What is SASE?

Features
By Sead Fadilpašić
published

SASE invites you to try to imagine networks and security beyond the concept of a secure perimeter

Scammers
(Image credit: Pixabay)

Our security landscape has changed for good over the past decade. This awareness is the best starting point in deciphering the whats and whys behind the secure access service edge (SASE) model. In short, it is a novel way to tackle age-old security challenges at a time when old security models are faltering in the face of increasingly advanced threats. This is why SASE is best understood as a new approach, a model, and even “philosophy” that asks you to forget all you know about protecting your precious assets behind the perimeter in which the security controls play the role of virtual moats.

Read on to find out what SASE actually is and how it can give you a much-needed helping hand if you are looking to update your security model for 21st-century challenges. 

What is SASE?

In short, SASE (pronounced “sassy”) will combine networking and security services under a single umbrella. Despite this, you should not see SASE as a collection of services or components, but rather as a holistic model.

What links all of the parts of this clockwork mechanism is the central idea that security and networking in the modern era are inseparable and that this should be followed by their concrete integration.

  • The term itself was coined in the 2019 report by Gartner in which SASE is described as the much-needed step away from the sole reliance on data center architecture. It is to be replaced by the exclusive focus on the identity of both users and devices existing as the parts of networking and security ecosystems.
  • SASE is built around the idea of flexibility and easy scalability paired with the simplification of the tasks that had been performed by individual security and networks teams. Yes, SASE is a model in which the security features across the devices and systems are managed as part of the same single-pane framework that is used for managing network communications.

So, SASE invites you to try to imagine networks and security beyond the concept of a secure perimeter.

Back in the day (or even now), servers were kept at organizations’ HQs, with an army of dedicated teams who had access to them from a central desktop. They exerted their power over a network that linked separate sites.

Firewalls, for example, stood guard at the border of the security perimeter, with remote locations being managed by routing all traffic from these sites to the HQ. This was done with the help of multiprotocol label switching architecture and the practice of rerouting was called backhauling.

What was the problem with this highly centralized approach to network management and security? It simply became too costly and bulky to handle, because routing traffic in this manner comes with a price tag in terms of both higher costs and tangible performance hits.

This is why the remote sites (such as branch offices) tried to circumvent this by deploying direct internet access, which, in turn, created new problems. This is where SASE comes is, as a network architecture that unifies VPN and SD-WAN functionalities with cloud-native and regular security features that include:

  • Zero-trust network access
  • Secure web gateways
  • Intrusion detection and intrusion prevention
  • Firewall as a service
  • Malware protection
  • Data loss prevention
  • Software as a service
  • Cloud access security brokers

More on these below.

Types of SASE

Despite its common purpose, SASE comes in various flavors and this refers both to its components and the general architecture.

  • Native or “pure” SASE represents the convergence of security and network services as part of a unified platform. This usually comes together with a single policy that is managed at the organizational level. Taken together, all of these services operate as part of the universal customer-premises equipment that, optionally, may rely on cloud services as a final piece of the puzzle.
  • SASE overlay is a framework that is merged with a software-defined wide-area network (SD-WAN). In this manner, the existing SD-WAN network is boosted with security features that do not stand in the way of achieving the optimal routing performance, particularly with hybrid systems. This type of SASE deployment works well for security departments and networks with a higher degree of siloification.   
  • SASE as an All-in-One solution is offered by the providers that integrate both the security and SD-WAN segments in a single seamless system. It comes with a single portal that allows the customers to modify their policies regarding SD-WAN, firewalls, and other components of the SASE framework.
  • SASE as a hybrid solution. In this case, security and SD-WAN platforms are simply merged and marketed as a SASE solution.
  • SASE Edge encompasses computing and storage devices that deliver both security and networking features. They come in three types: data center, service provider, and subscriber edge. With the latter, the security functions can be combined with additional networking features, including those used for traffic management.
  • SASE Security Cloud includes various computing and storage features that provide security for applications before they are allowed access to endpoints. It features two main types – the data center cloud and the service provider cloud. Unlike the edge, the cloud only hosts security features i.e. there are no those relating to networking.

<a href="https://www.perimeter81.com/pricing?a_aid=2380&a_bid=8eeb4ac9&chan=code1" data-link-merchant="perimeter81.com"">Perimeter 81 is Techradar's best business VPN Save 250+ yearly hours on manual configuration. Deploy your entire organization within a single day. Learn why Perimeter 81 is TechRadar's choice for the best Business VPN. Ditch legacy hardware and make the move to the cloud. See how simple it is for yourself.

Which technologies make up SASE?

As explained, SASE is bent on unifying security and networking as part of a single-service framework that works with the cloud as its native platform. As such, it does not involve a single technology, but rather a collection of them. Security is made available network-wide with the aim of protecting each user that needs to get access to a resource or an application.

To achieve this, SASE systems pack several key components.

  • Zero Trust Network Access. This one is as simple as it is effective and it runs on a motto of “never trust, always verify”. With this cloud-based approach, all user identities need to be verified and established as trustworthy before being given access to applications, assets, and resources. With ZTNA, there is no access “privilege” or security taken for granted - whoever asks for access is treated as a potential threat, yet at no cost of the system’s accessibility. This multi-factor authentication approach helps organizations minimize security breaches, unauthorized access, and the mobility of an attacker if they manage to gain access to a network.   
  • Software-defined wide area network. A software-defined wide area network (SD-WAN) operates as a virtual wide area network (WAN) that makes it possible for organizations to use various traffic services to establish a secure link with a network for the benefit of a user. This includes broadband, 5G, Cellular Long-Term Evolution (LTE), multiprotocol label switching (MPLS), and more. Among these, you can choose the optimal option while making the overall management generally simpler.
  • Domain name system layer security. First, the domain name system (DNS) gets verified whenever a user requests access to an online service or a website. This means that with SASE security gets handled at the level of DNS and IP which now become the initial obstacles for a threat actor that seeks to compromise your system.
  • Secure web gateway. A cloud-based web proxy or secure web gateway (SWG) provides security functions such as malware detection, file sandboxing and dynamic threat intelligence, Secure Sockets Layer (SSL) decryption, app, and content filtering, and data loss prevention (DLP).
  • Firewall as a service. Firewall as a service (FWaaS) refers to the cloud-based provision of firewall services for securing traffic. This encompasses the control of Layer 3 and Layer 4 (as parts of the OSI model), together with IP anonymization and the rules for Layer 7.
  • Cloud access security broker.  Cloud access security brokers (CASBs) are in charge of managing and securing access to software-as-a-service (SaaS). With them, an organization can easily manage its security policies and compliance with the regulations. These brokers offer valuable insights into the manner in which cloud-based applications are used across the platforms. Based on its automatic discovery functionality, the unauthorized use of cloud applications can be detected in a timely manner with supported mapping of their weakest points.  
  • Finally, there is also a data loss protection feature that is combined with the alert system in case an anomaly is detected.

When it comes to SASE, yet another notion that must be taken into account is that of tenancy, particularly if we are to understand the concept of multi-tenant systems. Here, the Tenant simply means your own dedicated workspace, together with the elements that make it up. They usually include the use application, authentication interface, and management portal.

Israeli cybersecurity giant Perimeter 81, for instance, allows the managed service providers to develop a service around its multi-tenant solution. This easy-to-integrate interface supports the fast deployment of a security service aimed at a client following the opening of a tenant. At the same time, tenant holders or administrators are not allowed access to any tenant other than their own. Multi-tenant solutions such as this one are fast, accessible, and beneficial for creating and maintaining multiple revenue streams.  

Who should deploy SASE?

What type of organization should use SASE? Well, there is no “ideal” profile for this particular use case, simply because every organization can benefit from implementing this model. Yet, depending on their core activity, some organizations can extract different types of benefits and for various reasons. Let’s see how it works for some of the more popular types.

  • Small and Medium Enterprise (SMEs). With its cost-cutting benefits that go beyond minimizing backhauling (see above), SASE is an ideal framework for SMEs that are always on the lookout to spare a buck or two (and most of them are). First of all, they get the opportunity to rid themselves of the money sink that managing a dedicated IT team can be. Next, they can minimize their device procurement costs since the staff can bring their own phones, tablets, and laptops. Finally, with the help of SaaS, they can finally say goodbye to servers, patches, and upgrades, and poor performance due to lack of the ability to scale.
  • Startups. This category shares much of their motivation for deploying SASE with the SMEs, but with an important additional factor: SASE makes it easier for everyone to launch their business and provide for its networking and security aspects at a single cost. The ubiquity of quality internet connection and the devices that can run it competently works well for relying on SASE’s cloud-based features for these tasks. The increasingly popular Work-from-Anywhere work culture has unintentionally opened doors for various threat actors, making it imperative for startups to secure their assets with the help of an easily accessible model such as SASE.
  • Corporations. This category is actually “guilty” of promoting the image of SASE as a supposedly fancy and expensive security/networking solution. The reason for this is the fact that Google was an early promoter of this model, all for a good reason. Remote work security and networking vulnerabilities were only highlighted by the recent pandemic, leaving the majority of large enterprises in the search for a solution to their long-term problems. SASE and its focus on identity as key security leverage and secure access across BYOD and similar approaches make this framework an attractive proposition.   
  • Government institutions. Similar to corporations, these institutions are in dire need of a solution to increasingly complex security challenges. In addition to this, these entities are often lagging behind other stakeholders when it comes to using state-of-the-art security and networking systems. SASE promises to modernize both fast enough and at a pocket-friendly price.

Pros and cons/Benefits of SASE

Is SASE a cure-all for all of your security-networking problems? Not exactly, but it is a viable and even attractive option for managing remote connectivity from a single place. Your perception of its pros and cons may vary according to how they appear from where you are standing, but here’s the general outline of these.

SASE Pros

  • SASE is a great alternative to virtual private networks. Its SD-WAN component can be configured more efficiently and without the assistance of additional resources such as dedicated software. If you are relying on remote work, SASE is a cheaper and more elegant solution to providing a secure link to it.
  • This focus on streamlining existing practices extends to other aspects of SASE as well. SASE allows for simpler oversight and control of firewalls, security, and WAN traffic, all from a single interface. It is also a modular and highly scalable solution in which you get to choose how many of its components (see above) you actually need to achieve peace of mind. 
  • As cloud connectivity is an important component of SASE, you can bet on it being future-proof when it comes to introducing the Internet of Things to your organization. Why? Well, the future will surely bring more reliance on IoT and online traffic, which SASE is perfectly fit to support with its streamlined management of security, associated policies, and the integration across countless distributed devices, all under a single roof.

SASE Cons 

  • SASE is not a skeleton key that opens a door to finding a solution to each and every security and networking issue you may encounter. In time, these problems will be eventually ironed out, but other issues may emerge with it as well. A clear awareness of SASE’s limitations is much-needed at this stage of its adoption.
  • Legacy devices will need to be gradually phased out if one is to enjoy the full benefits of SASE. Yet, this gradual migration may be too fast or demanding for some beneficiaries.
  • Configuring networks in line with the demands of SASE still requires solid expertise. Until this process is streamlined, SASE systems are bound to sporadically suffer from the lack of efficiency, duplication of efforts, etc.

Challenges in realizing SASE

Considering that SASE is a model/approach, and not a breakthrough product or a service, getting the most out of it comes with a set of endemic challenges. Actually, its implementation will profit from the readiness of the SASE user to fully change the paradigm in which they imagine security in the 21st century. 

  • How do you choose the right SASE platform for you? This one follows from the challenges mentioned above and has to do with the fact that each organization has an individual use case for its SASE deployment. So, despite the general benefits of SASE (single pane window management and convergence of security and networking), you are still left with an option to either pick out the best components from various vendors or entrust the implementation to a single provider. The difference between the two is not clear to many, making the selection of the best SASE solution a challenge.
  • You have to align many processes to make them run smoothly alongside SASE. Yes, it’s not simply a matter of buying a SASE as an off-the-shelf system and making it operational out of the box. Actually, be prepared to harmonize its operational benefits with both your organizational goals and the degree to which you are ready to either splash out on a full-on SASE deployment or a gradual one. Also, make sure that you are ready to teach your networking and security teams to work under the aegis of a single SASE system.  
  • On-premise security and networking may be preferred over SASE by some. There are some organizations that make heavy use of locally hosted applications and security. This, for example, includes running on-premise firewalls at a lower cost compared with their cloud-based counterparts.  For these operators, SASE may be a less cost-effective solution, leaving them with an option to wait for price drops or go for a hybrid solution.

The SASE market is maturing, as evidenced by the increasing number of SASE vendors that offer competent solutions. While this list may change in time, it’s still a valuable reference point for those who want to explore this model.   

1. Perimeter 81

Perimeter 81 wants to help you protect your key assets and data with SASE. Its solution encompasses a broad array of security products and services, including ZTNA, VPN as a Service (VPNaaS) or a cloud VPN alternative, FWaaS, cloud sandboxing, DNS security, endpoint security, and compliance, SaaS security, and more.

2. Cisco

Cisco is one of the tech leaders when it comes to SASE. Its cloud-delivered SASE solution is marked by flexibility and accessibility, paired with operational excellence when it comes to cloud-native security, secure web gateways, ZTNA, CASB, and firewalls.

3. Fortinet

Fortinet offers FortiSASE as a fully integrated SASE solution that prides itself on real-time and consistent cloud-native security across the networks. The features supported include an Intrusion Prevention system, ZTNA, cloud-delivered next-generation firewall (NGFW), SWG, data loss prevention (DLP), sandboxing, office VPN, DNS.

4. Zscaler

Zscaler goes for a cloud-delivered SASE solution taking the forms of IaaS and SaaS for all of your network security worries.  In addition to wide global coverage, the company will offer you a range of expected features such as Secure Web Gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS), and zero-trust network access (ZTNA).

5. VMware

VMware’s SASE combines VeloCloud SD-WAN infrastructure with ZTNA, SWG, NSX-based NGFW, DLP, remote browser isolation (RBI), FWaaS, and CASB functions. It is marketed as a highly scalable SASE solution.

What are the best deployment and management practices for SASE? 

Choosing a vendor may seem like a harder part of the SASE implementation, but the following practices should be taken just as seriously as any part of this process. Otherwise, you risk turning your SASE journey into a sequence of misunderstandings, inflated expectations, and costly endeavors.

1. Make a list of the goals you hope to achieve. This may seem like a no-brainer, but deploying SASE can easily take you out of your comfort zone, no matter how experienced you are with adopting new technologies. As we explained above, SASE is not a magic wand, so having a clear picture of the specific goals your organization needs to achieve with it is a must. For example, running a SASE deployment for your retail business may require some tweaking compared to doing the same for a hospital, despite seemingly similar overall goals.

2. Take inventory of your assets and vulnerabilities. Yes, you need to know what is not working with your existing security-networking system in order to have a vision of what your future SASE implementation needs to deliver.  Check your available technology framework (such as end systems) and remote locations for potential flaws and weak spots and do not forget to include the assessment of available human resources as part of this calculation.

3. Be strategic about SASE implementation milestones. Implementing SASE is not a decision to be taken lightly, and to make it work its magic for you you’ll have to come up with a set of milestones. They are best defined with the help of your vendor. The more detailed you are with this process, the less headache you can expect as the implementation unfolds. Things to consider include the dynamics of the upgrade of your network and its transformation into a powerful SD-WAN, the implementation of Zero Trust Network Access (ZTNA), secure web gateway (SWG), and a cloud access security broker (CASB), the introduction of new security policies, etc.

4. Do your homework on SASE budgeting and metrics. Get a cost breakdown relating to SASE in order to plan for the length of your ROI interval. Do not forget to include the costs of deploying physical infrastructure and managing the staff that will implement and administer SASE, the provision of inbound and outbound connectivity services, data sources, logging features, etc.

You need to come up with a list of relevant metrics pertaining to SASE that should include cost optimization, scalability, upgrade potential, efficacy, and performance as key parameters. Also, be prepared for any trouble that will inevitably come your way. This is best handled proactively by focusing on quality education and the running of a successful and dedicated SASE team.

Conclusion

SASE is here to stay. Its longevity will be secured to a lesser degree by its revolutionary approach to tackling security, but rather by the permanently changed environment in which SASE is implemented today. Fluid workforce, hybrid remote work models, increasing cloud adoption, higher network, and data traffic, and ubiquitous decentralization are making competing security models obsolete. Considering that SASE is a way of thinking and imagining security, getting a clear picture of how it works ahead of its implementation is an all-important first step. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.