
2/22/2020
10:00 AM

All About SASE: What It Is, Why It's Here, How to Use It

Secure Access Service Edge is a new name for a known and growing architecture designed to strengthen security in cloud environments.

Secure access service edge, also known as SASE (pronounced "sassy"), is a term popping up more in security conversations as businesses grapple with the challenge of secure networking in the cloud.

SASE combines WAN capabilities with network security functions: secure web gateway, cloud access security broker, firewall-as-a-service, and zero-trust network access. These capabilities are primarily delivered as-a-service and aim to find sensitive data or malware, decrypt content, and monitor risk and the trust level of sessions, Gartner's Andrew Lerner says in a blog post. Monitored entities can span groups of people, devices, applications, services, or Internet of Things systems.

Gartner first mentioned the term SASE in its 2019 networking hype cycle, but it's not a novel practice. Rather, it's a new name for a tactic that organizations have been adopting as they navigate new security hurdles amid the transition to cloud- and mobile-intensive environments.

"It's a combination of different technologies, all of which I think people have been using in one respect or another, but are converging, and adoption of them is accelerating," says Tom Cross, chief technology officer at OPAQ, describing SASE. "The reason is, enterprise network architectures have not kept up with the way that IT has changed."

Modern employees use all kinds of devices to access corporate data and applications from a range of geographical locations. The rise of cloud computing and mobility has disrupted the typical technology infrastructure by swapping the physical data center for infrastructure-as-a-service (IaaS). Many IT teams interact with their network through a web console or API. Your data is everywhere, and you don't have visibility into everything happening on the network.

Legacy enterprise networks have gone through "major upheaval" over the last couple of years, and organizations have been able to reduce cost and increase agility. SD-WAN was designed to address these needs but doesn't connect to mobile users, explains Dave Greenfield, technology evangelist at Cato Networks. Furthermore, it's not enough to address their many cloud security concerns.

Many constructs that make up SASE — firewalls, intrusion-prevention systems (IPS), cloud access security brokers (CASB) — are things businesses have used for years. "These can still be applicable as you move into the cloud," says Mike Rothman, Securosis' president and analyst. "But there's this old adage that just because you can doesn't mean you should." Organizations don't often think about how they can build a cloud-native environment that provides capabilities and flexibility they need while adding security into the network stack.

The traditional model of network security is based on inspection points: Traffic is rerouted through a place where it's inspected to detect attacks. When you overlay existing capabilities with familiar tools, it's the "lowest common denominator," he continues. It drives inefficiency, adds cost, and forces traffic into a bottleneck. Organizations don't need conventional tools scattered throughout their environments if they can segment more effectively in the cloud, which lets them add more accounts and subscriptions instead of a flat data center network.

"It doesn't make sense to have an on-premises firewall everyone is rerouting their traffic to," says Cross. "We need a security infrastructure that makes sense in this world and is convenient for people to use, and that they will use. … What we need is for security to be available in the Internet. Security comes to the traffic, not traffic going to security."

The SASE Approach to Network Security

Instead of thinking about mobile access, cloud access, and site access as separate things, SASE puts it all into a single global network. With this approach, businesses no longer have separate security policies. There is one policy — one firewall for protecting against network-based threats.

"The secure access service edge converges security and networking together for any kind of endpoint," Rothman explains. Instead of putting an agent on the device, connecting to a VPN, and rerouting to a cloud-based resource, SASE brings security to each individual device. "If I can bring the secure perimeter to the actual user, this allows me to be more efficient," he adds.

Cloud networking is different. You don't think about what you already have but about the kind of network a specific application or use case requires. Build what is needed, where it's needed, Rothman explains in a report on networking in the cloud age. A network for remote employees should be different from one for interconnecting primary sites. Externally facing web applications need a different network than applications used to access sensitive data kept in a data center.

How it works: The SASE architecture is a cloud-native platform, which provides a company with the heavy security processing it requires, Greenfield explains. Each location runs an SD-WAN device to bring traffic into the SASE cloud. Traffic is sent to a local point-of-presence (POP), where networking and security processing are applied before it's forwarded to its destination. For Cato Networks, POPs are co-located in the same physical data centers as the cloud providers.

"When you're first starting out, you have to figure out how to get started and sometimes it can be challenging to [do] a whole reconsideration of security infrastructure," says Cross.

The key is starting small, Rothman explains. Know the problem you're trying to solve, select a short list of companies that can help you solve it, present the use case, and see how they can help. Over time, you can add more applications, users, and use cases to the SASE environment.

"It doesn't have to be a big bang. … You can look at it from an application access or user constituency basis," he continues. "Pick a use case and start somewhere. Don't expect you're going to replace your entire network tomorrow with one of these services." As part of a gradual process, companies may start implementing SASE in a single office and expand from there.

(Story continues on the next page)

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
johncarterr,
User Rank: Apprentice
3/5/2020 | 3:50:01 AM
thanks
the term SASE in its 2019 networking hype cycle, but it's not a novel practice. Rather, it's a new name for a tactic that organizations have been adopting as they navigate new security hurdles amid the transition to cloud- and mobile-intensive environments.