SASE (Secure Access Service Edge, pronounced sassy /ˈsæsi/) is a network security service architecture introduced by Gartner in 2019. Gartner defines it as “an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic security access needs of digital enterprises.” In the diagram below, you can clearly see that SASE consists of two parts.
To put it simply, SASE is a converged service of network and network security.
Background
In fact, before Gartner defined SASE, several services close to the SASE concept were already on the market, such as Cato Cloud from Cato Networks, Zscaler's ZIA (Zscaler Internet Access) and Prisma Access from Palo Alto. They all rely on a powerful edge cloud of globally distributed PoPs to provide customers with secure, reliable and good network access to SaaS services. Zscaler’s cash cow product ZIA is mainly a Secure Web Gateway (SWG) SaaS service, which can provide unified security protection for all offices and visitors anywhere and reduce enterprise investment in network security construction. These emerging services meet the needs of enterprises in the cloud computing era. Demand for them has grown rapidly, especially during the pandemic, and they are now widely used around the world.
Why have these access services developed rapidly? The driving factor behind the market is mainly the digital transformation of enterprises.
Features of digital enterprises:
- Compared with the traditional enterprise Intranet, users use more external networks to complete their work.
- Compared with workloads of datacenters, digital enterprises use more workloads running in IaaS.
- Compared with the applications in enterprise infrastructure, digital enterprises use more SaaS-based applications.
- Digital enterprises store more sensitive data in cloud services.
- More user traffic and branch traffic flow to the public cloud in digital enterprises.
The digital transformation of enterprises has changed the direction of enterprise traffic, and this change requires their network security architecture to change accordingly. The three demands below, which arise from this transformation, make the emergence of SASE inevitable.
Tremendously growing demand for applications and services on the cloud
The digital transformation of enterprises requires access to applications and services anytime and anywhere, and the pandemic has accelerated this trend. It can be predicted that enterprise data centers will exist for a long time, but their share of traffic will gradually shrink compared with the cloud. The network and security designs that focused on data centers in the past are gradually becoming out of date.
SASE has the inherent network advantage of connecting assets and applications on the cloud, and the features of SD-WAN give it better multi-cloud and multi-data center connectivity. The security capability of SASE is concentrated in the SASE Cloud, which reduces the burden of security construction in multi-data center and multi-cloud environments.
Growing demand for edge computing
Enterprise demand for distributed edge computing is growing, as is the need for systems and devices with low-latency access to local storage and computing. With the advent of 5G, the need for edge computing is accelerating.
The edge feature of SASE meets the needs of edge computing. PoPs are built as close as possible to the customer side so that customers reach a high-quality SASE network as soon as possible, which accelerates access and at the same time gives customers the full-stack security capabilities on the cloud.
Growing demand for mobile office
The pandemic has caused explosive growth in mobile working. Employees, partners, and agents all need to access enterprise applications from outside the enterprise, and a traditional VPN can only meet a small part of that need. When the workforce is complex and the number of people continues to grow, VPN is no longer the optimal solution. Enterprises need secure and efficient mobile working solutions. SASE can manage enterprise mobile terminals and allow mobile workers to access SASE nearby. On the one hand, this speeds up their access to applications; on the other hand, they benefit from a variety of security protections, such as data leakage prevention and malicious website filtering.
Four Key Features of SASE
Prefer cloud to branches
The biggest feature of the SASE model is that it prefers the cloud to branches: security and network capabilities move up into the cloud, and unified cloud delivery reduces the burden of IT construction and maintenance. SASE Cloud provides various security capabilities such as identity authentication, deep packet inspection, threat prevention and data leakage prevention. It also has network capabilities such as WAN optimization. On the ground, only a lightweight SD-WAN CPE deployment is needed to direct traffic to the cloud security services.
Edge cloud service
As traditional SaaS services have fewer service nodes, enterprises often encounter greater business delays when using them. SASE is an edge cloud service, with multiple nodes and global distribution as a major feature. Users can access PoPs nearby, and each PoP provides the same secure network capabilities. SASE allows enterprise traffic to get the best security protection without taking a detour.
Identity-driven
The key to SASE’s security capabilities is access control. Relying on Zero Trust Network Access (ZTNA), SASE makes intelligent routing and access-permission decisions based on contextual information such as users, devices, applications, and access records.
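A minimal sketch of such a context-based decision, added here as an illustration and not taken from any SASE product. The policy table, application names, attribute names and thresholds are all assumptions, and the sample requests are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user_groups: frozenset   # user context: groups the identity belongs to
    device_managed: bool     # device context: enrolled in device management
    device_patched: bool     # device context: passes the posture check
    application: str         # application being requested
    failed_logins_24h: int   # access records: recent failed sign-ins
    new_location: bool       # access records: location not seen before

# Constructed per-application policy (hypothetical names and values).
POLICY = {
    "hr-portal": {"groups": {"hr"}, "managed_only": True},
    "wiki": {"groups": {"hr", "engineering"}, "managed_only": False},
}
MAX_FAILED_LOGINS = 3  # assumed threshold

def decide(req: Request) -> tuple[str, str]:
    """Return (action, reason). Anything not explicitly permitted is denied."""
    rule = POLICY.get(req.application)
    if rule is None:
        return "deny", "application not published"
    if not req.user_groups & rule["groups"]:
        return "deny", "user not entitled to application"
    if rule["managed_only"] and not req.device_managed:
        return "deny", "unmanaged device"
    if not req.device_patched:
        return "deny", "device fails posture check"
    # Identity and device are acceptable, but the access history is unusual:
    # ask for stronger authentication instead of granting access outright.
    if req.failed_logins_24h >= MAX_FAILED_LOGINS or req.new_location:
        return "step_up", "unusual access history"
    return "allow", "all context checks passed"

def sample_decisions() -> list[str]:
    """Evaluate a few constructed requests and return the resulting actions."""
    hr, eng = frozenset({"hr"}), frozenset({"engineering"})
    samples = [
        Request(hr, True, True, "hr-portal", 0, False),
        Request(eng, True, True, "hr-portal", 0, False),
        Request(hr, False, True, "hr-portal", 0, False),
        Request(eng, False, True, "wiki", 0, False),
        Request(hr, True, True, "hr-portal", 5, False),
        Request(hr, True, True, "payroll", 0, False),
    ]
    return [decide(r)[0] for r in samples]

if __name__ == "__main__":
    print(sample_decisions())
```

The same user and application can produce different outcomes depending on device state and access history, which is what distinguishes this model from a static network ACL.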
Cloud native
SASE’s PoPs are cloud native. Their elastic expansion, global distribution, easy replication, and fast iteration all derive from this.
What Is the Relationship Between SASE and SD-WAN?
SD-WAN (Software-defined Wide Area Network) applies SDN technology to the wide area network. It solves the problem of network connectivity, and at the same time offers orchestration and efficient operation and maintenance management.
When it comes to the relationship between SASE and SD-WAN, SD-WAN should be considered an optional infrastructure for SASE network services. The so-called secure SD-WAN solution is also different from SASE. That solution is more about adding a firewall in front of on-premises SD-WAN, or adding IPS, ACL and other functions to the SD-WAN box. It still focuses on on-premises security, while SASE focuses on the cloud, with the intention of holding as many security capabilities as possible there.
Conclusion
Under the wave of digital transformation, the network security architecture around the traditional data center is no longer suitable for enterprise development. Digital enterprises need more integrated, concise and intelligent IT construction solutions that adapt to the cloud era.
SASE has changed the traditional application access and security protection model, and can greatly improve the convenience and security of users’ access to various services in a mixed environment. It was born for the digital transformation of enterprises, and its service architecture, which focuses on the cloud rather than the local end and is edge-based and decentralized, can better adapt to the IT construction needs of enterprises undergoing digital transformation. Its all-in-one network security capability can solve the practical problems faced by a large number of enterprises in the cloud era.