Secure access service edge, also known as SASE (pronounced "sassy"), is a term popping up more in security conversations as businesses grapple with the challenge of secure networking in the cloud.
SASE combines WAN capabilities with network security functions: secure web gateway, cloud access security broker, firewall-as-a-service, and zero-trust network access. These capabilities are primarily delivered as-a-service and aim to find sensitive data or malware, decrypt content, and monitor risk and the trust level of sessions, Gartner's Andrew Lerner says in a blog post. Monitored entities can span groups of people, devices, applications, services, or Internet of Things systems.
Gartner first mentioned the term SASE in its 2019 networking hype cycle, but it's not a novel practice. Rather, it's a new name for a tactic that organizations have been adopting as they navigate new security hurdles amid the transition to cloud- and mobile-intensive environments.
"It's a combination of different technologies, all of which I think people have been using in one respect or another, but are converging, and adoption of them is accelerating," says Tom Cross, chief technology officer at OPAQ, describing SASE. "The reason is, enterprise network architectures have not kept up with the way that IT has changed."
Modern employees use all kinds of devices to access corporate data and applications from a range of geographical locations. The rise of cloud computing and mobility has disrupted the typical technology infrastructure by swapping the physical data center for infrastructure-as-a-service (IaaS). Many IT teams interact with their network through a web console or API. Your data is everywhere, and you don't have visibility into everything happening on the network.
Legacy enterprise networks have gone through "major upheaval" over the last couple of years, and organizations have been able to reduce cost and increase agility. SD-WAN was designed to address these needs but doesn't connect to mobile users, explains Dave Greenfield, technology evangelist at Cato Networks. Furthermore, it's not enough to address their many cloud security concerns.
Many constructs that make up SASE — firewalls, intrusion-prevention systems (IPS), cloud access security brokers (CASB) — are things businesses have used for years. "These can still be applicable as you move into the cloud," says Mike Rothman, Securosis' president and analyst. "But there's this old adage that just because you can doesn't mean you should." Organizations don't often think about how they can build a cloud-native environment that provides capabilities and flexibility they need while adding security into the network stack.
The traditional model of network security is based on inspection points: Traffic is rerouted through a place where it's inspected to detect attacks. When you overlay existing capabilities with familiar tools, it's the "lowest common denominator," he continues. It drives inefficiency, adds cost, and forces traffic into a bottleneck. Organizations don't need conventional tools scattered throughout their environments if they can segment more effectively in the cloud, which lets them add more accounts and subscriptions instead of a flat data center network.
"It doesn't make sense to have an on-premises firewall everyone is rerouting their traffic to," says Cross. "We need a security infrastructure that makes sense in this world and is convenient for people to use, and that they will use. … What we need is for security to be available in the Internet. Security comes to the traffic, not traffic going to security."
The SASE Approach to Network Security
Instead of thinking about mobile access, cloud access, and site access as separate things, SASE puts it all into a single global network. With this approach, businesses no longer have separate security policies. There is one policy — one firewall for protecting against network-based threats.
"The secure access service edge converges security and networking together for any kind of endpoint," Rothman explains. Instead of putting an agent on the device, connecting to a VPN, and rerouting to a cloud-based resource, SASE brings security to each individual device. "If I can bring the secure perimeter to the actual user, this allows me to be more efficient," he adds.
Cloud networking is different. You don't think about what you already have but about the kind of network a specific application or use case requires. Build what is needed, where it's needed, Rothman explains in a report on networking in the cloud age. A network for remote employees should be different from one for interconnecting primary sites. Externally facing web applications need a different network than applications used to access sensitive data kept in a data center.
How it works: The SASE architecture is a cloud-native platform, which provides a company with the heavy security processing it requires, Greenfield explains. Each location runs an SD-WAN device to bring traffic into the SASE cloud. Traffic is sent to a local point-of-presence (POP), where networking and security processing is applied before it's forwarded to its destination. For Cato Networks, POPs are co-located in the same physical data centers as the cloud providers.
"When you're first starting out, you have to figure out how to get started and sometimes it can be challenging to [do] a whole reconsideration of security infrastructure," says Cross.
The key is starting small, Rothman explains. Know the problem you're trying to solve, select a short list of companies that can help you solve it, present the use case, and see how they can help. Over time, you can add more applications, users, and use cases to the SASE environment.
"It doesn't have to be a big bang. … You can look at it from an application access or user constituency basis," he continues. "Pick a use case and start somewhere. Don't expect you're going to replace your entire network tomorrow with one of these services." As part of a gradual process, companies may start implementing SASE in a single office and expand from there.
Implementing SASE: One Company's Story
This is what Andrew Thomson, vice president of innovation and technology at BioIVT, was looking for when he was revamping network security two years ago. He wasn't specifically seeking SASE but wanted to find a more secure way to manage the network in the cloud. At the time, BioIVT was running on a network with several Cisco point-to-point connections, which connected sites together into a WAN. There were multiple points of entry through various Internet provider connections, and he wasn't sure how to support its growth.
"We were kind of at a crossroads," Thomson says. "How do we manage this growing network and how do we manage our security game?" The search turned to SD-WAN providers, which were focused on this type of service.
He found disparate tools but wasn't enthusiastic about working with several partners. "I didn't want to have to go find different vendors … didn't want a network monitoring vendor, and a new firewall vendor. Being able to select a SASE model, [we have] one vendor handling all that for us."
BioIVT needed to maintain connectivity throughout the implementation process and was able to structure the integration as it ran in parallel alongside its existing network. Since then, he's noticed some unexpected benefits to the new approach. The company has been able to stick with the same vendor (Cato Networks) without additional monitoring or staffing, a perk because it hasn't required a learning curve for security employees. Since its implementation, BioIVT has grown from eight locations to 17, and a preconfigured device can be shipped to each new site.
To SASE or Not to SASE?
There are several reasons why an organization might adopt a SASE model and many reasons why it might hold back. Companies that choose SASE are driven by a set of factors: They don't want to run their own hardware anymore; they don't want traffic backhauled to the data center before it goes to the Internet; they don't want end users unsecured when not on a VPN.
If your firewall is about to expire, for example, you might consider a SASE-based approach rather than investing in new hardware, Cross notes. Perhaps you're opening a new office and it would be easier to connect using a service-based security model. Or maybe you're in the M&A process and need stronger control over a new company's security processes and infrastructure. Distributed workforces, branch offices, and retail stores are also scenarios where SASE fits in.
When Cato Networks started, only the smallest businesses were looking for a SASE model, says Greenfield. Mid- to low-end enterprise users often didn't have the staff to manage a lot of complex infrastructure. Now, even the largest enterprises are adding SASE to 50–70 sites. Security has grown so complicated that most organizations don't have the resources to manage it.
"It doesn't matter how big you are but how old you are and how your IT works," Cross says. Businesses born in the cloud will have an easier time adopting SASE, but the reality is that most are not starting from scratch. And there are some industries that will always need on-premises IT infrastructure: manufacturing facilities, hospitals, and retail sites all need hardware on-site.
The Future of Cloud Security?
There has been a "significant uptick" in interest in solving this problem over recent months, says Cross, and as a result, multiple vendors are tackling the issue from different directions. Vendors like Cato Networks, Zscaler, Forcepoint, OPAQ, and Symantec have for a while offered a managed WAN or proxy type of service that they are now starting to extend, says Rothman. Another vendor, Meta Networks, was acquired by Proofpoint, an early sign of consolidation in the space.
While adoption has grown, it's unclear if or when SASE will reach the widespread popularity of cloud storage and apps. Some organizations remain hesitant, a common mentality when cloud computing started to emerge. "When IaaS began, a lot of people were like, 'We're not going to move our workloads to the cloud — we're not going to trust cloud providers,'" says Cross.
Consider the millions of workloads in platforms like Amazon Web Services and Microsoft Azure, he continues, and think about how much weaker their security would be if each organization had handled their security on their own. It's the same situation with security-as-a-service: Outsource to people who can securely manage the infrastructure — they will be more successful.
"This will be proven out over time, just as with the cloud," Cross says.