SASE explained: Definition, importance, and main benefits

Secure access service edge (SASE) is a cloud-based network architecture that merges a converged wide area network (WAN) with security-as-a-service technologies and delivers them in a single cloud service. The idea behind SASE is to provide users with smoother access to various applications regardless of their location or devices, all the while securing their connection with built-in security technology. SASE’s security features typically include a secure web gateway (SWG), zero-trust network access (ZTNA), cloud access security broker (CASB), and firewall-as-a-service (FWaaS).

The global research and consulting company Gartner introduced the concept of SASE in 2019, representing a new category in networking technology. SASE’s main competitive advantage is that both networking and security tools are delivered in a single platform. It helps streamline network access to users and boost system and application performance by reducing the number of outsourced IT services and support needed.

SASE works by bringing the edge closer to the user. In the context of a network, the edge is where the data or its traffic originates or is used. Traditionally, network traffic is routed through specific data centers operated by a company. However, the SASE model employs a number of globally distributed data centers called points of presence (PoPs). Having multiple data centers all over the globe lets users access the applications and resources they need regardless of where they are located. PoPs ensure low latency when processing data traffic and smooth access to resources because it implements the company’s IT policies at a location closest to the user. Thanks to using PoPs, SASE can support all types of edges: branch offices, remote workers, mobile users, and IoT devices.

Security technology is native to SASE’s cloud network, bringing the security edge closer to users and their devices. Thanks to the zero-trust architecture, SASE’s cloud network provides access to its resources based on user identity and continuous evaluation of the risks during their real-time connection. It means that when the user’s behavior, location, or IoT devices used to connect seem suspicious, the system can ask for re-authentication or limit the user’s access to the resources.

As a cloud service, SASE has combined multiple network and security features to provide effortless connection to businesses’ resources. However, keep in mind that SASE models built by different IT companies may differ in their built-in components. Let’s look into the most common features native to various SASE versions.

1. Software-defined wide area network (SD-WAN)

SD-WAN is a virtual (overlay) network built on the physical (underlay) network. It determines the best path to route internet traffic and to connect IT services with data centers and their remote branches. Thanks to SD-WAN’s architecture, it can launch apps and services with minimized latency and improve cloud connectivity.

2. Secure web gateway (SWG)

SWG helps to protect employees and businesses from cyber threats by scanning user-initiated internet traffic and preventing malicious websites and malware from entering the internal network. At the same time, SWG enforces the company’s security policies by blocking unauthorized user behavior and unsecure internet traffic.

3. Cloud access security broker (CASB)

CASB is a tool businesses use to ensure that after adopting cloud services, the company’s security and compliances remain intact and are not compromised. To fulfill this purpose, CASB detects and prevents malware infections, data leaks, and intrusions of shadow IT.

4. Firewall-as-a-service (FWaaS)

FWaaS is a cloud-based firewall that can replace or add another layer of security to on-premises hardware firewalls. FWaaS protects network traffic moving to and from cloud environments. Similarly to a physical firewall, FWaaS controls access to the network by filtering URLs and using intrusion prevention systems (IPS), as well as securing domain name systems (DNS).

5. Zero-trust network access (ZTNA)

ZTNA is a feature that separates internal resources from external networks and blocks unauthorized access. Built on a zero-trust model, it requires verification for every person and device trying to access a company’s resources on the network, even when an access request comes from within the network. With ZTNA, remote users can connect to the resources they need without being placed on the network, leaving the broader network inaccessible to potential threats.

6. Centralized management

SASE unifies the above-mentioned networking and security capabilities into one integrated cloud platform, helping organizations streamline their resource management and policies. Using this approach, businesses can achieve better visibility over their network and solve various issues in a more direct way.

Although networks have advanced enough to connect remote endpoints and run a smooth workflow, security and network traffic monitoring tools still need to adapt to the new models of cloud-based networking. What makes SASE a ground-breaking tool is that it brings security services closer to the users and the data they access, even when the users or data sources are remote. With SASE, all network endpoints are secured and managed in the same way as if they were part of an on-premise infrastructure. It’s a crucial improvement that helps organizations not to lose their competitive edge by moving towards a cloud-based working environment.

Using cloud services, SASE builds a secure network edge, allowing businesses to scale out their internal network and physical branches abroad efficiently and cost-effectively. This way, a seamless workflow is guaranteed for both on-premises and remote workers.

The major competitive advantage of SASE is allowing all its endpoints to be managed within the same security and networking frame in the cloud network. Because many industries are moving steadily towards hosting their applications and data in the cloud, centralized data centers lose their appeal and utility.

Let’s look into the benefits SASE can bring as a tool combining network and security functions.

• Reduced complexity and increased centralization. SASE unifies security and networking services into one cloud-native platform, reducing the number of individual IT solutions businesses typically need to utilize if they rely on physical data centers.
• Seamless access for users. Using SASE, companies can ensure their employees have secure access to company resources regardless of whether they’re working on company premises or remotely.
• Secure remote access. Security services play a crucial role in SASE’s architecture, bringing multiple security tools closer to the user. Solutions like SWG, CASB, and FWaaS efficiently protect a network running through PoPs.
• Zero-trust architecture. SASE verifies users’ identity even when they are trying to reach a company’s resources from inside the company’s network. The zero-trust security model considers factors such as user location, the time they try to connect, and the company’s security policy.
• Scalability and flexibility. SASE enables businesses to increase their demands for the network and its security according to the needs of the growing enterprise. Because SASE runs in a cloud, the network infrastructure can easily keep pace with the changing demands without sacrificing security or performance.

SASE is a fairly recently developed structure for businesses to use, which can become an obstacle to its practical implementation. The main purpose of SASE is to provide top-level security together with networking services. However, providers currently developing SASE come from either networking or security sectors and might lack expertise in the respective fields. As a result, some features may not be developed to their full potential or lack efficiency.

Though SASE can reduce the complexity of running a secure network, it’s itself a complex architecture to develop. As SASE is still in its early stages of development, the providers may fail to integrate its features seamlessly so that they wouldn’t work as a cluster of unrelated services.

Providers offering SASE’s services should also have an expansive global network to be able to connect far-away endpoints through the cloud edge. However, if providers fail to expand their network, SASE’s performance can be patchy and slow at locations far from the nearest Pop.

While SASE is a cloud architecture that integrates security and networking services, security service edge (SSE) is part of its architecture that focuses only on network security functions, namely FWAAS, SWG, ZTNA, and CASB. SSE is created to protect SASE’s network from cyber threats, apply necessary user verification procedures, and enforce company policies when accessing its resources.

In the modern business scene, when the workload shifts from physical data centers towards cloud services, more companies choose to house their sensitive data in the cloud rather than the businesses’ network. Merging SD-WAN with a number of security features in the same platform, SASE enables companies to offer secure and seamless access to its resources for employees regardless of their physical location. Using SASE, organizations can have better control over their internal resources and access to them. Cloud-based networks also allow for a smoother scaling of businesses, allowing them to increase their demands without risking impaired performance or security.