Emerging Concept: Secure Access Service Edge

Key Takeaways

  • SASE is an emerging cloud security architecture that combines numerous networking and security functions into a single integrated cloud service

  • Increased load on networks and distributed remote workforces are increasing demand for SASE solutions

  • SASE can lower the cost and complexity of networking while improving the performance/latency of the network

What is SASE?

Today’s most common cloud architecture is the “hub and spoke” model that connects users in multiple locations (spokes) to applications and data hosted in centralized datacenters (hubs). Accessing those resources requires either a localized private network or a secondary network connecting to the primary network via secure leased line or VPN.

Some major trends we’re seeing today are increasing the burden on network links and introducing overwhelming latency to the ‘hub and spoke’ model. These trends include workloads moving to the cloud, an escalating number of devices accessing applications and data, and the more distributed nature of the workforce; all of these trends have only been accelerated by last year’s global health events.

Essentially, secure access to services needs to be everywhere, not just at the datacenter. This is where Secure Access Service Edge comes in. 

Secure access service edge, or SASE (pronounced “sassy”), is an emerging cybersecurity concept that Gartner first described in the August 2019 report “The Future of Network Security in the Cloud.” SASE is a security framework prescribing the convergence of security and network connectivity technologies into a single cloud-delivered platform to enable secure and fast cloud transformation. The SASE model consolidates numerous networking and security functions that are traditionally delivered in siloed point solutions into a single, integrated cloud service.

A SASE architecture identifies users and devices, applies policy-based security, and delivers secure access to the appropriate application or data. This approach allows organizations to apply secure access no matter where their users, applications or devices are located. SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.
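An added example (not from the original article or from Gartner) sketching the decision described above: access is decided from identity, device posture and a risk score that is re-checked during the session, never from source IP. The Request and Rule fields, the sample policy and the risk thresholds are hypothetical.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_managed: bool
    app: str
    source_ip: str   # kept for logging only; decide() never reads it
    risk: float      # 0.0 (trusted) .. 1.0 (hostile), from a hypothetical risk feed

@dataclass(frozen=True)
class Rule:
    app: str
    group: str
    require_managed: bool
    max_risk: float

# Constructed sample policy: defined centrally, enforced wherever the user connects.
POLICY = [
    Rule(app="crm", group="sales", require_managed=True, max_risk=0.5),
    Rule(app="wiki", group="staff", require_managed=False, max_risk=0.7),
]

def decide(req, policy=POLICY):
    """Default deny: allow only if a rule matches identity, posture and risk."""
    reason = "no matching rule"
    for rule in policy:
        if rule.app != req.app or rule.group not in req.groups:
            continue
        if rule.require_managed and not req.device_managed:
            reason = "device posture"
        elif req.risk > rule.max_risk:
            reason = "risk above threshold"
        else:
            return ("allow", f"{rule.group}->{rule.app}")
    return ("deny", reason)

def run_session(req, risk_samples, policy=POLICY):
    """Re-evaluate on each new risk sample and end the session at the first deny."""
    history = []
    for risk in risk_samples:
        verdict, _ = decide(replace(req, risk=risk), policy)
        history.append(verdict)
        if verdict == "deny":
            break
    return history
```
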

Old hub and spoke architectures can be replaced with SASE models

Gartner has predicted that “by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.” The reality is that SASE adoption has accelerated significantly in the last 18 months in part due to the pandemic forcing businesses to transform to a primarily remote workforce. 

What are the components of SASE?

SASE is really the convergence of several existing services into a single, cloud-delivered service model. It is important to understand that SASE architecture isn’t tied to any vendor or solution, and aims to provide the most flexible security infrastructure possible. The following security and network components make up the SASE architecture.

  • Secure Web Gateway (SWG) protects users from web-based threats in addition to applying and enforcing corporate acceptable use policies.

  • Firewall as a Service (FWaaS) for next-generation firewall (NGFW) capabilities to protect the network against a wide range of modern threats. An NGFW defends not only assets such as servers hosted in the data center, but also users who work on-site or connect via VPN.

  • Cloud Access Security Broker (CASB) for an additional layer of support to ensure network traffic between on-premises devices and cloud providers complies with an organization's security policies.

  • Zero Trust Network Access (ZTNA) solutions for seamless and secure connectivity to applications without placing users on the network, exposing applications to the internet, or relying on legacy solutions.

  • SD-WAN allows organizations to see and manage the data flows across all internet circuits and provides the ability to prioritize bandwidth to business-critical applications.



What is driving demand for SASE?

First, an example use case: A sales force needs greater efficiency and efficacy through mobility. The use of the Internet through public Wi-Fi can become a security risk. Therefore, accessing corporate business applications and data in a timely, secure manner is a challenge. A SASE framework provides the construct to maintain higher access speed and performance, while also enabling more stringent control of users, data, and devices traversing networks – regardless of when, where, and how they’re doing it.

As organizations seek to accelerate growth through use of the cloud, more data, users, devices, applications, and services are used outside the traditional enterprise premises, which means the enterprise perimeter is no longer a location. Despite this shift outside the perimeter, today’s network architectures are still designed such that everything must pass through a network perimeter and then back out. Users, regardless of where they are, must still channel back to the corporate network, often using expensive and inefficient technologies, only to go back to the outside world again, more often than not. This creates significant challenges in terms of service availability, user performance, and productivity.

There is also a trend of security moving to the cloud. This is driving a need for converged services to reduce complexity, improve speed and agility, and enable multicloud networking.

What are the benefits of SASE?

According to Gartner, implementing a SASE architecture would benefit enterprises by providing:

  • Lower costs and complexity – Network Security as a Service should come from a single vendor. Consolidating vendors and technology stacks should reduce cost and complexity.

  • Agility – Enable new digital business scenarios (apps, services, APIs), and data shareable to partners and contractors with less risk exposure.

  • Better performance/latency – latency-optimized routing.

  • Enable ZTNA – Network access based on identity of user, device, application – not IP address or physical location for seamless protection on and off the network.

  • More effective network and network security staff – Shift to strategic projects like mapping business, regulatory, and application access requirements to SASE capabilities.

  • Centralized policy with local enforcement – Cloud-based centralized management with distributed enforcement and decision making.

What is the state of the SASE market?

Gartner considers SASE to be a vision of a future secure networking model for enterprises to strive for; it’s not currently a reality from any vendor. Today, SASE is best represented by the convergence of cloud-managed SD-WAN and cloud-delivered security. McAfee and Cisco, for example, are both offering integrations of existing services to provide something close to SASE.

In general, the market is extremely young (the term was only introduced in 2019). Given the fact that SASE is largely the combination of existing services, this will be a major area of investment and development for the large incumbents of the cloud security industry, and we will see if any innovation can come from emerging startups in the future.