What is secure access service edge (SASE)?

The key difference between SASE and traditional network security is that instead of routing all traffic back to a data center to apply security policies, SASE delivers security capabilities and other services nearer to where users and endpoints connect, at the network edge.

The SASE model offers great potential to strengthen network security, simplify network performance management, and improve the overall user experience.

As more organizations pursue digital transformation—and as they increasingly adopt cloud environments, edge computing and work-from-home or hybrid work models—more and more users and IT resources will reside outside the traditional network perimeter. SASE enables organizations to provide direct, secure, low-latency connections between users and these resources regardless of where they’re located.

SASE may be relatively new technology—industry analyst Gartner defined the term in 2019—but many security experts believe it represents the future of network security.

SASE is the combination, or convergence, of two core technologies: Software-defined wide area networking, or SD-WAN, and secure service edge, or SSE. It’s easier to understand how SASE works if you first understand what each of these technologies does.

An SD-WAN is a wide-area network that has been virtualized, in much the same way servers are virtualized. It decouples network functionality from the underlying hardware—connections, switches, routers, gateways—to create a pool of networking capacity and network security capabilities that can be divided, aggregated and applied to traffic under software control.

Traditional wide area networks (WANs) were designed to connect users in corporate branch offices to applications in a central corporate data center, usually over dedicated, private and expensive leased-line network connections. Routers installed at each branch controlled and prioritized traffic to ensure optimal performance for applications that mattered most. Security functions, such as packet inspection and data encryption, were applied at the central data center.

SD-WAN was developed originally to let organizations duplicate their WAN capabilities on less-expensive, more scalable internet infrastructure. But demand for SD-WAN accelerated as more and more businesses began adopting cloud services before they were quite ready to trust internet security. The WAN security model was challenged: Routing ever-increasing volumes of internet-destined traffic through the corporate data center created an expensive bottleneck, and both network performance and the users’ experience degraded.

SD-WAN eliminates this bottleneck by enabling security to be applied to traffic at the connection point, rather than forcing the traffic to be routed to the security. It lets organizations establish direct, secure, optimized connections between users and whatever they need—software-as-a-service (SaaS) apps, cloud resources, or public internet services.

Another term coined by Gartner, SSE is “the security half of SASE.” Gartner specifies SSE as the convergence of three key cloud-native security technologies:

Secure web gateways (SWGs). An SWG is a two-way internet traffic cop. It prevents malicious traffic from reaching network resources, using techniques such as traffic filtering and domain name system (DNS) query inspection to identify and block malware, ransomware and other cyberthreats. And it prevents authorized users from connecting to suspicious web sites: Instead of connecting directly to the internet, users and endpoints connect to the SWG, through which they can access approved resources only (e.g. on-premises data centers, business applications, and cloud applications and services).

Cloud access security brokers (CASBs). CASBs sit between users and cloud applications and resources. CASBs enforce company security policies like encryption, access control, and malware detection as users access the cloud, no matter where or how users connect—and it can do so without installing software on the endpoint device, making it ideal for securing BYOD (bring your own device) and other workforce transformation use cases. and other CASBs can also enforce security policies when users connect to unknown cloud assets.

Zero trust network access (ZTNA). A zero trust approach to network access is one that never trusts and continuously validates all users and entities, whether they’re outside or already inside the network. Validated users and entities are granted the least privileged access necessary to complete their tasks. All users and entities are forced to revalidate whenever their context changes, and every data interaction is authenticated on a packet-by-packet basis until the connection session ends.

ZTNA isn’t a security product itself, but a network security approach implemented using a variety of technologies including identity and access management (IAM), multi-factor authentication (MFA), user and entity behavior analytics (UEBA) and various threat detection and response solutions.

Individual vendors’ SASE platforms may include other threat prevention and security capabilities, including firewall as a service (FWaaS), data loss prevention (DLP), network access control (NAC), and endpoint protection platforms (EPPs).

SASE solutions use SD-WAN to deliver SSE security services to users, devices and other endpoints where or close to where they connect, at the network edge.

Specifically, instead of sending all traffic back to a central data center for inspection and encryption, SASE architectures direct traffic to distributed points of points of presence (PoPs) located close to the end user or endpoint. (PoPs are either owned by the SASE service provider or established at a third-party vendor’s data center.) The PoP secures the traffic using the cloud-delivered SSE services, and then the user or endpoint is connected to public and private clouds, software-as-a-service (SaaS) applications, the public internet, or any other resource.

SASE provides important business benefits for security teams, IT staff, end users, and the organization as a whole.

Cost-savings—specifically, less capital expense. SASE is essentially a SaaS security solution: Customers purchase access to the software for setting up and controlling the SASE, and get the full benefit of the cloud service provider’s hardware on which it’s delivered. Instead of routing traffic from a branch office router to an on-premises data center hardware for security, SASE customers route traffic to the cloud from the nearest internet connection.

Companies can also consume SASE as a hybrid solution delivered across both public cloud and the organization’s on-premises infrastructure, integrating physical networking hardware, security appliances and data center with their virtualized cloud-native counterparts.

Simplified management and operations. SASE frameworks provide a single, consistent solution for securing anything that connects or attempts to connect to the network—not just users but internet of things (IoT) devices, APIs, containerized microservices or serverless applications, and even virtual machines (VMs) that spin up on demand. It also eliminates the need to manage a stack of security point solutions—routers, firewalls, etc.—at each connection point. Instead, IT or security teams can craft a single, central policy for securing all connections and resources on the network, and they can manage everything from a single point of control.

Stronger cybersecurity. Properly implemented, SASE can improve security on a number of levels. Simplified management strengthens security by reducing the chance of errors or misconfigurations. For securing traffic from remote users, SASE replaces the blanket, one-size-fits-all permissioning of virtual private network (VPN) access with ZTNA’s fine-grained, identity- and context-based access control over applications, directories, datasets and workloads. 

Better, more consistent user experience. With SASE users connect to the network the same way whether they’re working onsite, in a branch office, from home or on the road—and whether they’re connecting to applications and resources hosted in the cloud or on premises. SD-WAN services automatically route traffic to the closest PoP and, once security policies are applied, optimize connections for the best possible performance.

SASE offers advantages to any organization evolving away from the central data center model of application delivery. But a handful of specific use cases are driving its adoption today.

Securing hybrid workforces without VPN bottlenecks. VPNs have been the predominant means of securing remote or mobile users for nearly two decades. But VPNs don’t scale easily or inexpensively—something many organizations learned the hard way when their workforces went fully remote because of the COVID-19 pandemic. In contrast, SASE can scale dynamically to support the security requirements of remote workers in particular and an evolving workforce in general.

Hybrid cloud adoption and cloud migration. Hybrid cloud combines public cloud, private cloud and on-premises infrastructure into a single flexible computing environment, where workloads move freely between infrastructures as circumstances change. WAN security solutions aren’t designed for this kind of workload mobility, but SASE, which abstracts security capabilities from the underlying infrastructure, secures traffic wherever it moves. It also gives organizations the flexibility to migrate workloads to the cloud at whatever pace works.

Edge computing and IoT/OT device proliferation. Edge computing is a distributed computing model that locates applications and computing resources out of the centralized data center and closer to data sources such as mobile phones, IoT or operational technology (OT) devices and data servers. This proximity results improved application response times and faster insights, particularly for artificial intelligence (AI) and machine learning applications that process huge volumes of streaming data in real time.

To enable these applications, organizations or solution vendors have deployed thousands of IoT sensors or OT devices, many with little or no security configured. This makes these devices prime targets for hackers, who can hijack them to access sensitive data sources, disrupt operations, or stage distributed denial-of-service (DDoS) attacks. SASE can apply security policies to these devices as they connect to the network, and provide management visibility into all connected devices from a central dashboard.