What Is Secure Access Service Edge (SASE) and Why Is It the Future of Remote Access?
Gilad David Maayan
What Is SASE?
Secure Access Service Edge (SASE) is a network architecture framework that combines a Wide Area Network (WAN) with various cloud-native security techniques. These include Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA).
This joint security approach allows organizations to keep their systems secure while allowing their users and endpoints to connect remotely to their services and applications. SASE capabilities are available as a cloud service to support modern agile development operations, enabling administrators to manage them from a central platform.
SASE is an entire framework rather than a specific technology. Gartner defines this framework as a cloud-based security solution offering holistic WAN and network security capabilities, allowing businesses to meet their dynamic access and security requirements. SASE is not the same as Security Service Edge (SSE), which is a subset of SASE focusing on the security services provided by SASE platforms.
How Has the COVID-19 Pandemic Affected SASE Adoption?
The onset of the coronavirus pandemic in the early 2020s saw businesses scrambling to shift their network security to an outside-to-outside approach that supports the needs of a remote workforce. This approach contrasts with the traditional inside-to-inside networking strategy that only addresses internal resources and users.
A new approach was needed because the traditional remote work mechanism—VPN—is often prohibitively expensive at scale. SASE connects users to points of presence (PoPs) close to their location rather than routing them to a central data center. This mechanism makes SASE useful as an outside-to-outside networking strategy because it can handle critical security and network functions like authentication and authorization.
Gartner expects that close to half of all businesses will adopt a SASE-based approach in the coming years. Companies are unlikely to return to their pre-pandemic business strategies, and the number of employees working from home will likely remain high. Investing in SASE is, therefore, a long-term consideration for most enterprises.
How Does a SASE Architecture Work?
A SASE platform offers a bundle of multiple network and security elements. It combines SD-WAN with a set of security services like FWaaS, SWG, CASB, ZTNA, and endpoint security, creating a multi-regional, multi-tenant security platform. This platform operates independently of the data center, on-premises offices, cloud services, and employees, so their physical location is unimportant.
SASE does not depend on data center-based inspection engines—rather, SASE brings the inspection engines to the point of presence (PoP) near the user or endpoint. SASE clients include mobile devices with a SASE agent, IoT devices, mobile devices with clientless access, and office devices. These clients send traffic to the nearest PoP, which inspects and forwards it across a central SASE infrastructure or the Internet.
The following are the defining elements of a SASE service:
Global SD-WAN—SASE relies on SD-WAN services with a private backbone. This architecture helps prevent Internet latency, directly connecting the PoPs that process security and networking functions. The traffic does not pass through the public Internet except when connecting to the SASE system’s global backbone.
Distributed inspection—in addition to connecting devices, SASE ensures protection by inspecting their traffic and enforcing security policies. SASE provides security by decrypting inline traffic for inspection and re-encrypting it afterwards. A SASE platform should inspect traffic using multiple inspection engines operating simultaneously (e.g., sandboxing and malware scanning tools). It should also provide additional services like DDoS and DNS-based protection. The SASE security and routing policies should support the enforcement of regulations like GDPR.
Cloud architecture—SASE platforms utilize cloud infrastructure and resources to enable services without specific hardware needs. They should not chain services but use multi-tenant software, ideally with flexible pricing to support rapid scaling.
Identity-based access—a SASE service should grant access to resources based on the user's identity and its context (e.g., the user's specific device or location), rather than on the network the request arrives from.
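To make the last two elements concrete, the following is an added example (not code from the article or from any SASE vendor) of how a PoP might decide a request: it picks the nearest point of presence by great-circle distance, then evaluates a deny-by-default ZTNA policy on the caller's identity, group membership, device posture and location. The PoP coordinates, the users, the applications and the rules are all constructed sample data; the dataclass and function names are this example's own.

```python
"""Constructed example: a ZTNA-style access decision made at the nearest SASE PoP."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass(frozen=True)
class PoP:
    name: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Principal:
    """Identity plus the context the PoP knows about the connecting entity."""
    user: str
    groups: frozenset
    device_managed: bool    # enrolled in the organization's device management
    device_compliant: bool  # posture check passed (patched, disk encrypted, ...)
    country: str
    lat: float
    lon: float


@dataclass(frozen=True)
class AppRule:
    app: str
    allowed_groups: frozenset
    require_managed_device: bool = True
    allowed_countries: Optional[frozenset] = None  # None means no geo restriction


@dataclass(frozen=True)
class Decision:
    verdict: str  # "allow" or "deny"
    reason: str
    pop: str      # the PoP that inspected and decided the request


def _km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def nearest_pop(pops, lat, lon):
    """Route the client to the geographically closest point of presence."""
    return min(pops, key=lambda p: _km(p.lat, p.lon, lat, lon))


def evaluate(rules, pops, principal, app):
    """Deny-by-default policy: every check must pass for an allow."""
    pop = nearest_pop(pops, principal.lat, principal.lon)
    rule = rules.get(app)
    if rule is None:
        return Decision("deny", "no rule for app: default deny", pop.name)
    if not (principal.groups & rule.allowed_groups):
        return Decision("deny", "identity not in an allowed group", pop.name)
    if rule.require_managed_device and not (principal.device_managed and principal.device_compliant):
        return Decision("deny", "device not managed or failed posture check", pop.name)
    if rule.allowed_countries is not None and principal.country not in rule.allowed_countries:
        return Decision("deny", f"access from {principal.country} not permitted", pop.name)
    return Decision("allow", "identity, device posture and location satisfy policy", pop.name)


# Constructed sample data: three PoPs, three applications, two users.
POPS = [PoP("fra", 50.11, 8.68), PoP("nyc", 40.71, -74.01), PoP("sin", 1.35, 103.82)]
RULES = {
    "git": AppRule("git", frozenset({"engineering"})),
    "hr-payroll": AppRule("hr-payroll", frozenset({"hr"}), allowed_countries=frozenset({"DE", "US"})),
    "wiki": AppRule("wiki", frozenset({"engineering", "hr"}), require_managed_device=False),
}
ALICE = Principal("alice", frozenset({"engineering"}), True, True, "DE", 52.52, 13.41)
BOB = Principal("bob", frozenset({"hr"}), False, False, "US", 40.0, -74.5)

if __name__ == "__main__":
    for who, app in ((ALICE, "git"), (BOB, "hr-payroll"), (BOB, "wiki"), (ALICE, "crm")):
        d = evaluate(RULES, POPS, who, app)
        print(f"{who.user:5} -> {app:10} {d.verdict:5} at {d.pop}: {d.reason}")
```

The point to notice is that the decision never consults a source IP range or a VPN tunnel: Bob is denied the payroll application from his home network because his device fails posture, and is allowed the wiki from the same place because that rule does not require a managed device. Each request is also handled by the PoP nearest to the user (Alice in Berlin lands on the Frankfurt PoP, Bob on New York), which is the routing behaviour the article attributes to SASE.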
Why SASE Is the Future of Remote Access
In traditional networking models, applications and data reside in a central data center. Users, workstations, and applications must connect to this data center to access the company's resources, usually from a local private network or a secondary network connected to the primary network via a VPN or another secure link.
However, this approach has proven inadequate for handling the complexity of a cloud-forward system that relies on a distributed workforce and SaaS services. Today, it is impractical to direct all network traffic via a corporate data center when the data and applications are hosted in a distributed cloud environment.
On the other hand, SASE implements network controls at the cloud edge rather than a unified data center. It streamlines security and network services to secure the network edge instead of creating a layered stack of cloud services with independent management and configuration requirements.
Organizations can implement identity-based zero trust access policies at the network edge to expand the network’s security perimeter to encompass remote users, offices, devices, and applications.
Major SASE benefits include:
Minimizing complexity—the cloud-based security model and single-vendor WAN functions reduce complexity compared to a multi-vendor approach with different security appliances across different locations. The single-pass traffic inspection architecture also helps simplify the system: each traffic stream is decrypted and inspected once, with several policy engines applied to that one pass, instead of being chained through separate inspection services.
Facilitating access—SASE architectures offer consistent, secure, and fast access to all resources from entities at any physical location, unlike data center-based access models.
Optimizing costs—the cloud model is cost-efficient, allowing organizations to spread their costs across monthly fees rather than an upfront capital investment. It also allows businesses to consolidate their vendors and reduce the number of virtual and physical appliances and their associated purchasing and maintenance costs. Delegating the upgrade and maintenance responsibilities to a SASE provider also reduces costs.
Improving performance—service and application performance benefits from a routing mechanism that optimizes latency and directs traffic through a high-performance SASE backbone. Better performance is especially important for latency-sensitive applications, such as video and VoIP.
Enhancing usability—SASE often helps reduce the number of agents and applications that a device requires, replacing them with a single user-friendly application and ensuring a consistent user experience regardless of the user’s location or the resource being accessed.
I hope this will be useful as you evaluate next-generation remote access solutions for your organization.