Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Connect Directly

All About SASE: What It Is, Why It's Here, How to Use It

Secure Access Service Edge is a new name for a known and growing architecture designed to strengthen security in cloud environments.

Secure access service edge, also known as SASE (pronounced "sassy"), is a term popping up more in security conversations as businesses grapple with the challenge of secure networking in the cloud.

SASE combines WAN capabilities with network security functions: secure web gateway, cloud access security broker, firewall-as-a-service, and zero-trust network access. These capabilities are primarily delivered as-a-service and aim to find sensitive data or malware, decrypt content, and monitor risk and the trust level of sessions, Gartner's Andrew Lerner says in a blog post. Monitored entities can span groups of people, devices, applications, services, or Internet of Things systems.

Gartner first mentioned the term SASE in its 2019 networking hype cycle, but it's not a novel practice. Rather, it's a new name for a tactic that organizations have been adopting as they navigate new security hurdles amid the transition to cloud- and mobile-intensive environments.

"It's a combination of different technologies, all of which I think people have been using in one respect or another, but are converging, and adoption of them is accelerating," says Tom Cross, chief technology officer at OPAQ, describing SASE. "The reason is, enterprise network architectures have not kept up with the way that IT has changed."

Modern employees use all kinds of devices to access corporate data and applications from a range of geographical locations. The rise of cloud computing and mobility have disrupted the typical technology infrastructure by swapping the physical data center for infrastructure-as-a-service (IaaS). Many IT teams interact with their network through a web console or API. Your data is everywhere, and you don't have visibility into everything happening on the network.

Legacy enterprise networks have gone through "major upheaval" over the last couple of years, and organizations have been able to reduce cost and increase agility. SD-WAN was designed to address these needs but doesn't connect to mobile users, explains Dave Greenfield, technology evangelist at Cato Networks. Furthermore, it's not enough to address their many cloud security concerns.

Many constructs that make up SASE — firewalls, intrusion-prevention systems (IPS), cloud access security brokers (CASB) — are things businesses have used for years. "These can still be applicable as you move into the cloud," says Mike Rothman, Securosis' president and analyst. "But there's this old adage that just because you can doesn't mean you should." Organizations don't often think about how they can build a cloud-native environment that provides capabilities and flexibility they need while adding security into the network stack.

The traditional model of network security is based on inspection points: Traffic is rerouted through a place where it's inspected to detect attacks. When you overlay existing capabilities with familiar tools, it's the "lowest common denominator," he continues. It drives inefficiency, adds cost, and forces traffic into a bottleneck. Organizations don't need conventional tools scattered throughout their environments if they can segment more effectively in the cloud, which lets them add more accounts and subscriptions instead of a flat data center network.

"It doesn't make sense to have an on-premises firewall everyone is rerouting their traffic to," says Cross. "We need a security infrastructure that makes sense in this world and is convenient for people to use, and that they will use. … What we need is for security to be available in the Internet. Security comes to the traffic, not traffic going to security."

The SASE Approach to Network Security
Instead of thinking about mobile access, cloud access, and site access as separate things, SASE puts it all into a single global network. With this approach, businesses no longer have separate security policies. There is one policy — one firewall for protecting against network-based threats.

"The secure access service edge converges security and networking together for any kind of endpoint," Rothman explains. Instead of putting an agent on the device, connecting to a VPN, and rerouting to a cloud-based resource, SASE brings security to each individual device. "If I can bring the secure perimeter to the actual user, this allows me to be more efficient," he adds.

Cloud networking is different. You don't think about what you already have but about the kind of network a specific application or use case requires. Build what is needed, where it's needed, Rothman explains in a report on networking in the cloud age. A network for remote employees should be different from one for interconnecting primary sites. Externally facing web applications need a different network than applications used to access sensitive data kept in a data center.

How it works: The SASE architecture is a cloud-native platform, which provides a company with the heavy security processing it requires, Greenfield explains. Each location runs an SD-WAN device to bring traffic into the SASE cloud. Traffic is sent to a local point-of-presence (POP), where networking and security processing is applied before it's forwarded to its destination. For Cato Networks, POPs are co-located in the same physical data centers as the cloud providers.

"When you're first starting out, you have to figure out how to get started and sometimes it can be challenging to [do] a whole reconsideration of security infrastructure," says Cross.

The key is starting small, Rothman explains. Know the problem you're trying to solve, select a short list of companies that can help you solve it, present the use case, and see how they can help. Over time, you can add more applications, users, and use cases to the SASE environment.

"It doesn't have to be a big bang. … You can look at it from an application access or user constituency basis," he continues. "Pick a use case and start somewhere. Don't expect you're going to replace your entire network tomorrow with one of these services." As part of a gradual process, companies may start implementing SASE in a single office and expand from there.

(Story continues on the next page)

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/5/2020 | 3:50:01 AM
the term SASE in its 2019 networking hype cycle, but it's not a novel practice. Rather, it's a new name for a tactic that organizations have been adopting as they navigate new security hurdles amid the transition to cloud- and mobile-intensive environments.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-28
An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can be uploaded to admin/assets/uploads/ (under the web root).
PUBLISHED: 2020-10-28
The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension.
PUBLISHED: 2020-10-27
The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS.
PUBLISHED: 2020-10-27
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials.
PUBLISHED: 2020-10-27
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. A malicious application may be able to overwrite arbitrary files.