The Core Components of SASE
Not all businesses understand what exactly Secure Access Service Edge (SASE) means – whether it is a set of products or services, a comprehensive system, or simply a concept and methodology. Let’s figure out the answer and dwell on how big the marketing component of the SASE hype is, what benefits such solutions and services bring to customers, and who should be responsible for their functioning.
What is SASE?
Originally introduced by IT research giant Gartner, the term SASE denotes a convergence of Network as a Service (NaaS) and Security as a Service (SaaS) paradigms. The transition to remote work and the growing popularity of cloud services have rendered the traditional security model ineffective. SASE services bring security closer to the end-user and allow almost unlimited scalability.
In plain words, SASE is a combination of network and security services. From a networking perspective, it allows you to optimize data transfer and redirect traffic in a frictionless way. From a security viewpoint, it all depends on the location of the resources the user is accessing. Edge computing services operate beyond traditional enterprise security mechanisms and safeguard users as they connect to the cloud from anywhere in the world.
SASE plays a major role in accelerating the use of cloud resources. It familiarizes InfoSec and IT professionals with the technologies that make working with cloud services convenient and safe.
It is worth noting that besides Gartner, other analytical agencies (e.g., Forrester) have also proposed architectures with cloud-based security features at their core. Operating in concert with improved access techniques, these services provide users with all the layers of protection they need.
Gartner coined the fancy term to delimit the direction in which the telecommunications industry has been moving for a long time. It is a synergy of three domains: networks and backbones, cloud data centers, and security services.
Experts note that SASE is not a separate product. It is a set of solutions that can be combined to fully meet a customer’s needs. An example of edge security services in action could be a situation where a company’s employee moves to another country or region. When connecting to the point of presence (PoP) at the new location, they will get high-quality routing and quick access along with all the necessary security services.
Many companies have not considered giving SASE solutions a shot yet. One of the factors inhibiting adoption is customers’ lack of confidence in cloud security technologies as such. To a large extent, this distrust stems from the following factors:
- Regulatory pressure.
- Resistance of security professionals who are afraid to transfer some of their functions to the cloud.
- The focus of many companies is on the domestic rather than the global market.
To recap, SASE is not a product or a technology, but rather a concept and a strategy largely bolstered by marketing.
Gartner lists 25 elements that may be included in such a solution. In this regard, many experts wonder whether SASE can be considered full-fledged if some of these components are missing.
Several core entities make up the SASE stack. These are SD-WAN, Secure Web Gateway, Cloud Access Security Broker (CASB) solutions, Firewall-as-a-Service (FWaaS), and a zero trust access system. A series of other tools, such as data loss prevention (DLP) mechanisms, sandboxing, browser-based isolation of web applications and pages, and Wi-Fi segment protection, are optional and can be purchased by the customer as needed.
Looking at SASE from the angle of customer needs, three key services should be implemented:
- Data protection, both within the cloud and in transit between services.
- Secure access based on cloud technology.
- Local points of presence (PoPs) that meet regulatory requirements.
There is no such thing as a solution that fully and unconditionally meets all SASE requirements. Some vendors are stronger in networking technologies, while others are focused on security. Therefore, it is necessary to proceed from the client’s objectives, selecting the necessary configuration of the Secure Access Service Edge for them.
A key element of SASE that sets this concept apart from other access systems is the presence of zero trust network access (ZTNA) services. They are a decent alternative to the use of a firewall and can be accessed from anywhere around the globe thanks to the cloud.
Another common question is whether a virtual private network is an inherent part of SASE. The fact is that remote-access VPN tools are usually part of the unified threat management (UTM) gateways that Secure Access Service Edge services implement.
A transition to the SASE philosophy does not imply abandoning endpoint protection systems and traditional means of securing an organization’s perimeter. What’s the point of leveraging another secure access service then?
The ratio of employees working in the office to those connecting to enterprise resources from home has changed dramatically since early 2020. Unsurprisingly, companies’ security teams have to deal with a new category of devices – home computers and laptops, which are often less well protected and susceptible to various cyber-attacks. This is why the ideology of edge services is relevant at the moment.
Who Should Deploy and Maintain SASE?
An important factor that affects the success of SASE implementation is the distribution of roles for the operation and configuration of such a system. The management of SASE solutions is typically the responsibility of IT specialists, who also configure VPNs and firewalls in most companies.
When it comes to the benefits of harnessing this technology, economic factors come to the fore. The game-changing advantage of the concept is the ability to quickly provide new offices, stores, and other enterprise locations with secure access to cloud and corporate resources.
Companies from the retail sector or any other businesses with a large number of relatively small branches get the most mileage out of SASE. It is particularly convenient to use edge security services if the number of outlets is constantly changing, as is the case with businesses that frequently close and open stores.
The SASE concept is a little closer to information technology than to security. At the same time, experts emphasize the importance of cooperation between an organization’s IT and security departments. The former ensures network connectivity, remote connectivity, and seamless access to applications, while the latter controls access security as well as compliance with policies and corporate standards.
What is the SASE Provider Responsible for?
All solutions have service-level agreements (SLAs) that specify cloud availability parameters and compensation for failure to meet them. Providers also disclose the networking technologies and data processing rules they use. In addition, there is a logging system and the option for a third-party company to evaluate the reliability of the service. In some markets, there are contractual penalties for downtime.
Before opting for a managed SASE service, organizations should familiarize themselves with the vendor’s data disclosure policy that specifies what kind of information may be handed over to law enforcement agencies or other authorities officially vested with the right to request it. Another important question to ask is how the provider ensures the effectiveness of its security features. One more thing on the checklist is to gain insights into the advantages of using the vendor’s cloud-based secure access services over deploying similar on-premises systems.
SASE Implementation Peculiarities
Organizations that choose to take their security a step further with SASE often face a dilemma: to opt for a “turnkey” solution from a vendor or try to implement these principles on their own. Both options have their pros and cons. The former is easier, but the price tag and the possible redundancy of features discourage some customers from jumping on the hype train. The latter is more cost-efficient and can be better suited to a specific company’s digital ecosystem, but it requires a decent level of in-house tech expertise.
Assuming that your IT team has the right qualifications, let’s dwell on a tool-driven mechanism of putting the SASE model into practice. First, you’ll need to implement SD-WAN between the central office and the branches. This technology offers exceptional networking flexibility by supporting multiple WAN transport services, such as Multiprotocol Label Switching (MPLS), broadband Internet, and LTE or 5G mobile connections. Unlike classic WAN, it doesn’t backhaul web traffic from branches to the enterprise data center and thus drives the performance of cloud applications to the maximum.
Now that you have established seamless cloud-centric connectivity across your corporate infrastructure, you must bridge the security gap. To fortify all connections, you can leverage a Secure Web Gateway, a web application firewall (WAF), sandboxing, CASB, DLP, and VPN. Think of a combo that fits the context of your network the most. Implementing the zero trust policy will put the finishing touches to your SASE deployment. Perform network segmentation and accurately align the privileges of users and devices with their roles in the enterprise environment.
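As an added example that is not part of the original article, the following Python sketch models that final zero trust step: a deny-by-default access decision that combines network segmentation, role-aligned privileges and device posture, with the PoP the user came through recorded but never trusted. The segment names, roles, posture levels and sample requests are all constructed for illustration.

```python
"""Deny-by-default ZTNA policy evaluation (added example, not from the article).

Every access request is evaluated against segment, role and device posture;
the PoP the user connected through is logged but grants no implicit trust.
All names and sample data below are constructed.
"""
from dataclasses import dataclass

# Constructed segmentation: each protected resource lives in exactly one segment.
SEGMENTS = {
    "crm.internal": "corp-apps",
    "pos-db.internal": "retail-pos",
    "hr-files.internal": "hr",
}

# Constructed role policy: segments a role may reach and the minimum device
# posture required. Any role, segment or resource not listed here is denied.
ROLE_POLICY = {
    "store-manager": {"segments": {"corp-apps", "retail-pos"}, "min_posture": "managed"},
    "cashier": {"segments": {"retail-pos"}, "min_posture": "managed"},
    "hr": {"segments": {"corp-apps", "hr"}, "min_posture": "compliant"},
}

# Ordered posture levels; an unrecognised posture ranks lowest.
POSTURE_RANK = {"unknown": 0, "managed": 1, "compliant": 2}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device_posture: str   # "unknown", "managed" or "compliant"
    resource: str
    pop: str              # point of presence the user connected through


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for one access request, deny by default."""
    segment = SEGMENTS.get(req.resource)
    if segment is None:
        return False, "unknown resource"
    policy = ROLE_POLICY.get(req.role)
    if policy is None:
        return False, "unknown role"
    if segment not in policy["segments"]:
        return False, f"role {req.role} may not reach segment {segment}"
    if POSTURE_RANK.get(req.device_posture, 0) < POSTURE_RANK[policy["min_posture"]]:
        return False, f"device posture {req.device_posture} below {policy['min_posture']}"
    return True, f"allowed via {req.pop}"
```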
The traditional security model is focused on fortifying the network perimeter by means of firewalls and various antimalware tools. Essentially, this approach revolves around preventing external threats from infiltrating an organization’s digital environment. Nowadays, this security philosophy is becoming obsolete, as more users need to access their companies’ critical applications and data from different locations and devices.
On-premises data centers are no longer the pivots of network traffic as corporate applications are increasingly migrating to the cloud, and the use of conventional routers doesn’t get along with the ubiquity of cloud services very well, to put it mildly.
SASE appears to be the silver bullet in the paradigm of dissolving security perimeters. It ensures high performance of web applications and outstanding flexibility in terms of the supported connection types. Importantly, it also facilitates the implementation of security policies and new quality of service (QoS) specifications throughout a geographically distributed enterprise network to ramp up any organization’s defenses against unauthorized access.