Gartner introduced Secure Access Service Edge (SASE) to the market in 2019. Since then, it has been a frequent topic of conversation within the networking and security community. But despite frequent references and marketing resources, there’s still much confusion about what SASE means, as well as its purpose and how seriously security pros should focus on it.
Think of SASE as an architecture model, although sometimes it’s referred to as a concept or framework. It combines software-defined wide area networking (SD-WAN) with comprehensive security capabilities to support today's cloud-based computing environments and the realities of a mobile workforce.
Applications are moving from the data center to the cloud, more employees are working remotely than ever before, and users access data from a wide variety of company-owned and personally owned devices. These circumstances create challenges for network and security administrators trying to understand who accesses company applications and data, and how they use them. After all, security pros can’t manage or lock down what they don’t see. Here are four basic principles of SASE that security pros need to understand:
- Data centers are no longer the concentration point of the network. Organizations that continue to route all of their network traffic through the data center with legacy hub-and-spoke infrastructure will find that their networks become a business inhibitor. Backhauling remote users’ cloud-bound traffic through the data center adds latency and hurts productivity.
- Identity should determine data access, not the user’s location. The old approach to security was that everyone on the network was trusted and traffic originating from outside the network was scrutinized. In today’s workplace with employees working remotely and conducting business off the network, this method doesn’t work. It’s also reckless to offer open access to anyone on the network because it doesn’t take into account the possibility of insider threats.
- Businesses should seek out technologies that offer worldwide points of presence and peering relationships. This has become increasingly important as users and applications are more distributed. Creating a point of presence geographically near a user shortens the logical path between the user and the resource they are trying to access. This makes employees more productive and lets them accomplish their job duties or tend to customers instead of waiting for applications or web pages to load.
- Consolidating vendors can reduce management complexity. This is especially true when network and security technologies are integrated to share data, offering contextual intelligence and automation, or when they are managed through a single pane of glass.
Although businesses have been very receptive to Gartner’s recommendations on how to approach networking and security in the future, these digital transformation trends and efforts by vendors to diversify their portfolio of products began well before the term SASE was developed. And despite all of the hype around SASE, there’s currently no off-the-shelf product available on the market, mainly because there’s no standard definition of the combination of technologies needed for a SASE deployment.
However, Gartner does base SASE's architecture on the following five core technologies:
- Software-Defined Wide Area Network (SD-WAN): Today’s modern businesses need more bandwidth and increased network performance to support VoIP, videoconferencing, and cloud-based applications. Many organizations are transforming their network to connect branch offices directly to the internet with low-cost circuits such as broadband and LTE, while retaining MPLS lines for traffic routed to the data center or between sites that require higher levels of reliability and performance. SD-WAN offers centralized visibility of all circuits across locations and provides a way to manage data flows. Some benefits of SD-WAN include faster networks, improved resiliency, the ability to prioritize bandwidth for critical applications, and potential cost savings.
- Firewall-as-a-Service (FWaaS): Since 2007, next-generation firewalls (NGFWs) have been a staple in network security. They protect users and assets located on-premises or connected via VPN against a wide range of modern-day threats. Companies deploy them as a dedicated appliance at either the data center or branch office, a virtual appliance (on-site or hosted in a public cloud), or in the vendor’s/MSSP’s cloud.
- Zero-Trust Network Access (ZTNA): Coined by Forrester in 2010, Zero Trust runs on the principle of least privilege and specifies that security teams should inspect all traffic, regardless of its origin. Legacy access technologies, such as VPNs, usually give users access to everything within a network segment. These segments often contain more information than users need and raise the possibility of exposing sensitive information. ZTNA lets administrators grant access to specific applications, by role or user, often without the user having to connect to the network.
- Secure Web Gateway (SWG): Employees browse websites to conduct research and interact with vendors or customers, but also for reasons completely unrelated to their jobs. The protection of a secure web gateway follows users virtually wherever they are located, helping to ensure that the websites employees visit are both safe and appropriate for the workplace.
- Cloud-Access Security Broker (CASB): CASBs first appeared on the market in 2013. Shadow IT has become a constant concern for security administrators since unsecured applications greatly increase the probability of malware or sensitive data loss. CASB delivers visibility to which SaaS or cloud-based applications are being accessed by users, so appropriate security controls can get applied. Some CASB tools also offer analysis of identified vulnerabilities for particular applications.
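The contrast drawn above between location-based trust (anyone on the network sees the whole segment) and ZTNA’s per-application, identity-based grants can be made concrete with a small policy evaluator. This is an added example, not code from the article or from any vendor; the network range, application names and role entitlements are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: a corporate LAN range, one flat network segment
# that a legacy LAN/VPN model exposes wholesale, and hypothetical
# per-application role entitlements used by the ZTNA policy.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")
SEGMENT_APPS = {"hr-payroll", "finance-erp", "wiki", "crm"}
APP_ROLES = {
    "hr-payroll": {"hr"},
    "finance-erp": {"finance"},
    "wiki": {"hr", "finance", "engineering", "sales"},
    "crm": {"sales"},
}

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    source_ip: str
    app: str

def legacy_location_policy(req: Request) -> set:
    """Perimeter model: a source inside the corporate network (or on VPN) is
    trusted and reaches every application in the segment; outside is denied."""
    if ipaddress.ip_address(req.source_ip) in CORP_NET:
        return set(SEGMENT_APPS)
    return set()

def ztna_identity_policy(req: Request) -> set:
    """ZTNA model: access is decided per application from the user's roles;
    the source location does not enter the decision at all."""
    allowed = APP_ROLES.get(req.app, set())
    return {req.app} if req.roles & allowed else set()

def compare(req: Request) -> dict:
    """Evaluate one request under both models for side-by-side comparison."""
    return {"legacy": legacy_location_policy(req),
            "ztna": ztna_identity_policy(req)}

if __name__ == "__main__":
    # A sales user on the LAN asking for payroll: legacy exposes the whole segment.
    insider = Request("alice", frozenset({"sales"}), "10.1.2.3", "hr-payroll")
    # An HR user at home asking for payroll: legacy denies, ZTNA grants that app only.
    remote = Request("bob", frozenset({"hr"}), "203.0.113.7", "hr-payroll")
    for r in (insider, remote):
        print(r.user, compare(r))
```

Running it shows the insider case receiving the entire segment under the legacy model while ZTNA denies the one application outside the user’s role, and the remote case flipping the other way.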
Factors to consider when implementing SASE
SASE is in the early stages of its hype cycle as defined by Gartner, with mass adoption expected over the next several years. However, there are many ways to interpret the SASE architecture and thus many ways to approach it. Organizations should look beyond the sales pitch to understand a vendor’s full suite of offerings, its points of presence, and how the pieces interoperate. The road to SASE may resemble compliance with industry regulations or frameworks: there isn’t one security solution that, once deployed, checks every box. It may take multiple security products, policies, and procedures, and there are many different ways of accomplishing the end goal.
Overall, there are many options to consider. Some businesses may choose to stack security onto their existing network infrastructure, or source SD-WAN from their security vendor. Organizations lacking cybersecurity resources internally can outsource the management to an MSSP. Building a roadmap of upcoming network and security transformation initiatives and starting a proof-of-concept process to qualify SASE solutions early can help set up businesses for increased productivity, fewer risks, and simplified management.
Mary Blackowiak, lead product marketing manager, AT&T Cybersecurity