Demystifying Secure Access Service Edge (SASE)

Even IT decision-makers keep losing track of terms such as SASE, SD-WAN and SSE. We shed light on the confusion and clarify what is hidden behind the abbreviations and how they are related.

In September 2019, the consulting firm Gartner described in its report “The Future Of Network Security Is In The Cloud” a new security concept that has since turned IT security on its head. While previous approaches have focused primarily on the perimeter as the most important line of protection against cyber attacks, the "Secure Access Service Edge" (SASE) concept developed by Gartner goes a big step further.

Why we need to embrace SASE and say goodbye to the perimeter

The days when companies hosted all important applications and services exclusively in their own data center are over. To a large extent, their employees are also no longer located in their own company building but access the networks from outside. Another important role is played by the success of the cloud. Today, a considerable part of the applications and services are no longer operated in-house, but by external service providers – rented and operated on the insecure Internet. Examples include collaboration platforms such as Microsoft Teams, Cisco Webex, the video conferencing solution Zoom or business applications such as Salesforce and Microsoft 365.

SASE is intended to re-secure these complex structures by including not only the area of network security, but also the wide area networks (WANs), which are protected even in a cloud-based service model. Secure Web Gateways (SWG), Cloud Access Security Brokers (CASB) for monitoring cloud applications, virtual firewall-as-a-service offerings (FWaaS) and Zero Trust Network Access (ZTNA) for granular access control form the core of this modern approach at the interfaces between the Internet and internal networks. However, this is often where the similarities of SASE platforms end. Most vendors extend their SASE-based solutions with additional features for data loss prevention (DLP), identity and access management (IAM), detecting and defending against attacks (IPS/IDS, intrusion prevention systems and intrusion detection systems) or, like NCP, with cloud-based VPN, which can be used as VPN-as-a-service (VPNaaS).

Particular importance is attached to enforcing policies, which prevent, for example, an employee from accessing central company resources from home with an outdated and insufficiently secured device. Efficient enforcement of policies is an essential part of SASE.

How SASE complements Software-Defined WAN and Zero Trust

Classic wide area networks connect local area networks (LANs) over longer distances. Above all, large companies use them to network site offices and their headquarters. Until now, the hardware and software required for this have mostly come from a single source. A software-defined WAN (SD-WAN), on the other hand, offers significantly more flexibility, as the software used also works with hardware from other manufacturers. SD-WAN also offers better scalability and can lead to significant cost savings.

However, conventional security measures are no longer sufficient for securing an SD-WAN, as they only defend the existing perimeter. Above all, they assume that the internal network is trustworthy. The Zero Trust principle addresses this by not trusting anyone by default. Instead, trust must be obtained through repeated authorization and validation.

Least Privilege means that users are only granted the level of access they really need for their tasks. Top-level accounts with access to entire networks are now a thing of the past. In addition, a Zero Trust solution no longer distinguishes between internal and external networks – both are considered insecure. NCP Secure Enterprise Management (SEM) also allows granular configuration of access rights for user groups and individual users.
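The policy enforcement and Zero Trust checks described above can be sketched as a single access decision. This is an added example, not NCP's or any vendor's code; the group names, resources, patch threshold and re-validation interval are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed least-privilege policy: each group reaches only the resources it needs.
GRANTS = {"finance": {"erp", "payroll"}, "engineering": {"git", "ci"}}
MIN_OS_PATCH = (2024, 6)            # assumed minimum patch level (year, month)
MAX_AUTH_AGE = timedelta(hours=1)   # assumed interval before re-validation is required

@dataclass
class Request:
    user: str
    groups: frozenset
    resource: str
    source_network: str       # "internal" or "external"; never used to grant trust
    os_patch: tuple           # (year, month) reported by the device
    disk_encrypted: bool
    authenticated_at: datetime

def decide(req, now):
    """Return (allowed, reason). Every request is checked; location earns nothing."""
    # Trust expires: a stale session must authenticate again.
    if now - req.authenticated_at > MAX_AUTH_AGE:
        return False, "reauthentication required"
    # Device posture: outdated or insufficiently secured devices are refused.
    if req.os_patch < MIN_OS_PATCH:
        return False, "device patch level too old"
    if not req.disk_encrypted:
        return False, "device not encrypted"
    # Least privilege: only resources granted to one of the user's groups.
    allowed = set().union(*(GRANTS.get(g, set()) for g in req.groups))
    if req.resource not in allowed:
        return False, "resource not granted to user's groups"
    return True, "ok"

if __name__ == "__main__":
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample time
    fresh = now - timedelta(minutes=10)
    samples = [
        Request("alice", frozenset({"finance"}), "erp", "external", (2024, 9), True, fresh),
        Request("bob", frozenset({"finance"}), "erp", "internal", (2023, 1), True, fresh),
        Request("carol", frozenset({"finance"}), "git", "internal", (2024, 9), True, fresh),
    ]
    for r in samples:
        print(r.user, r.source_network, decide(r, now))
```

The second sample is refused even though it comes from the internal network, which is the difference from a perimeter model.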

While Zero Trust focuses on giving authenticated users and devices access to the resources they need, SASE goes one step further. Both concepts can be optimally combined with each other. However, the outlay for SASE should not be underestimated. Many companies therefore initially integrate Zero Trust and set SASE as an extended goal for the future.

In a nutshell:

When SASE was introduced, many thought it was just another term for SD-WAN. But that is not true. SD-WAN is part of SASE and by no means the same. SASE integrates advanced security features in addition to the network, creating a holistic network and security model. This even goes so far that Gartner has already introduced the next model, SSE (Security Service Edge). SSE focuses on the topic of security and omits the network part. The terms ZTNA, SWG and CASB appear again here.

Put simply:
SD-WAN + SSE = SASE

If you need any more information, please do not hesitate to contact us. We are happy to advise you and answer any questions regarding the integration of our solutions into SD-WAN, SASE, SSE and ZTNA. You can also find out how you can combine maximum flexibility with the highest security in SASE and SD-WAN infrastructures in our brochure “VPN and the Cloud”.
