What is SASE and why is it critical for the modern workplace?
Secure access service edge (SASE) is a framework for network architecture that brings cloud native security technologies (SWG, CASB, ZTNA and FWaaS in particular) together with wide area network (WAN) capabilities to securely connect users, systems, and endpoints to applications and services anywhere. To support today’s agile operations, these are delivered as a service from the cloud and can be managed centrally.
What does SASE mean?
SASE (pronounced “sassy”) refers to the whole framework, not a specific technology. In its “The Future of Network Security is in the Cloud” report, Gartner defined the SASE framework as a cloud-based cybersecurity solution that offers “comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises”.
SASE is distinct from security service edge (SSE), which Gartner defines as a subset of SASE that only focuses on the security services from a SASE platform.
How does SASE work?
A SASE architecture combines a software-defined wide area network (SD-WAN) or other WAN with multiple security capabilities (e.g. cloud access security brokers, anti-malware), so that your network traffic is secured by the sum of those functions.
Legacy approaches to inspection and verification, such as forwarding traffic through a multiprotocol label switching (MPLS) service to firewalls in your data centre, are effective if that’s where your users are.
Today, though, with so many users in remote locations, home offices, and so on, this “hair-pinning” (forwarding remote user traffic to your data centre, inspecting it, and then sending it back again) tends to reduce productivity and hurt the end-user experience.
What makes SASE stand out from point solutions and other secure networking strategies is that it’s both secure and direct. Rather than relying on your data centre security, traffic from your users’ devices is inspected at a nearby point of presence (the enforcement point) and sent to its destination from there. This means more efficient access to applications and data, making it the far better option for protecting distributed workforces and data in the cloud.
Is SASE just a buzzword?
Whilst SASE has garnered a lot of attention from service providers and media focused on networking and security, what’s most compelling is the main principle behind the SASE framework – the notion that data centre focused security and network architecture have become ineffective. This notion isn’t just a marketing catchphrase; the industry has broadly accepted it.
So, what does a SASE solution offer that makes it so valuable compared to traditional enterprise network security, which connects offices via private networks and routes traffic through secure web gateways and firewalls?
As Gartner points out, connectivity and security should focus on the identity of users and devices rather than on the data centre, as traditional models do. According to the report, “in a modern cloud-centric digital business, users, devices and the applications they require secure access to are everywhere”.
In other words, today’s workflows, traffic patterns, and use cases are very different from those of the era when hub-and-spoke networks were conceived. That’s because:
- More user traffic is heading to cloud services than data centres
- More work is performed off the network than on it
- More workloads are running in cloud services than data centres
- More SaaS applications are in use than those hosted locally
- More sensitive data is housed in cloud services than inside the enterprise network
Instead of the security perimeter being entombed in a box at the data centre edge, the perimeter is now everywhere an enterprise needs it to be – a dynamically created policy-based secure access service edge.
Components of a SASE model
SASE can be broken down into six essential elements in terms of its capabilities and technologies:
- SD-WAN – SD-WAN is an overlay architecture that reduces complexity and optimises the user experience by selecting the best route for traffic to the internet, cloud apps, and the data centre. It also enables rapid deployment of new apps and services and helps you manage policies across many locations.
- SWG – Secure Web Gateways prevent unsecured internet traffic from entering your internal network. They shield your employees and users from accessing and being infected by malicious web traffic, vulnerable websites, internet-borne viruses, malware and other cyberthreats.
- Cloud access security broker (CASB) – CASBs prevent data leaks, malware infection, regulatory non-compliance, and lack of visibility by ensuring safe use of cloud apps and services. They secure cloud apps hosted in public clouds (IaaS), private clouds, or delivered as software-as-a-service.
- FWaaS – FWaaS helps you replace physical firewall appliances with cloud firewalls that deliver advanced Layer 7 / next-generation firewall (NGFW) capabilities, including access controls such as URL filtering, advanced threat protection, intrusion prevention systems (IPS) and DNS security.
- Zero trust network access – ZTNA products and services give remote users access to internal apps. With a zero trust model, trust is never assumed, and least-privilege access is granted based on granular policies. It gives remote users secure connectivity without placing them on your network or exposing your apps to the internet.
- Centralised management – managing all of the above from a single console lets you eliminate many of the challenges of change control, patch management, co-ordinating outage windows and policy management whilst delivering consistent policies across your organisation, wherever users connect from.
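The ZTNA and centralised-management items above describe a policy model: every request is evaluated against identity, device posture and a per-application policy, and anything not explicitly granted is denied. The following Python is an added illustration of that decision logic, not code from Zscaler, SysGroup or any SASE product; the application names, groups and posture attributes are constructed for the example, and a real broker would take them from an identity provider and an endpoint agent.

```python
"""
Illustrative ZTNA-style access decision (added example, not a vendor's code).

The broker grants access to one application and one action at a time. It never
places the user on a network segment, and every path that is not an explicit
grant is a deny, so an unknown app, a missing group, a missing MFA step or an
unhealthy device all fail closed.
"""
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]      # group membership as asserted by the identity provider
    mfa_verified: bool          # whether a second factor was completed this session


@dataclass(frozen=True)
class DevicePosture:
    managed: bool               # enrolled in the organisation's device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]    # who may reach the app at all
    allowed_actions: FrozenSet[str]   # least privilege: which operations are granted
    require_mfa: bool = True
    require_managed_device: bool = True


# Constructed sample policies; the app names are hypothetical.
POLICIES: Dict[str, AppPolicy] = {
    "hr-portal": AppPolicy(frozenset({"hr"}), frozenset({"read", "write"})),
    "wiki": AppPolicy(frozenset({"staff", "hr", "eng"}), frozenset({"read"}),
                      require_managed_device=False),
    "prod-db-admin": AppPolicy(frozenset({"dba"}), frozenset({"read", "write", "admin"})),
}


def device_healthy(device: DevicePosture) -> bool:
    """A device passes posture only if every checked attribute is satisfied."""
    return device.managed and device.disk_encrypted and device.os_patched


def evaluate(identity: Identity, device: DevicePosture, app: str, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks are ordered so the cheapest deny fires first."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, f"deny: no policy for app {app!r} (default deny)"
    if not (identity.groups & policy.allowed_groups):
        return False, f"deny: {identity.user} is not in an allowed group for {app}"
    if policy.require_mfa and not identity.mfa_verified:
        return False, f"deny: MFA required for {app}"
    if policy.require_managed_device and not device_healthy(device):
        return False, f"deny: device posture check failed for {app}"
    if action not in policy.allowed_actions:
        return False, f"deny: action {action!r} not granted on {app} (least privilege)"
    return True, f"allow: {identity.user} -> {app}:{action}"


def decision_log_line(identity: Identity, device: DevicePosture, app: str, action: str) -> str:
    """Emit one JSON line per decision so the SOC can alert on bursts of denies per user or app."""
    allowed, reason = evaluate(identity, device, app, action)
    return json.dumps({
        "user": identity.user,
        "app": app,
        "action": action,
        "device_healthy": device_healthy(device),
        "mfa": identity.mfa_verified,
        "decision": "allow" if allowed else "deny",
        "reason": reason,
    }, sort_keys=True)


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"hr", "staff"}), mfa_verified=True)
    healthy = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
    stale = DevicePosture(managed=True, disk_encrypted=True, os_patched=False)
    for app, action, dev in [("hr-portal", "write", healthy),
                             ("hr-portal", "read", stale),
                             ("wiki", "read", stale),
                             ("prod-db-admin", "read", healthy),
                             ("payroll-legacy", "read", healthy)]:
        print(decision_log_line(alice, dev, app, action))
```

The point worth noticing is what the grant contains: an application name and an action, never an IP range or a network segment. Posture is re-evaluated on every request rather than once at connection time, which is what lets the broker revoke access when a device falls out of compliance mid-session.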
How SASE helps
SASE’s cloud-delivered architecture combines a host of different networking and security services into one platform, including DNS security, SWG, zero trust network access (ZTNA), and data loss/data leak prevention (DLP).
Additionally, SASE pairs well with an SD-WAN and works for a variety of use cases:
- Reducing IT cost and complexity: an effective SASE solution is easy to deploy and manage as an automated cloud service, enabling digital transformation without the technical debt brought on by legacy architecture.
- Delivering a great user experience: SASE brings security policies close to the user to eliminate unnecessary backhauling, provide optimal bandwidth, and ensure low latency.
- Lowering risk: with SASE, all connections are inspected and secured in real time, no matter which user they are coming from, which app is being accessed, or which encryption method is being used.
Benefits of SASE
How can an enterprise enforce access controls and security whilst facing these common realities? That’s where a SASE platform of WAN capabilities (SD-WAN) and comprehensive security services comes in. Cloud-based SASE offers significant benefits to organisations that put aside traditional on-premises enterprise network infrastructure and security to take advantage of cloud services, mobility, and other aspects of digital transformation.
1. Reduced IT costs and complexity
As they work to enable secure access to cloud services, protect remote users and devices, and close gaps in their security, organisations have been forced to adopt a range of security solutions, adding significant costs and management overhead. Even so, the on-premises network security model is simply not effective in a digital world.
Instead of trying to use a legacy concept to solve a modern problem, SASE flips the security model. Rather than focusing on a secure perimeter, SASE focuses on entities such as users.
Based on the concept of edge computing (processing information close to the people and systems that need it), SASE services push security and access close to users. Using an organisation’s security policies, SASE dynamically allows or denies connections to applications and services.
2. Fast, seamless user experience
When users were on the network, and IT owned and managed the apps and infrastructure, it was easy to control and predict the user experience. Today, even with distributed multi-cloud environments, many enterprises still use VPNs to connect users to their networks for security.
However, VPNs deliver a poor user experience, and they broaden an organisation’s attack surface by exposing IP addresses. Instead of this degradation, SASE provides optimisation. It calls for security to be enforced close to what needs securing: instead of sending the user to the security, it sends security to the user. SASE is cloud secure, intelligently managing connections at internet exchanges in real time, as well as optimising connections to cloud applications and services to ensure low latency.
3. Reduced risk
As a cloud native solution, SASE is designed to address the unique challenges of risk in the new reality of distributed users and applications. By defining security, including threat protection and data loss prevention (DLP) as a core part of the connectivity model, it ensures all connections are inspected and secured, regardless of location, app or encryption.
A key component of the SASE framework is zero trust network access (ZTNA), which provides mobile users, remote workers, and branch offices with secure application access whilst eliminating the attack surface and the risk of lateral movement on the network.
Why is SASE necessary?
Digital business transformation demands greater agility and scalability, coupled with reduced complexity and improved security. What’s more, modern enterprises need to ensure their users are getting the best experiences from anywhere.
These circumstances have moved SASE from the category of “nice to have” to “necessity”. Here are four reasons why:
SASE scales with your business. As your enterprise grows, both your network and your security need to be able to handle the resulting increase in demand. SASE lets your business, network, and security scale together through its cloud-delivered model.
SASE makes work from anywhere work. Legacy hub-and-spoke architectures cannot tolerate the bandwidth required to give your remote employees the flexibility they need to stay productive. SASE can, and it does so whilst maintaining enterprise-level security for all users and devices at any location.
SASE stands up to cyberthreat evolution. Security teams are on constant alert, defending from the latest threats. SASE helps them by providing superior security and ease of management, giving these teams the power to handle advanced threats, wherever they come from.
SASE gives you a base for IoT adoption. The internet of things is creating utility for businesses worldwide, but to effectively adopt IoT technology and capabilities, you need a strong platform to build an IoT ecosystem on. SASE lets you meet your IoT goals with unprecedented connectivity and security.
All this has driven networking and security vendors to glue together their own versions of a SASE architecture. Many of these vendors claim to engineer a cloud-delivered product, but the truth is a great number of them are just a “cloud platform” built on legacy hardware.
How can SysGroup help?
The Zscaler Zero Trust Exchange is our SASE solution of choice, offering you a fast, flexible, simple and secure model for connecting users and devices. Our platform is easy to deploy and manage as an automated, cloud-delivered service, and because it’s globally distributed, your users are always just a short hop from their applications.
Here’s what makes our SASE unique:
- A native, multitenant cloud architecture that scales dynamically with demand
- Proxy-based architecture for full inspection of encrypted traffic at scale
- Security and policy brought close to users to eliminate unnecessary backhauling
- ZTNA that restricts access to provide native application segmentation
- Zero attack surface, preventing targeted attacks because your source networks and identities aren’t exposed to the internet
- Through peering with hundreds of partners in major internet exchanges around the world, the Zero Trust Exchange offers optimal performance and reliability for your users