to gain access to a network.
- Software-defined wide area network. A software-defined wide area network (SD-WAN) operates as a virtual wide area network (WAN) that makes it possible for organizations to use various traffic services to establish a secure link with a network for the benefit of a user. This includes broadband, 5G, Cellular Long-Term Evolution (LTE), multiprotocol label switching (MPLS), and more. Among these, you can choose the optimal option while making the overall management generally simpler.
- Domain name system layer security. First, the domain name system (DNS) gets verified whenever a user requests access to an online service or a website. This means that, with SASE, security gets handled at the level of DNS and IP, which now become the initial obstacles for a threat actor that seeks to compromise your system.
- Secure web gateway. A cloud-based web proxy or secure web gateway (SWG) provides security functions such as malware detection, file sandboxing and dynamic threat intelligence, Secure Sockets Layer (SSL) decryption, app and content filtering, and data loss prevention (DLP).
- Firewall as a service. Firewall as a service (FWaaS) refers to the cloud-based provision of firewall services for securing traffic. This encompasses the control of Layer 3 and Layer 4 (as parts of the OSI model), together with IP anonymization and the rules for Layer 7.
- Cloud access security broker. Cloud access security brokers (CASBs) are in charge of managing and securing access to software-as-a-service (SaaS). With them, an organization can easily manage its security policies and compliance with the regulations. These brokers offer valuable insights into the manner in which cloud-based applications are used across the platforms. Based on its automatic discovery functionality, the unauthorized use of cloud applications can be detected in a timely manner with supported mapping of their weakest points.
- Finally, there is also a data loss protection feature that is combined with the alert system in case an anomaly is detected.