Secure Access Service Edge (SASE) is a network architecture that combines security with Software-Defined Wide Area Networking (SD-WAN) to create a single cloud service. It offers simplified WAN deployment, improved security and efficiency, and appropriate bandwidth allocation per application. Because it’s a cloud service, SASE is scalable and billed based on customer usage, making it a welcome option during these rapidly changing times.
Although vendors can offer hardware devices to connect at-home employees and corporate data centres to their SASE networks, most deploy SASE software clients or virtual appliances. Before we go that far, let’s cover the basics of SASE (pronounced “sassy”) and how it can benefit your business.
What Is SASE?
SASE is a network architecture that combines SD-WAN capabilities with enhanced security features, delivered as a single service. Custom security policies are created for each user’s session based on the entity’s identity and the ‘context’ of that connection.
This ‘context’ includes the behaviour of the device in use and the sensitivity of the data being accessed. SASE then applies the organisation’s security and compliance policies while conducting an ongoing assessment of the risks present during each session.
The WAN side of SASE hinges on the suite of features and capabilities supplied by SD-WAN. For example, the Securus Secure SD-WAN Service effectively becomes the WAN underlay service over which SASE applies its additional security overlay, simply, seamlessly and effectively.
Finally, the security component is dependent upon cloud-access security brokers, zero-trust network access, cloud secure web gateways, web-API-protection-as-a-service, DNS, firewall-as-a-service, and remote browser isolation. We will discuss these components in further detail.
Why Do Businesses Need SASE?
Users work with resources outside the enterprise network, which means they may access sensitive data via IaaS and SaaS services. The recent increase in work-from-home users and satellite branch offices has accelerated this trend. More and more users are accessing data through cloud services.
In simple terms, companies must secure their data everywhere, as cloud services and remote work centres distribute data beyond a centralised local data centre. Enterprises today have more users, devices, services, applications, and data in multiple cloud services. Now, data exists across the entire network and requires security at each endpoint.
When using a SASE converged network, businesses can maintain a proper security model that provides the needed security, privacy, and compliance requirements. Furthermore, because SASE is a cloud-based security service, it can be applied and managed centrally from anywhere.
SASE Architecture Overview
SASE pairs network security functions with enhanced WAN capabilities like SD-WAN to support the dynamic access needs of today’s organisations. SASE delivers this primarily through SaaS, and that delivery is based on the identity of each network entity, in real time, in accordance with company security and compliance policies.
SASE is a combined package of technologies such as SD-WAN, SWG, CASB, ZTNA, and FWaaS. Thus, it can identify sensitive data and malware and has the ability to decrypt content at line speed. Through all of this, it continuously monitors sessions and assesses risk and trust levels.
Next are some short descriptions of the main components of SASE and how they work.
SASE Edge, or the edge computing component of SASE, is most often delivered through PoPs or vendor data centres close to the endpoints, wherever they are located. Endpoints refer to the data centres, users, and devices within the network.
In some cases, the SASE vendor owns the PoPs. Other times, the vendor contracts with a third party or relies on the customer to provide its own connectivity.
The traditional WAN is comprised of dedicated hardware, which often requires a hefty financial investment. A SASE network is cloud-based, managed by software, and has distributed PoPs that, whenever possible, are located near enterprise data centres, branches, devices, and employees. Local PoPs ensure that as much traffic as possible accesses the SASE network locally, thus avoiding internet latency and security issues.
Through the SD-WAN service, IT support teams can monitor the health of their network and set policies for specific traffic requirements. Because internet traffic goes through the provider’s network first, SASE can detect and block dangerous traffic before it reaches the enterprise network.
Cloud Access Security Broker (CASB)
As more corporate systems migrate to SaaS applications, authentication and access processes become essential. Enterprises use CASBs to ensure their security policies are applied consistently. These policies apply even when the services they employ are outside their sphere of control.
With SASE, employees use the same portal to access their corporate systems as well as all their cloud applications, including CASB. This means traffic doesn’t have to be routed to a separate CASB service outside of the primary network.
Secure Web Gateway (SWG)
Currently, any business’s network traffic is rarely limited to a pre-defined perimeter. Modern work environments require access to outside resources. However, there are often compliance restrictions that deny employees access to specific sites. Furthermore, companies must block access to dangerous phishing sites and botnet command-and-control servers. People may try to use typically innocuous websites maliciously to steal sensitive corporate data.
Secure web gateways (SWG) protect networks from these threats. SASE vendors that offer this capability should inspect encrypted traffic at cloud scale. Bundling SWG with other network security services creates a more uniform set of security policies, making for more robust security and easier management.
Firewall as a Service (FWaaS)
As today’s environment becomes more distributed, end users, as well as computing resources, are located at the edge of the network. Employing a flexible, cloud-based firewall, delivered as-a-service, protects these edges. As edge computing grows and the Internet of Things (IoT) devices become smarter and stronger, this functionality will become all the more essential.
Delivering FWaaS as part of the SASE platform makes it easier for enterprises to manage their network security, spot irregularities, set uniform policies, and make changes quickly.
Zero Trust Network Access (ZTNA)
A relatively new approach, zero-trust network access enables granular visibility and fine control of systems and users accessing corporate services and applications. Moving to a SASE platform allows companies to get and utilise these new zero-trust capabilities.
A core element of zero-trust is that security is based on identity rather than an IP address. This makes it easily adaptable for a mobile workforce. However, it also requires added levels of authentication, such as multi-factor authentication and behavioural analytics.
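The difference between an IP-based decision and the identity-and-context decision described above can be shown with a small policy evaluator. This is an added example, not code from Securus or any SASE vendor; the field names, sensitivity labels, risk thresholds and sample sessions are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# Constructed example: field names, labels and thresholds are assumptions,
# not any vendor's policy schema.
SENSITIVITY = {"public": 0, "internal": 1, "restricted": 2}

@dataclass(frozen=True)
class Session:
    user: str                # authenticated identity
    groups: frozenset
    source_ip: str
    mfa_passed: bool
    device_compliant: bool
    risk_score: int          # 0-100, from behavioural analytics (assumed scale)

@dataclass(frozen=True)
class Resource:
    name: str
    allowed_groups: frozenset
    sensitivity: str

def ip_based_decision(session, trusted_prefix="10."):
    """Perimeter model: any client inside the office range is trusted."""
    return "allow" if session.source_ip.startswith(trusted_prefix) else "deny"

def ztna_decision(session, resource):
    """Identity and context model, evaluated on every request in a session."""
    level = SENSITIVITY[resource.sensitivity]
    if not session.groups & resource.allowed_groups:
        return "deny"                      # identity is not entitled
    if session.risk_score >= 70:
        return "deny"                      # behaviour looks compromised
    if level >= 1 and not session.mfa_passed:
        return "step_up_mfa"
    if level >= 2 and not session.device_compliant:
        return "deny"                      # unmanaged device, sensitive data
    if level >= 2 and session.risk_score >= 40:
        return "allow_isolated"            # e.g. via remote browser isolation
    return "allow"

# Constructed sample data: one remote finance user, one on-LAN sales user.
payroll = Resource("payroll", frozenset({"finance"}), "restricted")
remote = Session("alice", frozenset({"finance"}), "203.0.113.7", True, True, 10)
on_lan = Session("bob", frozenset({"sales"}), "10.0.4.22", False, False, 10)

if __name__ == "__main__":
    for s in (remote, on_lan, replace(remote, risk_score=85)):
        print(s.user, s.source_ip, ip_based_decision(s), ztna_decision(s, payroll))
```

The IP model blocks the entitled remote user and admits the unentitled on-LAN user, while the identity model reverses both outcomes and revokes access when the same session's risk score rises.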
5 Benefits of SASE
The following is a brief overview discussing five benefits of employing a SASE network architecture. You may find our related article 10 Benefits of SASE a useful resource.
1. Cost Reduction
With SASE, organisations can do away with the piecemeal model of physical and virtual appliances. Instead, they can leverage a single cloud-native solution. This eliminates the cost of those miscellaneous appliances and also reduces the cost associated with unneeded network complexity. SASE also removes the need for ongoing upgrades, patches, and network maintenance on these physical devices.
2. WAN Scalability
SASE can bring hyper-scalability and elasticity to WAN infrastructure. Traditional point solutions require excess time and resources to scale up and down, whereas a cloud-based SASE solution minimises the IT load and streamlines provisioning times. With SASE, IT can get a site online in minutes or hours rather than weeks. Also, less physical hardware means less maintenance downtime.
3. Ease of Management
One of the main SASE benefits is the ease of management. Cost and complexity do not grow at the same rate as with legacy WAN solutions. Because SASE management is a single cloud-based management application, it provides control over the entire service. IT doesn’t have to tend to maintenance tasks like software patches or hardware replacements.
4. Edge to Edge Security
By its very design, SASE solves the problem of securing and connecting the enterprise WAN in a simple, holistic way that increases performance. Network and security functions converge into a single multitenant cloud platform that strengthens security while improving performance.
5. Simplified Security Model
With legacy WAN solutions, including native SD-WAN, an enterprise must deploy additional security point solutions, which negates the possibility of holistic security and visibility. Often, even some cloud platforms require separate security solutions, which reduces needed network visibility.
SASE eliminates this problem by building security features like URL filtering, IPS, anti-malware, and firewalling right into the underlying network infrastructure. All edges, from physical sites, mobile sites, and on into the cloud, receive the same protection.
In summary, the SASE network architecture effectively combines SD-WAN and enhanced security into a single, easy-to-manage cloud service. With simplified WAN deployment and robust security, SASE is a powerful solution during this time of emerging technologies and rapid network expansion.
Secure SD-WAN With SASE
The Securus Secure SD-WAN solution can combine SASE with industry-leading performance, increased security and consistent SLAs. We provide SD-WAN services in a number of specific sectors, including finance, accountancy, retail and manufacturing.
We even offer a completely FREE demo.