What Is SASE?

Jeremy Wittkop, CTO

02.23.2021

Secure Access Service Edge (SASE) seems to be everywhere nowadays, and for good reasons. SASE represents the next generation of information security architecture. It will be disruptive to hybrid security approaches in the same way that Next-Generation firewalls were to on-premises security strategies. And SASE offers a compelling vision for how we can modernize our largest and most important quadrant of information security: data and network security.

In the realm of information security, technology tools can often cross generations. Capabilities can stay relevant or adapt to shifting trends. But every ten years or so, there is a distinct generational shift in the security landscape. The languages and protocols that people—and increasingly, applications—use to communicate change.

For example, when Next-Generation firewalls emerged, it was difficult for antivirus-generation companies like Symantec and McAfee to compete with vendors like Palo Alto. Likewise, it will be difficult for legacy companies like Palo Alto to compete in the SASE generation.

Difficult, but not impossible.

Security technology providers that offer cloud-native solutions, or have experience delivering Software as a Service (SaaS) capabilities, have a distinct advantage. This is why, when you are talking about SASE, you may be hearing more about security companies like Zscaler, Netskope, and Proofpoint than about Palo Alto, Check Point, or Fortinet.

What SASE Is Not: A Turnkey Security Technology

The first concept to understand about SASE is that it is not an individual technology.

It is not even a suite of products. If someone tells you they are going to “sell you a SASE,” you should tightly grip your wallet and hang up on that person. That just isn’t how it works. The person you’re talking to either doesn’t understand the concept or is trying to deceive you.

A SASE architecture involves multiple products. The SASE technology solutions roster includes close to 40 product categories at last count—and no single vendor offers them all.

What SASE Is: A Framework for Meeting Security Objectives

Perhaps the best description of SASE I have heard came from my friends at Broadcom who said, “If Zero Trust is what you’re trying to accomplish, SASE is how you will do it.” I thought this was a good way of summarizing the concept of SASE as an architecture and a framework.

I describe SASE as an environment in which all the traditional data and network security products—

  • IDS/IPS
  • Firewalls
  • Data loss prevention (DLP)
  • User and Entity Behavior Analytics (UEBA)
  • Data Classification
  • and more

—are refactored and delivered as microservices.

Those microservices are attached to a single cloud security stack, with traffic routed in an optimized way, much like the way SD-WAN works.

This architecture requires a multitude of capabilities that fall into broad categories, each with star-performing products.

Network as a Service

When considering SASE, the most logical question to start with is:

“How is my traffic going to get to this cloud microservices architecture?”

The answer is that you need an optimized path to the internet. Some security vendors like Netskope have spent lavishly to create this optimized route. Netskope calls its version NewEdge, and it is so highly optimized that the latency reduction its infrastructure delivers is greater than the latency its security stack introduces.

In other words, your connection is faster going through their security stack than it is going direct to the internet.

This is a concept that was a pipe dream five short years ago. Other content delivery network (CDN) providers like Cloudflare are using their Network-as-a-Service capabilities to challenge in the SASE space by building security capabilities on top of their existing infrastructure.

Network Security

The next piece of SASE is where most security people start their conversation: at the point where the network meets the web. This is the “edge” that inspired Gartner to coin the term Secure Access Service Edge.

The concept came to life when Zscaler started refactoring traditional on-premises web proxies and delivering them as cloud services. Today, that is the standard architecture, and almost every vendor that provides a Secure Web Gateway has an option for a cloud-based version.

Additional capabilities that fall into this portion of SASE include private access (or Zero Trust Network Access), remote browser isolation, firewall as a service, cloud access security broker (CASB), cloud security posture management (CSPM), and other solutions.

The idea behind each of these components is that users should have the same rules and security regardless of where they are, what device they are using, and where the traffic is headed, whether on premises or in a cloud-based architecture.

Identity

Any cloud solution must also take identity into account. For many years, the location of a user was used as a false factor of authentication. Now that users can access resources from anywhere, it's essential to validate that users are who they say they are.

You must also ensure that the principle of least privilege is enforced. Fortunately, good solutions exist for single sign-on and multi-factor authentication.

Unfortunately, identity governance and privileged access management solutions are not as widely adopted. Other capabilities that look at user behavior are also important pieces of the puzzle, but exactly how they will be deployed and integrated is still not settled science.

Data Protection

Data protection is a central element of SASE. It encompasses technologies such as DLP, data classification, and digital rights management (DRM), among others.

Data protection is important because protecting data that belongs to your organization, your partners, and your customers is always your responsibility. It cannot be transferred.

Are You Ready for the Shift?

The key to understanding SASE is remembering that it is not a product. This emerging security architecture approach represents a fundamental shift in the way we perform data and network security in the modern world.

It could be accurately and simply described as digital transformation for information security.

For many organizations, dealing with the rapid acceleration of digital transformation across their operations has become all too real. Perhaps you think your organization isn’t ready for another big change. But SASE is the kind of change that is designed to help you deal with all the other transformations that are happening—better. Soon, you’ll want to dive in and explore what SASE has to offer.
