Secure access service edge (SASE) is a network architecture that combines WAN capabilities with cloud-native security functions like secure web gateways, cloud access security brokers, firewalls, and zero-trust network access. These functions are provided as a service by the SASE vendor. Users and equipment in a network are connected to a centralized cloud-based service. The term was coined by Gartner in the 2019 Networking Hype Cycle report. There is no set industry standard for SASE yet.
SASE: Edge and Cloud Computing
SASE is foremost a cloud-based approach to securing a WAN. Instead of having the network centered around the organization's central private data center, SASE puts the cloud at the center of the network.
This is particularly significant as organizations shift to software-as-a-service (SaaS) and other cloud-native applications. The network perimeter is expanding to encompass practically anywhere a network user is located. SASE can be used to secure a single, isolated user by putting security agents on their device.
Once users aggregate into groups at the network edge, such as in an organization's branch locations, a customer premises equipment (CPE) appliance may be needed as an onramp to the central cloud or the cloud's nearest edge data center. This onramp has enough intelligence to organize branch traffic and send it to the cloud, where the heavy lifting is done.
"In most cases, the heavy lifting of SASE is performed in the cloud," said Neil MacDonald, distinguished VP analyst at Gartner, in an interview with SDxCentral. "Some of the vendors, like Palo Alto, use AWS and Google Cloud Platform [GCP]. Other vendors like Zscaler or Netskope, [are] heavily investing in their own points of presence around the world, [and] their own data centers, not depending on what AWS, Azure, and GCP are doing."
Secure access is a key element of SASE architecture. Access privileges are enforced by policies based on user identities. Other pieces of information that inform policies include the location the user or group's traffic is coming from, the time of day, the risk/trust assessment of the user's device, and the sensitivity of the application or data being accessed.
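The identity-centric policy evaluation described above, as an added example that is not code from the article or any SASE vendor; the request fields, the allowed-country list, business hours and the three verdicts are constructed assumptions:

```python
from dataclasses import dataclass

# Constructed example of a SASE access decision. The inputs mirror the signals
# the text lists: user identity and group, where the traffic comes from, time
# of day, device risk/trust, and the sensitivity of the data being accessed.

@dataclass
class AccessRequest:
    user: str
    groups: frozenset
    country: str           # country the user's traffic originates from
    hour: int              # local hour of day, 0-23
    device_trust: str      # "managed", "compliant_byod", or "unknown"
    data_sensitivity: str  # "public", "internal", or "restricted"

ALLOWED_COUNTRIES = {"US", "DE"}  # constructed policy values
BUSINESS_HOURS = range(7, 20)

def evaluate(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' (require a second factor) or 'deny'.
    Rules run from most to least restrictive: data sensitivity first,
    then device trust, then location and time of day."""
    # Restricted data is only reachable by the owning group on a managed device
    if req.data_sensitivity == "restricted":
        if req.device_trust != "managed" or "finance" not in req.groups:
            return "deny"
    # Unenrolled devices never see anything beyond public data
    if req.device_trust == "unknown" and req.data_sensitivity != "public":
        return "deny"
    # Unusual location or off-hours access is permitted but needs step-up auth
    if req.country not in ALLOWED_COUNTRIES or req.hour not in BUSINESS_HOURS:
        return "step_up"
    return "allow"
```

The same user can get a different verdict for the same application depending on device state and context, which is the point of enforcing policy at the service edge rather than at a network boundary.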
The network security functions used in access management are secure web gateways (SWGs), cloud access security brokers (CASBs), firewalls, and zero-trust network access. These are examples of point solutions, which are dedicated to solving one problem.
SASE does not use point solutions, but rather a cloud-native software stack that performs all of these functions and more at once, running in parallel in different engines.
A SASE architecture enables end-to-end security, whether the source is a remote worker, a branch location, or a headquarters. Threat prevention capabilities inherent to SASE include encryption of all communications, firewalls, URL filtering, anti-malware, and intrusion prevention systems (IPS). These capabilities are available to all connected network edges across the globe.
Gartner describes SASE as delivering services and enforcing policies as needed, no matter where the entity requesting a service is located or what type of connection it has to the cloud.
According to the report, "The result is the dynamic creation of a policy-based, secure access service edge, regardless of the location of the entities requesting the capabilities and regardless of the location of the networked capabilities they are requesting access to."
SASE and SD-WAN
SASE combines an SD-WAN approach and security functionalities into one cloud-based service. A WAN in a SASE service is not the same as in an SD-WAN. A SASE vendor has a globally distributed network fabric that is made up of its own points of presence (PoPs). An alternative to the vendor's own fabric is to use a public cloud provider's PoPs.
SD-WAN features, like bandwidth optimization and traffic prioritization, are used by SASE. However, in an SD-WAN, virtualized devices spread throughout the WAN execute these features. In SASE, the cloud or a security agent on an end user's computer makes networking decisions, such as where to send different applications' traffic.
An element of SASE that sets it apart from SD-WAN is how it inspects traffic in an organization's network. Instead of using service-chained point solutions, as SD-WAN does, SASE runs all security functions at once in multiple policy engines that make up a cloud-native software stack.
"Let's say there's an attachment in a conversation stream," MacDonald said. "Now, you want to open up that attachment and inspect for sensitive data. That could be a point solution. But likewise, you might want to take that same content and inspect it for malware. That's another point solution. So what you start to realize is, if you're in these packets and in these attachments, why daisy chain a bunch of point solutions? It's just going to slow you down. Why go looking for patterns of goodness, and then jump to another point solution to look for patterns of badness? Why don't we do both at the same time? … Only open the conversation once and do all of the things that you need to do."
In other words, the functions that used to be executed by point solutions are integrated into one cloud-native software stack. And since the engines in the software stack are all from the same vendor, the data does not have to spend the time being sent back and forth between vendor products.
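The single-pass inspection idea from the quote and the paragraph above, as an added example that is not code from the article or any vendor's product: a constructed base64 attachment is opened once and handed to a DLP check and a malware-marker check running in parallel, while the daisy-chained variant opens it once per engine. The attachment contents, the card-number pattern and the malware marker are made up for the demo.

```python
import base64
import re
from concurrent.futures import ThreadPoolExecutor

# Constructed attachment: base64 text with a made-up card number and a
# made-up malware test marker (not a real signature).
ATTACHMENT_B64 = base64.b64encode(
    b"Invoice 42\nCard: 4111 1111 1111 1111\nCONSTRUCTED-MALWARE-TEST-MARKER\n"
).decode()

DECODE_CALLS = {"count": 0}  # instrumentation: how often the content is "opened"

def open_attachment(b64: str) -> bytes:
    """Decode the attachment; counted so the two inspection paths can be compared."""
    DECODE_CALLS["count"] += 1
    return base64.b64decode(b64)

# Two engines that would be separate point solutions in a service chain.
def dlp_engine(content: bytes) -> list:
    return ["sensitive_data"] if re.search(rb"\b(?:\d{4}[ -]?){3}\d{4}\b", content) else []

def malware_engine(content: bytes) -> list:
    return ["malware_marker"] if b"CONSTRUCTED-MALWARE-TEST-MARKER" in content else []

ENGINES = [dlp_engine, malware_engine]

def chained_inspect(b64: str) -> list:
    """Daisy-chained point solutions: each engine opens the attachment itself."""
    findings = []
    for engine in ENGINES:
        findings += engine(open_attachment(b64))
    return findings

def single_pass_inspect(b64: str) -> list:
    """Single pass: open once, then run every engine on the same bytes in parallel."""
    content = open_attachment(b64)
    with ThreadPoolExecutor(max_workers=len(ENGINES)) as pool:
        results = list(pool.map(lambda engine: engine(content), ENGINES))
    return [finding for result in results for finding in result]

def decode_count_for(inspect) -> int:
    """Reset the counter, run one inspection, and report how often content was opened."""
    DECODE_CALLS["count"] = 0
    inspect(ATTACHMENT_B64)
    return DECODE_CALLS["count"]
```

Both paths reach the same verdict; the difference the text describes is that the single-pass path decodes the content once regardless of how many engines are added.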