All About SASE: What It Is, Why It's Here, How to Use It
Secure Access Service Edge is a new name for a known and growing architecture designed to strengthen security in cloud environments.
Secure access service edge, also known as SASE (pronounced sassy), is a term popping up more in security conversations as businesses grapple with the challenge of secure networking in the cloud.
"SASE combines WAN capabilities with network security functions: secure web gateway, cloud access security broker, firewall-as-a-service, and zero-trust network access. These capabilities are primarily delivered as-a-service and aim to find sensitive data or malware, decrypt content, and monitor risk and the trust level of sessions," Gartner's Andrew Lerner says in a blog post. Monitored entities can span groups of people, devices, applications, services, or Internet of Things systems.
Gartner first mentioned the term SASE in its 2019 networking hype cycle, but it's not a novel practice. Rather, it's a new name for a tactic that organizations have been adopting as they navigate new security hurdles amid the transition to cloud- and mobile-intensive environments.
"It's a combination of different technologies, all of which I think people have been using in one respect or another, but are converging, and adoption of them is accelerating," says Tom Cross, chief technology officer at OPAQ, describing SASE. "The reason is, enterprise network architectures have not kept up with the way that IT has changed."
Modern employees use all kinds of devices to access corporate data and applications from a range of geographical locations. The rise of cloud computing and mobility have disrupted the typical technology infrastructure by swapping the physical data center for infrastructure-as-a-service (IaaS). Many IT teams interact with their network through a web console or API. Your data is everywhere, and you don't have visibility into everything happening on the network.
"Legacy enterprise networks have gone through major upheaval over the last couple of years, and organizations have been able to reduce cost and increase agility. SD-WAN was designed to address these needs but doesn't connect to mobile users," explains Dave Greenfield, technology evangelist at Cato Networks. Furthermore, it's not enough to address their many cloud security concerns.
Many constructs that make up SASE — firewalls, intrusion-prevention systems (IPS), cloud access security brokers (CASB) — are things businesses have used for years. "These can still be applicable as you move into the cloud," says Mike Rothman, Securosis president and analyst. "But there's this old adage that just because you can doesn't mean you should." Organizations don't often think about how they can build a cloud-native environment that provides capabilities and flexibility they need while adding security into the network stack.
The traditional model of network security is based on inspection points: Traffic is rerouted through a place where it's inspected to detect attacks. "When you overlay existing capabilities with familiar tools, it's the lowest common denominator," he continues. "It drives inefficiency, adds cost, and forces traffic into a bottleneck." Organizations don't need conventional tools scattered throughout their environments if they can segment more effectively in the cloud, which lets them add more accounts and subscriptions instead of a flat data center network.
"It doesn't make sense to have an on-premises firewall everyone is rerouting their traffic to," says Cross. "We need a security infrastructure that makes sense in this world and is convenient for people to use, and that they will use. … What we need is for security to be available in the Internet. Security comes to the traffic, not traffic going to security."
The SASE Approach to Network Security
Instead of thinking about mobile access, cloud access, and site access as separate things, SASE puts it all into a single global network. With this approach, businesses no longer have separate security policies. There is one policy — one firewall for protecting against network-based threats.
"The secure access service edge converges security and networking together for any kind of endpoint," Rothman explains. Instead of putting an agent on the device, connecting to a VPN, and rerouting to a cloud-based resource, SASE brings security to each individual device. "If I can bring the secure perimeter to the actual user, this allows me to be more efficient," he adds.
"Cloud networking is different. You don't think about what you already have but about the kind of network a specific application or use case requires. Build what is needed, where it's needed," Rothman explains in a report on networking in the cloud age. A network for remote employees should be different from one for interconnecting primary sites. Externally facing web applications need a different network than applications used to access sensitive data kept in a data center.
How it works: "The SASE architecture is a cloud-native platform, which provides a company with the heavy security processing it requires," Greenfield explains. Each location runs an SD-WAN device to bring traffic into the SASE cloud. Traffic is sent to a local point-of-presence (POP), where networking and security processing is applied before it's forwarded to its destination. For Cato Networks, POPs are co-located in the same physical data centers as the cloud providers.
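The two ideas in the preceding sections, one policy for every kind of access and security processing applied at the nearest POP before traffic is forwarded, can be made concrete with a small simulation. The following is an added example written for this article, not code from the article, from Cato Networks, or from any other vendor; the POP locations, user entitlements, web-category feed, sanctioned-SaaS list and port rule are all constructed placeholders, and the policy order (firewall, zero-trust access, web gateway, CASB) is one reasonable arrangement rather than any product's actual pipeline.

```python
"""Simplified model of the SASE traffic path: every branch, mobile user and
cloud workload hands its traffic to the nearest point of presence (POP), and
the POP applies ONE converged policy (firewall, zero-trust access, web gateway
and CASB checks) before forwarding. Added illustration; all data is constructed."""
from __future__ import annotations

import math
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    INSPECT = "inspect"  # decrypt and scan for sensitive data or malware


@dataclass(frozen=True)
class Pop:
    name: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Flow:
    source: str          # e.g. "branch:berlin", "mobile:alice-laptop", "iaas:vpc-1"
    user: str
    device_managed: bool
    dest_host: str
    dest_port: int
    lat: float           # where the flow enters the SASE cloud
    lon: float


# Constructed POP footprint (three regions); no relation to any real provider.
POPS = [Pop("fra", 50.1, 8.7), Pop("iad", 38.9, -77.0), Pop("sin", 1.3, 103.8)]

# Constructed policy data, shared by every access path.
ENTITLEMENTS = {"alice": {"crm.internal"}, "bob": {"crm.internal", "erp.internal"}}
BLOCKED_CATEGORIES = {"phishing.example": "phishing"}  # secure web gateway feed
SANCTIONED_SAAS = {"files.sanctioned.example"}          # CASB sanctioned-app list


def _haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def nearest_pop(flow: Flow) -> Pop:
    """Route the flow to the closest POP, whatever kind of source it came from."""
    return min(POPS, key=lambda p: _haversine_km(flow.lat, flow.lon, p.lat, p.lon))


def apply_policy(flow: Flow) -> tuple[Verdict, str]:
    """The single policy: identical checks for a branch, a laptop on hotel
    Wi-Fi, or an IaaS workload. Order here: FWaaS, ZTNA, SWG, CASB."""
    # Firewall-as-a-service: only web ports may leave through the POP.
    if flow.dest_port not in (80, 443):
        return Verdict.DENY, "fwaas: port not permitted"
    # Zero-trust network access: private apps need an entitled user on a managed device.
    if flow.dest_host.endswith(".internal"):
        if flow.dest_host not in ENTITLEMENTS.get(flow.user, set()):
            return Verdict.DENY, "ztna: user not entitled to application"
        if not flow.device_managed:
            return Verdict.DENY, "ztna: unmanaged device"
        return Verdict.ALLOW, "ztna: entitled user on managed device"
    # Secure web gateway: block known-bad destinations from the category feed.
    if flow.dest_host in BLOCKED_CATEGORIES:
        return Verdict.DENY, f"swg: {BLOCKED_CATEGORIES[flow.dest_host]}"
    # CASB: sanctioned SaaS passes; anything else is decrypted and inspected.
    if flow.dest_host in SANCTIONED_SAAS:
        return Verdict.ALLOW, "casb: sanctioned application"
    return Verdict.INSPECT, "casb: unsanctioned destination, inspect for data loss"


def process(flow: Flow) -> dict:
    """What a POP does per flow: accept it as the nearest entry point, decide, forward."""
    pop = nearest_pop(flow)
    verdict, reason = apply_policy(flow)
    return {"pop": pop.name, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    # Same user, same destination, three access paths: one policy, three POPs.
    for src, lat, lon in [("branch:berlin", 52.5, 13.4),
                          ("mobile:alice-laptop", 40.7, -74.0),
                          ("iaas:vpc-1", 1.4, 103.9)]:
        print(src, process(Flow(src, "alice", True, "crm.internal", 443, lat, lon)))
```

The point to notice is that `apply_policy` never looks at `flow.source`: the branch office, the roaming laptop and the cloud VPC get the same verdict for the same user, device state and destination, while `nearest_pop` is the only thing that differs between them. That is the "security comes to the traffic" model in miniature; the legacy alternative would be three separate rule sets, one per access path, drifting apart over time.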
"When you're first starting out, you have to figure out how to get started and sometimes it can be challenging to [do] a whole reconsideration of security infrastructure," says Cross.
The key is starting small, Rothman explains. Know the problem you're trying to solve, select a short list of companies that can help you solve it, present the use case, and see how they can help. Over time, you can add more applications, users, and use cases to the SASE environment.
"It doesn't have to be a big bang. … You can look at it from an application access or user constituency basis," he continues. "Pick a use case and start somewhere. Don't expect you're going to replace your entire network tomorrow with one of these services." As part of a gradual process, companies may start implementing SASE in a single office and expand from there.
Implementing SASE: One Company's Story
This is what Andrew Thomson, vice president of innovation and technology at BioIVT, was looking for when he was revamping network security two years ago. He wasn't specifically seeking SASE but wanted to find a more secure way to manage the network in the cloud. At the time, BioIVT was running on a network with several Cisco point-to-point connections, which connected sites together into a WAN. There were multiple points of entry through various Internet provider connections, and he wasn't sure how to support its growth.
"We were kind of at a crossroads," Thomson says. "How do we manage this growing network and how do we manage our security game?" The search turned to SD-WAN providers, which were focused on this type of service.
He found disparate tools but wasn't enthusiastic about working with several partners. "I didn't want to have to go find different vendors … didn't want a network monitoring vendor, and a new firewall vendor. Being able to select a SASE model, [we have] one vendor handling all that for us."
BioIVT needed to maintain connectivity throughout the implementation process and was able to structure the integration as it ran in parallel alongside its existing network. Since then, he's noticed some unexpected benefits to the new approach. The company has been able to stick with the same vendor (Cato Networks) without additional monitoring or staffing, a perk because it hasn't required a learning curve for security employees. Since its implementation, BioIVT has grown from eight locations to 17, and a preconfigured device can be shipped to each new site.
To SASE or Not to SASE?
There are several reasons why an organization might adopt a SASE model and many reasons why they might hold back. Companies that choose SASE are driven by a set of factors: They don't want to run their own hardware anymore; they don't want traffic backhauled to the data center before it goes to the Internet; they don't want end users unsecured when not on a VPN.
If your firewall is about to expire, for example, you might consider a SASE-based approach rather than investing in new hardware, Cross notes. Perhaps you're opening a new office and it would be easier to connect using a service-based security model. Or maybe you're in the M&A process and need stronger control over a new company's security processes and infrastructure. Distributed workforces, branch offices, and retail stores are also scenarios where SASE fits in.
When Cato Networks started, only the smallest businesses were looking for a SASE model, says Greenfield. Mid- to low-end enterprise users often didn't have the staff to manage a lot of complex infrastructure. Now, even the largest enterprises are adding SASE to 50–70 sites. Security has grown so complicated that most organizations don't have the resources to manage it.
"It doesn't matter how big you are but how old you are and how your IT works," Cross says. Businesses born in the cloud will have an easier time adopting SASE, but the reality is that most are not starting from scratch. And there are some industries that will always need on-premises IT infrastructure: manufacturing facilities, hospitals, and retail sites all need hardware on-site.
The Future of Cloud Security?
There has been a significant uptick in interest in solving this problem over recent months, says Cross, and as a result, multiple vendors are tackling the issue from different directions. "Vendors like Cato Networks, Zscaler, Forcepoint, OPAQ, and Symantec for a while had a managed WAN or proxy type of service they're starting to extend," says Rothman. Meta Networks, another, was acquired by Proofpoint — an early sign of consolidation in the space.
While adoption has grown, it's unclear if or when SASE will reach the widespread popularity of cloud storage and apps. Some organizations remain hesitant, a common mentality when cloud computing started to emerge. "When IaaS began, a lot of people were like, 'We're not going to move our workloads to the cloud — we're not going to trust cloud providers,'" says Cross.
Consider the millions of workloads in platforms like Amazon Web Services and Microsoft Azure, he continues, and think about how much weaker their security would be if each organization had handled their security on their own. It's the same situation with security-as-a-service: Outsource to people who can securely manage the infrastructure — they will be more successful.
This will be proven out over time, just as with the cloud, Cross says.