SASE – a cloud-based model for network security beyond the data center

SASE emerged as a new buzzword in forums and company presentations during the end of 2019. SASE, pronounced ‘Sassy’, stands for Security Access Service Edge. Put simply, it is an efficient way of combining management and security functions in the cloud and existing data centers for a more user-centric rather than site-centric approach. But a simple one-sentence explanation does not do justice to a term that is currently being hyped by many industry experts like Gartner. In this blog post, we cut to the chase and offer an explanation of what SASE really is and why it makes sense.

Gartner claims that SASE is already one of the most important technologies that will be used by around 40 percent of all companies by 2024. A detailed analysis is given in this report “The Future of Network Security is in the Cloud”, which describes SASE as a model that defines security as a network functionality and delivers it as a cloud service. The best way to understand SASE is to look at the current situation in many organizations. They have one or several data centers which users connect to, mostly via a VPN. Most data centers and company locations usually communicate via MPLS. And now cloud services are becoming even more commonplace.

How can users best access cloud services? From a client, which is increasingly a mobile device, via VPN through perimeter security in the company's own data center and then via a network connection to the cloud? Although this is an option, it causes an enormous burden on the internal LAN, if an application is already available in the cloud directly via the Internet. However, if you take the direct route, perimeter security must also be deployed for the application in the cloud.

The introduction of Software Defined-WAN (SD-WAN) has made this question even more complicated. SD-WAN facilitates routing and combining multiple media. This allows bandwidth to be combined, redundancy to be created and simplifies access to corporate resources for remote offices and users. But even if SD-WANs make it easier to configure VPN split tunnels so that users can access the cloud directly and don't have to take the detour via enterprise WAN and the data center, new attack vectors are emerging. This could be resolved by deploying firewalls for each remote site. But this is not only expensive, it entails immense organizational effort in managing dozens or even hundreds of firewalls at the same time and keeping them up to date with the latest security patches. SASE addresses this problem by integrating security functionality as a service into the network. Security and networking are managed via the cloud, so administrators can make changes once and roll them out to all locations.

SASE shifts central network security measures away from the organization’s data center. Instead of forcing traffic to the data center to firewalls, IPS, and other perimeter security measures, SASE brings inspection engines to a nearby point of presence (PoP) in the cloud. Traffic sent via the client to the PoP is checked and forwarded to the Internet or via the global SASE backbone to other SASE clients. Gartner has defined over a dozen different SASE features, but they can be combined into four main attributes. Firstly, SASE tries to deliver the best possible network performance for all applications using a global SD-WAN service. This backbone takes over most of the traffic distribution, following the principle that the company's traffic should hardly ever be in contact with the Internet. Secondly, SASE provides policy-based traffic protection features, such as encryption and decryption, malware scanning, and sandboxing. SASE should also provide other services, such as DNS-based protection and DDoS protection. Thirdly, at least the early SASE providers agree that a SASE service uses a cloud-native architecture that has no special hardware dependencies. Fourthly, SASE is based on the identity of the users. Unlike other managed network services, the SASE architecture delivers services based on the identity and context of the connection source. Identity includes a variety of factors, such as the initiating user, the device used, and real-time factors, such as time of day and device location.

SASE as such will not save the world or eliminate all external attack vectors on its own. But increasingly cloud-adopting organizations need a way to manage access to applications that are not deployed in the data center securely and with the least possible effort. If SASE can provide this path, that's good news for the next few years.