Feeling SASE? A Complete Guide to Secure Access Service Edge

Secure Access Service Edge (SASE or “sassy”) is a network architecture capable of safeguarding data even when it (or your workers) are off network.

Charles O'Hay

June 15, 2023

In the digital world, galaxies of data reside in the cloud and users connect to subnetworks and apps on a range of devices around the globe. With so much data traveling off network, maintaining network security becomes more difficult.

In 2019, a new system heralded as the future of network security began to capture the attention of digital businesses. Secure Access Service Edge (SASE or “sassy”) is a network architecture capable of safeguarding data even when it (or your workers) are off network.

Gartner analysts, who introduced the concept, predicted that SASE would “create a significant opportunity for security and risk professionals to securely enable the dynamic access requirements of digital transformation, providing secure access capabilities to a variety of distributed users, locations, and cloud-based services.”

So how does SASE deliver security, and is it right for your business? Let’s dive a little deeper.

Origins of SASE Architecture

If we look back a decade, most of a company’s data resided in its data center. It was the hub, it was onsite, and while remote users (such as salespeople) could connect through virtual private networks (VPNs), the data center remained supreme.

Then the world changed. The rapid growth of the remote workforce, the COVID-19 pandemic, the increased use of apps, and other factors soon made it clear that traditional network security approaches were inadequate. For example, the software-as-a-service (SaaS) model allows users to access apps that live on the internet rather than on your server or computer. With so many people using multiple apps, vulnerabilities can quickly mount, leaving your network at risk for a breach.

SASE addresses this concern by creating a broad canopy, providing the same level of security as a single data center while covering a company’s entire workforce, no matter where they’re located or what sort of device they’re using.

Core Elements of SASE

SASE combines the advantages of software-defined wide area networking (SD-WAN) and zero-trust network security in a cloud-native network that securely connects users, systems, and endpoints with apps and other resources.

Let’s explore the 5 core elements of SASE.

Cloud Access Security Brokers (CASB)

CASB is an intermediary between end users and the cloud services they need and use daily. When a user interacts with a cloud-based app, CASB serves as a checkpoint, identifying the cloud service being used, checking that the data being sent meet company security protocols, preventing unauthorized use or data transfer, and red-flagging potential malware.

How it helps: Think of CASB as a security checkpoint where your bags are inspected. Here software inspects data packets, rather than luggage, to detect any problems.

Firewall as a Service (FWaaS)

FWaaS moves network protections from your network perimeter to the cloud, allowing your mobile workforce to connect securely to the company’s network from any location or device.

How it helps: FWaaS allows you to extend your network (and its security policies) well beyond the traditional footprint. So wherever your people go, your network security protocols have them covered.

Intrusion Prevention Systems (IPS)

IPS continually monitors traffic on your network for malicious activity—reporting, blocking, and dropping connections where intrusions are suspected or likely.

How it helps: Today’s cybercriminals are sophisticated; IPS simply adds an extra layer of protection, blocking untrusted connections and red-flagging malware.

Secure Web Gateways (SWG)

With users logging on from various locations and devices, your network may be vulnerable to attack. A secure web gateway employs tools such as URL filtering, malicious code detection, and malware elimination to identify and neutralize potential threats before they near your network perimeter.

How it helps: With so many employees working remotely and from different device types, comprehensive online security can be challenging. SWGs detect and block threats before your people interact with them.

Zero Trust Network Access (ZTNA)

Embracing several cloud-native technologies, zero trust network access operates on the assumption that trust is never implicit. Zero trust systems grant network access only on a need-to-know, least-privileged basis.

How it helps: ZTNAs minimize the risk for unauthorized access to your data.
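A minimal sketch of the default-deny, per-application decision described above, added here as an illustration and not taken from any vendor's product. The policy entries, group names, hostnames, and the `decide` function are all assumptions made up for this example.

```python
from dataclasses import dataclass

# Constructed policy: one group -> one application, with a device requirement.
POLICY = [
    {"group": "finance", "app": "erp.example.internal", "managed_only": True},
    {"group": "engineering", "app": "git.example.internal", "managed_only": True},
    {"group": "contractors", "app": "wiki.example.internal", "managed_only": False},
]

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_passed: bool
    device_managed: bool
    source_ip: str  # logged only; network location never grants access
    app: str

def decide(req):
    """Return (allowed, reason); anything not explicitly granted is denied."""
    if not req.mfa_passed:
        return False, "identity not verified"
    reason = "no rule grants this application"
    for rule in POLICY:
        if rule["app"] != req.app or rule["group"] not in req.groups:
            continue
        if rule["managed_only"] and not req.device_managed:
            reason = "device posture check failed"
            continue
        return True, "granted via group " + rule["group"]
    return False, reason

# Constructed requests: the office-LAN address earns nothing on its own.
REQUESTS = [
    Request("alice", frozenset({"finance"}), True, True, "203.0.113.7", "erp.example.internal"),
    Request("bob", frozenset({"engineering"}), True, True, "10.0.0.5", "erp.example.internal"),
    Request("carol", frozenset({"finance"}), True, False, "10.0.0.9", "erp.example.internal"),
    Request("dave", frozenset({"finance"}), False, True, "10.0.0.12", "erp.example.internal"),
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.user, r.source_ip, decide(r))
```

Only the first request is allowed: the user is verified, the device is managed, and a rule names that group for that application. The three requests from internal addresses are all denied.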

Taken together, these technologies form a shield that safeguards sensitive information while in transit, while extending your company’s security protocols to all workers, regardless of location or device.

Benefits of SASE

SASE offers some clear benefits for digital businesses looking to improve edge security for a mobile workforce. Let’s break down some of the top advantages of SASE.

Apps can reside anywhere

SASE doesn’t care where an app lives—on your company’s data center, in the public or a private cloud, or as a SaaS offering. Because of SASE’s architecture, it performs its security functions near the end user while preserving connectivity to the selected apps.

Centralized role-based control

Designed to accommodate the roving endpoints created by today’s mobile workforce, SASE allows you to extend network protections and company security protocols to users and devices regardless of location.

Fully integrated security in one system

SASE combines an array of technologies to provide broad-scale, blanket security. These include DNS security, RBI authentication, and malware detection as well as the aforementioned intrusion detection, FWaaS, zero trust, and secure web gateway protocols. These tools help detect suspicious or malicious activity and block it before it can damage your network.

Cost savings from reduced WAN reliance

Because SASE’s protections supplant those of SD-WAN, it’s not unusual for businesses to see reduced SD-WAN costs after adopting SASE, particularly in the area of multiprotocol label switching (MPLS).

Unique network architecture

With SASE’s centralized control, you can see your full network at a glance, including endpoints and users. Endpoints and branches can connect to a cloud instance that performs security functions and maintains optimal information flow. Cloud systems are also more resistant to denial of service attacks compared with data centers.

Together, these features provide a superstructure that offers centralized control of security for multiple roving endpoints, extending your security protocols to where your people work.

SASE Challenges

While SASE has an impressive array of elements in a single toolkit, the system does have its critics. Where does SASE fall short, and what improvements are suggested for the future?

  • Some critics feel SASE doesn’t go far enough, given the number of workers engaged in remote or hybrid work, and cite persisting vulnerabilities in endpoint security, comprehensive cloud security, 24x7 threat detection and response, and AI-based analytics.

  • All-in-one isn’t always best. Critics point to SASE’s “one brand, one box” toolkit and wonder whether it can deliver the best performance across all five of its core elements.

  • Seamless integration remains a challenge. Integrating a broad array of tools from a range of manufacturers isn’t easy, so it pays to understand a little about the network architecture. For example, where does integration occur? How many daisy-chains are needed to link all the elements? And how many vendors are involved? Knowing the answers to these questions can help you make more informed choices about whether SASE is right for your business.

  • Greater collaboration between security and networking teams is required in hybrid cloud environments, where you may encounter different staff dedicated to on-premises and cloud operations.

SASE is still evolving, and it will likely see changes to address some of these concerns. We hope that by considering these factors you get a clearer picture of SASE as a whole—its limitations as well as capabilities.

SASE Alternatives

Is SASE the only solution? No. Businesses successfully use other systems to connect users. Let’s see how two popular alternatives stack up against SASE.

SASE vs. SD-WAN

When comparing SASE with SD-WAN, the first difference you’ll likely notice is one of scale. While SD-WAN connects endpoints and users on a company’s network, SASE goes farther, letting your company’s security protocols extend beyond your network to endpoints and users anywhere in the world.

Second, SASE lives in the cloud, whereas SD-WAN resides within your company’s data center. And because SASE’s security protocols are positioned near the end user, there’s a vastly reduced risk for intrusion or interception. Plus, devices can connect through any public cloud provider.

Packet inspection is also far less thorough with SD-WAN compared with SASE. SD-WAN protocols inspect a packet only insofar as needed to determine its destination and how best to route it. SASE, however, performs deep packet inspection to detect potential problems such as malware, spyware, etc.
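The contrast between a routing-only look at a packet and deep packet inspection, shown as an added example that is not part of the original article. The packets, the signature marker, and the function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed signature list; a real inspection engine uses far richer rules.
SIGNATURES = {b"CONSTRUCTED-MALWARE-MARKER": "test-malware-marker"}

def build_packet(src, dst, sport, dport, payload):
    """Constructed sample: minimal IPv4 + TCP headers (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp + payload

def routing_view(pkt):
    """What a routing decision reads: destination address and port only."""
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return dst, dport

def deep_inspect(pkt):
    """Skip both headers and match the payload against the signatures."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                                 # only TCP is handled here
        return []
    data_off = (pkt[ihl + 12] >> 4) * 4             # TCP header length in bytes
    payload = pkt[ihl + data_off:]
    return [name for sig, name in SIGNATURES.items() if sig in payload]

# Two constructed packets to the same destination; only the payload differs.
CLEAN = build_packet("198.51.100.10", "192.0.2.80", 40000, 80,
                     b"GET /report.pdf HTTP/1.1\r\n\r\n")
DIRTY = build_packet("198.51.100.10", "192.0.2.80", 40001, 80,
                     b"POST /upload HTTP/1.1\r\n\r\nCONSTRUCTED-MALWARE-MARKER")

if __name__ == "__main__":
    for pkt in (CLEAN, DIRTY):
        print(routing_view(pkt), deep_inspect(pkt))
```

Both packets look identical to the routing view, and only the payload scan tells them apart. Payload matching of this kind works on plaintext, so encrypted traffic has to be decrypted at the inspection point before it can be examined.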

SD-WAN is a great security solution if your company’s workers are rarely off network. But if you want to expand its capabilities, you’d need to engage third-party vendors, which can get complicated and erode performance. SASE combines these elements into a single-vendor solution that allows routing and security policies to work in concert.

SASE vs. SSE

Security Service Edge (SSE) facilitates cybersecurity without requiring that a user be tied to a network. SSE governs the main security elements of SASE (CASB, FWaaS, IPS, and zero trust network access), but lacks the WAN edge protections that form the networking aspect of SASE.

So while SSE offers a broad array of security protections, it does not offer many of the networking capabilities that help ensure a seamless user experience. 

Why choose SSE over SASE? Some businesses opt for an SSE solution as part of a single-vendor SASE platform, leaving the path open for future network upgrades, architectural integration, and increased agility.

Cisco: A SASE Case Study

A 2021 Cisco case study examined the effectiveness of SASE in addressing real security challenges. A UX team at Cisco conducted the study to demonstrate how SASE affects user experience, provides effective network security, and delivers cost savings over traditional SD-WAN systems.

Methods

Phase one of the project involved the design and deployment of a customer-managed global backbone to interconnect the colocation neutral facilities (CNFs). Phase two delivered the design and implementation of an SD-WAN virtual headend service group hosted in the regional Cloud on Ramp to Colocation (CoRC) cluster. The CX team also deployed and integrated “Cisco Umbrella” with the customer’s on-premises hosted security solutions. Umbrella provides core SASE service functions including CASB, FWaaS, IPS, SWG, and ZTNA.

Cisco’s solution considered the use of MPLS Segment Routing, as this technology provides complete control over the forwarding paths by combining simple network instructions. Segment routing is a method of forwarding packets on the network based on the source routing paradigm. The source chooses a path and encodes it in the packet header as an ordered list of segments.
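A small simulation of the source-routing idea described above, added as an example and not drawn from Cisco's case study. The topology, link costs, and segment identifiers (SIDs) are constructed, and the sketch models node segments only, with transit routers using lowest-cost forwarding toward the segment on top of the stack.

```python
import heapq

# Constructed topology: link costs between routers (names and SIDs are illustrative).
LINKS = {
    "A": {"B": 1, "C": 1},
    "B": {"A": 1, "D": 1},
    "C": {"A": 1, "D": 2},
    "D": {"B": 1, "C": 2, "E": 1},
    "E": {"D": 1},
}
NODE_SID = {"A": 16001, "B": 16002, "C": 16003, "D": 16004, "E": 16005}
SID_NODE = {sid: node for node, sid in NODE_SID.items()}

def next_hop(src, dst):
    """First hop on the lowest-cost path from src to dst (Dijkstra)."""
    heap, seen = [(0, src, "")], set()
    while heap:
        cost, node, first = heapq.heappop(heap)
        if node in seen:
            continue
        seen.add(node)
        if node == dst:
            return first
        for nbr, weight in LINKS[node].items():
            if nbr not in seen:
                heapq.heappush(heap, (cost + weight, nbr, first or nbr))
    raise ValueError(f"{dst} unreachable from {src}")

def forward(ingress, segments):
    """Walk a packet through the network; return the routers it visits."""
    stack = [NODE_SID[n] for n in segments]  # ordered segment list set by the source
    here, path = ingress, [ingress]
    while stack:
        target = SID_NODE[stack[0]]
        if target == here:
            stack.pop(0)                     # segment completed: pop the label
            continue
        here = next_hop(here, target)        # transit routers read only the top label
        path.append(here)
    return path

if __name__ == "__main__":
    print(forward("A", ["E"]))       # default lowest-cost path
    print(forward("A", ["C", "E"]))  # source steers the packet through C first
```

With the single segment `E` the packet follows the lowest-cost path; adding `C` ahead of it makes the source, not the transit routers, decide that the packet passes through C on the way.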

Findings

Overall, Cisco’s system performed well. By positioning controls close to the user, the CX team found:

  • An improved user experience, including reduced latency times. Both capital and marketing expenses were reduced.

  • Because Cisco’s system regionalizes the internet, it is able to leverage colocation cross-connections to achieve reduced connection costs.

  • The system also minimized risk by leveraging existing automation via centralized configuration to create templates. These templates can be used, for example, to automatically launch VPNs.

Should Your Organization Adopt SASE?

Now that we’ve explored SASE’s core elements and capabilities, you may be asking whether SASE is the right network security solution for your business. Want to be sure? Maybe this checklist will help.

  • How much of your workforce is remote? Companies with large segments of their staff working remotely can benefit from the networking and security features of SASE.

  • Do your workers routinely connect to third-party providers (like apps) or cloud-dwelling programs? If yes, SASE can help you maintain network security while providing your workers with the flexibility and seamless performance that today’s competitive business environment demands.

  • Are you looking for a cloud-based solution to replace traditional data center security? SASE frees you from reliance on an on-premises data center, and places security protocols near the end user—no more hairpinning back to the data center, which can cost time and money.

  • Are you looking for a network security solution that’s scalable to accommodate growth? If yes, you’ll want to check out SASE. SASE offers cloud-based networking and security solutions that cover the globe. So no matter where your people are, their connection is as secure as your own home network.

How to Choose a SASE Provider

As SASE has grown in popularity as a next-gen networking and security solution, consumers are left to shop around for the best SASE service provider. So what should you look for in a SASE service provider? Here are a few tips to help you get started.

  • Ask around. Some of your business contacts and colleagues are likely using SASE in their day-to-day operations. How is it performing for them? Have they experienced fewer breaches? And can you envision applying SASE solutions in your business?

  • Engage multiple vendors to deliver best-of-breed functionality. This option offers more flexibility than single-pass solutions.

  • Anticipate transition issues. Determine how easily SASE can be integrated within your existing IT environment. Will it require rip-and-replace solutions? And is it easily scalable?

  • Ask about certifications and testimonials. It’s never a bad idea to get some background on a potential SASE service provider. By determining whether the provider has a solid track record, you can make a more informed choice. 

  • Choose a reputable provider and read the fine print. When choosing a provider, take a moment to review the service contract. Is the provider willing to provide extended service and troubleshooting 24/7/365? Do they offer a single platform to manage your solutions? 

We hope these questions help you locate the best SASE provider for your business and your budget.
