Secure Access Service Edge (SASE)
Sandeep Sagwal
On a journey of Network’s Transformation- From Legacy to SDN | 5G | cloud Native | AI Ready Network
What is SASE?
SASE (pronounced “sassy”) is the combination of security and networking elements offered in a single package. SASE combines comprehensive SD-WAN capabilities with complete network security functions such as SWG, CASB, FWaaS, and ZTNA. These elements support the dynamic, growing, distributed security needs of companies everywhere.
The?SASE?solution leverages the?Cloud, so there’s no need to purchase new hardware. Plus, it’s managed by your vendor. This means that there’s no need to hire specialized security or IT staff to manage it. SASE is a networking package that includes connectivity (“SA” or the “secure access”) and security (“SE” or the “service edge”). The diagram below presents our model.
This is complex stuff.
Secure Access Service Edge or SASE hangs on the Cloud and is customized to secure your highly distributed environment.
How does SASE work?
Let’s dive into the specific components of SASE (Secure Access Service Edge) to better understand how it works.
The “SSE” part of SASE is the Secure Service Edge.?This is the core package of security components that will protect your data, your applications, and your users.
The four key elements of security service edge (SSE) are Firewall as a Service (FWaaS), Zero Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), and Secure Web Gateway (SWG). These elements are presented in greater detail below.
While any of these security services can be purchased separately, they work more efficiently as part of an integrated SASE solution.
Firewall-as-a-Service (FWaaS)
The explosion of applications and users everywhere can mean that you’re managing hundreds or thousands of firewalls to ensure security. If you’re routing all user traffic through a centralized point (such as a data center) because that’s where your firewall is located, user performance and security suffer.
Firewall-as-a-Service, also known as cloud firewall, places the management burden on your vendor. FWaaS delivers firewall functionality as a cloud-based service.
Good FWaaS offerings provide the same features as a next-generation firewall. SASE offers FWaaS as part of a unified, cloud-based security model. This way, you can easily manage deployment from a single platform.
Zero Trust Network Access (ZTNA)
ZTNA, another component of your SASE solution, is an ideal security approach for your distributed environment. When ZTNA is employed outside of the SASE environment, users must first authenticate through a gateway to gain access to an application.
This authentication occurs no matter where the user is located, no matter the device or network access they’re using. ZTNA focuses on policy, identity and content. The policies follow the identity of each user wherever they are, and the control is yours. ZTNA is zero trust – meaning that it adopts a “least privilege” strategy. No access is permitted until you say it is. Security administrators identify users and create policies to restrict or allow access, minimize data loss, and quickly mitigate potential threats. ZTNA inspects and logs all traffic, and strictly enforces access control.
When ZTNA is offered as part of a unified SASE package, SASE applies the security principles across other services within the SASE solution. By accurately identifying users, devices, and applications, no matter where they are connecting from, you have simplified policy creation, policy management, and rules enforcement.
Connecting through a gateway adds complexity to the security solution. ZTNA through SASE removes the complexity of the gateway connection. It does this by incorporating required networking and security services into a single cloud framework.
Cloud Access Security Broker (CASB)
CASB is another essential security component of SASE. It secures traffic between an enterprise and its cloud providers. CASB comprises data security, threat protection, data loss prevention, and application control. And, crucially, it includes pre-configured government compliance for financial and healthcare organizations.
CASB creates a single platform for administrators to manage security controls for all application types. When CASB is integrated into a SASE solution, it works much better than CASB alone. With a unified SASE solution, CASB provides the visibility that helps you understand which software apps are being used and where sensitive data is going, no matter where users are located.
Secure Web Gateway (SWG)
If your organization already runs web filtering to prevent access to certain inappropriate web destinations, you have an incomplete solution. Because web filtering runs on a separate appliance, it results in inconsistent policy enforcement when your employees are working remotely. Further, web filtering only looks at web-based traffic and ignores non-web applications and data traffic. This can leave your company exposed.
SWG with SASE fixes this. SWG includes a comprehensive web security solution. This includes SSL Proxy, URL Filtering, Intrusion Detection and Prevention (IDS/IPS), NextGen Anit-Virus (NG-AV), Data Loss Prevention, and Advanced Threat Protection.
领英推荐
With SWG as part of your SASE security package, you have complete visibility and control over traffic, regardless of employee locations. As you grow, your SWG automatically scales to continue supporting you.
While these four security services form the minimal base package of SASE, your SASE vendor may offer more. This could include DNS security, browser isolation, and others. The key is that this base package is cloud-based and managed by your vendor.
You enjoy overall control of your policies and visibility into their enforcement. Still, you need not hire an army of IT and security experts to start to take advantage of SASE. The service is already tailored to your highly distributed environment.
SD-WAN vs. SASE
The “A” part of SASE is the network access?– your WAN connection to the security services presented above. As your corporate perimeter dissolves when applications move to multiple clouds to be accessed from anywhere, you must offer end users seamless connectivity and security. An?SD-WAN?“overlay” to your public Internet or private WAN network optimizes your WAN, unifies security across users, and saves money.
The?network?access includes the following elements:
The many benefits of?SD-WAN?are widely documented, and summarized again here:
SD-WAN improves digital experiences.
SD-WAN provides application-aware routing, no matter the origination or destination of the traffic. This means that the network is always available for your critical applications, as defined by you, even for your most remote users and locations. If the site has connectivity, even just an Internet connection, it can be integrated into your corporate SD-WAN.
SD-WAN saves money
All you need is an inexpensive broadband Internet link. With the SD-WAN overlay, you have well-performing, secure connections from your locations to the Cloud. The equivalent MPLS links would be more expensive.
SD-WAN is easy to adopt and integrate
Deployment is pre-configured, automated, and centrally provisioned. This allows for faster installations and eliminates the need for dedicated project managers at your remote sites.
SD-WAN really performs
SD-WAN includes AIOps data correlation. This automates root cause analysis leading to faster diagnoses. Further, automated workflows learn the network to deliver proactive remediation, improving uptime. If your organization already has the SD-WAN network connection, then the “SSE” portion of SASE is all you need. If your organization already has a WAN, consider an SD-WAN overlay. SD-WAN allows you to redirect some traffic to your broadband Internet links without disrupting or modifying your WAN.
This saves your WAN for applications that require private connections for compliance and accelerates the performance of all of your traffic. This improves your observability, visibility, and control.
The?global SASE POPs?are locations of interconnection between your sites and the SASE service. They are the initial point of security and processing for your end-users’ traffic. You’ll hear SASE providers brag about the number of POPs they offer globally and how widely distributed those POPs are.
And for good reason. The more numerous, widely distributed, and optimally placed the POPs are, the closer users are to the SASE solution and to the cloud services being accessed. This proximity lowers latency and provides better overall performance of the service.
Why do I need SASE?
We’ve discussed the benefits of SASE throughout this article. However, put simply: SASE provides an unmistakable return on investment (ROI).
SASE architecture boosts the performance of your inexpensive broadband connections and eliminates costly hardware and operational investments. What’s more, it ensures the security of every remote, hybrid, and office worker. It also gives you a full understanding of how your network and applications are performing.
SASE also learns using AI-based operations. This allows it to proactively and preemptively remediate network issues before they become outages. Plus, it’s managed in the Cloud by your vendor which frees your IT staff up to focus on business-critical objectives.
Usually, cost savings are achieved by cutting corners and compromising on things like network performance. With SASE, the value that results from improved performance turns into an overall lower total cost of ownership (TCO). Summarized, SASE accomplishes long-term ROI by: