Technologies and buzzwords come and go, but, in technology terms, some often make the cut and go into the big league. Think of cloud computing 20 years ago, or zero trust around 5 years ago. Today everyone is just gushing over it and calling it the next battleground and the tool for the growth and transformation of their business. Just like them, there is a new buzzword out there, that is claiming to change security like anything. (Pronounced SASSY) SASE is the latest fad to get viral status, with multiple tech forums calling 2023 the year when it finally takes off. So what is SASE all about? This blog post will help to unravel this for you.

What is SASE?

This was first described by Gartner in the August 2019 report The Future of Network Security in the Cloud and expanded upon in their 2021 Strategic Roadmap for SASE Convergence.

Gartner defines SASE as

“The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises”

Simply put, SASE is a combination of network and security.

You can also check out this white paper to understand SASE in detail.

The MEF white paper describes SASE as:

“A service connecting users (machine or human) with their applications in the cloud while providing connectivity performance and security assurance determined by policies set by the Subscriber.”

Why do we need such SASSY products?

Consider the traditional mode of working, employees were given a corporate device and they could connect only from the office. Few employees were given a laptop where they could connect from home and for that purpose, they used to dial into the corporate network and authenticate themselves. This central authority who validated the remote employees validated the employee credentials and allowed access to the corporate network. So far, so good. Enter the cloud and covid and everyone wants to work from home and access from every possible device you can imagine. Imagine the load on the central authority to validate all such employees and ensure that security is taken care of from that same laptop that was used to access a malicious website around 2 minutes back!

Existing technologies can’t simply handle the load. Employees had reported slowness issues in accessing the VDI environment, and VPNs and CISOs literally had sleepless nights over production environments being accessed from personal devices.

While a new approach to handling work from anywhere in a secure manner was being discussed way back in 2016, it was Covid, that finally made the CEO of the companies discuss it. There was an overnight acceleration in ensuring secure work from home.

With an increase in remote users and software-as-a-service (SaaS) applications, data moving from the data center to cloud services, and more traffic going to public cloud services and branch offices than back to the data center, the need for a new approach for network security had risen.

Enter SASE.

SASE is the convergence of wide area networking or WAN, and network security services like CASB, FWaaS, and Zero Trust, into a single, cloud-delivered service model. According to Gartner, “SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies, and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems, or edge computing locations.”

I just love when there is a combination of so many fancy terms that simply bounce over my head. ( If you feel the same, give a shout-out).

Let’s Untangle this

Let’s look at the problem that SASE is trying to solve. Hopefully, you will understand and appreciate this analogy. Do you watch Netflix ( or say any OTT)? ( Hopefully, you said yes). When you log in to your account from any device, you are redirected to the nearest AWS server or Open connect. Imagine if every video was streamed from a central location and every user had to be first authenticated to connect to their network.

As enterprises move towards digital transformation and the cloud, more and more applications are being hosted on the cloud, does it really make sense to have a central authority to allow authentication? Hold on, I know, what are you thinking? All those security measures, how would they work?

Some would call SD-WAN to the rescue.

(What the heck is SD-WAN now?)

SD-WAN provides seamless connectivity between customer sites using both MPLS and the internet. It does so by creating an overlay network over the underlay network ( MPLS or internet).

As more and more applications move to the cloud, it makes no sense to route all traffic to the central authority for validation. SD-WAN puts intelligence in the WAN by identifying applications and becoming application-aware. By doing so, it routes internet traffic from the traditional MPLS and helps reduce latency, and provides the best experience to the users.

However, SD-WAN basically shifts the security checks from the central authority to local branch offices. It knows how to route traffic intelligently, however, security is missing. Configuring security at every branch office is not a feasible solution.

It’s time to be SASE !!

SASE is a network architecture that combines VPN and SD-WAN capabilities with cloud-native functions. Those functions, secure web gateway, cloud access security broker (CASB), firewall, and zero-trust network access, are provided by the SASE vendor as a single, integrated offer that is delivered from the cloud.

Simply put, SASE combines security with intelligent routing via the cloud for the cloud ( not always though).

How does it achieve that? Here comes PoPs.

Going back to the Netflix analogy, SASE brings in distributed Points of presence that run network security at the edge.

These PoPs have two components.

Global Network Mesh – SASE solutions leverage a software-defined WAN (SD-WAN) to build its own private network of PoPs. Once established, traffic is intelligently routed through this network mesh, minimizing the latency and loss problems associated with public internet traffic. The benefits of the global network are most noticeable to users whose traffic spans multiple regions.

Distributed Inspection and Policy Enforcement – Serving users and applications in a variety of locations means security inspection and policy enforcement must also be distributed. Secure services such as secure web gateways (SWG) and data loss protection (DLP) can become expensive at centralized bottlenecks in the cloud, while functions like remote browser isolation benefit from vertical scaling to accommodate unpredictable demand. To improve user experience and minimize cloud costs, inspection and enforcement are moved to the edge (the PoPs) and operated on a platform that combines SD-WAN with edge compute capabilities.

In simple terms, let’s summarise what we have learned till now.

A service [SASE] connecting users (machine or human) with their applications in the cloud while providing connectivity performance [ SD-WAN] and security assurance [PoPs] determined by policies set by the Subscriber.

How does SASE architecture work?

SASE combines SD-WAN with network security services like FaaS, SaaS, secure web gateways, cloud access security brokers, endpoint security, and zero-trust network access. This results in a multi-tenant and multi-regional secure platform for users that is location, and device-agnostic. Your employee can access applications from anywhere and on any device in a secure and efficient manner.

Another example to help drive the point. How do the next gen AVs work? Install a client on the end-point and the remaining aspects are handled by the cloud. Similarly, install a SASE client on the endpoint and the rest is taken care of by the cloud. A SASE client (such as a mobile device with a SASE agent, an IoT device, a mobile device with clientless access, or branch office equipment) will send traffic to the PoP for inspection and forwarding -- to the internet, or across the central SASE architecture.

SASE combines software-defined WAN and other networking services and functions, including the following:

ZTNA
cloud access security brokers
firewall as a service
secure web gateways
SaaS

SASE's aim is to blend these services and technologies to build a cloud-aware and cloud-based secure network and this is best achieved by exploiting the power of the cloud.

When you move to the cloud, you are making what is called by Gartner - a “Thin Branch” and “Heavy Cloud Model”. When the security functions would move to the cloud, the only thing that would be left at the branch office would be an SD-WAN box.

Here is a comparison of SASE with other products.

ZTNA vs SASE -- No , its SASE and ZTNA

ZTNA or Zero Trust Network Access is not going to compete with SASE. Instead, it will be defining component of SASE. Why is it so? Because SASE is completely Identity Driven. Identity is the focal point and the basis of SASE.

What are the benefits of SASE?

Reduces Costs and Complexity
Ensures Consistent Policy
Ease of Management
Simplified Security Model
Increased Network Performance
Fully Integrates SD-WAN
Centralized Orchestration
Secure, Seamless User Access

While SASE is being touted as the next big thing, remember, that happens with almost every new buzzword that comes along. This is the panacea that we are looking for. SASE will also bring together a host of challenges with its implementation. We have multiple organizations that have signed up for different products to handle security and remote working. They will not jump on the bandwagon immediately till the time they have existing contracts. Decisions in organizations are often based on costs and if SASE turns out to be a cost-effective solution, it will reach the CEO’s desk, else, it will vanish without a trace. Given that multiple organizations are already struggling with inflated cloud costs, another cloud solution will not be easy to sell.

What would work in SASE’s favor is the problem that it is trying to solve. While employers will push employees to return to the office, remote working will become the norm and businesses will have to adapt and adopt a location and device-agnostic culture. SASE is setting the stage for next-gen network connectivity and security. Its journey will be quite interesting to watch out for.

What are your thoughts on SASE?

Everyone’s calling This the next big thing in Security. What is it?