
Secure Access Service Edge (SASE)

Secure Access Service Edge, also known as SASE -- pronounced "sassy" -- is a cloud architecture model that bundles networking and security-as-a-service functions and delivers them as a single cloud service.

SASE lets organizations manage their networking and security tools from a single console and apply one set of policies regardless of where employees and resources are located. It requires little or no on-premises hardware: the provider uses the reach of its cloud to combine SD-WAN with network security functions delivered as a service, including:

  • firewall as a service (FWaaS)
  • secure web gateways (SWGs)
  • cloud access security brokers (CASBs)
  • zero-trust network access (ZTNA)

With the number of remote workers increasing, and organizations increasingly running applications in the cloud, SASE offers a convenient, agile, cost-effective and scalable cloud-delivered service for networking and security.

Organizations that want a more user-centric approach to managing their network would benefit from learning about SASE architectures. The adoption of cloud services, mobile workforces and edge networks is changing the way organizations consume network security. In the past, security was delivered by hardware appliances at fixed network locations, and the architecture was designed around those locations.

How does a SASE architecture work?

SASE platforms work by bundling multiple elements -- combining SD-WAN with network security services such as FWaaS, secure web gateways, cloud access security brokers, endpoint security and zero-trust network access. The result is a multi-tenant, multi-regional security platform whose behavior does not depend on where employees, data centers, cloud services or on-premises offices are located.

SASE does not rely on inspection engines hosted in the organization's data centers. Instead, the inspection engines run at a point of presence (PoP) near the client. A SASE client (a laptop or mobile device running a SASE agent, a device using clientless browser-based access, an IoT device, or branch office equipment) sends its traffic to the nearest PoP, which inspects it and forwards it -- to the internet, or across the SASE backbone to another PoP.

SASE services have four defining traits:

  • Global SD-WAN service. SASE uses an SD-WAN service with a private backbone that connects the PoPs hosting the security and networking software. Traffic between PoPs rides the backbone rather than the public internet, avoiding its latency and unpredictability; the public internet is used only for the last mile from the client to its nearest PoP and for the final hop from the egress PoP to internet destinations.
  • Distributed inspection and policy enforcement. SASE services don't just connect devices; they protect them. Inline TLS decryption for inspection and re-encryption afterward is table stakes. SASE services should inspect traffic with multiple engines that operate in parallel, such as malware scanning and sandboxing, and should provide other protections such as DNS-based filtering and distributed denial-of-service (DDoS) mitigation. Regional regulations, such as the General Data Protection Regulation (GDPR), should be enforceable through the SASE's routing and security policies -- for example, by keeping a user's traffic within PoPs in a given region.
  • Cloud architecture. SASE services should be built on cloud resources and architectures with no specific hardware requirements, and should process traffic in a single pass rather than chaining separate virtual appliances that each decrypt, inspect and re-encrypt it. The software should be multi-tenant to keep costs down and able to instantiate new capacity quickly for expansion.
  • Identity driven. Access decisions are keyed on the identity of the user and the device, plus context such as device posture, location and the network the device is on, rather than on the site or IP address the traffic comes from.

Advantages of using a SASE architecture

Ease of use. One management platform defines and enforces an entire organization's security policies, which simplifies operations. This is a major improvement for IT teams, enabling them to move from site-centric security to user-centric security.

Overall simplicity of the network. There is no need for complex and expensive Multiprotocol Label Switching (MPLS) circuits or dedicated network infrastructure between sites. The network is simpler, more maintainable and easier to consume -- regardless of where employees, data centers or cloud environments are located.

Offers enhanced network security. Effective implementation of SASE services can protect sensitive data and help mitigate a variety of attacks, such as man-in-the-middle interception, spoofing and malicious traffic. Leading SASE services encrypt traffic from all remote devices to the PoP, and apply more rigorous inspection policies when a device is on an untrusted network (such as public Wi-Fi). Privacy and data residency controls can usually be enforced more easily as well, by routing a user's traffic to PoPs in specific regions.
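The identity-driven trait described under how SASE works, and the context-sensitive inspection and region-pinned routing described in the paragraph above, reduce to a policy decision per flow: who is asking, from what device and network, for which application, and which PoP may carry the traffic. The following is an added illustrative model, not code from any SASE vendor or from the original page; the group names, application catalogue, inspection engine names, PoP names and latency figures are all constructed assumptions.

```python
"""Identity- and context-driven SASE policy decision (illustrative model, added example).

Not vendor code. Entitlements, inspection engine names, PoPs and latencies are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pop:
    name: str
    region: str        # residency region the PoP sits in, e.g. "EU" or "US"
    latency_ms: float  # round-trip time measured from the client (constructed values)


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset           # identity groups asserted by the IdP
    device_managed: bool        # enrolled in MDM and running the SASE agent
    device_posture_ok: bool     # disk encrypted, patched, EDR running
    network: str                # "corporate", "home" or "public_wifi"
    data_region: Optional[str]  # residency constraint on this user's data, None if none
    app: str                    # destination application


@dataclass(frozen=True)
class Decision:
    action: str                 # "allow" or "deny"
    pop: Optional[str]          # PoP that will inspect and forward the traffic
    inspection: tuple           # inline engines applied at that PoP
    reason: str


# Assumed entitlement catalogue: which identity groups may reach which apps.
APP_ACCESS = {
    "crm": frozenset({"sales", "it"}),
    "payroll": frozenset({"finance"}),
    "wiki": frozenset({"sales", "finance", "it", "engineering"}),
}
SENSITIVE_APPS = frozenset({"payroll"})          # managed devices only
BASE_INSPECTION = ("tls_decrypt", "malware_scan", "dns_filter")
EXTRA_INSPECTION = ("sandbox", "dlp")            # added on untrusted networks or devices


def select_pop(pops, data_region):
    """Pick the lowest-latency PoP, restricted to the residency region when one applies."""
    candidates = [p for p in pops if data_region is None or p.region == data_region]
    return min(candidates, key=lambda p: p.latency_ms) if candidates else None


def decide(req, pops):
    """Evaluate one flow against identity, posture and residency policy.

    Note that nothing here looks at the site or source IP the request came from:
    the same user on the same device gets the same decision from any location.
    """
    entitled = APP_ACCESS.get(req.app)
    if entitled is None:
        return Decision("deny", None, (), "unknown application")
    if not (req.groups & entitled):
        return Decision("deny", None, (), f"{req.user} is not entitled to {req.app}")
    if req.app in SENSITIVE_APPS and not req.device_managed:
        return Decision("deny", None, (), f"{req.app} requires a managed device")
    if req.device_managed and not req.device_posture_ok:
        return Decision("deny", None, (), "managed device failed posture check")
    pop = select_pop(pops, req.data_region)
    if pop is None:
        # Fail closed rather than silently egress from a non-compliant region.
        return Decision("deny", None, (), f"no PoP in required region {req.data_region}")
    inspection = BASE_INSPECTION
    if req.network == "public_wifi" or not req.device_managed:
        inspection += EXTRA_INSPECTION   # stricter inspection on untrusted paths or devices
    return Decision("allow", pop.name, inspection,
                    "identity, posture and residency checks passed")


# Constructed sample data: three PoPs and a few requests.
SAMPLE_POPS = (Pop("fra1", "EU", 18.0), Pop("lon1", "EU", 25.0), Pop("nyc1", "US", 9.0))

FINANCE_HOME = Request("alice", frozenset({"finance"}), True, True, "home", "EU", "payroll")
FINANCE_CAFE = Request("alice", frozenset({"finance"}), True, True, "public_wifi", "EU", "payroll")
FINANCE_BYOD = Request("alice", frozenset({"finance"}), False, True, "home", "EU", "payroll")
SALES_WIKI = Request("bob", frozenset({"sales"}), True, True, "corporate", None, "wiki")
ENG_APAC = Request("chen", frozenset({"engineering"}), True, True, "home", "APAC", "wiki")

if __name__ == "__main__":
    for r in (FINANCE_HOME, FINANCE_CAFE, FINANCE_BYOD, SALES_WIKI, ENG_APAC):
        d = decide(r, SAMPLE_POPS)
        print(f"{r.user:6} {r.app:8} {r.network:12} -> {d.action:5} pop={d.pop} {d.reason}")
```

Two design points worth noticing: the residency constraint is applied before latency, so an EU-bound user is steered to fra1 even though nyc1 is closer in the constructed data, and a user whose required region has no PoP is denied rather than routed elsewhere. The public Wi-Fi case is allowed but picks up the extra inspection engines, which is the behavior the advantages paragraph describes.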

Backbone and edge unification. SASE lets a single backbone be combined with edge services -- such as content delivery networks (CDNs), cloud access security brokers (CASBs), VPN replacement and edge networking. A provider can thus offer cloud connectivity, internet access, data center access, networking and security functions through a single service, consumed jointly by the networking, security, mobile, application development and systems administration teams.

Disadvantages of using a SASE architecture

Because SASE is an emerging category with varied vendor approaches, its drawbacks are not yet specific. Generally speaking, the most significant potential drawbacks are that IT teams give up the benefits of multisourcing -- choosing the best provider for each individual function, and spreading the risk of a vendor outage or compromise across several suppliers. With a SASE architecture, an organization risks a massive single point of failure (SPOF): because all networking and security functions are delivered as one service, a technical issue on the provider side can cut off connectivity and protection for every user at once.

Importance of SASE

As organizations increasingly adopt cloud services, many are quickly learning that network security isn't so simple. Traditional network security was built on the idea that traffic should be backhauled to a static corporate network where the necessary security services were located. This was the accepted model when the majority of employees worked from fixed office sites.

The concept of user-centric networks has changed the traditional network we once knew. Over the past decade, the number of people working remotely from home around the world has increased. As a result, the hardware-based security appliances we have depended on are no longer adequate for securing remote network access.

SASE lets companies define security services without being dictated by the whereabouts of company resources, with consolidated, unified policy management based on user identity.

This shifts the question from "What is the security policy for my site or my office in New York?" to "What is the security policy of the user?" This change creates a major shift in the way we consume network security, allowing companies to replace seven to 10 different security vendors with a single platform.
