What does SASE Mean? A No-Frills Guide to Cloud Network Security
Secure Access Service Edge, or SASE, is a cloud-based vision for enterprise network security. Although the term has existed for only two years, SASE has become the latest IT industry buzzword. But what is SASE, and is there substance behind the hype? Our no-frills guide will:
- Explain this new concept in cloud network security.
- Identify the trends pushing the industry towards SASE.
- Describe the security and network management benefits SASE offers.
Of course, such a young concept is still a moving target. We will help you understand why companies have not all jumped on the SASE bandwagon, and we will show you a way to get the immediate benefits of SASE’s Zero Trust Network Access capabilities.
Secure Access Service Edge is a framework that describes the future convergence of enterprise networking and security. This framework envisions a stack of security technologies implemented at the network’s edge as a SASE vendor’s unified cloud service. This approach to network access and security replaces the traditional model of building a corporate network inside a fixed, secure perimeter - a model which has become increasingly fragmented, brittle, and expensive due to the increasing prevalence of remote work, BYO devices, and use of cloud-based services.
As defined, SASE will be a cloud-first solution that can better handle remote workforces, hybrid workforces, and the growing role of cloud architectures in modern networking.
The five components of a complete SASE solution include:
- Software-Defined Wide Area Networking (SD-WAN)
- Firewall-as-a-Service (FWaaS)
- Secure Web Gateway (SWG)
- Cloud Access Security Broker (CASB)
- Zero Trust Network Access (ZTNA)
However, no vendor offers a complete, integrated SASE solution today. SASE is a technology forecast created in 2019 by analysts at the research and consulting firm Gartner. These analysts also coined the term Secure Access Service Edge and the “sassy” pronunciation of its acronym.
Put simply, the way we have always protected networks is failing. The concepts and technologies developed to protect centralized information assets have become too brittle, too expensive, and too difficult to manage. Modern network architectures must meet the challenges of such trends as:
Remote workforces: In the wake of the coronavirus pandemic, businesses must adjust to a new normal. Executives, outside salespeople, and field engineers are not the only ones who need remote access. On any given day, a significant number of users could be connecting from a hotel, coffee shop, or a home network.
Hybrid workforces: Increasingly, the users accessing company networks are not only employees but also on-demand gig workers, consultants, and contractors. To one degree or another, they all need secure access to company resources.
Unmanaged devices: Closely related to the previous trends is the adoption of bring-your-own-device (BYOD) policies. Users are connecting to company resources with devices over which network administrators have less control.
Cloud migration: Moving enterprise applications to the cloud improves accessibility, reliability, and performance. Yet, the cloud also makes administration more difficult. Each cloud hosting platform and X-as-a-Service provider has its own access control and security systems.
Threat environment: Cybercriminals are getting more sophisticated both in terms of technology and social engineering. Security professionals know that it is not a question of “if” you will be hacked — or even “when” you will be hacked — but whether cybercriminals are already on your network.
These trends will push companies to search for better solutions. At the same time, they will be pulled towards SASE’s promised benefits:
- Protect resources whether on-premises or in the cloud.
- Apply consistent, role-based access policies across all users.
- Simplify security management within a single system.
- Simplify network architectures while improving performance.
- Protect resources from outside attacks.
- Mitigate the damage from successful breaches.
Gartner believes this push and pull will lead nearly two-thirds of enterprises to have formal SASE strategies by 2025, up from only 10% last year.
The five capabilities that Gartner assigned to its SASE framework will let an organization push security enforcement and network management to the network’s edge.
SD-WAN technology provides a cheaper alternative to network hardware and carrier MPLS service. SASE vendors will maintain their own SD-WAN infrastructure and point of presence (PoP) networks. A company’s users, branch offices, corporate offices, and cloud resources will connect to their nearest PoP. All traffic then travels directly between PoPs on the SASE vendor’s backbone network or through encrypted internet tunnels.
Firewall-as-a-Service provides cloud-based access control, intrusion prevention, packet inspection, and other security features at the network edge. This virtual FWaaS approach makes it easier to protect both cloud-based and on-premises resources within the same system.
Users need access to the Web to get their jobs done. But users’ web traffic can be a vector for malicious code. Secure Web Gateways inspect all user traffic and block malware. The SWG can also enforce company security policies by, for example, implementing URL allowlists and denylists. Unlike hardware appliances, a SASE solution’s cloud-based SWG will work wherever the user connects to the internet.
Cloud service providers that offer security features make you use their systems and administrative consoles. These security features may not align with your own and, in many cases, will not integrate with your security stack. Cloud Access Security Brokers sit between your users and cloud service providers, allowing you to enforce uniform access control policies.
The traditional secure perimeter paradigm assumes that authenticated users can be trusted. VPN Gateways, for example, publish their presence on the internet and grant users full access to the networks they protect. RDP servers are also often visible on the internet and are notorious for attracting attackers seeking an entry point into a corporate network.
Zero Trust Network Access, on the other hand, assumes everything is a threat. All resources are hidden from both public and private networks. A deny-first philosophy assumes every connection attempt is an attack until proven otherwise. ZTNA only grants users access based on risk assessments that include user identification, role-based authorization, device-posture analysis, and context assessment.
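The contrast between the two models, as an added illustration that is not part of the original article: a perimeter-style decision grants network-wide reach on a successful login, while a deny-first ZTNA decision must pass identity, role, device-posture, and context checks and then covers only the single resource requested. The policy table, device attributes, and scenario are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    os_patched: bool

@dataclass(frozen=True)
class Request:
    user: Optional[str]   # None means no valid identity was presented
    roles: frozenset
    device: Device
    resource: str         # the single resource being requested
    country: str          # connection context (constructed: geo of source address)

# Constructed sample policy: which roles may reach which resource.
RESOURCE_ROLES = {
    "hr-db": frozenset({"hr"}),
    "git": frozenset({"engineering", "contractor"}),
}
ALLOWED_COUNTRIES = frozenset({"US", "CA"})

def vpn_decision(req: Request) -> Tuple[bool, str]:
    """Perimeter model: a valid login grants reach to every internal resource."""
    if req.user is None:
        return False, "login failed"
    return True, "full network access"

def device_compliant(d: Device) -> bool:
    return d.managed and d.disk_encrypted and d.os_patched

def ztna_decision(req: Request) -> Tuple[bool, str]:
    """Deny-first: refuse unless every check passes; a pass covers one resource only."""
    if req.user is None:
        return False, "unauthenticated"
    allowed = RESOURCE_ROLES.get(req.resource)
    if allowed is None:
        return False, "resource not published"  # unknown and forbidden names look alike
    if not (req.roles & allowed):
        return False, "role not authorized for resource"
    if not device_compliant(req.device):
        return False, "device posture check failed"
    if req.country not in ALLOWED_COUNTRIES:
        return False, "context check failed: location"
    return True, f"access to {req.resource} only"

# Constructed scenario: a contractor with a valid account on an unmanaged laptop.
CONTRACTOR = Request("alice", frozenset({"contractor"}),
                     Device(managed=False, disk_encrypted=True, os_patched=True),
                     "hr-db", "US")
```

The same contractor login that the perimeter model waves through is refused by the ZTNA check, and the returned reason tells the administrator which control fired.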
While Gartner’s analysts believe most enterprises will be migrating to SASE in a few years, their own research shows that only 10% of large firms are looking at it now. The reason is that SASE is very much a work in progress. As a result, companies must overcome barriers such as:
Industry fragmentation: Each of the five SASE components by itself is an emerging capability offered by different vendors. Those vendors betting on Gartner’s vision are either developing or acquiring the technologies they need, but none of them offer a full SASE stack built from the ground up.
Skills gaps: Few network professionals have experience with all five SASE components, which will make overseeing SASE migrations challenging. This is especially true for companies that do not want to be locked into a single-vendor solution.
Strategic priorities: Gartner unveiled its SASE vision months before a global pandemic. While the concept has generated industry buzz, executives have had more urgent priorities to address. At the same time, awareness and understanding of SASE among IT and security professionals is still low.
Uncertainty may be the biggest obstacle to SASE’s widespread adoption. Perhaps unsurprisingly, analysts at Gartner’s competitors have expressed skepticism about the concept. And companies considering SASE have many questions to answer:
- Will Gartner’s five components fully address the future of networking?
- When will vendors have fully-integrated SASE solutions?
- What will the final technologies look like and how will they interoperate?
Even Gartner itself has said that SASE is the “most-hyped term in networking.” When unveiling SASE, Gartner’s analysts advised companies to avoid long-term contracts due to “inconsistent services, poor manageability and high latency.”
So, should your company wait until the dust settles? Only if you have a complete handle on remote working, role-based access control, BYOD, and the other trends making networks so hard to secure. But last year’s rush to the remote workforce proved that the old ways of focusing on securing a fixed perimeter are failing fast.
Gartner’s SASE roadmap recommends that companies implement the elements of SASE that can have the most immediate impact.
- Start planning the transition from on-premises security appliances to cloud-based security services.
- Migrate branch offices from expensive carrier MPLS to cloud-based SD-WAN services.
But the first step Gartner advises is to replace VPN and other insecure access control technologies with Zero Trust Network Access. Requiring all users — regardless of their location — to go through ZTNA will immediately strengthen your organization’s threat posture. A phased implementation can focus first on your company’s most critical on-premises and cloud-based resources before rolling out to less sensitive systems.
While Gartner, the media, and the IT industry have made SASE the buzzword of the day, the underlying concept and lofty vision are sound. The old approach to securing corporate networks is failing as business networking becomes more decentralized. The future of network security may not match Gartner’s vision, but it will include:
- Software-defined perimeters that protect resources on-premises and in the cloud.
- Role-based, Zero Trust policies that give users least-privilege access to resources.
- Secure, performant connections to any device from any location.
Whether SASE is part of your company’s future or not, Twingate’s modern approach to securing remote work opens a fast, affordable path to implementing Zero Trust Network Access. Contact us to learn more.