Understanding Secure Access Service Edge (SASE)

Published May 31, 2024

Secure Access Service Edge (SASE) merges network and security services into a single cloud-delivered service. Coined by Gartner in 2019, SASE simplifies and secures the process of connecting users to their applications, regardless of where the user or the application is located.

Before SASE, globally dispersed organizations needed employees to connect through a central data center. They would manage each office's security and networking needs separately, which caused latency and many bottlenecks.

The SASE cloud convergence provides direct-to-cloud access, which removes the need for multiple hardware devices, boosts performance, and simplifies management. It offers a comprehensive solution that adapts to modern networking challenges.

SASE vs. traditional networking and security models

Location of the security perimeter.

Legacy security models rely on a defined boundary, typically protected by firewalls and other security appliances. If you're working remotely, you'd need to use a VPN to access company resources securely.

SASE handles this differently by adopting a decentralized model that integrates networking and security capabilities into a single cloud service.

Network architecture.

Traditional security requires remote users to connect to the corporate network via VPN tunnels or proxies, which often adds latency. SASE instead inspects traffic at the nearest point of presence (PoP).

These PoPs are local nodes, often single servers that perform several functions (switching, routing, and firewalling) in one place. Inspecting traffic close to the user minimizes latency and improves performance.

Security services.

Traditional models require multiple solutions for various needs, such as firewalls, VPNs, and SD-WAN. This often means dealing with several vendors and integrating different tools.

In contrast, SASE merges these functionalities into a single cloud-based service, streamlining your IT operations. Think of one dashboard that controls everything, from secure web gateways to zero-trust network access.

Authentication.

Traditional security methods often depend on rigid rules that don't consider the context of users or devices. For example, they might use IP addresses to grant or deny access, which can be inflexible. 

SASE improves this by enforcing access restrictions using identity and context-based policies. This ensures that only authorized users and devices can access the network and applications, enhancing security without complicating access.

Flexibility.

Traditional network security often involves on-premise hardware, which can be a hassle to manage. SASE simplifies this by using a cloud-native approach, so you can scale your security services up or down as needed without worrying about physical space or hardware constraints.

Scalability.

With traditional models, scaling up usually means buying more hardware and dealing with complex configurations. SASE is built to scale effortlessly with your organization’s needs. 

You can adjust your security services as your company grows or scale back without the headaches typically associated with traditional methods.

Cost.

Traditional networking and security approaches require substantial investment in hardware and ongoing maintenance. SASE reduces these costs by eliminating the need for multiple hardware layers. 

Instead of spending on expensive network and security infrastructure, you get a single stack as a service. This transforms your capital expenses into operating expenses and simplifies your budget planning.

Components of SASE

SD-WAN (Software-Defined Wide Area Networking)

SD-WAN stands for Software-Defined Wide Area Networking. At its core, it simplifies the management and operation of a WAN by decoupling the networking hardware from its control mechanism. This separation allows you to direct traffic along the most efficient routes.

Traditionally, connecting a branch office to a cloud service like AWS would require complex configurations on routers and switches. With SD-WAN, we can manage this via software, providing central control to steer traffic dynamically. 

Tying SD-WAN into SASE gives you flexible, policy-driven networking with integrated security functions such as encryption, threat detection, and access control.

Secure Web Gateway (SWG)

A Secure Web Gateway (SWG) acts as a barrier between users and the internet, providing granular control over web traffic to enforce security policies, block threats, and prevent data leakage. This is crucial in an increasingly cloud-centric world.

Imagine you are managing a network where users need to access cloud applications like Salesforce and Office 365. Without an SWG, enforcing web security policies becomes a nightmare. An SWG inspects web traffic in real-time, ensuring that malware and malicious sites are blocked before they can cause harm.

Cloud Access Security Broker (CASB)

CASBs act as intermediaries between users and cloud service providers, enforcing an organization's security policies. They provide visibility, compliance, data security, and threat protection for cloud services.

Suppose you manage an organization with employees accessing various cloud applications, such as Office 365, Google Workspace, and Salesforce. 

Without a CASB, ensuring secure access and data protection across these platforms is challenging. CASBs solve this by providing detailed visibility into cloud usage and enforcing security policies directly. 

For example, when an employee tries to upload a sensitive document to an unauthorized cloud service, the CASB can block this action in real-time.

Another key feature provided by CASBs is user behavior analytics. For instance, if an employee suddenly downloads a large amount of sensitive data at odd hours, the CASB can flag this as suspicious and trigger an alert. This proactive monitoring helps identify potential insider threats and prevent data breaches.
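The off-hours download scenario above, as an added example that is not part of the original post: a small detector run over a constructed CASB activity log. It flags a user whose off-hours downloads of sensitive data exceed either a fixed byte threshold or a multiple of that user's own business-hours baseline; the log format, labels and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of CASB activity events (not real data), one per line:
# "ISO-8601 timestamp,user,action,classification label,bytes"
SAMPLE_LOG = """\
2024-05-30T10:12:04,alice,download,sensitive,2400000
2024-05-30T11:40:19,alice,download,public,900000
2024-05-30T14:03:55,bob,download,sensitive,1200000
2024-05-31T02:17:41,bob,download,sensitive,480000000
2024-05-31T02:22:09,bob,download,sensitive,512000000
2024-05-31T03:05:30,bob,upload,sensitive,2000000
2024-05-31T09:30:00,carol,download,sensitive,3000000
"""

OFF_HOURS = range(0, 6)            # assumed: 00:00-05:59 counts as "odd hours"
OFF_HOURS_THRESHOLD = 100_000_000  # assumed: bytes of sensitive data per user


def parse_events(text):
    """Parse the comma-separated log into (timestamp, user, action, label, bytes)."""
    events = []
    for line in text.splitlines():
        ts, user, action, label, size = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action, label, int(size)))
    return events


def flag_suspicious_downloads(events, threshold=OFF_HOURS_THRESHOLD, ratio=10):
    """Return {user: off-hours sensitive bytes} for users who exceed the
    absolute threshold, or who exceed `ratio` times their own business-hours
    sensitive-download volume (a per-user baseline)."""
    off_hours = defaultdict(int)
    business_hours = defaultdict(int)
    for ts, user, action, label, size in events:
        if action != "download" or label != "sensitive":
            continue
        bucket = off_hours if ts.hour in OFF_HOURS else business_hours
        bucket[user] += size
    alerts = {}
    for user, total in off_hours.items():
        baseline = business_hours.get(user, 0)
        if total > threshold or (baseline and total > ratio * baseline):
            alerts[user] = total
    return alerts


if __name__ == "__main__":
    for user, total in flag_suspicious_downloads(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {user} downloaded {total} bytes of sensitive data off-hours")
```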

Zero Trust Network Access (ZTNA)

The premise of ZTNA is simple: trust no one, verify everyone. Instead of relying on traditional perimeter-based security, ZTNA focuses on strict identity verification. Every user and device must prove their identity before accessing any resources.

ZTNA evaluates each access request on multiple factors, including user identity, device health, and the context of the request. For example, if an employee tries to access sensitive company data from an unrecognized device, ZTNA will block the request or prompt additional verification.
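The identity- and context-based decision described here (and in the Authentication comparison above), as an added example that is not code from the original post: a policy function that evaluates every request on identity, device posture and request context and returns allow, step-up verification, or deny. The entitlement table, posture fields, sensitivity labels and the 15-minute MFA window are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # prompt for additional verification (e.g. a fresh MFA)
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in the organisation's device inventory
    disk_encrypted: bool
    patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset     # group memberships from the identity provider
    device: Device
    resource: str
    sensitivity: str      # assumed labels: "public", "internal", "restricted"
    mfa_age_minutes: int  # minutes since the user's last MFA challenge


# Hypothetical entitlement table: which groups may reach which resource.
ENTITLEMENTS = {
    "hr-records": {"hr", "hr-admin"},
    "wiki": {"employees"},
}


def evaluate(req: Request) -> Decision:
    """Every request is evaluated; nothing is trusted for being 'inside'."""
    # 1. Identity: the user must hold a group entitled to the resource.
    if not (req.groups & ENTITLEMENTS.get(req.resource, set())):
        return Decision.DENY
    # 2. Device: unrecognized (unmanaged) devices never reach restricted data
    #    and must re-verify for anything that is not public.
    if not req.device.managed:
        return Decision.DENY if req.sensitivity == "restricted" else (
            Decision.STEP_UP if req.sensitivity != "public" else Decision.ALLOW)
    # 3. Device health: degraded posture requires fresh verification.
    if req.sensitivity != "public" and not (req.device.disk_encrypted and req.device.patched):
        return Decision.STEP_UP
    # 4. Context: restricted data requires a recent MFA challenge (assumed 15 min).
    if req.sensitivity == "restricted" and req.mfa_age_minutes > 15:
        return Decision.STEP_UP
    return Decision.ALLOW
```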

ZTNA integrates seamlessly with SASE by embedding security directly into the network fabric. When a user initiates a connection, SASE routes the traffic through various security checks. These include firewalls, threat detection systems, and secure web gateways.

Firewall as a Service (FWaaS)

FWaaS delivers firewall capabilities as a cloud service, eliminating the need for physical appliances. Imagine you have a remote team spread across different regions. 

Traditional on-premises firewalls would struggle to secure such a distributed network. FWaaS provides centralized management and consistent security policies, regardless of the user's location.

The beauty of FWaaS is that it scales effortlessly by handling everything in the cloud. It also simplifies policy management. You can define your security policies once and deploy them globally. 

Updating these policies is just as straightforward. There's no need to touch each firewall device individually.

How to implement SASE.

  1. Identify the areas to improve.

The first essential step in implementing SASE is identifying the key areas that need improvement.

If, for example, you have a traditional VPN that struggles with scale and performance, replacing it with a more robust, cloud-based SASE solution would help. This solution would leverage the global points of presence (PoPs) to provide better performance and lower latency for remote users.

  2. Integrate your existing security controls with the SASE platform.

Suppose you have a web security gateway and a firewall appliance. Consolidating these two into a single cloud-based SASE solution will simplify management and enhance security by providing centralized policy management across all your network traffic.

  3. Prioritize application use cases.

Identify which applications are critical for your business and evaluate their performance requirements. For example, a cloud-based CRM application like Salesforce may require optimized connectivity for your sales team. 

Using SASE, you can provide secure, high-performance access to this application regardless of whether users are in the office or working remotely.

  4. Phase out legacy systems.

SASE allows you to retire outdated perimeter security systems like traditional firewalls or MPLS networks. For example, migrating from an MPLS to a software-defined wide area network (SD-WAN) integrated within the SASE solution can offer more flexibility and cost efficiency.

  5. Ensure continuous monitoring and management.

SASE platforms offer comprehensive insights into your network and security posture. Among other tools, they have built-in dashboards you can use to monitor traffic patterns, detect anomalies, and enforce compliance. 

You should leverage these tools to gain visibility and control over your entire network. This proactive approach can significantly mitigate risks and enhance the overall security framework.
