Let’s get this out of the way first. Secure Access Service Edge (SASE) – pronounced ‘sassy’ – is not a new technology category. The term was coined by Gartner in 2019 to represent a security framework or philosophy that combines the capabilities of SD-WAN and VPN with cloud-native security functions such as zero-trust network access, CASB, firewalls and other technology. At its heart, SASE is an amalgamation of many existing technologies coming together to help businesses reduce network complexity, deliver better security and reduce costs – all things that today’s distributed organizations desperately need.
SASE, the business enabler
Because SASE is made up of many different technologies under a large umbrella, there are in fact many paths that an organization could take to qualify as SASE. Most organizations already use elements of SASE in their network and security infrastructure, but the goal with any SASE framework is to establish better ways of giving agile, often remote workers a secure, direct way to access corporate resources with far less latency and network complexity.
For remote workers, this often means going directly to a SaaS application or hosted data service on the web rather that wasting bandwidth tunneling back to HQ and then out again. The result of this SASE structure is that users and their devices can bypass many of the traditional network bottlenecks, giving them more secure and more direct cloud access to the applications, data and services they need from anywhere, at any time.
Why do we need SASE?
As mentioned above, most organizations have traditionally funneled their connections to data and applications through a centrally located or managed data center. But with our rapidly growing distributed workforce and more cloud-based, decentralized applications, this kind of convoluted network structure became increasingly wasteful and unnecessary. So much so that in 2019 Gartner dubbed this complex approach “network gymnastics.”
Frankly, this traditional structure no longer makes sense, especially when you consider that very few companies today host most of their applications in a corporate data center. The extra hops created by this kind of structure also introduce latency and negate the benefits of secure direct access.
Rethinking the network
Implementing a SASE framework for a corporate network requires rethinking the way that data is routed, from its source all the way to the end users and back again. Conventional models focused on a hub-and-spoke network in which the data center was at the center of everything. The SASE model, on the other hand, does away with this approach and instead builds a cloud-centric, secure structure that relies on the unique identity of each user and device at the edge of the network.
The Gartner report says, “In a modern cloud-centric digital business, users, devices and the applications they require secure access to are everywhere.”
This all makes perfect sense when you consider how much the workplace has changed over the past decade:
- A vastly higher proportion of user traffic today goes to cloud services than to corporate or co-located data centers
- The typical employee uses more cloud services than data center-based services
- Employees perform more tasks off the network than on it
- Most organizations use more SaaS applications than locally hosted ones
- More data is hosted in cloud services than on private enterprise networks
Because the enterprise perimeter is no longer a tangible, physical location, but a dynamic perimeter that responds to the on-demand needs of users, organizations have to approach security and risk management differently.
Key benefits
This new, SASE framework promises a raft of improvements over traditional network frameworks. Chief among them are:
- Reduced complexity and cost, with improvements to usability
- Better network performance and a reduction in latency
- Simpler IT management and reduced maintenance
- Better security via a zero-trust posture based on unique identities
To put some of this into perspective, SASE’s support of zero-trust network access means that the identity of the user, device and application is far more important than a set of credentials, location information or IP address. These old methods of verification – used in tools such as conventional VPNs and DMZs – have proven to be the Achilles heel of many networks. Contrast this with the ability of identity-based methods to limit lateral movement through a network, giving users access only to the data, applications or services the need at that specific time.
Another advantage enabled by SASE is the ability to choose the level of service each application receives. For example, a mission critical application can be given priority for bandwidth over less important applications such as web browsing.
Long road to SASE
All of this talk about SASE sounds very encouraging. In fact, many organizations are already trying to map out what their particular SASE approach will look like.
But that doesn’t mean that it can or will happen overnight. SASE frameworks are often complicated in their own right, made up of many moving parts. Because of this, no organization should expect to ‘become SASE’ overnight. There are a lot of small steps.
“Comprehensive SASE offerings are only now emerging, with adoption rates at less than 1%… By 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.”
Top Actions From Gartner Hype Cycle for Cloud Security, 2020, by Susan Moore, August 27, 2020
So, if your organization is just setting out on the SASE journey, rest assured that you’re not alone. The important thing is that you’re on your way, regardless of your starting point.
Continue reading…
- Best practices in legal IT: Daniel Demonakis from Linklaters
- Verified IT and security leaders reveal highest-rated ZTNA platforms in new G2 Grids
- Best practices in finance IT: Sven Goelles from Lincoln International
- Inside NetMotion: A security engineer’s view of SASE
- Best practices in public safety: Alex Bowen of the UK’s National Enabling Programmes
