Secure Access Service Edge (SASE) – defined by Gartner – is a security framework that delivers converged network and security as a service capabilities, including SD-WAN, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Network Firewall (NGFW), and Zero Trust Network Access (ZTNA). SASE supports branch office, remote worker, and on-premises secure access use cases. It is primarily delivered as a service and enables zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.
As organizations seek to accelerate growth through use of the cloud, more data, users, devices, applications, and services live outside the traditional enterprise premises, which means the enterprise perimeter is no longer a location. Despite this shift, network architectures are still designed so that everything must pass through a network perimeter and then back out. Users, regardless of where they are, must still be channeled back to the corporate network, often over expensive and inefficient technologies, more often than not only to go back out to the outside world again. This creates significant challenges in terms of service availability, user performance, and productivity. As we’ll explain, a SASE framework addresses these challenges.
Because network architectures remain stuck in this mode, organizations must change how they approach security and risk management. Environmental coverage, including visibility and control, is easily lost when users, devices, and data are created and stored virtually everywhere.
Gartner’s SASE model is a comprehensive framework for enabling secure and fast cloud transformation based on a suite of dynamic edge security and connectivity capabilities delivered when needed as a service from the cloud.
The SASE framework provides for the dynamic creation of a policy-based secure access service edge, regardless of the location of the entities requesting the capabilities and regardless of the location of the networked capabilities they are requesting access to. On the security side, SASE prescribes a converged offering that delivers unified threat and data protection capabilities. This converged service is based on a low-latency, ubiquitous footprint that sits close to the user, wherever they are.
How SASE works
Secure Access Service Edge (SASE) merges network traffic and security priorities, ubiquitous threat and data protection, and ultra-fast, direct network-to-cloud connectivity. While SASE used to mean trading speed for control, improved technology now offers businesses both speed and control. The SASE framework is designed to let enterprise security professionals apply identity and context in order to specify the exact level of performance, reliability, security, and cost desired for every network session. Organizations using the SASE framework can realize increased speed and achieve greater scale in the cloud while addressing the new security challenges inherent in these cloud environments.
An example: a sales force needs greater efficiency and efficacy through mobility. Using the Internet over public Wi-Fi can become a security risk, so accessing corporate business applications and data in a timely, secure manner is a challenge. A SASE framework provides the construct to maintain higher access speed and performance while also enabling more stringent control of users, data, and devices traversing networks – regardless of when, where, and how they’re doing it.
Benefits of SASE
Meeting the challenge of implementing a SASE architecture would benefit enterprises by providing:
- Lower costs and complexity – Network Security as a Service should come from a single vendor. Consolidating vendors and technology stacks should reduce cost and complexity.
- Agility – Enable new digital business scenarios (apps, services, APIs) and share data with partners and contractors with less risk exposure.
- Better performance/latency – latency-optimized routing.
- Ease of use/transparency – Fewer agents per device; less agent and app bloat; a consistent application experience anywhere, on any device. Less operational overhead, because updates for new threats and policies require no new hardware or software; quicker adoption of new capabilities.
- Enable ZTNA – Network access based on the identity of the user, device, and application – not on IP address or physical location – for seamless protection on and off the network; end-to-end encryption. Extended to the endpoint with public Wi-Fi protection by tunneling to the nearest Point of Presence (POP).
- More effective network and network security staff – Shift to strategic projects like mapping business, regulatory, and application access requirements to SASE capabilities.
- Centralized policy with local enforcement – Cloud-based centralized management with distributed enforcement and decision making.
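As an added illustration (not code from the original page or from any SASE product) of the ZTNA decision described above, where identity and device posture decide access rather than IP address or location, and of one centrally defined policy being enforced locally at each POP: a small Python policy evaluator using hypothetical application names and groups.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Session:
    """One access request as a SASE POP would see it (constructed fields)."""
    user: str
    groups: frozenset          # identity attributes asserted by the identity provider
    device_managed: bool       # device posture reported by the endpoint agent
    device_patched: bool
    app: str                   # private application or SaaS being requested
    source_ip: str             # carried for logging only; never consulted by decide()

# Centrally defined policy, pushed to every POP for local enforcement.
# Hypothetical apps and groups; anything not listed is denied by default.
CENTRAL_POLICY = {
    "crm":  {"groups": {"sales"}, "managed": True,  "patched": True},
    "wiki": {"groups": {"staff"}, "managed": False, "patched": False},
    "hr":   {"groups": {"hr"},    "managed": True,  "patched": True},
}

def decide(session: Session, policy=CENTRAL_POLICY):
    """Return (verdict, reason). Identity and posture drive the decision;
    source IP and physical location play no part."""
    rule = policy.get(session.app)
    if rule is None:
        return ("deny", "unknown application")
    if not (session.groups & rule["groups"]):
        return ("deny", "identity not entitled to application")
    if rule["managed"] and not session.device_managed:
        return ("deny", "unmanaged device")
    if rule["patched"] and not session.device_patched:
        return ("deny", "device posture check failed")
    return ("allow", "identity and posture satisfy policy")

def location_independent(session: Session, policy=CENTRAL_POLICY) -> bool:
    """True when the same principal gets the same verdict from the corporate
    LAN and from a public hotspot (constructed example addresses)."""
    on_lan = decide(replace(session, source_ip="10.0.0.5"), policy)
    on_wifi = decide(replace(session, source_ip="198.51.100.7"), policy)
    return on_lan == on_wifi

if __name__ == "__main__":
    s = Session("alice", frozenset({"sales", "staff"}), True, True, "crm", "198.51.100.7")
    print(s.user, s.app, decide(s), "location independent:", location_independent(s))
```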
SASE represents the best way to achieve a direct-to-cloud architecture that doesn’t compromise on security visibility and control, performance, complexity, or cost. Speed without compromising security.
What’s the difference between SSE and SASE?
Security Service Edge (SSE) adds value to a comprehensive Secure Access Service Edge (SASE) strategy by providing the security service edge essentials for web, cloud services, and private applications. SASE delivers networking and security as a cloud service at the point of connection rather than at the data center. SSE paired with SD-WAN provides the path to a complete SASE platform that includes cloud-delivered network security services.