What is SASE?
A comprehensive overview for modern network security.
SASE explained
SASE is a cloud-based framework that integrates software-defined wide area networking (SD-WAN) with Zero Trust security. It is the next iteration of network security: it mitigates the security concerns that come with local internet breakouts and numerous network access points by decentralising where network security is enforced.
Here’s what you need to know:
1. Identity-driven access
- SASE grants access based on user and device identities. Authentication and authorisation play a central role
- Users and endpoints are securely connected to apps and resources, regardless of their physical location
2. Cloud-native approach
- Both infrastructure and security solutions are delivered via the cloud
- This flexibility allows for scalability, agility and efficient resource utilisation
3. Protecting all edges
- SASE safeguards every edge, including physical, digital and logical boundaries
- Whether it's a remote worker, branch office or IoT device, SASE ensures consistent security
4. Global distribution
- Users are secured anywhere they work, whether in the office, at home, or on the go
- SASE eliminates the need for backhauling traffic to traditional data centres for security inspections
Key components of SASE
Traditional CPEs (customer premises equipment) consist of specialised hardware devices that each perform a dedicated function. These hardware-based functions are known as Physical Network Functions: provider-owned, specialised devices such as a firewall from Palo Alto, a router from Cisco and a switch from Juniper, deployed at the customer's premises or in a data centre.
In the past, this meant that businesses needed multiple devices on site to move data from one end to the other safely and correctly.
Having to rely on this kind of hardware and this model of working can be a challenge for a business. For example, opening a new office, or simply adding a new network function, would involve:
1. Software-defined Wide Area Networks (SD WAN)
SD-WAN creates virtual connections between endpoints (both physical and logical), optimising user traffic by providing near unlimited paths, enhancing user experience.
2. Firewall as a Service (FWaaS)
FWaaS moves firewall protection to the cloud, extending security beyond the organisation’s geographic footprint. Remote and mobile workers connect securely to the corporate network while adhering to consistent security policies.
3. Secure Web Gateway (SWG)
Secure Web Gateway filters unauthorised web traffic before it reaches the network perimeter. Technologies like malicious code detection, malware elimination and URL filtering enhance security.
4. Zero Trust Network Access
Zero Trust Network Access ensures trust is never implicit. Access is granted on a need-to-know basis. All users, devices, and applications undergo continuous validation before accessing private resources.
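To make the identity-driven, need-to-know model described under ZTNA concrete, here is an added example (not the page's own code, and not any vendor's product) of a minimal Zero Trust policy check in Python. The users, devices, applications and the entitlement table are constructed for the example; every request is evaluated afresh, so a device that falls out of compliance mid-session loses access on its next request.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled in the organisation's device management
    disk_encrypted: bool
    os_patched: bool

@dataclass(frozen=True)
class User:
    user_id: str
    groups: FrozenSet[str]
    mfa_verified: bool

# Constructed entitlement table (need-to-know): which groups may reach which private app.
APP_POLICY = {
    "payroll": {"finance"},
    "git": {"engineering"},
    "wiki": {"finance", "engineering"},
}

def device_healthy(device: Device) -> bool:
    """Device posture: all three checks must hold; network location is never a factor."""
    return device.managed and device.disk_encrypted and device.os_patched

def evaluate(user: User, device: Device, app: str) -> Tuple[bool, str]:
    """Decide one access request. Trust is never implicit: identity, device posture
    and application entitlement are all checked, and a failure names the reason."""
    if not user.mfa_verified:
        return False, "mfa-required"
    if not device_healthy(device):
        return False, "device-posture-failed"
    allowed_groups = APP_POLICY.get(app)
    if allowed_groups is None:
        return False, "unknown-app"          # default deny for anything not in the table
    if not (user.groups & allowed_groups):
        return False, "not-entitled"
    return True, "allowed"

def session_decisions(user: User, app: str, device_states: List[Device]) -> List[bool]:
    """Continuous validation: re-run the policy for each observed device state in one
    session, so a posture change after the first successful request revokes access."""
    return [evaluate(user, state, app)[0] for state in device_states]
```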
How does SASE compare to traditional network security solutions?
1. The location of the security perimeter
- Traditional security relies upon protecting a defined boundary. It often employs various on-premises security hardware and software solutions, such as VPNs, firewalls and SD-WANs
- SASE adopts a decentralised approach to network edge security. It integrates networking and security capabilities into a single cloud service
2. Network architecture
- Traditional security requires distant users to connect to the business network via VPN tunnels or proxies. Centralised security enforcement can become a bottleneck
- SASE inspects traffic at the nearest point of presence (PoP). This cloud-native approach ensures consistent data protection across all edge locations
3. Security services
- Traditional security often involves backhauling traffic through data centres. It relies on a mix of separate solutions for different security and networking demands
- SASE leverages the power of the cloud to provide secure access to applications from any location. It integrates identity-centric security, continuous monitoring and a suite of network security services
4. Authentication
- Traditional security may use various authentication methods but lacks the holistic approach of SASE
- SASE prioritises user and device identities for access. Authentication is a fundamental component
5. Flexibility
- Traditional security can be rigid and less responsive to evolving needs
- SASE offers agility by adapting to changing network requirements. It accommodates remote work, mobile devices and dynamic access scenarios
6. Scalability
- With traditional security, scaling often involves complex adjustments to on-premises hardware
- SASE is completely scalable, allowing organisations to grow without major infrastructure changes
7. Cost model
- Traditional security may involve higher upfront costs and ongoing maintenance expenses
- SASE reduces costs by eliminating the need for extensive on-premises security infrastructure
In summary, SASE provides a more adaptive, cloud-based and holistic approach to network security. It assists enterprises in staying ahead of new threats while simplifying their security landscape. However, the choice between SASE and traditional security depends on specific organisational needs and priorities.
The History of SASE
The term itself is still fairly new. It was coined by Neil MacDonald and Joe Skorupa at the analyst firm Gartner in 2019.
They initially explained that it represents an integration of multiple existing functions (such as SD-WAN and security) into one system, which also involves moving some or all of that functionality to a cloud-based SaaS (Software as a Service) model.
This turned private networking into an overlay function that was deployed independently of the underlying network layer, which threw the market open to a wider spectrum of players. The security industry has seen this consolidation before – ‘Next-Generation’ firewall and Unified Threat Management (UTM) trends saw what was once a range of separate security devices and functions merged into one platform.
When you weigh up all the evidence then, it seems that SASE is more of an evolution than a revolution. It does though still represent change – it’s a coming-together of many different strands, together with the potential for much greater flexibility in security deployment within one’s network.