What is Secure Access Service Edge (SASE)?
Businesses are increasingly migrating workloads and services to the Cloud to create new business models. With users now working from virtually anywhere, it is vital to optimize resources and ensure business continuity under the increased performance and security demands this model generates. Traditional WANs with bolt-on security solutions are ill-equipped to support the increased network complexity and cyber-risk exposure.
By now, most IT folks are comfortable with and know all about SD-WAN. However, as in all things technology, blink and you will miss the next evolution in software defined networking. So, back in December of 2019, Gartner quietly introduced the concept of SASE (Secure Access Service Edge) to the world with little fanfare, and any CISO worth his or her salt will be paying attention to this shift.
So, what exactly is SASE, and why should I care? Well, SASE (pronounced Sassy) is the concept of combining network security functions such as secure web gateways, zero trust network access, and FWaaS with WAN capabilities (i.e. SD-WAN) to support the dynamic secure access needs of organizations. These capabilities are delivered primarily as a service and are based upon the identity of the entity, real-time context, and security/compliance policies.
Essentially, SASE is a new package of technologies including SD-WAN, SWG, CASB, ZTNA, and FWaaS as core capabilities, with the ability to identify sensitive data or malware and the ability to decrypt content at line speed, with continuous monitoring of sessions for risk and trust levels.
As vendors merge products and technologies over the next year, we expect more product announcements as they try to compete in this emerging market. Because Gartner has explicitly said that SASE is actually an amalgamation of services, the products in the market tend to vary in terms of what they offer. Consequently, coming up with a list of SASE providers has proven difficult at this early stage. However, Gartner did compile a list of vendors that already offer something like a SASE solution or are expected to offer one:
- Cato Networks
- Open Systems
- Palo Alto Networks
Although Gartner has stated that a SASE solution will typically include these technologies, some providers will differ in how they bundle their product offerings. However, most go-to-market SASE solutions should bundle the following: SD-WAN, FWaaS, CASB, SWG, and ZTNA.
Normally, the WAN is built from stand-alone infrastructure, and many times involves heavy up-front investments in hardware. The good news is that the SASE version of SD-WAN is all cloud-based, software defined/managed, and has distributed PoPs typically located near enterprise data centers, branches, devices, and employees.
Through this service, customers can monitor the health of their networks and define traffic policies to meet their specific data requirements.
Because internet traffic will first traverse the SASE provider’s network, these providers can detect dangerous traffic and intervene before it reaches the enterprise network. So that DDoS attack that will invariably happen? Your SASE provider will detect it before you even realize it and save your network from a flood of malicious traffic.
Firewall as a Service
As networks become more and more distributed, users and computing resources are moving further toward the edge. This presents security challenges and adds a myriad of threat vectors for potential attackers looking to exploit sensitive data and network resources. A flexible, cloud-based firewall can protect these edges. FWaaS solutions will become more and more important as the trend of edge computing continues to grow and IoT devices continue to get smarter and consume more data.
By delivering FWaaS as part of the SASE solution, enterprises will have a much easier time managing the security of these networks. A good FWaaS platform provides tools to quickly make changes, spot anomalies, and set uniform security policies for enterprise networks.
Cloud-access security broker
More and more, businesses are turning to SaaS solutions to deliver dynamic application experiences at affordable costs. Many organizations, however, fail to understand the complexities involved in securing these applications. Simply relying on the SaaS provider or Cloud computing platforms to secure these applications is a fatal assumption. Authentication and access are becoming increasingly important.
CASBs are used by enterprises to ensure security policies are consistently applied, even when the services themselves are outside of their sphere of control.
With SASE, the same portal employees use to get to their corporate systems is also a portal to all of the Cloud applications they have access to, including CASB. In this model, the traffic doesn’t have to be routed to an outside CASB provider; it stays within the network, reducing threat vectors.
Secure Web Gateway
In today's enterprise networks, traffic is rarely limited to a pre-defined perimeter. Many cloud-enabled workloads will typically require access to outside resources, but in most cases there may be compliance reasons to deny employees access to certain sites. Further complicating matters, companies might want to restrict access to phishing sites and botnets containing command-and-control servers. Even innocuous websites may be used maliciously in some cases by inside attackers seeking to exfiltrate sensitive corporate data.
A Secure Web Gateway (SWG) can protect companies from these threats. SASE providers that offer this capability are able to inspect encrypted traffic at cloud scale. Bundling a SWG solution with other network security services improves manageability and allows for a more uniform set of security policies.
Zero-trust Network Access
Zero trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters, and instead must verify anything and everything trying to connect to their systems before granting access.
A Zero-trust Network Access (ZTNA) solution provides enterprises with granular visibility and control of users and systems accessing corporate applications and services.
A core element of zero trust is that security is based on identity, rather than, say, the IP address. This makes it more adaptable for a mobile workforce, but requires additional levels of authentication, such as multi-factor authentication and behavioral analytics.
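The identity-over-IP point above can be made concrete with a small policy evaluator. This is an added example, not code from any SASE vendor or from the original article; the application names, groups, risk thresholds, and request fields are all hypothetical.

```python
# Added illustration: identity- and context-based access decision (ZTNA style)
# contrasted with a legacy source-IP allowlist. All names and thresholds are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")  # constructed "trusted" internal range
# Constructed policy: application -> entitled groups, MFA requirement, risk ceiling
POLICY = {
    "payroll": {"groups": {"finance"}, "require_mfa": True, "max_risk": 0.3},
    "wiki": {"groups": {"finance", "engineering"}, "require_mfa": False, "max_risk": 0.7},
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    source_ip: str
    mfa_passed: bool
    device_compliant: bool
    risk_score: float  # 0.0 (normal) .. 1.0 (anomalous), e.g. from behavioral analytics

def legacy_ip_decision(req):
    """Perimeter model: anything coming from the corporate range is trusted."""
    return ip_address(req.source_ip) in CORP_NET

def ztna_decision(req):
    """Return (allowed, reason). The source IP is deliberately never consulted."""
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "unknown application (default deny)"
    if not (req.groups & rule["groups"]):
        return False, "identity not entitled to application"
    if not req.device_compliant:
        return False, "device posture check failed"
    if rule["require_mfa"] and not req.mfa_passed:
        return False, "MFA required"
    if req.risk_score > rule["max_risk"]:
        return False, "session risk above policy threshold"
    return True, "allowed"

# Constructed sample requests
REMOTE_OK = Request("alice", frozenset({"finance"}), "payroll", "203.0.113.7", True, True, 0.1)
INSIDE_NO_MFA = Request("bob", frozenset({"finance"}), "payroll", "10.1.2.3", False, True, 0.1)
RISKY_SESSION = Request("alice", frozenset({"finance"}), "payroll", "203.0.113.7", True, True, 0.8)

if __name__ == "__main__":
    for r in (REMOTE_OK, INSIDE_NO_MFA, RISKY_SESSION):
        print(r.user, r.source_ip, "legacy:", legacy_ip_decision(r), "ztna:", ztna_decision(r))
```

The remote user is rejected by the IP model but allowed by the identity model, while the on-network session without MFA shows the opposite outcome. The third request shows the same identity being refused once its session risk rises.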
Organizations will most likely begin with a hybrid approach first, utilizing traditional network and security systems to handle existing connections between data centers and offices. SASE will then be used to route traffic from new connections, devices, users, and locations.
SASE isn't a cure for network and security issues, nor will it prevent future disruptions, but it will allow companies to respond faster to disruptions or crises and so minimize their impact on the enterprise. In addition, SASE will allow companies to be better positioned to take advantage of new technologies, such as edge computing, 5G and mobile AI.