According to Gartner, secure access service edge or SASE is “the future of network security.” However, like any major security trend, there can be confusion about what is and isn’t “SASE.” Understanding the core features of a SASE solution can be invaluable when evaluating the available options.
What is SASE?
SASE is designed to provide a secure, cloud-based corporate WAN. SASE is deployed as a network of virtualized points of presence (PoPs) located in the cloud. Each SASE PoP integrates a range of networking and security functionality into a single solution, enabling it to provide network performance guarantees and inspect and secure the business traffic flowing over the corporate WAN.
Crucial SASE Networking Features
SASE is intended to be the backbone of the enterprise WAN, meaning that it needs to provide high-performance, reliable, and scalable network infrastructure. As the corporate WAN supplants the corporate LAN and organizations become more reliant on latency-sensitive Software as a Service (SaaS) applications and remote work, business traffic needs to flow quickly and reliably from anywhere to anywhere.
To accomplish this, a SASE solution and network should have certain core networking features, including:
- Software-Defined WAN (SD-WAN): SD-WAN is one of the core functions of a SASE solution. SASE is deployed as a network of cloud-based PoPs, and SD-WAN provides optimized network routing between these PoPs. This eliminates the inefficient routing of traditional architectures built around an on-prem security stack.
- Dedicated Backbone: SD-WAN provides optimal routing over the available transport media, but optimal routing over broadband Internet does not provide the performance guarantees that the modern business needs. SASE must be supported by a dedicated web of high-performance network links to ensure that traffic over the network meets service level agreements (SLAs). Otherwise, the SD-WAN’s performance may be worse than routing traffic directly to its destination, which may cause employees to stop using it.
- Global Network: With the rise of cloud computing and remote work, an organization’s infrastructure and workers can be anywhere in the world. With SASE, traffic must detour through the SASE network for security inspection before being forwarded to its destination. A global SASE network is necessary to ensure that the trip to the nearest SASE PoP – which occurs over broadband Internet – is not so long that it creates significant network latency.
- Zero-Trust Network Access (ZTNA): ZTNA – also known as a software-defined perimeter (SDP) – is a secure remote access solution. As businesses increasingly transition to a remote workforce, a secure remote access solution is an essential part of any network infrastructure. With ZTNA/SDP, organizations achieve a higher level of security than is available with traditional virtual private network (VPN) solutions, in a system that is more scalable and efficient than VPN infrastructure.
Security Must-Haves for SASE
SASE is more than just a networking solution; it is designed to also provide a complete security stack in a single cloud-native solution. By integrating networking and security functionality into a single application, SASE eliminates the need to route network traffic through the enterprise LAN for inspection and security policy enforcement by a perimeter-based security stack.
To accomplish this, a SASE solution needs to include certain security functionality, such as:
- Full Security Stack: Gartner defines SASE as having certain core security features, including a secure web gateway (SWG), ZTNA, cloud access security broker (CASB), and firewall as a service (FWaaS). While these are a good starting point, a SASE solution should also incorporate solutions such as web app and API protection (WAAP) that meet the needs of organizations embracing cloud-based infrastructure for hosting business applications.
- Security Integration: SASE is designed to be a fully integrated networking and security system; however, some vendors cobble together multiple point solutions using service chaining and label the result as SASE. These SASE-like systems provide many of the same protections as SASE but without the benefits of SASE. Without full security integration, a solution is more difficult to use, lacks the optimizations and efficiency of an integrated system, and has more complex update and patching processes.
- Managed Security: The goal of SASE is to make security simpler. With the cybersecurity skills shortage, many organizations are struggling to staff their security teams fully. SASE solutions should be available as a service, making it possible for an organization to outsource the management and maintenance of their SASE solution to a third-party provider.
Selecting a SASE Solution
As organizations design and build their networks for the “new normal,” investing in a SASE solution is essential. However, to reap the full benefits of SASE, it is necessary to select an actual SASE solution. When evaluating different offerings, pay attention to the feature sets and implementation details to ensure that a particular product actually implements the full range of necessary networking and security functionality within a fully integrated SASE solution.